Tilburg University

Personal data protection as a nonfunctional requirement in the Smart City's development
Dalla Corte, Lorenzo; van Loenen, Bastiaan; Cuijpers, Colette

Published in: Managing Risk in the Digital Society
Document version: Publisher's PDF, also known as Version of record
Publication date: 2017
Link to publication

Citation for published version (APA): Dalla Corte, L., van Loenen, B., & Cuijpers, C. (2017). Personal data protection as a nonfunctional requirement in the Smart City's development. In Managing Risk in the Digital Society: Proceedings of the 13th International Conference on Internet, Law & Politics. Universitat Oberta de Catalunya.

General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners, and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

- Users may download and print one copy of any publication from the public portal for the purpose of private study or research
- You may not further distribute the material or use it for any profit-making activity or commercial gain
- You may freely distribute the URL identifying the publication in the public portal

Take down policy
If you believe that this document breaches copyright, please contact us providing details, and we will remove access to the work immediately and investigate your claim.

Download date: 27 March 2019


Managing Risk In the Digital Society
Proceedings of the 13th International Conference on Internet, Law & Politics. Universitat Oberta de Catalunya, Barcelona, 29-30 June 2017

2017


MANAGING RISK IN THE DIGITAL SOCIETY

EDITORS

Benjamí Anglès Juanpere, Joan Balcells Padullés, Rosa Borge Bravo, Ana María Delgado García, Mirela Fiori, Maria Julià Barceló, Alessandro Mantelero, Clara Marsan Raventós, María José Pifarré de Moner, Mònica Vilasau Solana

© 2017, The authors
© 2017, Huygens Editorial

Padua, 20 bajo 1, 08023 Barcelona, www.huygens.es

ISBN: 978-84-697-4474-1
Published in Spain

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/.


GENERAL INDEX

INTRODUCCIÓN / INTRODUCTION ... 14

PROPIEDAD INTELECTUAL / INTELLECTUAL PROPERTY

TOO STRICT TO SUCCEED: HOW JUDGES STEP IN TO SEEK AND PROTECT FLEXIBILITY IN COPYRIGHT LAW. Kasper Drążewski ... 19
1. INTRODUCTION ... 19
2. THE ROOTS OF FLEXIBILITY: FAIR USE RULINGS IN THE U.S. ... 21
2.1. Flexibility in 'pre-transformative use' justifications ... 21
2.1.1. Even fair use must be applied flexibly: Harper & Row v. Nation Enterprises ... 22
2.2. Transformative use: a (vague) remedy to vagueness? ... 23
2.3. Non-paradigm cases: a flexible approach to the doctrine ... 23
2.3.1. Dr. Seuss v. Penguin Books ... 24
2.3.2. AP v. Meltwater ... 25
2.4. Looking for flexibility without fair use: examples of European copyright cases ... 26
2.4.1. Vorschaubilder I ... 26
2.4.2. Vorschaubilder II ... 28
2.4.3. SAIF v. Google Inc. and Google France ... 30
2.4.4. Megakini v. Google ... 32
3. SUMMARY ... 34
4. BIBLIOGRAPHY ... 35

DIGITAL SINGLE MARKET: A LONG WAY TO GO. Viola Elam ... 37

A PROPOSED MODEL FOR THE LEGAL STATUS OF CREATIONS BY ARTIFICIAL INTELLIGENCE SYSTEMS. Ana Ramalho ... 38
1. INTRODUCTION ... 38
2. CAN THE CURRENT COPYRIGHT FRAMEWORK OF AUTHORSHIP ACCOMMODATE AIS AS CREATORS? ... 39
2.1. The United States ... 39
2.2. The European Union ... 40
2.3. Australia ... 43
2.4. Interim conclusion ... 44
3. CURRENT POSSIBLE CONSTRUCTIONS – COMPUTER-GENERATED WORKS ... 44


4. SHOULD COPYRIGHT PROTECT AIS AS AUTHORS? ... 47
4.1. Why? Copyright rationales ... 47
4.2. Related rights rationales ... 50
4.3. A proposal: public domain? ... 51
5. CONCLUSION ... 53
6. BIBLIOGRAPHY ... 54

POLICING TRADEMARK INFRINGEMENT ON ONLINE SELLING PLATFORMS - AN ACCOUNT OF TENSIONS BETWEEN ISP LIABILITY, TRADEMARK PROTECTION AND COMPETITION LAW IN THE EU. Maria José Schmidt-Kessen ... 56
1. INTRODUCTION ... 56
2. TRADEMARK PROTECTION AND ISP LIABILITY ... 58
2.1. Increase in counterfeit trade as a challenge to trademark protection ... 58
2.2. EU Trademark Law and the IP Enforcement Directive ... 59
2.3. Online intermediary liability for trademark infringement – the CJEU's interpretation of the E-commerce Directive ... 61
2.4. Economic inefficiency of the online intermediary liability regime as interpreted by the CJEU ... 64
3. EU COMPETITION LAW AS AN OBSTACLE TO AN EFFICIENT TRADEMARK PROTECTION SYSTEM IN ONLINE RETAIL? ... 66
3.1. Internet selling bans and the CJEU judgment in Pierre Fabre ... 66
3.2. National Competition Authorities' and courts' assessment of online selling restraints ... 69
3.3. Making the tension visible ... 70
4. AN OPPORTUNITY TO ADDRESS THE TENSION - CASE C-230/16 COTY V AKZENTE ... 71
5. BIBLIOGRAPHY ... 72

PRIVACIDAD Y PROTECCIÓN DE DATOS / PRIVACY & DATA PROTECTION

A SWISS CHEESE? AUTOMATED DECISION MAKING AND ALGORITHMIC TRANSPARENCY IN THE EU DATA PROTECTION LEGISLATION. Maja Brkan ... 75

PERSONAL DATA PROTECTION AS A NONFUNCTIONAL REQUIREMENT IN THE SMART CITY'S DEVELOPMENT. Lorenzo Dalla Corte, Bastiaan van Loenen, Colette Cuijpers ... 76
1. INTRODUCTION ... 76
2. WHAT IS A SMART CITY? ... 78
2.1. The instrumentation of the built environment ... 81
2.2. Technology as policy ... 83
3. DATA PROTECTION AS A NONFUNCTIONAL REQUIREMENT ... 84
3.1. The right to data protection in the smart city environment ... 85
3.2. Value-Sensitive Design and data protection ... 87


4. CONCLUSION ... 89
5. ACKNOWLEDGEMENTS ... 89
6. BIBLIOGRAPHY ... 89

CIVIL LIABILITY OF PARENTS AND SCHOOLS FOR MINORS' MISUSE OF SOCIAL NETWORKS. Patricia Escribano Tortajada ... 93
1. INTRODUCTION ... 93
2. SOCIAL NETWORKS: CONCEPT, TYPOLOGY AND MINIMUM AGE FOR ACCESS ... 94
3. USE OF THE INTERNET AND SOCIAL NETWORKS BY MINORS ... 97
4. THE JUDGMENT OF THE PROVINCIAL COURT OF GUIPÚZCOA 139/2016, OF 27 MAY ... 100
5. CIVIL LIABILITY OF PARENTS AND SCHOOLS ... 103
6. CONCLUSIONS ... 106
7. BIBLIOGRAPHY ... 106

LEGAL RISKS OF DEEP PACKET INSPECTION OF TCP/IP PACKETS. José Luis González San Juan ... 109
1. INTRODUCTION ... 109
2. PRELIMINARY CONCEPTS ... 110
2.1. Distributed network and the end-to-end principle: net neutrality ... 110
2.2. ISO Open Systems Interconnection model and TCP/IP protocols ... 111
2.3. Packaging of data on the Internet ... 111
3. DEEP PACKET INSPECTION ... 113
4. MAIN USES OF DEEP PACKET INSPECTION ... 114
4.1. Private uses ... 114
4.2. Public uses ... 115
5. LEGAL RISKS OF DEEP PACKET INSPECTION ... 116
5.1. Conflicts with the secrecy of communications ... 116
5.2. Conflicts with personal and family privacy ... 118
5.3. Conflicts with the protection of personal data ... 119
5.4. Conflicts with freedom of expression and of information ... 120
5.5. Other legal risks of DPI ... 121
6. FIT OF DPI WITHIN CURRENT LEGISLATION ... 122
7. MEASURES TO MINIMISE THE RISKS OF DPI ... 123
8. CONCLUSIONS ... 125
9. BIBLIOGRAPHY ... 126

BUILDING A CYBERSECURITY CULTURE IN THE EU THROUGH MANDATORY NOTIFICATION OF DATA BREACHES AND INCIDENTS: DIFFERENCES AND SIMILARITIES OF DATA VULNERABILITY REPORTING TOOLS. Lina Jasmontaite ... 129
1. INTRODUCTION ... 129


2. INCIDENT NOTIFICATION UNDER THE NIS DIRECTIVE ... 131
2.1. The NIS Directive ... 131
2.2. Incident notification: New wine in old bottles ... 132
2.2.1. Definitions ... 132
2.3. The rationale ... 133
2.4. Practical implementation: High hopes for implementing acts ... 135
2.5. Vision of notifications: Close cooperation of all stakeholders ... 136
2.6. A light-touch regime for providers of digital services? ... 136
3. DATA BREACH NOTIFICATION UNDER THE GDPR ... 137
3.1. The GDPR ... 137
3.2. Definitions ... 138
3.3. The rationale ... 139
3.4. Not a game changer but… ... 140
4. INCIDENT NOTIFICATION AND DATA BREACHES: A COMPARISON OF APPLES AND ORANGES ... 141
5. CONCLUSION ... 142
6. BIBLIOGRAPHY ... 142

THE GENERAL DATA PROTECTION REGULATION AND THE RISE OF CERTIFICATION AS A REGULATORY INSTRUMENT. Eric Lachaud ... 144
1. INTRODUCTION ... 144
2. REGULATORY NATURE OF CERTIFICATION ... 146
2.1. Moving target ... 147
2.2. Extending Scope ... 150
2.3. GDPR and certification of fundamental rights ... 154
3. DATA PROTECTION MAKES OF CERTIFICATION A MONITORED SELF-REGULATION TOOL ... 159
3.1. Self-regulation ... 160
3.2. Co-regulation ... 162
3.2. Monitored self-regulation ... 167
4. CONCLUSION ... 168
5. BIBLIOGRAPHY ... 169

A TALE OF TWO RIGHTS: THE CLASH AND COLLABORATION OF RIGHT TO DATA PORTABILITY AND RIGHT TO BE FORGOTTEN. Wenlong Li ... 173
1. INTRODUCTION: GDPR AND TWO NOVEL RIGHTS ... 173
2.1. The right to be forgotten ... 175
2.2. The right to data portability ... 175
2. RELATIONSHIP BETWEEN THE TWO RIGHTS: Forgetfulness v. portability ... 177
2.1. From erasure to 'be forgotten' ... 177
2.2. Data portability and the precondition of data duplication ... 178
2.3. Forgetfulness v. portability ... 179
3. THE CLASH: 'MORE THAN ONE DATA SUBJECT IS INVOLVED' ... 179


3.1. Human's social nature and its reflection in the digital sphere ... 180
3.2. A comprehensive approach to privacy ... 180
3.2.1. Private-public dichotomy and the semi-private zone ... 181
3.2.2. Access-control dichotomy and control-based rights ... 182
3.2.3. Positive-negative freedoms ... 182
3.3. The balance: Interpretation of 'without prejudice to' ... 183
3.3.1. The GDPR solution ... 183
3.3.2. Lessons from access requirements ... 183
4. THE COLLABORATION: JOINT EXERCISE OF BOTH RIGHTS CONCERNED ... 185
4.1. Socio-economic context: the 'Switching' economy and individual use of personal data ... 186
4.2. Legal context: The failing consent mechanism and supplements of individual rights ... 187
5. CONCLUSION ... 189
6. BIBLIOGRAPHY ... 190

DATA PROTECTION BY PROCESS DESIGN: ADVANTAGES AND DISADVANTAGES. Santiago Martín-Romo Romero, Carmen de Pablos Heredero ... 192
1. PRIVACY BY DESIGN ... 192
2. THE STUDY CONDUCTED ... 193
2.1. The questions posed and the proposed answers ... 193
2.2. Study participants ... 199
2.3. Results obtained ... 200
3. CONCLUSIONS ... 204
4. BIBLIOGRAPHY ... 208

THE NEW GOVERNANCE MODEL OF THE RIGHT TO DATA PROTECTION IN EUROPE. Ramón Martín Miralles López, Joana Marí Cardona ... 211
1. THE NEED FOR A CHANGE OF MODEL ... 211
2. THE GENERAL DATA PROTECTION REGULATION: A MODEL FOCUSED ON ACCOUNTABILITY AND RISK ASSESSMENT ... 213
2.1. Privacy by design and by default ... 214
2.2. Data protection impact assessment (hereinafter DPIA) ... 215
2.3. Security principle and risk management ... 220
2.4. Data Protection Officer ... 222
2.5. Supervisory authorities ... 224
3. CONCLUSIONS ... 224
4. BIBLIOGRAPHY ... 225

LIFE BEYOND (DIGITAL) DEATH. THE PROTECTION OF DIGITAL WILLS IN THE REFORM OF CATALAN CIVIL LAW. Albert Ruda González ... 226
1. INTRODUCTION ... 226
2. WHETHER REGULATION IS NEEDED ... 227


3. THE FIGURES OF THE DIGITAL SUCCESSOR AND THE DIGITAL PROXY ... 230
4. MANAGEMENT OF DIGITAL ASSETS OR ACCOUNTS ... 233
5. CONCLUSION ... 237
6. BIBLIOGRAPHY ... 238

COLLECTIVE ACTIONS WITHIN THE FRAMEWORK OF THE GENERAL DATA PROTECTION REGULATION. Natalia Wilson Aponte ... 240
1. INTRODUCTION ... 240
2. OVERVIEW OF COLLECTIVE ACTIONS IN THE EUROPEAN UNION ... 244
2.1. Collective actions in EU Member States ... 246
2.2. Collective actions in Spain ... 247
3. COLLECTIVE ACTIONS IN THE DATA PROTECTION REGULATION ... 250
4. PROS AND CONS ... 253
5. BIBLIOGRAPHY ... 256

COMERCIO ELECTRÓNICO Y MERCADO DIGITAL / E-COMMERCE & DIGITAL MARKET

THE EUROPEAN COMMISSION'S PRELIMINARY REPORT ON THE E-COMMERCE SECTOR INQUIRY: COMPETITION ENFORCEMENT IN DIGITAL CONTENT MARKETS. Konstantina Bania ... 259
1. INTRODUCTION ... 259
2. BUNDLING OF RIGHTS ... 260
3. EXCLUSIVITY COMBINED WITH LONG DURATION ... 263
4. TERRITORIAL RESTRICTIONS ... 267
4.1. Specific market conditions from the perspective of rights holders ... 267
4.2. Specific market conditions from the perspective of licensees ... 268
5. CONCLUSIONS ... 269
6. BIBLIOGRAPHY ... 270

THE IMMEDIATE SUPPLY OF INFORMATION IN VALUE ADDED TAX. Ana María Delgado García, Rafael Oliver Cuello ... 273
1. INTRODUCTION ... 273
2. OBJECTIVES OF THE NEW MANAGEMENT SYSTEM ... 275
3. SUBJECTIVE SCOPE ... 277
4. THE OPTION OF KEEPING THE REGISTER BOOKS ELECTRONICALLY ... 279
5. CONTENT OF THE INFORMATION TO BE SUPPLIED ... 280
6. DEADLINES FOR THE ELECTRONIC SUBMISSION OF ENTRIES ... 282
7. MODIFICATION OF FORMAL OBLIGATIONS ... 283
8. PENALTY REGIME ... 285
9. CONCLUSIONS ... 286
10. BIBLIOGRAPHY ... 287


ROL Y RÉGIMEN JURÍDICO DE LA PLATAFORMA EN LÍNEA EN EL DISCUSSION DRAFT OF A DIRECTIVE ON ONLINE INTERMEDIARY PLATFORMS. Adrian Di Pizzo Chiacchio ................. 288

1. INTRODUCCIÓN: LA NECESIDAD DE REGULAR LA ACTIVIDAD DE LAS PLATA-FORMAS DIGITALES ............................................................................................................. 289

2. EL ROL QUE DESEMPEÑA LA PLATAFORMA DIGITAL ................................................ 2912.1. La plataforma digital como servicio de la sociedad de la información ................................. 2912.2. De la relación bilateral a la relación triangular: ¿quién es qué? ........................................... 293

3. EL (DES)ENCAJE DE LA PLATAFORMA DIGITAL EN LA NORMATIVA DE CONSUMO ACTUAL: ¿NECESITAMOS UNA DIRECTIVA SOBRE PLATAFORMAS EN LÍNEA? ........... 2943.1. Aproximación a la regulación de las plataformas en línea ................................................... 2943.2. El régimen de las plataformas en línea en la PDPL ............................................................. 296

3.2.1. The material scope of application and the preliminary definitions ..... 296
3.2.2. Feedback-based reputation systems ..... 297
3.2.3. The platform's information duties ..... 299
3.2.4. The platform's liability regime ..... 301

4. CONCLUSIONS ..... 302
5. BIBLIOGRAPHY ..... 303

LEGAL UNCERTAINTY: PROPOSED REGULATION ON ADDRESSING GEO-BLOCKING. Maria Lorena Florez Rojas ................................................................................................................ 305

1. INTRODUCTION ..... 305
2. DISCRIMINATORY PRACTICES AMONG EUROPEAN UNION ..... 307
3. GENERAL PROHIBITION OF NON-DISCRIMINATION ..... 310

3.1. Legal Uncertainties ..... 311
3.2. Lack of enforcement actions by national authorities ..... 312

4. PROPOSED REGULATION ON ADDRESSING GEO-BLOCKING ..... 314
4.1. Scope of application ..... 315
4.2. Pitfalls of the geo-blocking proposal ..... 316

5. CONCLUSIONS ..... 318
6. BIBLIOGRAPHY ..... 319

ALLOCATING JURISDICTION AND APPLICABLE LAW AFTER GDPR: THE PERSPECTIVE OF OVERALL DAMAGES’ CLAIMS. Maiia Otchenash .................................................................. 323

1. INTRODUCTION ..... 324
2. ALLOCATING JURISDICTION IN DATA PROTECTION CLAIMS AFTER GDPR ..... 326

2.1. The current scope of application of Brussels Recast for online data protection cases and its interaction with the art.79 of GDPR ................................................................................ 327

2.2. The situation for claiming worldwide damages in online data protection cases after GDPR ..... 330
2.2.1. Jurisdictional criteria for online infringements under the Brussels Recast and in the case law of the Court of Justice of European Union (the CJEU) ..... 330
2.2.2. The Shevill test and jurisdictional rules in the litigations concerning protection of personal rights ..... 332
2.2.3. Allocation of the liability for damages' compensation between controllers and processors in GDPR ..... 334


3. EXTENDED TERRITORIAL SCOPE OF GDPR AND APPLICABLE LAW ..... 334
3.1. The role of the main establishment of the data controller in the sense of GDPR's applicability ..... 334
3.2. Non-EU "established" companies who "target" or "monitor" EU data subjects ..... 336
3.3. The practical application of "monitoring" after GDPR ..... 337

4. UNIVERSAL APPLICATION OF GDPR IN TERMS OF DAMAGES' CLAIMS ..... 338
5. CONCLUDING REMARKS ..... 339
6. BIBLIOGRAPHY ..... 340

THE PROTECTION OF IP ADDRESSES IN PEER-TO-PEER (P2P) NETWORKS. Dr. Nafiye Yücedağ .......................................................................................................................................... 342

1. INTRODUCTION ..... 342
2. THE CHARACTERIZATION OF IP ADDRESSES AS PERSONAL DATA ..... 343

2.1. The Differing Positions of Swiss Law and German Law ..... 343
2.2. The input of the European Court of Justice ..... 345

3. THE LAWFUL PROCESSING OF IP ADDRESSES BY COPYRIGHT HOLDERS ..... 347
3.1. The Lawful Processing of Data Made Available to the Public ..... 347

3.1.1. General Overview: A Two-Fold Test? ..... 347
3.1.2. Are IP Addresses Made Available to the Public in P2P Networks? ..... 350

3.2. The Overweighting Interest of the Controller ..... 352
3.2.1. The Balancing Test ..... 352
3.2.2. The Balancing Test Applied to the Interest of the Copyright Holder ..... 354

4. CONCLUSION ..... 356
5. BIBLIOGRAPHY ..... 357

INTERNET, POLÍTICA Y SOCIEDAD / INTERNET, POLITICS & SOCIETY

TOWARDS A MAP-BASED ACCOUNTABILITY FOR ENVIRONMENTAL HEALTH RISK? THE CASE OF THE EQUATORIAL ASIAN HAZE. Anna Berti Suman ................................................... 359

1. THE HAZE CHALLENGE IN EQUATORIAL ASIA ..... 359
1.1. The regional scenario ..... 360
1.2. Where the danger comes from ..... 361
1.3. Impacts of the haze on public health ..... 361
1.4. Methodology ..... 364

2. THE RESPONSE OF THE INTERNATIONAL COMMUNITY ..... 365
2.1. The letter from UN special rapporteurs on HRs ..... 365
2.2. The claims against the Indonesian Government ..... 365
2.3. Human Rights breaches according to the special rapporteurs ..... 366

3. THE MAPS, A DIGITAL SOLUTION ..... 366
3.1. Mapping tools as a response to the haze ..... 366
3.2. Institutional initiatives ..... 367
3.3. Non-institutional initiatives ..... 368


4. DISCUSSION: THE DIGITAL MAPS AS COURT EVIDENCE AND A WARNING FOR THE GOVERNMENT ..... 370
4.1. Maps as authoritative evidence ..... 370

4.1.1. The provisions of local legislation for maps against the haze ..... 370
4.1.2. A doctrinal opinion on digital (maps) evidence in Singapore ..... 372
4.1.3. Case law on digital maps used as evidence of the haze ..... 373

4.2. A recent development in the Haze Litigation ..... 374
5. CONCLUSION ..... 376
6. RECOMMENDATIONS: the multilateral and grassroots approach ..... 377
7. BIBLIOGRAPHY ..... 377

TWITTER ACTIVISM IN THE FACE OF NATIONALIST MOBILIZATION: THE CASE OF THE 2016 CATALAN DIADA. Toni Rodon, Francesc Martori, Jordi Cuadros .............................................. 381


INTRODUCTION

Benjamí Anglès Juanpere
Joan Balcells Padullés
Rosa Borge Bravo
Ana María Delgado García
Mirela Fiori
Maria Julià Barceló
Alessandro Mantelero
Clara Marsan Raventós
María José Pifarré de Moner
Mònica Vilasau Solana

Managing Risk in the Digital Society has been the central theme of the 13th International Conference on Internet, Law and Politics (Barcelona, 29-30 June 2017), organized by the Law and Political Science Studies of the Universitat Oberta de Catalunya.

Since the 1990s the concept of the risk society has strongly penetrated many fields of the social sciences and humanities. In law and political science, the risk society has been a concept that has channelled the analysis of the risks inherent in contemporary society and of how they are made subject to regulation. With the irruption of the new information and communication technologies, this risk society has undergone a profound change. ICTs are closely related to risk, since they are both generators of risks and means of avoiding them. The challenge before us is therefore to manage the risks inherent in the digital era.

When the concept of the risk society was born at the hands of Beck and Giddens, the Internet and ICTs were at an embryonic stage of development. Even then, however, it was sensed that ICTs would be one of the paradigmatic fields in terms of the increasing complexity of modernity. Three decades after the irruption of this concept, and after seeing how it has enabled the study and management of risk, it is necessary to open a deep debate on the current state of risk management in the digital society.

It is therefore necessary to analyse ICTs as generators of new risks and to assess how society is facing them, just as it is necessary to reflect on how ICTs have influenced the perception and treatment of social risks. Which uses of technology are associated with particular risks? How does society perceive risks, new and traditional? Are risks an opportunity for change and social improvement? How do we prevent them, and who is legitimately entitled to regulate them and set the limits? These and other questions have been the object of debate within the Conference.

The general development of the Internet, and in particular the irruption of big data and the Internet of Things, have been a key step forward for the development of society in matters such as health, security, quality of life, the saving of time and energy, or citizen empowerment, which has brought multiple benefits, large and small, to humanity. However, there are numerous uses of ICTs that, more or less immediately, may raise conflicts with fundamental rights, such as the right to privacy, the right to freedom of expression and information, or even new rights shaped within this technological risk society, such as the right to informational self-determination.

We must ask to what extent private actors, mainly the large multinationals, can determine the new rules and limits of the development of ICTs. We are witnessing a growing phenomenon of self-regulation in which certain sectors set their own codes of conduct and refer the resolution of possible conflicts to arbitration. Is democratic legitimacy being undermined by these measures? What should be the impassable limit on the regulatory autonomy of private actors? Can the market set its own rules, bearing in mind that in most cases they will be determined by what technology makes it possible to do? On the other hand, in the face of these new perceptions of risk, the legislator has been expanding criminal law to give a quick response to the management of this risk, undermining the guarantees hitherto intrinsic to the criminal systems of the democratic state under the rule of law.

An increasingly global society generates new risks that require a political response, from environmental challenges to the management of phenomena such as migration, terrorism or growing inequality. Likewise, the digital world has accelerated the processes of political transformation, pushing towards a society that is ever more interconnected but at the same time disconnected from its main political institutions, which raises many new questions. ICTs have opened public spaces that force us to rethink the monopoly of the traditional political actors and their relationship with citizens. Digital media have fragmented and revolutionized the communication landscape beyond the usual generators of public opinion. The Internet has given way to new forms of contestation and protest beyond physical borders and has enabled the articulation of new political forces that question the established order. Phenomena such as Wikileaks have exposed the vulnerability of the system when it comes to keeping information secret and under control. In short, the digital world opens new spaces and opportunities for rethinking the current political order while at the same time accentuating risks and uncertainties.

This proceedings book gathers the papers that, after a peer-review process, have been accepted for the Conference. The book is structured in four thematic blocks that address the main risks and challenges of today's digital society from the academic fields of law and political science. These blocks are the following: (1) intellectual property, (2) privacy and data protection, (3) e-commerce and digital market, and (4) Internet, politics and society.

We take this opportunity to express our most sincere thanks both to the authors of the papers and to their reviewers, who have taken part in this edition and have once again helped to make this Conference an international forum of reference.

INTRODUCTION

Managing Risk in the Digital Society has been the central theme of the 13th International Conference on Internet, Law & Politics (Barcelona, 29-30 June 2017) organized by the Faculty of Law and Political Science of the Universitat Oberta de Catalunya.

Since the 1990s, the concept of risk society has deeply penetrated many fields of the social sciences and humanities. From law and political science, the Risk Society has been a concept that has channelled the analysis of risks inherent in contemporary society and how they are regulated. With the emergence of the new information and communication technologies there has been a profound change in this risk society. ICT are closely related to risk, as they are both generators of risks and a means of avoiding them. Thus, the challenge facing us is to manage the risks inherent in the digital era.

When the concept of risk society was created by Beck and Giddens, Internet and ICT were in a state of embryonic development. Nevertheless, it was already felt that ICT would be one of the paradigmatic fields in terms of the rising complexity of modernity. Three decades after the appearance of this concept, during which risk has been studied and managed, a wide-ranging debate must be opened on the current state of risk in the digital society.

Therefore, we must analyse ICT as generators of new risks and assess how society is confronting them; just as we must reflect on how ICT have influenced the perception and treatment of social risks. What uses of technology are associated with specific risks? How does society perceive risks, new and traditional? Are risks an opportunity to change and improve society? How do we anticipate them and who is entitled to regulate them and establish their limits? These and other questions have been the object of the debate within the Conference.

The general development of the Internet, and specifically the rise of big data or the Internet of Things, have meant a key step forward for the development of society in issues such as health, security, quality of life, saving time and energy or citizen empowerment, which has brought multiple benefits, big and small, to humanity. However, there are numerous uses of ICT that more or less immediately can pose conflicts in relation to fundamental rights, such as the right to privacy, the right to freedom of expression and information, and even new rights developed within this technological society of risk, such as the right to informational self-determination.

We must ask how far the private actors, mainly the big multinationals, can determine the new rules and limits of the development of ICT. We are witnessing a growing phenomenon of self-regulation in which specific sectors establish their own codes of conduct and refer the resolution of possible conflicts to arbitration. Is democratic legitimacy being undermined by these measures? What should the impassable limit on the regulating autonomy of private actors be? Can the market establish its own rules, bearing in mind that in most cases they will be determined by what technology permits? Furthermore, given these new perceptions of risk, the legislator has been expanding criminal law to give a quick response to managing this risk, undermining the guarantees so far intrinsic to the criminal systems of the democratic state and the rule of law.

An increasingly global society generates new risks that need a political response, from the environmental challenges to the management of phenomena such as migration, terrorism or growing inequality. Moreover, the digital world has accelerated the processes of political transformation, pressuring towards a society that is ever more interconnected but at the same time disconnected from its main political institutions, which poses new and numerous questions. ICT have opened public spaces that oblige us to rethink the monopoly of the traditional political actors and their relationship with citizens. The digital media have fragmented and revolutionized the panorama of communication beyond the usual public opinion generators. The Internet has given way to new forms of protest beyond physical borders, allowing the articulation of new political forces that question the established order. Phenomena such as Wikileaks have made clear the vulnerability of the system when keeping information secret and under control. In short, the digital world opens new spaces and opportunities to rethink the current political order while highlighting the risks and uncertainties.

This proceedings book contains the papers that, after a process of peer-review, have been accepted for the Conference. The book is structured in four thematic areas focused on the risks and challenges of the digital society from the standpoint of law and political science. These four areas are the following ones: (1) intellectual property, (2) privacy & data protection, (3) e-commerce and digital market, and (4) Internet, politics & society.

We would like to take this opportunity to sincerely thank both the authors of the papers and the reviewers who have participated in this edition. All of them have contributed once again to making this Conference an international forum of reference.


PROPIEDAD INTELECTUAL / INTELLECTUAL PROPERTY


TOO STRICT TO SUCCEED: HOW JUDGES STEP IN TO SEEK AND PROTECT FLEXIBILITY IN COPYRIGHT LAW

Kasper Drążewski
Ph.D. Candidate, Law Department, European University Institute, Florence, Italy.

ABSTRACT: The announcement of the proposed changes in EU copyright law came as a cold shower to all those hoping for signs of a more flexible copyright regime, better suited for the digital reality and leaving some headroom for innovation. Sadly, despite the lengthy process and public consultations, with requirements such as that of internet service providers actively policing the Web and its users, it appears that we are all but solidifying the walls around intellectual property, an approach raising controversy regarding its viability and creation of new entry barriers for start-ups, independent coders and creators.

Copyright is unique as it deals with human creativity; and human creativity is both limitless and unpredictable. Now, at a time when the proposals for the EU Copyright Directive are under scrutiny for their conservatism, we might do well to remember what, in the recent past, courts of law have been forced to do when confronted with a regulatory framework too strict to keep in line with the reality of the copyright cases at hand. This paper looks at sample cases of U.S. judges who had to considerably stretch the convenient doctrine of transformative use when it was imposing restrictions upon dealing justice. This is confronted with examples of borderline judicial activism from German, French and Spanish judges in their search for legal means to keep the door open for innovation.

KEYWORDS: overregulation, fair use, copyright flexibility, copyright exceptions, judicial activism

1. INTRODUCTION

The following is a story of the risk of overregulation in copyright law, and how the flexibility of its application has been defended by judges on both sides of the Atlantic, by treating loosely (or stepping outside) a well-grounded doctrine (in the U.S.) and building creative if inconsistent constructs when faced with insufficient latitude within the system of copyright proper (in Europe). Such acts, at times bordering upon judicial activism, should be viewed as symptomatic of an overregulated system of law.

When ruling in favour of the digitizing of books for search and accessibility uses in the Hathitrust case,1 Judge Baer made his famous comment on the value of this contribution to the progress of science and creative arts being so immense that it could not have been deemed not to constitute fair use. This touched upon a point that has been present in discussions around copyright for a long time: that of adequately balancing copyright protection of existing works, when faced with new creative developments that build on other people's intellectual property in ways that do not fit within the existing legislative (or doctrinal) framework. The answer to this is usually to apply an individual approach to every case and ensure a level of flexibility to balance the interests involved; in a rigidly regulated system, however, this poses a challenge.

1 Author's Guild v. Hathitrust, 755 F.3d 87 (2d Cir. 2014).

The copyright flexibilities allowed by the U.S. fair use system are not without faults. The system attracts criticism for its vagueness, legal uncertainty and the potential to lead to arbitrary decision-making. To address that, the transformative use doctrine proposed by Pierre Leval2 and picked up by the Supreme Court3 in the early 1990s aimed to bring order into the perceived chaos, shifting the accents in judicial reasoning and attempting to define a clear standard of what fair use really is. Since then, 'transformativeness' of creative work has become a major criterion in determining fair use. Interestingly, however, despite criticism for being vague in itself,4 the doctrine, as will be demonstrated, has also been sidestepped by judges where it proved too rigid and restricting the flexibility guaranteed by law.

From this perspective, the paper then offers a critique of a few analogous cases in Europe to illustrate how European judges pursued a similar position, yet at a greater effort due to the less permitting legislation. Here the challenge required finding a way to preserve a useful invention which did not fit within a rigid legal framework. These efforts, as seemingly going against the letter of the law, could be seen as judicial activism; in any case, the claim is that they were all symptomatic of a system regulated too tightly to allow for new inventions which put the established ways of thinking to the test.

2 Leval, P.N., Toward a Fair Use Standard, 103 Harv. L. Rev. 105, 1105 (1990), p. 1107.
3 Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569 (1994).
4 See generally Zimmermann, Diane, 'The More Things Change, The Less They Seem 'Transformed'; Some Reflections on Fair Use', 46 J. Copyright Soc'y 251 (1998).


2. THE ROOTS OF FLEXIBILITY: FAIR USE RULINGS IN THE U.S.

2.1. Flexibility in ‘pre-transformative use’ justifications

The 1976 U.S. Copyright Act, introducing the fair use considerations of today,5 codified a doctrine originating from common law, one long thought necessary to fulfill 'copyright's very purpose to promote the progress of science and useful arts'.6 Long before codification, these considerations arose as a framework ensuring a level of judicial latitude for delicate matters of potentially fair uses. In the landmark 1841 pirating case of Folsom v. Marsh,7 Justice Story observed how the question of piracy often depended:

upon a nice balance of the comparative use made in one of the materials of the other; the nature, extent, and value of the materials thus used; the objects of each work; and the degree to which each writer may be fairly presumed to have resorted to […] common sources of information, or to have exercised the same common diligence in the selection and arrangement of the materials.

The court noted that a wide interval exists between uses which are clearly infringing and clearly fair, demanding caution in making such assessments. Earlier comments at the time observed that such cases demanded caution in examining the nature of the secondary work, the value and extent of the copies, and the injury upon the original authors.8

Folsom v. Marsh is often cited as the first fair use case; given its language, it is more likely based on (and summarizing) an already existing practice. In doing that, it takes on a similar endeavor as that of Leval; to draw a framework around judicial practice developed in response to a complicated matter where statutory law may only aspire to codify standards coined by judges,9 taking great caution not to restrict them – even if, as often noted regarding the codification of the fair use factors, such regulations sound too broad to be meaningful without the body of case law behind them.

5 Enumerated by Section 17 of the Copyright Code, these include: examining the purpose and character of the use, the nature of the copyrighted work, how much is being taken and the effect upon the potential market.

6 Campbell, quoting the U.S. Constitution.
7 Story, J., Folsom v. Marsh, 9 F. Cas. 342, 348 (No. 4,901) (CCD Mass. 1841)
8 Lord Chancellor Cottenham, in Saunders v. Smith, 3 Mylne & C. 711
9 Campbell, Ibid.


2.1.1. Even fair use must be applied flexibly: Harper & Row v. Nation Enterprises

A memorable case of when the U.S. Supreme Court advocated for flexibility in applying fair use provisions, Harper & Row has its roots in 1977, when, shortly after stepping down, President Gerald Ford made a contract with Harper & Row and Reader's Digest for the publication of his memoirs, still unwritten at the time. These were anticipated due to the expected information about the Watergate scandal and Ford's pardoning of Nixon; consequently, pre-publication rights were bought by Time Magazine. Unexpectedly, the manuscript was leaked to The Nation, who produced a short piece using material from the manuscript. Time canceled its agreement and the licensees sued for infringement. The court of first instance ruled for the plaintiffs; on appeal the ruling was reversed on grounds of public usability. The Court of Appeals stated that it was not the aim of the law 'to impede that harvest of knowledge so necessary to a democratic state' or 'chill the activities of the press by forbidding a circumscribed use of copyrighted words.'10 This wording was later upheld by the Supreme Court, who nevertheless reversed the opinion.11 Quoting the Constitution Copyright Clause about promoting 'progress of Science and of useful Arts'12 in connection with Sony Corp. of America v. Universal City Studios, it observed that the purpose of copyright was to serve as:

a means by which an important public purpose may be achieved. It is intended to motivate the creative activity of authors and inventors […] and to allow the public access to the products of their genius after the limited period of exclusive control has expired.

It is worth observing that the Clause gets quoted by courts both in judgments finding in favor of fair use and those that do not.13 What is also significant in Harper & Row v. Nation Enterprises from the perspective of this analysis, is that the case was later quoted for the Supreme Court’s flexible approach to fair use itself, by stressing the importance of tailoring of fair use analysis to the particular case.14

10 723 F.2d 195, 205 (1983) at 197, 209.
11 Harper & Row v. Nation Enterprises, 471 U.S. 539 (1985), cit. 6.
12 Article I, Section 8, Clause 8, of the United States Constitution.
13 See e.g. Authors Guild v. Google, Inc., 13-4829-cv, decided October 16, 2015.
14 See e.g. Salinger v. Random House, Inc., 811 F.2d 90 (2d Cir. 1987).


2.2. Transformative use: a (vague) remedy to vagueness?

For a criterion so often used in fair use cases, to a lawyer coming from the civil law tradition it may be striking how transformative use is, in fact, not a creation of the lawmaker but found its way into doctrine after a scholarly article.15 In his analysis, Leval observed that decisions in fair use cases were not governed by consistent principles; they resembled more ‘intuitive reactions to individual fact patterns’, rendering the system unpredictable. This, he feared, caused the nature and character of fair use to become lost. He argued that it should be seen as a ‘rational, integral part of copyright, whose observance is necessary to achieve the objectives of that law’. The most crucial, he claimed, was the first of the statutory fair use factors, i.e. the purpose and character of the use, coupled with an examination of whether the use is, in fact, ‘transformative’. The term he defined as one encompassing earlier judicial considerations of a use being ‘productive’ in bringing new benefits to the public, but also employing the quoted work in a different manner, or for a different purpose from the original. In other words, the test would be passed by a use that is both productive and serves goals different from those of the original work, by creating ‘new information, new aesthetics, new insights and understandings’.16

Despite Leval’s effort to keep the founding analysis straightforward, in the years that followed the term ‘transformative use’ faced criticism for being too indeterminate to serve a valid purpose in court. As observed by Diane Zimmermann,17 this has led to disagreements between appellate panels of the same court: one bench would hold that finding a ‘transformative purpose’ renders it irrelevant whether the borrowed material is included in a ‘new mode of presentation’ or not;18 another would claim the exact opposite.19

2.3. Non-paradigm cases: a flexible approach to the doctrine

The following rulings serve as an illustration of the controversies that surrounded the ‘transformative’ doctrine, and, to a degree, continue to this day. They offer a valuable insight into what happens when the judge faces an incompatibility between the doctrine and the flexibility considerations written into law.

15 Leval, Ibid.
16 Leval, Ibid.
17 Zimmermann, Ibid.
18 Referring to Castle Rock, 150 F.3d at 142-43 and Infinity Broad. Corp. v. Kirkwood, 150 F.3d 104, 108 (2d Cir. 1998).
19 Ibid.


24 TOO STRICT TO SUCCEED: HOW JUDGES STEP IN TO SEEK AND PROTECT...

2.3.1. Dr. Seuss v. Penguin Books20

In 1995, Alan Katz and Chris Wrinn created an illustrated book meant as a rhyming-verse satire on O.J. Simpson’s murder trial that made a reference to the 1957 novel ‘Cat in the Hat’ by Theodor S. Geisel, published under the pseudonym of Dr. Seuss. Katz and Wrinn’s book, entitled ‘The Cat NOT in the Hat – a Parody’, was published with Penguin Books under the pseudonym of Dr. Juice. It included a drawing of a character wearing a similar hat and made general references to the characteristic style of the original. Sued for breach of copyright, Penguin stated that infringement could not be based on the title of the parody (since, as a matter of statutory construction, titles could not claim statutory copyright); similarly, no claim of ownership could be made on the design of lettering, stylized neologisms and onomatopoeia; if this reasoning were to fail, Penguin claimed a fair use defense on grounds of parody. Still, injunctive relief was granted and the case was appealed.

The Court of Appeals observed that a distinction must be made between a parody (as claimed in the appeal) and satire. This distinction was crucial as the Penguin book did not make an attempt to ridicule the original ‘Cat in the Hat’; au contraire, it merely copied its distinctive style without actually conjuring either its substance or its content. As such, the work could not be seen as a parody of the original work as ‘no effort was made to create a transformative work with “new expression, meaning, or message”’.21

The non-transformative verdict in Dr. Seuss Enterprises v. Penguin Books has been cited as surprising not so much in view of its finding against fair use; rather, it was criticised for stating ‘non-transformativeness’ even though the public was clearly provided ‘with a new or reworked product’.22 This makes the language used in the verdict seem counterintuitive. The work in question was made in a way that would seem highly ‘transformative’ by the popular understanding of the word; there also was clearly no market substitution. Being a satire and not a parody, the work had failed to satisfy the first statutory fair use factor and thus the fair use exception could not be claimed. Still, the court chose to address the ‘transformative’ aspect and find against it. The case shows an interesting dynamic between the statutory considerations and the ‘transformative use’ doctrine. On the one hand, the doctrine had become so embedded in judicial practice that the court would hesitate to openly reject it; on the other, the ruling is firmly rooted in the flexibility ensured by the law and, in a less than transparent way, dismissed the doctrine which, though intended to introduce greater legal certainty, proved overly rigid in this case.

20 Dr. Seuss Enterprises, L.P. v. Penguin Books USA, Inc., 109 F.3d 1394 (9th Cir. 1997).
21 Dr Seuss, Ibid.
22 Zimmermann, Ibid, p. 4.


2.3.2. AP v. Meltwater23

A more recent case demonstrating the vagueness of the ‘transformative use’ term and its even looser application, the 2013 Associated Press v. Meltwater was a copyright dispute over a news-monitoring service offered by Meltwater since 2005. Meltwater indexed and scraped news stories off the Web and sent daily snippets to its subscribers, matched to their pre-defined search queries. It also allowed real-time ad hoc searches, with results also offered as snippets. Every matched article was labeled to identify the article’s source, such as the publisher and country of origin, and contained two snippets: a 300-character-long opening of the article, and then a 140-character line of text with the highlighted search phrase that triggered the match. The user could then click the provided link to be transferred to the original material. Where the original material had already been removed, the result would be that of following a broken or outdated link. Associated Press considered this an infringement of copyright in the materials in question and filed suit. Meltwater argued that its use was transformative, using content for a new purpose, as an ‘information-location’ tool.

The SDNY court observed that AP’s business model included licensing access to the news stories it created, including licensing to entities offering a snippet functionality similar to that of Meltwater. It noted that Meltwater had been marketing its service as one to trace and monitor media coverage and to stay informed on current events; it also observed that the Meltwater service had been described as allowing users ‘not to read the whole article’ and thus saving time.24

In the fair use analysis, the court cited Infinity Broadcast to say that ‘use of copyrighted material that merely repackages or republishes the original is unlikely to be deemed a fair use’ and a ‘change of format, though useful’ is not transformative.25 Then, quoting Leval, it made a point about the original material being used as ‘raw material, transformed in the creation of new information, new aesthetics, new insights and understandings’. On this basis, the court found the use non-transformative, as Meltwater used computer programs to ‘automatically capture and republish designated segments of text from news articles, without adding any commentary or insight in its News Reports.’26 The court refused to consider Meltwater a search engine; on the contrary, due to its marketing, which had made references to substituting the original material, it was considered to have built a business model around ‘consistent copying of creative expression’ that was not transformative. Meltwater was found to make money directly from ‘undiluted use’ of protected material, conveying an intent of serving as a substitute for AP’s news service. The court ended on a strong note that ‘permitting Meltwater to take the fruit of AP’s labor for its own profit, without compensating AP, injures AP’s ability to perform this essential function of democracy’.

23 The Associated Press v. Meltwater U.S. Holdings, Inc. et al, No. 1:2012cv01087 - D 156 (S.D.N.Y. 2013).
24 Meltwater, p. 10.
25 Infinity Broadcast Corp., 150 F.3d at 108 & n.2.
26 Meltwater, p. 33.

The AP position and the SDNY ruling have met with criticism on many levels. In its amicus curiae brief of 2013, the Electronic Frontier Foundation criticized AP’s approach, citing a multitude of cases where transformative use has been defined in favor of electronic search services; some authors noted the court had become unnecessarily focused on matters of competition, since AP had been licensing access to companies offering news monitoring and snippet view; others addressed the brusque manner the court displayed towards transformative use, despite strong similarities to other content indexing/snippet view applications. The fact that the use of source material had clearly served a new purpose and offered a range of possibilities with hardly any market substitution did not sway the court in its highly flexible approach to the transformative use doctrine.

2.4. Looking for flexibility without fair use: examples of European copyright cases

2.4.1. Vorschaubilder I27

A strong example of a case where a circumscribed legal framework forced the court to improvise in view of the lack of a suitable exception in the law, the 2010 Vorschaubilder I case argued before the German Federal Supreme Court pertained to the use of thumbnail pictures by Google in its search results. The functionality pertained to using an automated service for making and storing smaller-sized copies of images found on websites (thumbnails of approx. 100x150 pixels, yet ‘retaining the essential creative features’), without permission of the copyright holders, and using them in the course of commercial activity. By doing so, Google violated § 15.2.2 of the Author’s Law (UrhG) in connection with § 19a which secures the exclusive right to make one’s works accessible to the public, at a time and place individually chosen.28

The plaintiff was a visual artist, running a website containing pictures of her works since 2003. In 2005, she entered her name into Google and was presented with search results involving thumbnail pictures created using her own art presented on her website. Seeing this as a copyright infringement, the plaintiff sought injunctive relief in court to prohibit the reproduction, publication and modification of her copyrighted work.

27 BGH, Urteil vom 29. 4. 2010 – I ZR 69/08 – Vorschaubilder I
28 UrhG §§ 19a.

Google stated that the use of the images fell under copyright exemptions for transient or incidental reproduction of no economic significance (§44a of the UrhG), and even if that was not found to be the case, the plaintiff had herself put the images on the Web by publishing them on her website, which signified an ‘implicit acquiescence’ for the images to be accessed and processed by search services. Moreover, the website had undergone search engine optimization to ‘lure’ search engines to it by inclusion of characteristic ‘meta’ elements also influencing the behavior of the search function. The case was dismissed in the first instance and again on appeal,29 then submitted to the Federal Supreme Court for review.

The Jena Court of Appeals (Oberlandesgericht) observed that the pictures were indeed protected works of art whose digitalization did not deprive them of protection, and that including them in search results may have infringed the right to make them available to the public as mentioned in § 19a in connection with § 15, subsec. 2, item 2 of the UrhG. Nevertheless, creation and use of thumbnails constituted a transformation of the original work which required consent by the author of the primary work under §23 UrhG, and this consent had not been granted. The court noted that shrunken versions of the images did not qualify as quotation; similarly, Google’s ‘transient or incidental reproduction of no economic significance’ defense under § 44a was rejected, as the use of thumbnails was of a lasting nature with continuous earning opportunities, e.g. from advertising. Lastly, implied consent could not be claimed on the basis of merely posting images on a website without protective measures. However, an injunction against the search engine operator would be considered an ‘abuse of rights’, citing § 242 BGB. This abuse was seen in the contradictory behavior of the plaintiff: the artist had optimized the source code on her website to attract automated content-analyzing services, and then opposed a ‘customary process’ of the services in question with reference to transforming her content into thumbnails. On these grounds, revision of the judgment was refused.

On final appeal, the Bundesgerichtshof affirmed that the defendant had interfered with the exclusive right of the applicant to exploit her works in tangible form (§ 15 Abs. 1 UrhG). The digital images on the plaintiff’s website constituted ‘physical fixations’ of her paintings and copies within the meaning of the UrhG. The thumbnail pictures reduced the works in size, but without any ‘essential changes’, and thus remained identical to the original works. In this regard, the court observed, even further-reaching transformations that would still be devoid of their ‘own creative expression’ would still be considered a remodeling of the original work and thus still fall under the same category due to lack of originality and the ‘matching overall impression’ (übereinstimmender Gesamteindruck). The court then noted that, by storing thumbnails independently of their source, and controlling their availability through its services, Google met the criteria of § 19a (making them publicly available). The fact that an Internet user first needed to enter a search phrase for the thumbnails to be retrieved and displayed did not change the fact that the use was effected and controlled by the defendant. The court also ruled out the application of copyright exceptions for standalone work created through free use of another person’s work, which would have been allowed under § 24 UrhG. Merely by virtue of shrinking an image, yet retaining the essential creative properties of the original, it could not be claimed that a transformation had been created.

29 OLG Jena GRUR-RR 2008, 223.

Nevertheless, the court observed, the defendant’s action was not illegal, due to consent of the plaintiff, despite no declaration of intent (Willenserklärung) to this effect. This was contrary to the earlier view of the court of appeals, stating that such a consent would need to meet criteria as are generally considered under the applicable doctrine. Here, the Supreme Court decided the defendant could assume that implied consent had been issued to the processing of the works by a search engine.

The case is notable for the innovation-friendly attitude of the courts, and a commendable dedication to finding a legal solution amidst regulations of statutory law which clearly lacked the flexibility to leave room for situations precisely like the one in question. The BGH had chosen to rest its decision on an ‘implied consent’ construct that made the tacit assumption of there being an ‘opt-out’ model with Google’s search functions. This rather weak construct aside, the ruling is an extensive list of legal provisions that demonstrate how a legalist approach would have led to the case being resolved against Google and its image search service. The ‘judicial resourcefulness’ in coming up with the solution has been noted, yet with a grain of salt: as commented by Bernt Hugenholtz and Martin Senftleben, it was symptomatic of a legal system that lacked an appropriate escape valve, as flexibility ‘should ideally be found inside the system of copyright proper’.30

2.4.2. Vorschaubilder II31

A year after the first Vorschaubilder case, another of a related nature was decided by the Bundesgerichtshof. The decision shows the court taking its earlier line of reasoning further (and further expanding its definition of consent).

30 Hugenholtz, P. Bernt and Senftleben, Martin, Fair Use in Europe: In Search of Flexibilities (February 29, 2012). Amsterdam Law School Research Paper No. 2012-39

31 BGH Mitteilung vom 19. 10. 2011 – 165/11


The plaintiff was a photographer who had, at one point, done a photoshoot of the TV anchor Collien Fernandes. These photos were then licensed to a number of online services. At one point, the photographer discovered, using the Google Image Search function, that those pictures were featured on two websites without his permission and that thumbnails of his pictures were displayed by Google as links leading to those infringing websites. This use of his copyrighted work by Google he considered an infringement in itself and filed for injunctive relief prohibiting Google from displaying his works as thumbnails to the German public in its search results. He also demanded that Google be obliged to provide information on the extent of the unauthorized use of his photographs and that it reimburse both his legal fees and his estimated loss due to the said unauthorized use.

The case was ruled in favor of the plaintiff before the district court, but reversed on appeal. The case then reached the Bundesgerichtshof which examined it against the background of the earlier Vorschaubilder I ruling. It noted again that illegality is ruled out when copyrighted property is being put on display on the Internet without protective measures. As the court observed, the plaintiff had, in the past, licensed the online display of the images to third-party websites. Thus, he had granted ‘effective consent’ (wirksame Einwilligung) to them being used as thumbnail pictures, not limited to the display of images put online with the author’s consent. The court observed that search engines used automated processes which did not distinguish between images published by an authorized party and those lacking authorization. Once the images are published, the court reasoned, the search engine operator ‘can and may’ assume a consent that encompasses display of thumbnails also in regard to copies which have been put online without consent of the author. The author is, nonetheless, entitled to bring claims against parties who conduct unauthorized publication of his images.

Expanding on the opt-out construct of Vorschaubilder I, the ruling held to the presumption of implied consent, creating a safe space for search engine operators. Still, the rules of this presupposed opt-out scheme were bad news for rights holders: they are only safe as long as their licensees include due means of protection on their websites against automatic indexing services. Without much effort one could imagine a scenario where uncontrolled dissemination of pictures (along with the thumbnails) begins once a licensee website drops its protection e.g. as a result of a webmaster error a long time after the publication; the same doubts apply to a situation where a licensee website were to fail to meet its obligations to apply such means of protection from the start. Would this invalidate the search engines’ safe space in this regard? These questions appear to be another link to the first Vorschaubilder case: the ‘implied consent v1.1’ as proposed by the BGH in Vorschaubilder II remains a prosthetic solution by its very nature. As shown in the above counterexamples, when tested, the construct shows its deficiencies likely resulting from its ad hoc character.


2.4.3. SAIF v. Google Inc. and Google France32

One of Google Books’ legal adventures in Europe, the case of La Société des Auteurs des arts visuels et de L’Image Fixe (SAIF) against Google France is an example of courts actively looking for a way to save a new technological solution that was clearly beneficial to the public. This was done in the face of overwhelmingly precise legislation which, taking the legalist approach, would leave little doubt as to ruling in favor of shutting the project down.

In 2005, SAIF filed suit before the Tribunal de grande instance (TGI) against Google Inc. and its local subsidiary Google France for infringement by reproducing and offering Internet users the viewing of ‘thousands of works’ belonging to its repertoire and without its permission. This violated the provisions of Articles L 122-4, prohibiting any full or partial reproduction,33 and L 335-2 of the French Code of intellectual property, setting forth a rigid definition of counterfeit works.34 The plaintiffs also demanded EUR 50,000 in damages, 60,000 in legal fees and EUR 80,000,000 as ‘restorative compensation’. Google was to be banned from further reproduction of images as thumbnails unless an agreement were to be executed to this end with SAIF. Google countered that French law should not apply due to the location of its servers, and that the Paris court should review the case under American federal copyright law, in particular its fair use provisions. Google invoked Article 5.2 of the Berne Convention, stating that the extent of protection, as well as the means of redress, shall be governed exclusively by the laws of the country where protection is claimed. This country, according to Google, was the United States. Alternatively, it claimed that the said search services did not affect ‘normal exploitation of the works of authors’.

The TGI agreed that Google’s search services were hosted in Mountain View, California. Google France was found to be unrelated to the operation of the search engine; it is Google Inc. that ‘controls, manages and makes all decisions regarding search engine activity that represents the heart of its business’. The action against Google France was thus dismissed. The court then ruled on the basis of Article 5.2 of the Berne Convention that the country where protection is sought is ‘not necessarily that of the court hearing but that of the country where the event occurred, and where the damage is suffered’.

32 Cour d’Appel de Paris, Pôle 5 - Chambre 1, Arrêt du 26 janvier 2011, http://juriscom.net/2011/01/ca-paris-26-janvier-2011-saif-c-google/.

33 Under Article L 122-4, any full or partial representation or reproduction made without the consent of the author or his successors or assigns is deemed unlawful.

34 Under Article L 335-2, forbidden as counterfeiting, under pain of 500,000 EUR penalty and five years’ imprisonment, is any edition of writings, musical composition, drawing, painting or any other production, printed or engraved in whole or in part without consent of authors.


Citing an interpretation offered in recent cases,35 the court chose to apply the law of the U.S. on the grounds of the location of the servers and the registered office of Google in California. On this basis, the court applied the fair use provisions of the 1976 Copyright Act and found in favour of fair use.

By the time the Cour d’Appel (CA) overturned the ruling on appeal in 2011, it had already been widely criticized in the legal scholarship as referring back to applying the domicile law of the infringer and disregarding the law of the jurisdiction where the infringement was committed, the harm was done and protection was being sought. This would lead to a disjunction between the law of the jurisdiction where the infringement was committed and that applied to the claim; it would also go against the intention of the Berne Convention to ensure the most uniform protection of authors.36 If upheld, this would constitute a gateway to forum-shopping by allowing infringers to escape liability by establishing their businesses and server rooms in exotic locations without adequate protection of intellectual property.37

The court noted how the services were intentionally made available to the French public via a *.fr domain. France was thus considered far more related to the case and French law needed to be applied. Delving deeper into the nature of the creation of thumbnails, the court noted that search results are displayed via a cache or buffer memory and that this function allows access to images for a few days or weeks after the original has ceased to exist. The storage of thumbnails is thus conducted over a certain period, but is still temporary. This function, the court reasoned, therefore indicates a ‘transitory’ nature involving a temporary reproduction for speeding up the flow of information and constitutes an ‘integral and essential’ part of an image search engine. Offering clickable thumbnails is not exerting control over legal content; the search function provider is thus a neutral link between the user and the website operator, a passive intermediary. On this basis, the court noted that the role of Google qualifies as ‘purely technical, automatic and passive’ and thus its service, which boils down to indexing content posted on the Internet by third parties and the automatic, intermediate and transient storage of the information transmitted, is regulated in Article L. 32-3-4 of the Loi du 21 juin 2004 pour la confiance dans l’économie numérique (LCEN), implementing the e-Commerce Directive 2000/31/EC.38 Thus, all claims of SAIF were dismissed.

35 SISRO v. Ampersand Software BV, 5 March 2002, JCP II 10082; Lamore v. Universal City Studios, 30 January 2007, 212 RIDA 261.

36 Thus e.g. Ginsburg, J.C., Treppoz, E., International Copyright Law: U.S. and E.U. Perspectives: Text and Cases, Edward Elgar Publishing, 2015, p. 653; see also Stamatoudi, I., Torremans, P., EU Copyright Law: A Commentary, Google Books DRM Edition, May 30, 2014, p. 1052.

37 The TGI did not continue this line of interpretation and in the next case involving a conflict of laws, André R. and H & K v. Google France (2009), ruled on the application of the law of the territory where the damage occurred. See Matulionyte, R., Law Applicable to Copyright: A Comparison of the ALI and CLIP Proposals, Edward Elgar Publishing, 2011, p. 38-39.

It is noteworthy how the court had found a way to exonerate Google on the basis of a liability regime for passive service providers with no knowledge of or control over the processed content. However, reaching out to the e-Commerce Directive to reduce Google’s role to a ‘passive-only’ Internet service provider, while certainly praiseworthy, is also legally weak. The assumption of a ‘transient’ nature of reproduction has been rejected in the German cases; also the ‘lack of control’ over displayed content by Google could be up for debate. But even leaving the ECD qualification aside, the fact remains that the case of SAIF v Google, a copyright case by its nature, was decided based on rules on e-commerce, rather than copyright law. The lack of a copyright argument may be most easily explained by looking at the rather desperate (and short-lived) forum-shopping concept as offered by the TGI earlier; the simple fact is that French copyright law did not allow for such acts of reproduction as conducted by Google Image Search, and no sustainable reasoning could be built by the court to give Google a free pass.

2.4.4. Megakini v. Google39

As another example of the court venturing beyond the copyright statute, April 2012 saw the end of a case argued before the Spanish Supreme Court, concerning caching of websites and displaying snippets of text in search results. The plaintiff, Megakini.com, had claimed copyright infringement and sued Google Spain demanding that it be prohibited from further operation of a search engine.

The court of first instance applied a construct of non-abuse of rights and presumed consent not unlike that used by the German courts, stating that the reproduction of minor parts of the page was temporary and provisional,40 and necessary for the operation of search engines. Moreover, the caching of the entire site was seen as falling under ‘proxy caching’ by ISPs41 under the implementation of the e-Commerce Directive, as was later applied by the CA in Paris.42

38 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) Official Journal L 178 , 17/07/2000 P. 0001 – 0016.

39 Sentencia n.172/2012, of 3 April 2012, Supreme Court, Civil Chamber.
40 Article 31.1 Texto Refundido de la Ley de Propiedad Intelectual (TRLPI), implementing Article 5.1. of the e-Commerce Directive.
41 Article 15 Ley de Servicios de la Sociedad de la Información (LSSICE) implementing Article 13 of the e-Commerce Directive.
42 See Juzgado Mercantil n.5 de Barcelona, ruling of 30 March 2007.


On appeal, the Provincial Court in Barcelona also ruled against the plaintiff, albeit on different grounds.43 While agreeing that the search results displaying fragments of text were of a minimal and incidental nature, it did strike down the construct offered under the e-Commerce regime for passive service providers, as Google was not, after all, an access provider. It also noted that Google could not benefit from a safe harbor releasing search engines of liability for linking to infringing content44 since it was its own act of infringement that was being discussed. The court of appeal did, however, offer an extensive argument why Google’s actions did not constitute an infringement. Noting that the TRLPI featured a closed list of exceptions, the court applied a construal of Article 40a TRLPI (introducing the Berne restrictions on unreasonably prejudicing legitimate rights of the author and normal exploitation of the work), stating that it could also be interpreted in a positive manner, by application to limiting the author’s rights, relating it to the concept of harmless use of movable property of third parties (usus inocui). The court also noted that the Anglo-Saxon fair use doctrine should be taken into account as guidance that the author’s rights are not of an absolute nature.

The Supreme Court generally agreed with these findings, noting that in situations not covered explicitly by statutory law, a judge must defer to applying general principles of the law, such as that of good faith and prohibition of abuse of rights,45 in the context of the constitutional principle of property not being an absolute right. The Court also made a reference to the nature of the plaintiff’s claim, aimed more at harming Google rather than protecting a legitimate right, which should not prevail on general principles despite the situation not falling within the exceptions allowed by Spanish copyright law. Lastly, the court made an express reservation that the ruling only applies to the given case.

From the perspective of this analysis, the dismissal of the e-Commerce safe harbor cannot be found surprising and it further undermines the findings of the CA in the French case. Similarly, the narrowness of the safe harbor under Art. 17 LSSICE precludes its applicability in a case where linking may be considered copyright infringement. This has been commented upon with some concern, pointing out that the German presumed consent may, after all, be a more reliable solution.46 While the general good faith and non-abuse of rights approach has earned praise as opening the door to a measure of flexibility under the European copyright regime,47 others have noted that the construct it upheld had, in fact, created a new flexible exception despite other rulings in Europe noting that it is not the court’s role to do that.48

43 Sentencia de la Audiencia Provincial de Barcelona (Section 15), of 17 September 2008.

44 Article 17 LSSICE.

45 Articles 7.1 and 7.2 of the Spanish Civil Code.

46 Raquel Xalabarder, Spanish Supreme Court Rules in Favour of Google Search Engine… and a Flexible Reading of Copyright Statutes?, 3 (2012) JIPITEC 162, para. 1.

3. SUMMARY

In the American context, judicial flexibility has been applied and advocated since the dawn of fair use appearing in case law, over a century before its introduction into statutory law. As demonstrated, this sometimes leads to interesting tensions between statutory fair use and the transformative use doctrine established, with the aid of the Supreme Court, in the early 1990s. In the U.S. cases presented here, the ‘transformative’ parameter of the work was not really of any use (and, particularly in Dr Seuss, it became a burden on the courts in a case otherwise easily resolved under statutory considerations). This demonstrates how, despite its popularity and value as a standard intended to bring a solid base into the perceived unpredictability of fair use cases, judges were only willing to accept it as far as it did not restrict the flexibility under the original statutory considerations.

Even more interestingly from a civil law perspective, it has been demonstrated how this very flexibility is desired and sought for by European judges in cases pertaining to digital innovation occurring at the expense of copyright protection. With the approach taken by the Spanish courts arguably being the boldest and potentially the most robust, the reasoning offered in the cited cases of Germany and France shows how, faced with a law too rigid to accommodate such innovation, judges were forced to display considerable creativity – and how, while undoubtedly resourceful, still questionable (and seemingly unsustainable) the resulting legal constructs were.

47 Ibid, p. 5; see also Javier Martínez de Aguirre, El caso ‘Megakini vs. Google’ o la excesiva rigidez de nuestra Ley de Propiedad Intelectual, PropiedadIntelectualHoy.com.

48 Stephan A. Ott, Spain: Google Cache is legal (the Megakini.com-case), Linksandlaw.com, making a reference to the 2008 thumbnail case decided in Hamburg.


4. BIBLIOGRAPHY

Books, articles and press releases

Generalpatent.com, Picking Your Battles, 18 May 2011. http://www.generalpatent.com/2011/05/18/picking-your-battles.

Ginsburg, J.C., Treppoz, E., [2015] International Copyright Law: U.S. and E.U. Perspectives: Text and Cases, Edward Elgar Publishing.

Hugenholtz, P. B. and Senftleben, M., [2011] Fair Use in Europe: In Search of Flexibilities (November 14). Available at SSRN: http://ssrn.com/abstract=1959554 or http://dx.doi.org/10.2139/ssrn.1959554

Leval, P. N., [1990] Toward a Fair Use Standard, 103 Harv. L. Rev. 105, 1105.

Matulionyte, R., Law Applicable to Copyright: A Comparison of the ALI and CLIP Proposals, Edward Elgar Publishing, 2011, p. 38-39.

Martínez de Aguirre, J., El caso ‘Megakini vs. Google’ o la excesiva rigidez de nuestra Ley de Propiedad Intelectual, PropiedadIntelectualHoy.com, https://propiedadintelectualhoy.com/2012/06/18/el-caso-megakini-vs-google-o-la-excesiva-rigidez-de-nuestra-ley-de-propiedad-intelectual/

Neuburger, J., Posting of Entire News Article is Fair Use, Says Judge in Righthaven Copyright Litigation, New Media and Technology Law Blog, upd. 22.04.2011.

Ott, Stephan A., Spain: Google Cache is legal (the Megakini.com-case), Linksandlaw.com, making a reference to the 2008 thumbnail case decided in Hamburg, http://www.linksandlaw.com/news-update60-megakini-case-spain.htm

Stamatoudi, I., Torremans, P., EU Copyright Law: A Commentary, Google Books DRM Edition, May 30, 2014, p. 1052.

Xalabarder, R., Spanish Supreme Court Rules in Favour of Google Search Engine… and a Flexible Reading of Copyright Statutes?, 3 (2012) JIPITEC 162, para. 1.

Zimmermann, Diane, ‘The More Things Change, The Less They Seem ‘Transformed’; Some Reflections on Fair Use’, 46 J. Copyright Society 251 (1998).

Laws

Code de la propriété intellectuelle, loi no 92-597 du 1er juillet 1992 relative au code de la propriété intellectuelle, publié au Journal officiel du 3 juillet 1992, Article L122-5.

Copyright Act of 1976 – An Act for the general revision of the Copyright Law, title 17 of the United States Code, and for other purposes, Pub.L. 94–553

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) Official Journal L 178, 17/07/2000 P. 0001 – 0016.

Gesetz über Urheberrecht und verwandte Schutzrechte (Urheberrechtsgesetz – UrhG) 16. September 1965 (BGBl. I S. 1273)

Court rulings and opinions

Author’s Guild v. Google, Inc., 13-4829-cv, decided October 16, 2015 (2d Circuit)

Author’s Guild et al. v. Hathitrust, et al., 11 CV 6351 (HB) 755 F.3d 87 (2d Cir. 2014)

BGH, Urteil vom 29. 4. 2010 – I ZR 69/08 – Vorschaubilder I.

Campbell v. Acuff-Rose Music, Inc. 510 U.S. 569 (1994), 510 U.S.

Dr. Seuss Enterprises, L.P. v. Penguin Books USA, Inc., 109 F.3d 1394 (9th Cir. 1997)

Folsom v. Marsh, 9 F. Cas. 342, 348 (No. 4,901) (CCD Mass. 1841)

Harper & Row v. Nation Enterprises, 471 U.S. 539 (1985), cit. 6.

Infinity Broad. Corp. v. Kirkwood, 150 F.3d 104, 108 (2d Cir. 1998).

Lamore v. Universal City Studios, 30 January 2007, 212 RIDA 261

Righthaven LLC v. Wayne Hoehn, 9th Cir., Nos. 11–16751, 11–16776, decided 9 May 2013.

Righthaven LLC v. Kayse Jama and Center For Intercultural Organizing, D. Nev. April 22, 2011, 2:10-cv-01322-JCM -LRL

Salinger v. Random House, Inc., 811 F.2d 90 (2d Cir. 1987).

SISRO v. Ampersand Software BV, 5 March 2002, JCP II 10082

The Associated Press v. Meltwater U.S. Holdings, Inc. et al, No. 1:2012cv01087 - Document 156 (S.D.N.Y. 2013),

2

DIGITAL SINGLE MARKET: A LONG WAY TO GO

Viola Elam
PhD Researcher, European University Institute, Fiesole

ABSTRACT: This paper provides an overall assessment of recent initiatives devised by the European Commission to foster the functioning of the Digital Single Market. A particular focus in the policy debate is laid on the modernization of the European framework of copyright and related rights, in order to make it fully fit for the digital world. This paper highlights the major challenges that copyright territoriality poses to the smooth functioning of the internal market. Then, it outlines the policy options put forward by the previous Commission in order to achieve a wide availability of creative content across borders. Thereafter, it throws light on the legislative steps taken as part of the Digital Single Market Strategy. It argues that a full integration of markets for creative content will not become a reality, at least in the near future. The Commission’s efforts to tackle geo-blocking are not addressed to providers of audiovisual content and copyright-protected works. Likewise, the extension of the “country of origin” principle is limited to services ancillary to broadcasts. There is also a tendency to focus on attention-grabbing issues, such as cross-border “portability” of content, which do not offer a real solution to dismantling national barriers in the European digital environment. Moreover, the newly introduced neighbouring right for press publishers and the general monitoring obligation imposed on information society service providers cause particular concern. This paper, however, values the adoption of Regulations, entailing a deeper level of harmonisation, and the provision of mandatory exceptions and limitations.

KEYWORDS: Digital Single Market; Geo-Blocking; Portability; Broadcasting; Neighbouring Right; Press Publishers; General Monitoring Obligation; Online Intermediaries; Copyright Reform.

Paper selected to be published in issue number 26/2018 of the e-journal IDP - Internet, Law and Politics. Available at: http://idp.uoc.edu/.

3

A PROPOSED MODEL FOR THE LEGAL STATUS OF CREATIONS BY ARTIFICIAL INTELLIGENCE SYSTEMS

Ana Ramalho
Assistant Professor of Intellectual Property, Department of International and European Law, Maastricht University.

ABSTRACT: While currently artificial intelligence (AI) is not yet completely independent from human input, the speed and direction of technology development seem to anticipate a not-so-distant future where it will be. From an intellectual property perspective, this scenario challenges traditional conceptions, notably that of copyright authorship. In many jurisdictions, authorship seems to be somewhat connected to the conditions for protection, which might imply that, absent a human author, a work will not be original and therefore not copyrightable. This may leave many works that would otherwise be copyrightable without protection, thereby causing legal uncertainty; but it also raises questions about whether protection should at all be available, and about whether copyright is fit for purpose in face of technological progress in the area of AI. The first part of this paper focuses on whether the current copyright framework can accommodate AIs as creators with a view to copyright protection. Comparative analysis of authorship and protection requirements in the EU, the US and Australia shows it cannot. Other legal constructions, such as the regime of computer-generated works existing in some common law jurisdictions, also prove inefficient in that regard. The second part of the paper enquires whether copyright should protect AIs as creators. The answer to that question is found by looking into the different rationales of copyright protection. Absent a justification to grant copyright protection to AIs’ creations, the paper concludes by proposing a public domain model, coupled with a disseminator’s right.

KEYWORDS: copyright; artificial intelligence; robotics; authorship; intellectual property.

1. INTRODUCTION

AARON, a programme created in the 70s by Harold Cohen – an art professor and an artist himself – generates drawings and paintings (with real paint and canvas, as Cohen has built a painting machine that goes with the AI). Cohen has since then been refining AARON’s code, and enhancing its knowledge of artistic elements such as colour or form.1 AARON creates the works autonomously (though based on the “teachings” of Cohen). Its works have been exhibited in many galleries and museums around the world, and private collectors have paid considerable sums for AARON’s art.2

1 Bridy (2016) at 397.

The act of creation is traditionally equated with a human being. As the example above shows, however, developments in the field of artificial intelligence (AI) are challenging this notion. We currently have machines that can create books, music, paintings, and other subject-matter that could eventually come under copyright protection.

This paper concerns AIs as creators (of literary and artistic works), rather than AIs as a mere tool or aid to human creation. The reality of non-human creation raises questions regarding the legal status of AI creations. The place of AI in copyright law forces us to rethink key concepts in copyright, such as authorship and conditions for protection, but also the dialectic between privatisation and public domain, and the rationales underlying copyright protection in the first place.

Section 2 of this paper will examine the current legal regime to assess whether it can accommodate AIs as creators. For that purpose, it looks into definitions of authorship in the United States, European Union and Australia. Section 3 analyses specific legal constructions that work around the definition of author as a human being. Section 4 assesses whether copyright protection should be available in view of copyright rationales (4.1.) and suggests an extension of the assessment to related rights rationales (4.2.), before proposing a model for the regime of AI creations (4.3.). The model proposed amounts to a combination of a public domain status with a neighbouring right-type of protection for disseminators. Section 5 offers a conclusion.

2. CAN THE CURRENT COPYRIGHT FRAMEWORK OF AUTHORSHIP ACCOMMODATE AIS AS CREATORS?

2.1. The United States

In the US, a work will be protected by copyright law if it is original in the sense that it is an independent creation and that it displays a modicum of creativity. This was stated by the US Supreme Court in Feist.3 Creativity is thus a key element in copyright protection. The Court did not define what creativity might amount to, but from the ruling it is apparent that the threshold of creativity for purposes of copyright protection is low.4

2 Moss (2015).

3 Feist v. Rural Telephone, 499 US 340, 346 (1991).

4 Feist, at 345: the Court mentions that a ‘creative spark’ can be for this purpose “crude, humble or obvious.”

Creativity in the realm of US copyright law seems to necessarily imply a human creator. In fact, even though no definition of authorship is found in the law, it can be argued that under US law the author will necessarily be a natural person. Section 101 of Title 17 of the US Code (hereinafter, “Copyright Act”) defines anonymous works as the ones where no natural person is identified as an author, which seems to presume that an author is necessarily a human being.

This view is reinforced by the Compendium of US Copyright Office practices. The Compendium clearly states that it is necessary for the work to be created by a human being for it to be registered, as copyright law only protects the product of a creative mind and intellectual labour5 – something that, presumably, is a human prerogative. Section 313.2 further elaborates on this point and emphasizes the intertwinement of authorship with requirements for protection. After quoting Section 102(a) of the Copyright Act, which states that copyright protects original works of authorship, the Compendium expressly declares that “to qualify as a work of ‘authorship’, a work must be created by a human being”. The statement is backed by a reference to the case Burrow-Giles, where the Supreme Court expressed the following view: “We entertain no doubt that the Constitution is broad enough to cover an act authorizing copyright of photographs, so far as they are representatives of original intellectual conceptions of the author”6 [emphasis added].

What the Court is implying here is that a given subject-matter may be copyright protected if, and only if, it consists of “original intellectual conceptions” of its author – meaning, authorship is embedded by its own nature in the requirements for copyright protection.

Further on under the same section, the Compendium adds that the Copyright Office will not register works produced by animals, plants, and neither by “machines or mere mechanical processes that operate randomly or automatically without any creative input or intervention from a human author.” Therefore, while it is arguable that the current drafting does not seem to contemplate a future where machines will create works non-randomly or automatically, the requirement of a human author is clear and inescapable.

2.2. The European Union

In the EU, authorship is only addressed in the Software Directive, the Database Directive, and the Rental and Lending Rights Directive (the latter in relation to cinematographic photographic works, with the corresponding rule repeated in the Satellite and Cable Directive and the Term of Protection Directive).7 The Software and the Database Directives take a deregulatory approach and leave a great amount of leeway to Member States, allowing them to define the author of a computer program or of a database as either the natural person or group of natural persons that created it, or the legal person defined as a right holder under national law (Article 2(1) Software Directive and Article 4(1) Database Directive).

5 U.S. Copyright Office (2014).

6 Burrow-Giles Lithographic Co. v Napoleon Sarony, [1884] 111 US 53, 58.

The Explanatory Memorandum to the Proposal for a Database Directive clarifies that the objective was to restate the “fundamental principle of the Berne Convention […] that the human author who creates the work is the first owner of the rights in that work”, even though it is then made clear that national arrangements that allow for the exercise of rights by legal persons will be allowed.8 This seems to convey the view that the author will by default be a natural person, while deviations to that rule are merely tolerated.9

Interestingly, the original Proposal for a Software Directive did not contain the possibility of a legal person being the author. The Explanatory Memorandum to the Software Proposal mentioned that “[i]n common with all literary works, the question of authorship of the program is to be resolved in favour of the natural person or group of persons who have created the work. Although the right to exercise exclusive rights may be assigned to another, the author will retain at least the unalienable rights to claim paternity of his work.”10 The reference to natural persons and to moral rights clearly shows that authorship was seen as necessarily implying a human being. The Proposal also contained a provision on computer generated works, which did not make it to the final draft (it was then Article 2(5)). According to it, the natural or legal person who caused the generation of subsequent programs would be entitled to exercise all rights in respect of the programs, unless otherwise provided by contract. There was no mention of authorship proper, although the Explanatory Memorandum did raise the question of whether authorship of the generated programs should reside with the creator of the first program, or with the user that causes it to generate other works.11 No consideration is given to any other solution – again showing that authorship is a human trait – as revealed by the following passage: “The human input as regards the creation of machine generated programs may be relatively modest, and will be increasingly modest in the future. Nevertheless, a human ‘author’ in the widest sense is always present, and must have the right to claim ‘authorship’ of the program.”12 Article 2(5) was judged too premature and was deleted following a vote by the European Parliament.13

7 Directive 2009/24/EC (Software Directive); Directive 96/9/EC (Database Directive); Directive 2006/115/EC (Rental and Lending Rights Directive); Directive 93/83/EEC (Satellite and Cable Directive); Directive 2006/116/EC (Term Directive).

8 Explanatory Memorandum to the proposal for a Database Directive, COM(92) 24 final, 13 May 1992.

9 Quaedvlieg (2012) at 207.

10 Explanatory Memorandum to the proposal for a Software Directive, COM (88) 816 final, 17 March 1989.

11 Explanatory Memorandum, at 21.

It is also possible to look at the requirements for protection and assess whether they imply a human author. In Europe, the notion of originality for purposes of copyright protection is statutorily defined in relation to software, databases and photos as the “author’s own intellectual creation.”14 The CJEU has however extended this notion of originality to all types of subject-matter, through its Infopaq decision.15

A work will be its author’s own intellectual creation where it reflects her or his personality, according to Recital 16 of the Term of Protection Directive. The CJEU has further interpreted the expression “author’s own intellectual creation” to mean that the author was able to make free and creative choices16 and that the work bore her or his personal touch stamp.17

The references to personality and “personal touch stamp” of the author seem to highlight the need for a human author of the work, in so far as personality can be described as a human attribute only. With regard to free and creative choices, even though in practice humans themselves suffer from social, technical and/or institutional constraints, at least some of them are internal or self-imposed.18 By contrast, the limitations of (current) AIs are insurmountable and do not allow them to make such choices outside of the framework of their program. This is supported by the CJEU case Football Dataco, where the Court stated that there would be no room for free and creative choices where the work was dictated by “technical considerations, rules or constraints”19 – much as is the case with a creative AI, whose “autonomous creations” still depend on technical rules and programming by a human being.

12 Ibid.

13 Dreier (1991), at 321.

14 See respectively article 1(3) Software Directive, article 3(1) Database Directive and article 6 Term of Protection Directive.

15 Case C-05/08 Infopaq International, ECLI:EU:C:2009:465.

16 Joined cases C-403/08, C-429/08 Football Association Premier League/Karen Murphy, ECLI:EU:C:2011:631.

17 Case C-145/10 Painer, ECLI:EU:C:2011:798.

18 van Gompel (2014), 97, 108 et seq.

19 Case C-604/10 Football Dataco, at 39 and case law cited therein.


Other case law of the CJEU confirms the human nature of authorship and its connection to protection requirements. In the Luksan case,20 for instance, the CJEU has made a clear link between Article 17(2) of the Charter of Fundamental Rights of the EU (which states that “intellectual property shall be protected”) and the protection of the author of a copyright protected work (in that case, the principal director of a cinematographic work, thus a natural person). The Court reasoned that the principal director of a cinematographic work was, as an author, entitled to exploitation rights to that work.21 Because the national law at stake did not allocate such exploitation rights to the principal director, the Court considered that it was in breach of Article 17(2) of the Charter.22

2.3. Australia

In Australia, the Australian Copyright Act distinguishes between original literary, dramatic, musical and artistic works (Part III), and “copyright in subject-matter other than works” (Part IV), such as broadcasts or films. Regarding the former, the Act establishes that the author shall be a qualified person (Section 32(1)), which means that s/he will be an Australian citizen or a person resident in Australia (Section 32(4)) – and seemingly a human being.23 By contrast, initial ownership of copyright in subject-matter other than works may vest in either a person or a corporation (section 84 et seq.). Cautiously, in this part of the Act, the word “author” is avoided.

Case law confirms the need for a human author of the work, and links this to availability of copyright protection. The rulings in Ice TV,24 Phone Directories (both first instance and appeal)25 and Acohs26 all underline that authorship is a key element when assessing whether a work is protected by copyright, and all refuse to grant copyright to products that were computer generated and lacked (completely or for the greater part) human input.27 Previous decisions to those go as far as to assert that “the word ‘original’ connotes the ‘authorship’”, emphasizing the dependency of copyright protection on (human) authorship.28 Originality thus requires that an author has personally put some mental/intellectual effort in the work, and that such mental effort, even if it is low, is directed to the particular form of expression of that work.29

20 Case C-277/10 Luksan.

21 Luksan at 44-53.

22 Luksan at 68-70.

23 Ricketson (2012).

24 IceTV Pty Ltd v Nine Network Australia Pty Ltd (2009) 239 CLR 458.

25 Telstra Corporation Ltd v Phone Directories Co Pty (2010) FCAFC 149.

26 Acohs Pty Ltd v Ucorp Pty (2012) FCAFC 16.

27 All cases thoroughly analysed in McCutcheon (2013).

2.4. Interim conclusion

All the jurisdictions examined – EU, US, Australia – have two things in common. First, they still equate the author with a human being. That makes sense if nothing else because rights need to have a subject – rights arising from authorship need to be ascribed to human beings, as machines are not subjects of rights. Second, they intertwine authorship with requirements for protection in a way that the former appears to be embedded in the latter.30

There are however some legal constructions that have worked around this ‘humanization’ of authorship, such as the regime of computer-generated works. The next subsection will examine it.

3. CURRENT POSSIBLE CONSTRUCTIONS – COMPUTER-GENERATED WORKS

A few common law jurisdictions – New Zealand, United Kingdom, Ireland, Hong Kong, South Africa and India – have a special regime for computer-generated works, i.e., a work that is generated by a computer “such that there is no human author,”31 or in relation to which the author “is not an individual.”32 Authorship in computer-generated works is given to the person by whom the arrangements necessary for the creation of the work are undertaken,33 or to the person who causes the work to be created,34 depending on the jurisdiction.

28 Sands & McDougall Pty Ltd v Robinson (1917) 23 CLR 49, as explained in McCutcheon (2013), at 935.

29 McCutcheon (2013), at 936-942; Ricketson (2012), at 57.

30 See also Ginsburg (2002-2003) at 1077, contending that “originality is the overarching standard of authorship”.

31 Section 178 of the UK Copyright Designs and Patents Act (CDPA).

32 Section 2(1) Irish Copyright and Related Rights Act 2000.

33 S. 9(3) CDPA.

34 Indian Copyright Act S. 2(d)(vi).

The rule on authorship for computer-generated works is a legal fiction that derogates from the general rule that defines the author as the one who creates the work.35 As such, the link between authorship and conditions for protection is rekindled, as the originality requirement will have to be self-standing and independent of authorship – not linked to the person responsible for the arrangements (as s/he is the author only due to the legal fiction and has no direct connection to the work), but also not linked to the computer.36

It is however unclear if and how the regime of authorship for computer-generated works could be applicable to AI creations. Central to this is the interpretation of the term “arrangements”, and the person responsible for them, who might include the user, the programmer, the person who sells or produces the software, or an investor;37 but also, more broadly, the person instructing or training the programmer or the person customizing the software;38 or even a combination of them, depending on the specific work at issue (and on whether the interpreter agrees that the word “person” [by whom arrangements are undertaken] can include more than one person, which is debatable). All these options are possible, because the term “arrangements” amounts to preparing or organizing something so that the work may be created (considering that, without such preparation or organization, the work could not have been produced, which is indicated by the expression “necessary arrangements”).39 The person responsible for the arrangements will depend on the factors weighed in, which can include inter alia the initiative to create the work, the proximity to the final act of creation (the closer to the final creation, the more likely to be in charge of the arrangements to create the work), or the extent to which the arrangements are responsible for the creation of the work (which would put the emphasis on the operation of the software).40

In a British case concerning the frame images generated when the user plays the game, the person by whom arrangements were undertaken was considered to be the person who programmed and designed the game.41 The Court expressly refused to confer that status on the user, as the latter’s input was not artistic in nature, nor had he undertaken the arrangements necessary to create the frame images.42 It has however been argued that not all programmers will be eligible to be the author of a computer-generated work, and sometimes a less involved programmer might give way to e.g. the investor or the person who is financially responsible for generating the work.43 In short, the uncertainty regarding the person by whom arrangements are undertaken, who will have to be identified on a case-by-case basis, does not favour legal certainty and constitutes a reason to not extend the applicability of this legal fiction. Interestingly, similar cases in the US concerning (copyright protected) displays in videogames have had the same outcome, with the courts ruling that it is immaterial whether the displays are generated autonomously by the machine or through the actions of the player – copyright belongs, in both cases, to the owner of the copyright in the game code.44 This raises legitimate doubts as to the usefulness of the regime for computer-generated works and their quest for authorship.

35 See e.g. in relation to the UK 9(1) CDPA.

36 McCutcheon (2013a), at 51, holds that “it seems that the criterion of originality would be applied on a hypothetical basis: if the work had been authored by a human, or if that human could be identified, would it be original?”

37 See Bently & Sherman (2009), at 122; McCutcheon (2013), at 956-960.

38 McCutcheon (2013a), at 54.

39 McCutcheon (2013a), at 53.

40 McCutcheon (2013a), at 55-56.

41 Nova Productions Ltd v Mazooma Games Ltd (2006) RPC 379.

Moreover, “the person by whom arrangements are undertaken” presupposes human intervention at some point. Current legal regimes that recognise computer-generated programs as such still trace back authorship to human intervention (the person that makes the arrangements and that therefore is considered to ultimately have produced the work) – so, to a certain extent, computers are still tools in this construction.

By contrast, in AI creations that are completely autonomous from any human input, it might be hard to discern a human being who would be responsible for the arrangements further up the chain. In fact, the scale of autonomy of AI seems to work in inversely proportionate terms to the applicability of the regime of computer generated works: the more autonomous the AI, the less likely the applicability of the regime would be, due to the lack of human intervention. The provisions on computer generated works do not therefore seem to be a solution for (increasingly autonomous) AI, and even where they are a solution to less autonomous AI, it is unclear who the person responsible for the arrangements is.

42 Nova Productions Ltd v Mazooma Games Ltd at 399.

43 As pointed out by McCutcheon (2013), at 961-962, similar wording in UK and Australian law in relation to film authorship highlights that the “person by whom the arrangements necessary are undertaken” (in relation to films) amounts to the producer, as he is financially responsible for the making of the film.

44 Bridy (2012), at 24, citing Stern Elec. v Kaufman, “Scramble” (2nd Circ. 1982), Atari, Inc v North American Philips Consumer Elec. Corp., “Pacman” (7th Circ. 1982) and Williams Elec. Inc. v Artic Int’l, Inc, “Defender” (D.N.J. 1981).


4. SHOULD COPYRIGHT PROTECT AIS AS AUTHORS?

4.1. Why? Copyright rationales

The idea of romantic authorship – the author as a single individual – has changed through time. It has accommodated joint authorship and entrepreneurial works, for instance. But the current framework cannot accommodate non-human authors, as demonstrated in the previous section. This raises the question of whether copyright law should be stretched to accommodate AIs as creators – always bearing in mind that, if that is the case, copyright would be only a piece in the constellation of legal standing of AIs,45 and that the question brings about serious reflections on the broader consequences of affording legal personhood to machines.

In other words, the AI is the author in factual terms, but should it be the author in legal terms? In this regard, it may be problematic to assess the degree of autonomy of the AI, and to what extent there is (copyright protected) human input in the act of creation in the case of works with contributions from both human and machine. Programmers and users can be seen as contributors to the work (depending on the AI), but should they be considered as authors? It all depends, of course, on the level of involvement. Where the computer program is a tool employed by the user to produce a work, the user is the creator; there is a high level of creativity input on his part. Likewise, programmers will be authors where the final product results from their intellectual endeavours: for example, where the program displays an animation of fireworks whenever a button is pushed, the creative input is from the programmer that created the animation, rather than from the user who pushes the button.46 But this is no different than assessing the degree of originality for purposes of protection of a fully human-produced work – if there is enough of a human input in creating an original work, then copyright protection will be available at least for the human-created part of the work (even though, admittedly, there may be cases where human and machine contributions are not easy to separate or evaluate). Also in the cases of works which are partly human, partly machine authored, however, the question remains the same: should copyright protection be available for works (or parts thereof) that are created by AIs?

This question calls for a consideration of copyright rationales. By analysing the justifications for copyright protection in the first place, a conclusion on whether new subjects and/or subject-matter should come under copyright protection becomes more grounded.

45 Grimmelmann (2015-2016), at 414.

46 Grimmelmann (2015-2016), at 409-410.


The number and classification of copyright rationales differs greatly in the literature.47 One option is to distinguish two major lines of argument: the natural rights justification and the utilitarian justification.48 The natural rights argument equates copyright to a natural right, which implies that laws do not create the right, but merely recognize its existence. From this premise, two main theories of copyright rationales flow: the labour theory and the personality theory.

The labour theory, formulated by the British philosopher John Locke in the 17th century, implies that every man should be the proprietor of the product of his labour. This suggests the idea of “reward”: the intellectual labour invested in creation should be rewarded, creators should be compensated for their intellectual effort.49 Under this theory, there is a reason why creative expressions are protected – they are the result of intellectual labour, and the latter should be protected, even if the underlying idea is not. This premise is expressed in case law from several jurisdictions that determine that it is the mind behind the creative process, not the executant, that ultimately is deserving of authorship status.50 This is significant, as it recognizes the mind as an important element of authorship.

The personality rights theory, for which mainly the philosophers Kant and Hegel are responsible, holds that an intellectual work embodies its creator’s personality or will. Therefore, the work is worthy of protection because it is an expression of the personality or self of its creator.51 According to this conception, property is an extension of personality, providing a means for self-actualization and personal expression.52

Both natural rights theories focus on the relation between the author and his work, and not on the link between such relation and society.53 Here lies a main obstacle to using natural rights justifications for granting copyright protection to AIs: it is doubtful that, at least for now, AIs can engage in any type of relation with their work, for that entails deeper emotional connections. The labour theory implies a reward for effort, which is something foreign to machines (at least at the current time, where there is no such thing as machine consciousness and emotions). Although it can be argued that humans don’t always make a conscious effort to create, it is a fact that at least sometimes they can articulate their creative process and explain their creative choices; machines, on the other hand, are unaware of their processes.54 They are deprived of intention states such as desire (unlike the “higher human intelligence”), and therefore the reward mechanism speaks little to them. The personality theory as a justification for the grant of copyright seems even less applicable, as “personality” implies a person, with intention states that are for now absent in AIs.

47 See, for example, Yen (1990); Fisher (2001); Bently & Sherman (2009) at 34-39.

48 Ramalho (2016).

49 See Hughes (1988) at 296 et seq., discussing the several interpretations of “reward” in the context of the labour theory.

50 Ginsburg (2002-2003), at 1072-1074, and case law cited therein.

51 Hughes (1988) at 330; Fisher (2001).

52 Hughes (1988) at 330.

53 Lacey (1989) at 1564.

In contrast to the natural rights theory, the utilitarian justification considers that the main goal of copyright is to promote social welfare, which is achieved by granting incentives to creation and supporting the dissemination of intellectual goods to the public.55 This “incentive” element is not to be confused with the “reward” argument presented by the natural rights theory: here, copyright is granted having society’s interests in mind (see e.g. the US case, where grant of copyright is constitutionally linked to the progress of the science and useful arts56). Utilitarianism views copyright as a positive (as opposed to natural) right, which is granted with the aim of furthering societal goals.

Granting copyright to AIs does not comply with the utilitarian justification for protection either. AIs do not need an incentive to create (again, at least not for now, as they lack consciousness), not to mention that they have no means of reaping the economic benefits deriving from copyright protection (which dictated that protection in the first place).57

Absent any justification for copyright protection, and even if AIs could be given legal personhood for purposes of holding rights, there is no argument to support the grant of copyright in this case.

It can still be explored whether someone else should be granted copyright protection in the cases where the output is AI-created. The link to the programmer might be too tenuous for a claim of copyright authorship; since s/he was not directly involved in the creation of the work, the work does not reflect her/his personality, nor should s/he be rewarded for something that s/he has not created. Likewise, s/he cannot receive any incentive to create a work that s/he will not produce. The reward and/or incentive s/he receives, and her/his personality, will be reflected on the AI itself, not on the secondary products that it creates. The programmer should thus be entitled to the benefits deriving from the creation of the AI; but not to “meta benefits” that derive from AI creations. Such solution would lead to a double reward of the author of the AI (who would then be able to derive income not only from the creation of the AI but from all its output).58 Some of these arguments also apply to the user that operates the AI – s/he is not the creator of the works, and therefore the works do not reflect her/his personality, and any benefits deriving from it do not serve as either an incentive or reward for her/his creations, as the user hasn’t created anything.

54 Dartnall (1994), at 36.

55 Fisher (2001).

56 Clifford (1996-1997), 1700-1702.

57 Samuelson (1985) at 1199.

4.2. Related rights rationales

Another possibility to protect AI creations would be to establish a regime akin to the protection of producers or broadcasters, whose protection has a commercial or technical nature. This could be achieved through e.g. the grant of a neighbouring right (for civil law countries), by enlarging existing categories such as those of entrepreneurial works (such as the one existing in the UK) or the regime of initial ownership of subject-matter other than works (which exists in Australia).59 It is also possible to consider the grant of a sui generis right in AI created works, much like the EU legislature decided to do for makers of databases.60 The common rationale here is protection of investment.61

The introduction of a new sui generis right in the legal order should be carefully reflected upon. The Evaluation Report of the Database Directive has admitted that the economic impact of the sui generis right on database protection is unproven, and that the sui generis provisions have caused “considerable legal uncertainty.”62 The European Parliament followed up and called for the Commission to abolish the Database Directive.63

The grant of a neighbouring right or the enlargement of existing categories (depending on the jurisdiction) would not be as risky an option, in the sense that several legislations already contain provisions directed at the protection of investment (such as the protection of producers or broadcasters). However, the introduction of a right in the legal order is not free of negative consequences and impact in other policy areas, and its creation should be the object of in-depth studies in any case. A solution may then be either an absence of rights (as an opposite solution to privatisation), or the combination of such absence with weak or contained neighbouring rights. The next section will examine this in more detail.

58 Ibid.

59 Sections 84 et seq. of the Australian Copyright Act. This particular solution was one of the options advocated by McCutcheon (2013a).

60 See Database Directive.

61 van Eechoud et al. (2009), at 191; Torremans (2008) at 192-193 (in relation to entrepreneurial works); Derclaye (2008), at 45 (in relation to databases).

62 First evaluation of Directive 96/9/EC on the legal protection of databases. Retrieved March 16th 2017 from http://ec.europa.eu/internal_market/copyright/docs/databases/evaluation_report_en.pdf

63 European Parliament resolution of 19 January 2016 on Towards a Digital Single Market Act (2015/2147(INI)), paragraph 108. Retrieved March 16th 2017 from http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2016-0009+0+DOC+PDF+V0//EN

4.3. A proposal: public domain?

At the present time, as has been demonstrated, authorship is intrinsically linked to requirements for protection. Where there is no human author, a work cannot be original; and without originality, a work cannot be protected by copyright.64 Such work belongs, thus, to the public domain, which is traditionally defined as encompassing intellectual elements not protected by copyright or whose protection has elapsed.65 However, even if society comes to a point where AIs have legal personality, it is doubtful whether copyright protection should at all be available. Legal personality or personhood is not confined to human beings, as the example of corporations demonstrates. The cases where corporations are considered as authors (not authors per se) are limited and operate by way of legal fiction.66 “Real” authorship seems to be linked to the quality of being human, rather than that of having legal personality (although the latter is necessary to enjoy rights).

The absence of a justification for privatisation should cause the subject-matter (AI creations) to be part of the public domain. The legal basis for the existence of a public domain stems from the principle of equal negative liberty, which frames the public domain as an equal negative liberty to use certain information.67 This implies the complete lack of subjective rights and a universal possibility of access to the information (i.e., in this case, the AI creations).68 The consequence of AI creations being in the public domain is that they are free for everyone to use, as no exclusive right exists. Advantages of the public domain include, thus, the unencumbered creation of new knowledge, free or low cost access to information, competitive imitation, or public access to cultural heritage.69

64 Dussolier (2010) at 24: “the entrance to the copyright building is conditioned of finding of some degree of originality in the work.”

65 Dussolier (2010). See also WIPO (2010), Annex paras. 4 and 22.

66 See, for instance, the regime of works made for hire, in the US.

67 Peukert (2016), para. 16 et seq.

68 Ibid.

69 WIPO (2010), para. 29.


A possible objection is the disparate (and consequently unfair) treatment of works depending on whether they are authored by an AI or by a human being: if a copyright protected work (authored by a human being) would be created by an AI instead, protection would not be available.70 But this argument is overcome if one bears in mind the rationales of copyright, for these two works are not the same when it comes to the reasons to protect them. Authorship is, indeed, a central element for protection, not only de facto but also in terms of justification for protection in the first place. The point here is that works created by AI are not original because requirements for protection are linked to human authorship; and non-original works are not protected by copyright.

It is also worth noting that broadly stating that AI creations are in the public domain is not enough, since there are works that have human and AI input. A preliminary consideration should thus be the level of involvement of humans. This can be hard to assess, and it is doubtful whether the substantiality test used in copyright – i.e., assessing whether the original input (from a human being) is substantial enough to deserve copyright protection – will provide a straightforward answer at all times. Moreover, assessing whether a creation by an AI and a human being is original for purposes of copyright protection will entail tracing the human contribution (if at all possible), and evaluating whether such contribution is enough to merit copyright protection. This will inevitably mean that the connection between the work and the human author will have to be judged. However, not all jurisdictions follow this practice, i.e., not all courts look at the work and trace back the process of creation to its origin; in some jurisdictions, courts tend to focus on the work and not on who created it for purposes of assessing originality.71 Different court practices, grouped with the fact that some works merge indistinctly human and machine contributions, may prove to be a hurdle.

With regard to AI creations that are deemed to be (fully or partially) part of the public domain, a further distinction needs to be drawn. “Public domain” does not mean that free access is ensured; free access and free use are not interchangeable notions.72 A distinction must be made here between creation and dissemination. The creator of the work – the AI – does not need an incentive to create, nor does it make sense to protect works as an extension of its (non-existing) personality, or to award it a reward for its (non-existing) effort to create. It is however possible that someone who disseminates AI creations (thus bringing them to the public) needs to be incentivized or rewarded for doing so, much like the publishers of e.g. books in the public domain expect users to pay for copies of the book. In other words, the public domain status of AI creations does not mean that every contribution relating to such creations should go unremunerated – either through copyright or related rights –, but that is a different question from authorship (and rights derived from authorship alone).

70 Argument adduced by e.g. McCutcheon (2013).

71 See for example van Gompel (2014) at 128, referring to the Netherlands.

72 Dussolier (2010), 7-9.

This is where a neighbouring right could come into play. A similar regime to the publisher’s right in the publication of previously unpublished works, prescribed by the EU Term of Protection Directive, could be a solution. Article 4 of the Term Directive gives publishers a 25-year protection equivalent to the economic rights of the author for the first lawful publication or communication of a previously unpublished work after the expiry of copyright protection. The sentence “after the expiry of copyright protection” does not mean that the work must have been protected by copyright some time in the past; a couple of Member States, such as Spain, have explicitly extended the right to works that were never protected by copyright.73 This right is exactly intended to stimulate publication of works.74 Likewise, a “disseminator’s right” – a neighbouring right limited in scope so as to not endanger the public domain nature of AI creations – could protect the investment of disseminators of those creations.

5. CONCLUSION

It is uncertain how AIs will technically evolve, and how law- and policy-makers will react to increasingly autonomous machines.

In the field of copyright, we should take this uncertainty as an opportunity to rethink rationales for privatisation in general, and where to place AI creations in that equation specifically. Justifications for granting copyright protection do not fit AI creations, and privatisation through the grant of (exclusive) rights should not be readily chosen without further thought.

Rather, legislators should consider a public domain model for AI creations. Indeed, that stems from the fact that the public domain is the natural alternative path to privatisation. But more than that, placing AI creations in the public domain allows for creation of new knowledge and easier access to information, to name only a few advantages. The attribution of AI creations to the public domain should be coupled with the establishment of a “disseminator’s right” as a tool to ensure that AI creations reach the public. The design of such right should however not endanger the public domain nature of AI creations, and should therefore be limited in scope.

73 Angelopoulos (2012), 592.

74 Bradshaw (1995), 174.


This solution is not without flaws, and may prove complex in cases where the creation merges human and AI input, especially for jurisdictions where courts are not in the habit of tracing works back to their authors. Moreover, jurisdictions that have the regime of computer-generated works may be resistant to the idea of a public domain model grouped with a disseminator’s right, and choose instead to extend the regime of computer-generated works to every type of AI creations. However, the eventual obstacles should not distract from the consideration of privatisation versus public domain rationales; and from the fact that, independently of the specific regime of privatisation, the latter seems to stand on a thin basis in the realm of AI creations.

6. BIBLIOGRAPHY

Angelopoulos, C. (2012). The Myth of European Term Harmonisation – 27 Public Domains for 27 Member States. IIC, 43(5), 567.

Bently, L. & Sherman, B. (2009). Intellectual Property Law (3rd ed). Oxford: OUP.

Bradshaw, D. (1995). The EC Copyright Duration Directive: Its Main Highlights and some of its ramifications for businesses in the UK entertainment industry. ELR, 6(5), 171.

Bridy, A. (2012). Coding creativity: Copyright and the Artificially Intelligent Author. Stan. Tech. L. Rev., 5, 1-28.

Bridy, A. (2016). The evolution of authorship: works made by code. CJLA, 39(3), 395.

Clifford, R. (1996-1997). Intellectual Property in the Era of the Creative Computer Program: Will the True Creator Please Stand Up?. Tulane Law Review, 71, 1675.

Dartnall, T. (1994). Introduction: on having a mind of your own. In T. Dartnall (ed.), Artificial Intelligence and Creativity (pp. 29-42). Dordrecht: Springer.

Derclaye, E. (2008). The Legal Protection of Databases. A Comparative Analysis. Cheltenham: Edward Elgar.

Dreier, T. (1991). The Council Directive of 14 May 1991 on the Legal Protection of Computer Programs. EIPR, 13(9), 319.

Dussolier, S. (2010). Scoping Study on Copyright and Related Rights and the Public Domain. Retrieved March 16th, 2017 from http://www.wipo.int/edocs/mdocs/mdocs/en/cdip_7/cdip_7_inf_2.pdf

Fisher, W. (2001). Theories of Intellectual Property. Retrieved March 16th, 2017 from http://www.law.harvard.edu/faculty/tfisher/iptheory.html

Ginsburg, J.C. (2002-2003). The concept of authorship in comparative copyright law. DePaul Law Review, 52, 1063.

Grimmelmann, J. (2015-2016). There’s no such thing as a computer-authored work – and it’s a good thing, too. CJLA, 39(3), 403.

Hughes, J. (1988). The Philosophy of Intellectual Property. Georgetown Law Journal, 77, 287.

Quaedvlieg, A. (2012). Authorship and Ownership: Authors, Entrepreneurs and Rights. In T.E. Synodinou (ed.), Codification of European Copyright Law. Challenges and Perspectives (pp. 197-239). Alphen aan den Rijn: Kluwer Law International.

Lacey, L.J. (1989). Of Bread and Roses and Copyrights. Duke Law Journal, 6, 1532.

McCutcheon, J. (2013). The vanishing author in computer-generated works: a critical analysis of recent Australian case law. MelbULawRw, 36(3), 915.

McCutcheon, J. (2013a). Curing the Authorless Void: Protecting Computer-Generated Works following IceTV and Phone Directories. MelbULawRw, 37(1), 46.

Moss, R. (2015). Creative AI: The Robots that Would be Painters. Retrieved March 16th, 2017 from http://newatlas.com/creative-ai-algorithmic-art-painting-fool-aaron/36106/

Peukert, A. (2016). A Doctrine of the Public Domain. Retrieved March 16th, 2017 from https://papers.ssrn.com/sol3/papers2.cfm?abstract_id=2713757

Ramalho, A. (2016). The competence of the European Union in Copyright Lawmaking. A Normative Perspective of EU Powers for Copyright Harmonization. Cham: Springer.

Ricketson, S. (2012). The need for human authorship – Australian developments: Telstra Corp Ltd v Phone Directories Co Pty Ltd. EIPR, 34(1), 54.

Samuelson, P. (1985). Allocating Ownership Rights in Computer Generated Works. U. Pitt. L. Rev., 47, 1185.

Torremans, P. (2008). Holyoak & Torremans Intellectual Property Law (5th ed). Oxford: OUP.

U.S. Copyright Office (2014). Compendium of U.S. Copyright Office Practices. Retrieved March 13th, 2017 from https://www.copyright.gov/comp3/comp-index.html

Van Eechoud, M. et al. (2009). Harmonizing European Copyright Law. The Challenges of Better Lawmaking. Alphen aan den Rijn: Kluwer Law International.

Van Gompel, S. (2014). Creativity, Autonomy and Personal Touch. In M. van Eechoud (ed.), The Work of Authorship (pp. 95-143). Amsterdam: Amsterdam University Press.

WIPO Intergovernmental Committee on Intellectual Property and Genetic Resources, Traditional Knowledge and Folklore (2010). Note on the Meanings of the Term ‘Public Domain’ in the Intellectual Property System with Special Reference to the Protection of Traditional Knowledge and Traditional Cultural Expressions/Expressions of Folklore. Retrieved March 16th, 2017 from http://www.wipo.int/edocs/mdocs/tk/en/wipo_grtkf_ic_17/wipo_grtkf_ic_17_inf_8.pdf

Yen, A.C. (1990). Restoring the Natural Law: Copyright as Labor and Possession. Ohio State Law Journal, 51, 517.

4. POLICING TRADEMARK INFRINGEMENT ON ONLINE SELLING PLATFORMS - AN ACCOUNT OF TENSIONS BETWEEN ISP LIABILITY, TRADEMARK PROTECTION AND COMPETITION LAW IN THE EU

Maria José Schmidt-Kessen

PhD Candidate

European University Institute, Law Department

ABSTRACT: In the past decade, the argument that has shaped the law of online intermediary liability is that intermediaries should not incur liability for IP infringements (including trademark infringements) committed by third parties on their platforms. For economic efficiency reasons, the burden of policing platforms for IP infringements should solely be placed on IP owners. While this contribution generally agrees with this position, it points out that competition law, as applied by several competition authorities in the EU, might place obstacles to trademark owners trying to implement a distribution policy that they believe best to protect them from trade in counterfeit goods on online selling platforms. National competition authorities have targeted brand owners that implement selective distribution systems imposing online selling platform bans on their distributors. They have found these distribution agreements to be a form of restriction of competition contrary to Article 101 TFEU. The Court of Justice of the European Union (CJEU) will soon have the opportunity in pending Case C-230/16 Coty v Akzente to rule indirectly on whether this practice of the national competition authorities is in line with EU competition rules or is overly strict. When deciding this case, the Court should be aware of potential tensions with the regime for online intermediary liability it has established in relation to EU trademark law under the E-Commerce Directive.

KEYWORDS: EU trademark law, EU competition law, E-commerce Directive, online intermediary liability, pending Case C-230/16 Coty v Akzente.

1. INTRODUCTION

The biggest revolution for retail trade in the past two decades has been the discovery and establishment of the internet as a business tool. The internet has become such a common sales tool that a consumer goods manufacturer not present on the internet will lose outlet capacities, revenues and possibilities to do business at a distance.

Nonetheless, manufacturers of branded goods have observed the development of online sales with suspicion. Albeit having embraced the internet as selling tool for themselves, some goods manufacturers of high quality brands have imposed considerable restrictions on their retailers when it comes to using the internet as selling tool. These restrictions are often implemented in the framework of selective distribution systems.1

The fear of branded good manufacturers has been that retailers might damage their valuable trademarks’ reputation by offering protected goods in an inadequate online environment, for example without adequate customer service. Furthermore, the fear of an increase in trade in counterfeit goods over the internet has prompted them to restrict internet sales of their goods.

This contribution addresses the question of who should bear the policing burden for detecting and acting against trademark infringements in online retail. The first obvious actor on the internet that would be liable for bearing these costs would be the trademark owner herself. With the rise of the digital platform economy, however, EU law has opened the door for liability of a second type of actor in the context of online retail: online selling platforms (as, for example, eBay, Amazon, OLX or Craigslist).

In the past decade, the argument has been regularly made that online platform providers should not incur liability for IP infringements (including trademark infringements) committed by third parties on their platforms.2 For economic efficiency reasons, the burden of policing platforms for IP infringement should be placed on IP owners.3 While this contribution generally agrees with this position, it points out that competition law, as applied by several competition authorities in the EU, might obstruct trademark owners trying to implement a distribution policy that they believe to be best to protect them from trade in counterfeit goods on online selling platforms.

1 The EU Commission Guidelines on Vertical Restraints (2010/C 130/01) define selective distribution systems as agreements that restrict the number of authorized distributors on the one hand, and the possibilities of resale on the other. These agreements restrict sale to any non-authorized distributor, leaving only appointed dealers and final customers as possible buyers. It is almost always used to distribute branded final products. See Commission Guidelines on Vertical Restraints at paragraph 174.

2 See e.g. Rimmer (2011), Weckstrom (2012) in relation to trademark infringement on online selling platforms. See Lemley, M. and Dogan, S. (2007) for this argument in relation to use of trademarks as Google AdWords or search terms on online platforms. In relation to copyright infringement, Lemley and Reese manage to put this argument down in one phrase: “The key policy point is that going after makers of technology for the uses to which their technologies may be put threatens to stifle innovation”. See Lemley, M. and Reese, A. (2004), p. 1349.

3 This argument applies only in the case of online intermediaries that do not induce infringement, as in the famous US Supreme Court Grokster case (Grokster, 545 U.S. at 913). As long as a platform has a working notice-and-take-down system in place, it seems that there would be no inducement and thus no liability, e.g. Viacom Int’l, Inc. v. YouTube, Inc., 718 F. Supp. 2d 514, 523 (S.D.N.Y. 2010). See Dogan, S. (2011), p.2.


2. TRADEMARK PROTECTION AND ISP LIABILITY

2.1. Increase in counterfeit trade as a challenge to trademark protection

Trade in counterfeit goods, or “fakes”, refers to trade in goods which infringe IP rights. In the case of trademarks, counterfeit goods usually have the sign of well-known trademarks attached to them, without having been produced by the trademark owner or under authorization of the trademark owner. The suppliers of counterfeit goods benefit from the reputation of the well-known trademark, without having incurred the investments in the form of research, development, marketing and advertisement incurred by the trademark owner. They therefore free-ride on the economic effort that a trademark owner has undertaken in order to build up brand value.

In April 2016, the European Intellectual Property Office (EUIPO) and the OECD jointly published a report that estimated the worth of global trade in counterfeit goods to be US $ 461 billion (€ 338 billion), amounting to 2.5% of total global trade.4 Furthermore, the report estimated that imports of counterfeit goods into the EU were worth € 85 billion, making up 5% of all goods imported into the EU.5

There appears to be an increase in trade in counterfeit goods.6 The report mentions four factors that provided a favorable trade environment for the trade in counterfeit goods: (i) the growing importance of IP rights, in particular trademarks, (ii) the post-crisis revival of trade, (iii) the globalization of value chains, and (iv) the rapid development of global e-commerce.7 Two of the factors mentioned in the OECD/EUIPO report are of particular importance for discussing the allocation of policing costs in EU law for trademark infringements occurring on online selling platforms: the growing importance of IP rights, and the rapid development of global e-commerce.

Firstly, the report mentions that trademark rights play a key role in today’s global economy, as they “help customers and businesses to identify products that meet their expectations in terms of quality or price, thereby fostering trust between economic agents”.8 Consumers and firms benefit from trademarks as information tools. Trademarks allow consumers to choose efficiently between products that they expect to meet their quality standards and needs, and to repeat satisfactory purchases by associating their experience with a brand name. Firms benefit from trademarks as a signaling tool that reflects their investment in production standards, product development and marketing efforts.9 The estimated value of well-known trademarks can be immense. The Apple trademark, for example, is valued at US $ 118 billion.10 The trust that consumers place in well-known trademarks, and the high mark-ups that owners of well-known trademarks can charge for their goods, provide a strong incentive for counterfeiters to engage in trade in counterfeit goods, despite the risk of criminal prosecution if discovered.11

4 Based on data for 2013. See OECD/EUIPO (2016), p.11.
5 OECD/EUIPO (2016), p.11.
6 OECD/EUIPO (2016), p.11.
7 OECD/EUIPO (2016), p.25.
8 OECD/EUIPO (2016), p.27.

Secondly, the report mentions the rapid growth of e-commerce as a source of the increase in counterfeit trade.12 In the EU, total internet sales increased from 9% to 14% of turnover of non-financial enterprises between the years 2004 and 2010.13 Similarly, in the US e-commerce amounted to 7% of total retail sales in 2014.14

E-commerce provides great benefits to consumers and businesses. For consumers, e-commerce reduces, for example, search costs for goods and services. It also facilitates price comparison between different offers and therefore enhances competition. For businesses, e-commerce has lowered operating costs and enlarged their market reach. In this context, online selling platforms have had an enabling role for businesses to take advantage of e-commerce by providing services such as a ready-made online sales outlet and payment infrastructure. At the same time, e-commerce has not only facilitated legal trade, but it has also facilitated trade in counterfeit goods.15 The branded goods most often targeted by counterfeiters have been Rolex watches, Louis Vuitton bags, Ray Ban sunglasses, and Nike shoes.16

2.2. EU Trademark Law and the IP Enforcement Directive

In EU law, the first and most immediate legal regime that protects trademark owners against trade in counterfeit goods is EU trademark law. The EU Trademark Directive17 and the European Union Trademark Regulation18 both give trademark owners the right to prevent others from using any sign which is identical with their trademark for identical goods.19 Well-known trademarks receive an even higher degree of protection. Owners of well-known marks have the right to prevent others from using an identical or similar sign for non-similar goods where the use of the sign without due cause takes unfair advantage of, or is detrimental to, the distinctive character or the repute of the trademark.20 These rights essentially award trademark owners complete legal protection against counterfeiters.21

9 OECD/EUIPO (2016), p.27.
10 OECD/EUIPO (2016), p.30.
11 The OECD/EUIPO report mentions, however, that the rise of e-commerce helps counterfeiters evade criminal prosecution: “In addition, counterfeiters are able to function across multiple jurisdictions, evading capture, and are also able to take down and set up new websites overnight without losing their customer base”. OECD/EUIPO (2016), p.35.
12 OECD/EUIPO (2016), p.34.
13 OECD/EUIPO (2016), p.34.
14 OECD/EUIPO (2016), p.34.
15 OECD/EUIPO (2016), p.35.
16 OECD/EUIPO (2016), pp.53-54.

In addition to the two principal EU trademark law instruments, the IP Enforcement Directive,22 which also applies to trademarks, obliges EU Member States to offer trademark owners the possibility to have infringing goods recalled and definitively removed from channels of commerce, and ultimately destroyed.23 Furthermore, IP owners should be able to obtain an injunction against an infringer of their IP rights prohibiting the continuation of the infringement, including against intermediaries whose services are used by a third party to infringe an intellectual property right.24

The IP Enforcement Directive does not govern, however, whether online selling platforms qualify as intermediaries that trademark owners can sue for third parties using them to sell counterfeit goods. Since online platforms qualify as information society service providers (ISSP) under the E-commerce Directive,25 their potential liability for trademark infringement is to be determined under the regime of the E-commerce Directive.26

17 Directive 2015/2436 to approximate the laws of the Member States relating to trade marks. The Directive harmonizes national trademark laws.

18 Regulation 207/2009 on the European Union Trademark (“EUTMR”). The first EU Trademark Regulation 40/94 for the first time created an EU-wide trademark right. The EU Trademark Directive and EUTMR form a parallel system of trademark protection. Their substantive provisions are mostly identical and the CJEU interprets both regimes identically.

19 Article 9 (1) (a) EUTMR, Article 10 (2) (a) EU Trademark Directive.
20 Article 9 (1) (c) EUTMR, Article 10 (2) (c) EU Trademark Directive.
21 Weckstrom, K. (2012), p. 23.
22 Directive 2004/48/EC on the enforcement of intellectual property rights.
23 Article 10 (1) IP Enforcement Directive.
24 Article 11 IP Enforcement Directive.
25 This was first established for Google’s AdWords service in Joined Cases C-236/08 to C-238/08, Google France [2010], and later for online market places such as eBay in C-324/09, L’Oréal v eBay [2011].

26 Article 2 (3) (a) of the IP Enforcement Directive gives precedence to Articles 12-15 of the E-Commerce Directive, which contain the rules that limit the liability of intermediary service providers.


2.3. Online intermediary liability for trademark infringement – the CJEU’s interpretation of the E-commerce Directive

Protection against counterfeiters through trademark law and the guarantee of judicial remedies can be insufficient when it is difficult and costly to trace and sue sellers of counterfeit products. The luxury jewelry producer Tiffany, for example, submitted in US court proceedings that it had to employ two full-time employees to monitor eBay auction sites for counterfeit Tiffany merchandise. They had eBay remove 19,000 auctions in the years 2003 and 2004. Furthermore, out of 186 pieces of alleged Tiffany silver jewelry purchased by Tiffany employees on eBay in 2004, 73% turned out to be fakes.27 Luxury goods producers are currently raising similar problems with large-scale sales of counterfeit goods on the Chinese online selling platform Alibaba.28

Luxury brand owners have therefore resorted to an additional legal mechanism to protect themselves against trade in counterfeit goods in online retail: they have asked courts to impose liability on online selling platforms for trademark infringements committed by third party sellers using their services. Such liability would give online selling platforms an incentive to implement screening and filtering technologies to detect infringers and block their activities on the platform.

In the EU, the E-commerce Directive governs the liability of so-called ISSPs, including online selling platforms. The Directive limits liability so that neutral ISSPs that only provide the infrastructure for exchanges of information over the internet do not face disproportionate burdens of monitoring traffic for illegal content.29 Articles 12 to 14 of the Directive provide safe harbors for services consisting of mere conduit, caching and hosting. Article 15 prohibits Member States from imposing general obligations on ISSPs to monitor the information which they transmit or store, or to actively seek facts or circumstances indicating illegal activity. These legal provisions embody the argument that intermediaries should not incur liability for IP infringements committed by third parties on their platforms.

27 Tiffany & Co, ‘Complaint’, Submission in Tiffany & Co v eBay Inc, No 04 Civ 4607 (NRB), 2004 WL 2237672 (SD NY), 14 July 2004.

28 New York Times (2016). Alibaba Faces Growing Pressure Over Counterfeit Goods. New York Times, December 22, 2016. The large-scale sale in counterfeit goods on Alibaba is also inhibiting its entry into the US market.

29 The EU Commission’s First Report on the application of the E-commerce Directive justifies the limitations of liability for ISSPs because “general monitoring of millions of sites and web pages would, in practical terms, be impossible and would result in disproportionate burdens on intermediaries and higher costs of access to basic services for users”. See EU Commission (2003). First Report on the application of Directive 2000/31/EC, COM(2003) 702 final, p.15.


Whether, according to these provisions of the E-commerce Directive, online selling platforms could be exempted from liability for trademark infringements committed by third parties using their services was at stake in the case of L’Oréal v eBay before the CJEU.30 The Court held that online selling platforms could in principle benefit from the limitation of liability under Article 14 of the E-commerce Directive in so far as they merely stored information about offers provided by third party sellers on their platform.31 This would be different as soon as the platform operator played an active role, for example by providing assistance which entailed optimizing the presentation of the offers for sale in question or promoting those offers.32 In this case, the platform operator would have knowledge of or control over the data in the offers in question, and could therefore not benefit from the exemption in Article 14.

Interestingly, the Court held, furthermore, that even a platform operator that did not play an active role could under certain circumstances face liability. If the platform operator was aware of facts or circumstances on the basis of which “a diligent economic operator should have realized that the offers for sale in question were unlawful and, in the event of it being so aware, failed to act expeditiously”33 to remove the unlawful offers, no exemption under Article 14 would be available. The Court thus interpreted strictly the requirement of passivity and neutrality that an ISSP must meet to benefit from the safe harbor under Article 14.34 Assisting in optimizing the presentation of offers could already be enough to imply knowledge, and thus trigger liability. Only a pure storage service could probably be fully sure of being covered by the safe harbor of Article 14.35

Additionally, the Court held that Member States could impose injunctions on online selling platform operators in the form of measures which contributed not only to bringing to an end trademark infringements by third party sellers, but also to preventing further infringements. Those injunctions would have to be effective, proportionate and dissuasive, and must not create barriers to legitimate trade. In this form, they would not amount to a general monitoring obligation as prohibited under Article 15 of the E-commerce Directive.36 It appears that once an infringement has come to the attention of the platform operator, it could be ordered to take precautionary measures to avoid future infringements of the same kind.

30 C-324/09, L’Oréal v eBay [2011].
31 C-324/09, L’Oréal v eBay [2011] at 115.
32 C-324/09, L’Oréal v eBay [2011] at 116.
33 C-324/09, L’Oréal v eBay [2011] at 119-120.
34 Kur, A. (2014), p.527.
35 This has been the path taken by French courts, see Kur, A. (2014), p.527.
36 C-324/09, L’Oréal v eBay [2011] at 139-141.


The CJEU’s judgment in L’Oréal v eBay was considered a triumph for brand owners because it would allow them to shift some of their trademark infringement policing burden to online selling platforms. It was, in other words, “a strong decision in favor of brand owners, as it places a much higher burden on online marketplace operators to police the content of their users’ postings”.37

The EU judgment in L’Oréal v eBay stands in contrast to the Tiffany & Co v eBay Inc.38 case decided in the US. In this case, the US Court of Appeals for the Second Circuit held that eBay could not be held liable for trademark-infringing goods sold by third parties on its platform under the doctrines of contributory trademark infringement or dilution. General knowledge of the fact that unlawful offerings were posted on eBay’s platform was insufficient to trigger liability.39 In response to Tiffany’s argument that eBay would willingly turn a blind eye to trademark infringements committed by third party sellers in order to avoid any knowledge, and thus liability, the Court found that free market forces would address this concern. The Court held that

“private market forces give eBay and those operating similar businesses a strong incentive to minimize the counterfeit goods sold on their websites. eBay received many complaints from users claiming to have been duped into buying counterfeit Tiffany products sold on eBay. The risk of alienating these users gives eBay a reason to identify and remove counterfeit listings. Indeed, it has spent millions of dollars in that effort.”40

The Court of Appeals for the Second Circuit thus constructed a test for contributory trademark infringement which made a finding of liability of intermediaries difficult for plaintiffs. It held that eBay lacked sufficient knowledge to establish liability.41 This stands in stark contrast to the CJEU’s approach under the E-Commerce Directive, which provided a narrow definition of the safe harbor under Article 14. Knowledge of infringing acts could be implied more readily under the L’Oréal v eBay test. As a result, eBay, and any other online selling platform, are subject to different standards of intermediary liability in the US and the EU.

37 Smith, J. and Silver, J. (2011), p. 767. National courts of EU Member States have arguably favored brand owners even more, see for example SA Louis Vuitton Malletier v eBay, Tribunal de Commerce de Paris, Première Chambre B, Case No. 200677799 (30 June 2008), confirmed by the Paris Court of Appeal in 2010. In this case, eBay was held liable for the sale of counterfeit Louis Vuitton and Christian Dior goods, as well as counterfeits of luxury perfume brands, as in violation of the luxury goods producers’ selective distribution systems.
38 Tiffany & Co v eBay Inc., 600 F 3d 93, 107 (2d Cir NY, 2010).
39 Tiffany & Co v eBay Inc., 600 F 3d 93, 107 (2d Cir NY, 2010) at 109.
40 Tiffany & Co v eBay Inc., 600 F 3d 93, 107 (2d Cir NY, 2010) at 109.
41 The Court did so by applying the knowledge requirement established in the US Supreme Court case Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417 (1984). See Tiffany & Co v eBay Inc., 600 F 3d 93, 107 (2d Cir NY, 2010) at 108.

Several commentators have applauded the US judgment in Tiffany & Co. v eBay Inc., while criticizing the CJEU’s judgment in L’Oréal v eBay.42 The reason for favoring an exemption of online platforms from liability for trademark infringements committed by third parties using the platform’s services, as endorsed by the US Court of Appeals for the Second Circuit, is based on economic efficiency considerations.

2.4. Economic inefficiency of the online intermediary liability regime as interpreted by the CJEU

The imposition of liability on online intermediaries such as online selling platforms has often been criticized as an inefficient mechanism to deal with the risks of trademark infringement by third parties offering counterfeit goods or other types of trademark-infringing goods on platforms. The main reason for this inefficiency is that it would lead to intermediaries over-policing offers of trademarked goods, thereby also inhibiting legitimate sales of branded goods. The cost of having to police the platform for trademark infringements under the shadow of facing suits by trademark owners would be passed on to the users, buyers as well as sellers, of the online platform. This would lead to overall higher prices for using online selling platforms and burden legitimate trade.43 The Electronic Frontier Foundation, Public Citizen and Public Knowledge dramatically put the final result of imposing liability on online intermediaries for trademark infringement in their amicus brief in Tiffany & Co. v eBay Inc.: it would “drastically imped[e] the continuing growth of the Internet as a vibrant forum for commerce and speech”.44 Intermediary liability thus risks depriving consumers of the benefits of collaborative consumption.45 Furthermore, as the Tiffany & Co. v eBay Inc. Court noticed, online intermediaries should have sufficient incentives to provide protection mechanisms to reduce trade in infringing goods on their platforms.46

As long as online selling platforms provide a notice-and-take-down system, efficiency considerations would militate towards imposing the entire trademark infringement policing burden in online trade on trademark owners.47 According to Weckstrom, “the property owner who suffers direct harm is in the best position to evaluate putting a proportionate amount of resources towards the harm it suffers, and is best suited to bear the ultimate risk of non-enforcement of the property right”.48 She suggests that trademark owners should pool their resources, similarly to copyright owners using collecting societies to enforce their rights.49 Furthermore, trademark owners should collaborate with intermediaries and find together the best possible monitoring mechanisms for trademark infringements on online selling platforms.50 All this should occur in the framework of a private effort, without undue threats of liability suits for intermediaries, to lead to an efficient result.

42 Rimmer (2011), Weckstrom (2012).
43 Rimmer (2011), p. 13-14.
44 Electronic Frontier Foundation (2008), p. 1.
45 Rimmer (2011), p. 33.
46 See also Dogan (2011), p.9.

The vision of trademark owners pooling their resources, however, has not quite materialized. Owners of valuable brands have instead proceeded to set up selective distribution systems with online platform selling bans. These selective distribution agreements contain clauses in which the producers of branded goods forbid their retailers to sell their goods on online platforms such as eBay or Amazon. This reduces the trademark owner’s burden of policing online platforms to such an extent that whenever an offer bearing their trademark appears on an online platform, they know that it cannot have been placed there by an authorized dealer (due to the online selling platform ban imposed in their selective distribution contracts). Consequently, offers must come either from non-authorized sellers that could be sued under contract or trademark law, or from legitimate second-hand dealers. Online selling platform bans might therefore enable trademark owners to spot trademark infringers more easily.

From an economic efficiency perspective, the self-help system implemented by trademark owners in the form of selective distribution systems that contain online platform selling bans should be preferred over imposing liability for trademark infringement on ISPs for the reasons mentioned above. The cost for each single trademark owner of monitoring trademark infringement on online platforms with the help of a selective distribution system including an online selling platform ban would probably be lower than the cost for a platform operator to actively monitor for trademark infringements for all possible trademarks.51

47 Weckstrom bases this consideration on the Coase theorem and the resulting normative recommendation that liability should be imposed on the cheapest cost avoider. See Weckstrom (2012), p.39, 45.

48 Weckstrom (2012), p.47.
49 Weckstrom (2012), p.47.
50 Weckstrom (2012), p.48.
51 This is a hypothesis in Weckstrom (2012) which would require empirical testing.


The problem is, however, that selective distribution agreements attract scrutiny of competition authorities. In the EU, in particular, national competition authorities have treated online selling restraints in selective distribution agreements as restrictions of competition contrary to Article 101 of the Treaty on the Functioning of the European Union (TFEU) or its equivalent provisions in national law.

3. EU COMPETITION LAW AS AN OBSTACLE TO AN EFFICIENT TRADEMARK PROTECTION SYSTEM IN ONLINE RETAIL?

Before discussing the decisions of national competition authorities and courts in relation to online selling platform bans in selective distribution systems, it is worth looking at how competition authorities and the CJEU have so far dealt with complete internet selling bans. Whereas online selling platform bans only prohibit the use of online selling platforms, some luxury goods manufacturers have attempted to implement a total ban on using the internet as a sales tool in their selective distribution agreements. They therefore prohibited the use of the internet as a selling tool as such. The assessment of total internet selling bans under competition law is discussed first, as it served as a basis for the subsequent competition law treatment of online selling platform bans.

3.1. Internet selling bans and the CJEU judgment in Pierre Fabre

Pierre Fabre52 was the first case in which the CJEU had to determine the scope of permissible internet selling restraints in selective distribution systems under Article 101 (1) TFEU.53 The case concerned a decision by the French competition authority against the cosmetics manufacturer Pierre Fabre (PF) for prohibiting its retailers from selling the products of PF brands via the internet. By its general conditions of distribution, PF required the members of its selective distribution system to sell its products at a specific physical outlet, in the presence of a person with a degree in pharmacy. The ban on internet sales of PF’s branded goods was therefore not explicit, but the contractual conditions for distributors made internet sales de facto impossible, due to the compulsory presence of a pharmacist.

52 Case C-439/09, Pierre Fabre Dermo-Cosmétique SAS v Président de l’Autorité de la Concurrence (‘Pierre Fabre’) [2011].

53 The Court also tested whether a selective distribution system, holding a market share below 30 %, which imposed a total ban on internet sales on its distributors could benefit from an exemption under the Commission Regulation on the application of Article 101(3) TFEU to categories of vertical agreements and concerted practices. The Court denied the possibility of an exemption.


The decision against Pierre Fabre had been part of a series of decisions issued by the French Authority against manufacturers that prohibited, within their selective distribution systems, the sale of their products via the internet. The decisions had mostly targeted undertakings which were manufacturers of consumer goods sold under expensive brands, such as cosmetics and personal care products in the case of Pierre Fabre (PF), watches (inter alia Festina) and consumer electronics (inter alia Bang & Olufsen).54 It appears that the main concern of the French competition authority was not a structural competition problem in these markets. In fact, despite the selective distribution systems and restrictions on internet sales some manufacturers had in place, there was lively inter-brand competition, both at manufacturing level and at distribution level.55 Additionally, there was an overall trend towards opening up internet sales channels for distribution.56

The motivation of the French Competition Authority to act was therefore hardly grounded in typical antitrust concerns, such as the foreclosure of the market or any other source of stifled competition. The Authority appeared to be driven rather by an industrial policy choice of promoting the internet as a medium for distribution and furthering e-commerce in general.57 This policy choice was inherent in the argumentation of the Authority, which expressed concerns about the restriction of the commercial freedom of PF’s distributors, because PF deprived them of the use of the internet as an important selling tool or marketing strategy.58 Furthermore, the Authority justified its action by referring to PF’s selective distribution system as depriving consumers of the possibility to purchase PF goods online.59 The Authority was therefore concerned with opening up the possibility for French consumers to acquire any product they desire via the internet (after all, consumers could have switched to substitute products sold over the internet by PF’s competitors). When PF appealed against the decision of the French Competition Authority, the French court in charge referred a preliminary question to the CJEU.

54 Decision No. 06-D-24 of 24 July 2006 on the distribution of watches marketed by Festina; Decision No. 12-D-23 of 12 December 2012 on the practices implemented by Bang & Olufsen in the sector of selective distribution of hi-fi and home-cinema equipment (short summary in English of the decision: http://www.lexology.com/library/detail.aspx?g=350ba01d-c5ea-4de6-a404-4a37b9731cd1 [last visited 6 May 2017]).

55 Opinion of AG Mazák in case C-439/09, Pierre Fabre, para. 6.
56 Ibid.
57 Monti, G. (2013).
58 Opinion of AG Mazák, para. 8.
59 Opinion of AG Mazák, para. 8.


The CJEU departed in its analysis under Article 101 (1) TFEU from the premise that, absent objective justifications, selective distribution systems were to be considered prohibited restrictions of competition by object.60 The test for identifying an objective justification included three steps61: (i) the conditions had to be applied to all sellers in the selective distribution system in a non-discriminatory way, (ii) the restriction resulting from the conditions had to serve a legitimate aim, and (iii) it had to be proportionate vis-à-vis that aim. PF submitted two justifications for the conditions of its selective distribution system. On the one hand, the presence of a pharmacist ensured adequate individual advice to allow the customer to make the right choice of product according to his skin or hair condition.62 On the other hand, the ban on internet sales was an appropriate means to reduce the risk of counterfeiting and of free-riding,63 as well as to maintain the prestigious image of the PF brands.64 The Court rejected all justifications brought forward by Pierre Fabre as either not proportionate or not serving a legitimate aim, and found that the contractual clauses imposing an absolute internet selling ban on retailers were contrary to Article 101 (1) TFEU.65

60 Case C-439/09, Pierre Fabre at 39.
61 Case C-439/09, Pierre Fabre at 40-43. The Court relied on similar tests applied earlier in selective distribution cases (e.g. Case 107/82 AEG-Telefunken v Commission [1983] at 33 and Case 26/76 Metro I [1977] at 20). The point of departure in these cases was the premise that selective distribution systems could actually enhance competition, provided that distributors were selected on the basis of objective criteria of a qualitative nature, applied in a non-discriminatory fashion, and that the products required such a distribution method (Metro I at 20-21 and Case 31/80 L’Oréal at 16). In these previous cases the Court had essentially inquired whether the restriction would lead to an increase in non-price competition without unduly limiting price competition. In Pierre Fabre the Court appeared to look for the objective justification not in an increase in non-price competition but rather in the compatibility of the restrictions with the free movement of goods, as evidenced by its reference to free movement case law at paragraph 44 of the judgment.

62 Case C-439/09, Pierre Fabre at 17.63 Case C-439/09, Pierre Fabre at 23.64 Case C-439/09, Pierre Fabre at 45.65 Case C-439/09, Pierre Fabre at 46. The Court also rejected a possible exemption under the

Vertical Block Exemption Regulation and held that Pierre Fabre’s internet selling ban constituted a hardcore restriction under Article 4 (c) of the Regulation.


3.2. National Competition Authorities’ and courts’ assessment of online selling restraints

The CJEU made clear in Pierre Fabre that an outright ban on selling over the internet in a selective distribution system would be caught and prohibited by EU competition rules. The judgment left open, however, whether milder restrictions of online selling, such as online selling platform bans, would be acceptable from an EU competition law perspective.

National competition authorities and courts seem to have taken Pierre Fabre as a reason to also find milder restrictions on retailers’ online selling possibilities to be contrary to competition law. The German competition authority, for example, publicly endorsed this approach, arguing that restrictions in selective distribution systems with platform bans robbed consumers and small sellers of the efficiencies that online platforms provide in terms of, for example, price transparency and reliance on the payment systems offered by platforms.66

Consequently, the German competition authority initiated proceedings against Adidas and ASICS for implementing online selling platform bans in their selective distribution systems.67 Similarly, a German Higher Regional Court held that a school bag producer implementing an online selling platform ban in its selective distribution system had violated competition law. It could therefore not enforce the selective distribution agreement against one of its retailers that had sold school bags on eBay.68

Another German Higher Regional Court, however, has signalled some doubts about whether online selling platform bans should be considered to be contrary to competition law, or whether they could actually be legitimate taking into consideration the interests of trademark owners.69 The proceedings before this Court have led to a preliminary reference to the CJEU, which will be discussed below under Section 4.

66 Bundeskartellamt (2013). See also Ezrachi (2016), p. 4 and EU Commission (2016), at 9. The EU Commission appears to generally disagree with finding online selling platform bans in selective distribution systems to be contrary to EU competition law. See EU Commission (2016), at 472.

67 Bundeskartellamt decision in case B2-98/11 of 26 August 2015 (“ASICS”), see http://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2014/28_04_2014_Asics.html, Adidas (case summary, B3-137/12, 19 August 2014).

68 KG Berlin, judgment of 19 September 2013 - 2 U 8-09 (Kart), WRP 2013, 1517 - Schulranzen und - rucksäcke.

69 OLG Frankfurt, judgment of 22 December 2015 – 11 U 84/14 (Kart), GRUR RR 2016, 372 – Funktionsrucksäcke, and OLG Frankfurt, preliminary reference to CJEU of 19 April 2016 – 11 U 96/14 (Kart), GRUR Int 2016, 853 - Depotkosmetik II.


3.3. Making the tension visible

The point to be taken from the discussion so far is one of a tension between what efficiency tells us about imposing liability on online intermediaries on the one hand, and competition law intervention when it comes to online selling platform bans in selective distribution systems on the other. While it appears to be efficient to place the burden of policing for trademark infringements on online selling platforms on trademark owners, EU competition law might interfere with the trademark owner’s freedom to choose online selling platform bans as a tool to monitor infringements.

There seems to be a paradox. Competition law, the paradigmatic field of law pursuing economic efficiency, actually appears to justify using an inefficient, second-best alternative in ensuring protection against counterfeit trade, namely by easing the requirements for imposing liability on online intermediaries. In other words, it is possible to set up a hypothesis by which the wisdom that efficiency requires trademark owners to police online platforms for trademark-infringing offers only applies if competition law gives trademark owners full freedom in designing their distribution agreements. This freedom would presumably include setting up selective distribution systems implementing online selling platform bans.

If competition law, however, prohibits certain online selling restrictions in selective distribution agreements, then imposing liability on online platform operators in specific circumstances might actually be necessary, also from an efficiency point of view. The L’Oréal v eBay judgment might thus be justified even from an efficiency perspective in a legal system that prohibits certain online selling restrictions in selective distribution systems under competition law.

This hypothesis could be supported by reference to the US legal system. In the US, the regime of ISP liability that makes it very difficult to impose policing duties on online selling platforms for trademark infringement by third parties (as established in Tiffany & Co v eBay Inc.) co-exists with an antitrust system that is very lax on vertical restraints.70 In this system, goods manufacturers generally have broad freedom to design their distribution systems.71 US law appears to not even have a specific term to treat selective distribution systems as a special type of contract subject to antitrust scrutiny.72 This is why in the US system, where trademark owners are entirely free from antitrust scrutiny when designing their distribution system (at least in terms of non-price parameters), placing the entire policing burden for trademark infringement on online platforms on trademark owners is warranted.

70 Selective distribution systems are a type of vertical restraint. In the US, even the most controversial form of vertical restraint, minimum resale price maintenance, is subject only to a rule of reason analysis. The US Supreme Court replaced the per-se illegality standard for resale price maintenance with a rule of reason assessment in Leegin Creative Leather Products, Inc v PSKS, Inc, 127 S. Ct. 2705 (2007).

71 See for example US Supreme Court Monsanto Co. v. Spray-Rite Svc. Corp. 465 U.S. 752 (1984) and US District Courts in Computer Place v. HP 607 F. Supp. 822 (1984), MD Products, Inc. v. Callaway Golf Sales Co., 459 F. Supp. 2d 434 (W.D.N.C. 2006). See also Steuer, R. (2015), 7-8.

4. AN OPPORTUNITY TO ADDRESS THE TENSION - CASE C-230/16 COTY V AKZENTE

In the EU, it appears that either National Competition Authorities got it wrong when it comes to sanctioning online selling platform bans, or the CJEU got the interpretation of the e-commerce Directive wrong in L’Oréal v eBay, when it comes to deciding whether trademark owners or ISSPs should bear liability for trademark infringements by third parties.

The preliminary reference by the Higher Regional Court of Frankfurt in Coty v Akzente73 now offers the chance to address this tension to a certain extent. The case concerns the selective distribution agreements of luxury cosmetics company Coty, which implement a clause that prohibits online sales over third party platforms. The referring court essentially seeks the opinion of the CJEU on whether brand image protection and the policing against counterfeits can be a valid justification under Article 101 (1) TFEU, which would ultimately legitimize an online selling platform ban under competition law.

If the CJEU answers the question of the referring court in the affirmative, and trademark owners are thus free to implement online selling platform bans in their selective distribution agreements, a reconsideration of the liability of ISSPs in the framework of the e-Commerce Directive would be required. The judgment of the CJEU in L’Oréal v eBay might then continue to be considered as creating inefficiencies in relation to the policing burden on ISSPs for trademark infringing products on their platforms.

If the Court answers the question in the negative, thus holding that online selling platform bans violate EU competition rules, then the interpretation of ISSP liability under the E-Commerce Directive might be correct, taking into account, however, that trademark owners are barred from implementing their chosen monitoring systems for detecting trade in counterfeit goods on online selling platforms. The first important step is to make this tension visible, and then let the CJEU decide this reference in light of the tension outlined in the present contribution.

72 Witt, A. (2016), 442.

73 Pending Case C-203/16 Coty v Akzente.


5. BIBLIOGRAPHY

Bundeskartellamt [German Federal Competition Authority] (2013). Hintergrundpapier „Vertikale Beschränkungen in der Internetökonomie“, 10 October 2013.

Dogan, S. (2011). “We Know it When we See it”: Intermediary Trademark Liability and the Internet. Stanford Technology Law Review, 7, 1-12.

Electronic Frontier Foundation et al. (2008). Amicus Brief in support of eBay from EFF, Public Citizen, and Public Knowledge. Retrieved March 20th, 2017 from https://www.eff.org/es/document/amicus-brief-support-ebay-eff-public-citizen-and-public-knowledge.

EU Commission (2003). First Report on the application of Directive 2000/31/EC, COM(2003) 702 final.

EU Commission (2016). Preliminary Report on the E-commerce Sector Inquiry of 15 September 2016, SWD(2016) 312.

Ezrachi, A. (2016). The Ripple Effects of Online Marketplace Bans. SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, November 12, 2016), https://papers.ssrn.com/abstract=2868347.

Kur, A. (2014). Secondary Liability for Trademark Infringement on the Internet: The Situation in Germany and Throughout the EU. Columbia Journal of Law and the Arts 37(4), 525-540.

Lemley, M. and Reese, A. (2004). Reducing Digital Copyright Infringement Without Restricting Innovation. Stanford Law Review, 56(6), 1345-1434.

Lemley, M. and Dogan, S. (2007). Grounding Trademark Law Through Trademark Use. Iowa Law Review 92, 1669-1701.

Monti, G. (2013). Restraints on Selective Distribution Agreements. World Competition 36 (4), 489–511.

New York Times (2016). Alibaba Faces Growing Pressure Over Counterfeit Goods. New York Times, December 22, 2016.

OECD/EUIPO (2016). Trade in Counterfeit and Pirated Goods: Mapping the Economic Impact, Paris: OECD Publishing.

Rimmer, M. (2011). ‘Breakfast at Tiffany’s’: eBay Inc. Trademark Law and Counterfeiting. Journal of Law, Information and Science, 21(1), 1-39.

Smith, J. and Silver, J. (2011). L’Oréal v eBay: a Warning to Online Marketplace Operators. Journal of Intellectual Property Law & Practice, 6 (11), 765-768.

Steuer, R. (2015). Online Price Restraints under U.S. Antitrust Law. CPI Antitrust Chronicle (1), 1-9.

Weckstrom, K. (2012). Liability for Trademark Infringement for Internet Service Providers. Marquette Intellectual Property Review, 16(1), 1-50.


Witt, A. (2016). Restrictions on the Use of Third-Party Platforms in Selective Distribution Agreements For Luxury Goods. European Competition Journal, 12(2-3), 435-461.


PRIVACIDAD Y PROTECCIÓN DE DATOS / PRIVACY & DATA PROTECTION


5

A SWISS CHEESE? AUTOMATED DECISION MAKING AND ALGORITHMIC TRANSPARENCY IN THE EU DATA PROTECTION LEGISLATION

Maja Brkan, Assistant Professor, Faculty of Law, Maastricht University, The Netherlands

ABSTRACT: The purpose of this paper is to analyse the rules of the General Data Protection Regulation and the Directive on Data Protection in Criminal Matters on automated decision making and to explore how to ensure transparency of such decisions, in particular those taken with the help of algorithms. The GDPR, in its Article 22, and the Directive, in its Article 11, take a negative stance towards automated individual decision-making, including profiling. At first impression, the right of the data subject not to be subjected to such automated decisions comes across as a forceful fortress, strongly protecting individuals and potentially even hampering the future development of AI in decision making. However, it can be argued that this position, containing numerous limitations and exceptions, looks like a Swiss cheese with giant holes in it. Moreover, in the case of automated decisions involving personal data of the data subject, the GDPR obliges the controller to provide the data subject with ‘meaningful information about the logic involved’ (Articles 13(2)(f) and 14(2)(g)). If we link this information to the rights of the data subject, we can see that the information about the logic involved needs to enable him/her to express his/her point of view and to contest the automated decision. While this requirement fits well within the broader framework of the GDPR’s quest for a high level of transparency, it also raises several queries, particularly in cases where the decision is taken with the help of algorithms: What exactly needs to be revealed to the data subject? How can an algorithm-based decision be explained? Apart from technical obstacles, we also face intellectual property obstacles and implementation obstacles to this ‘algorithmic transparency’. The paper seeks ways to overcome these obstacles in order to fulfil the transparency requirement of the GDPR.

KEYWORDS: automated decision making, profiling, algorithms, transparency, GDPR, Directive on Data Protection in Criminal Matters.

Paper selected to be published in issue number 26/2018 of the e-journal IDP - Internet, Law and Politics. Available at: http://idp.uoc.edu/.


6

PERSONAL DATA PROTECTION AS A NONFUNCTIONAL REQUIREMENT IN THE SMART CITY’S DEVELOPMENT

Lorenzo Dalla Corte, Tilburg University, TILT; TU Delft, Kenniscentrum Open Data

PhD candidate

Bastiaan van Loenen, TU Delft, Kenniscentrum Open Data

Associate professor

Colette Cuijpers, Tilburg University, TILT

Associate professor

ABSTRACT: “Smart city” is a fuzzy concept, evading a unitary characterisation. Its blurriness is highlighted by the broad array of definitions with which academic and corporate literature have attempted to delineate the notion. This paper derives from the elaboration of several definitions that have been given to the concept of smart city. It maintains that a smart city is, succinctly, the specific set of practices and design choices underlying the instrumentation and digitalisation of the urban environment. The ICT underlying the smart city is however inherently political, has regulatory capacity, and thus influences both urban governance and management practices, and the life and behaviour of individual city dwellers. Following the principle of Data Protection by Design, we thus argue for the conceptualisation of the right to personal data protection as a nonfunctional requirement to be applied to the design and development of smart cities. This paper aims at contributing to the delineation of the scope and definition of the notion of smart city and of its driving values. Its goal is to frame the concepts of privacy and data protection as naturally belonging to the smart city’s teleology, to the stack of values, goals, and goods that the smart city concept aims at achieving or safeguarding.

KEYWORDS: data protection, smart cities, GDPR, privacy, urbanism.

1. INTRODUCTION

Over the past decades, a new concept has taken the global narrative on contemporary urbanities by storm: the “smart city”, expression of a paradigm change deriving from the intertwinement between modern ICTs (Information and Communication Technologies) and the city. The concept of smart city refers to the deployment of ICT within the urban environment, and to its social and technological consequences. It indicates the instrumentation and digitalisation of cities, the synergy between code and space1 within modern-day conurbations, big data deriving from and applied to every dimension of urban living, management, and governance. Urbanities face an increasing number of challenges of a social, economic, and environmental nature: instrumenting the city with ICT and data analytics solutions –making cities “smart”– can provide the necessary answers.

The smart city is conceptually linked to a multiplicity of other topoi that are core to contemporary discourses about the role of ICT in society. There is, however, not a univocally accepted characterisation, and the boundaries of the notion appear to be fuzzy at best2. The smart city can be framed considering the relationship between code and architecture, their confluence within the built environment, and their capacity as regulatory actors. It can be linked to big data collection and analytics, and hence to algorithmic transparency and governance; to data-driven urbanism3, and to evidence-based policymaking. Indeed, the defining traits of the concept of smart city are overly blurry.

Ultimately, however, the smart city is all about data. The instrumentation of the built environment is symptomatic of a bigger trend where, as summarised by Shoshana Zuboff’s three laws4, everything that can be automated will be automated, everything that can be “informated” will be “informated”, and –in the absence of countervailing restrictions and sanctions– every digital application that can be used for surveillance and control will be used for surveillance and control, regardless of its originating function. Considering their scale and role, smart cities are a prime example of the promises and the perils of the rampant “datafication” of society.

The purpose of this paper is to unfold the concept of smart city, highlighting the social consequences underlying the instrumentation of the built environment, and arguing for the conceptualisation of the right to personal data protection as a nonfunctional5 requirement to be applied to its development. After this introduction, we delve into the notion of smart city, highlighting its defining traits, its social and technological scope, and the fact that the concept is still an umbrella label. The third section deals with the right to data protection, and makes the case for its inclusion as a nonfunctional requirement for the smart city’s development. Our conclusions follow in the final section.

1 Kitchin, R., & Dodge, M. (2011). Code/space: Software and everyday life. MIT Press; Bratton, B. H. (2016). The stack: On software and sovereignty. MIT Press.

2 “The consensus from the critical smart cities literature is that little is known about the underlying principles of the smart city model beyond the advertising campaigns of IT companies and the self-promotion of cities”: Gaffney, C., & Robertson, C. (2016). Smarter than Smart: Rio de Janeiro’s Flawed Emergence as a Smart City. Journal of Urban Technology, 4.

3 Kitchin, R. (2015). Data-driven, networked urbanism (Programmable City Working Paper No. 14).

4 Zuboff, S. (2013). The Surveillance paradigm: Be the friction - Our Response to the New Lords of the Ring. Retrieved 15 October 2016, from http://www.faz.net/aktuell/feuilleton/the-surveillance-paradigm-be-the-friction-our-response-to-the-new-lords-of-the-ring-12241996.html

5 Functional requirements dictate the functions a technology must have, specifying e.g. speed or efficiency. Nonfunctional requirements relate to the values and ideals on which that technology rests: see e.g. Manders-Huits, N., & van den Hoven, J. (2009). The need for a value-sensitive design of communication infrastructures. In P. Sollie & M. Düwell (Eds.), Evaluating New Technologies (51–60). Springer; van den Hoven, J. (2013). Architecture and value-sensitive design. In C. Basta & S. Moroni (Eds.), Ethics, design and planning of the built environment (135–141). Springer.

2. WHAT IS A SMART CITY?

The definitions of “smart city” given by literature, standards, and corporate output are highly diverse, and paint a chaotic picture. “Smart city” is an umbrella term, fit to indicate a large array of products, processes, and policies relating to the instrumentation of the built environment. Intelligent city6, sustainable city7, digital city8, real-time city9, even Metropticon10: the terminology changes according to the aspects of the built environment considered, and to the document in which the definition is included.

The lack of a commonly agreed-upon definition of smart city is to be expected: there cannot be a single model of smart city, as much as there cannot be a single model of city tout court. Every city is indeed unique11. At the same time, it has some characteristics that are comparable to other cities, some functions performed in a similar way. It is thus certainly possible to discuss cities as a general category, and to compare them as a function of their scale, but one must be mindful that each of them is the by-product of several factors that render it distinctive. Its environmental and geographical setting, for instance, and its climate; its history, demographics, and social context; its laws, norms, and economy; its governance, the division of competences between local and national government, and between the agencies operating within the city. Each conurbation has its own actors and activities, its hard and soft infrastructure, its priorities and objectives.

6 Nam, T., & Pardo, T. A. (2011a). Conceptualizing smart city with dimensions of technology, people, and institutions. In Proceedings of the 12th Annual International Digital Government Research Conference: Digital Government Innovation in Challenging Times (282–291). ACM.

7 ITU-T Focus Group on Smart Sustainable Cities. (2014). An overview of smart sustainable cities and the role of information and communication technologies.

8 Albino, V., Berardi, U., & Dangelico, R. M. (2015). Smart Cities: Definitions, Dimensions, Performance, and Initiatives. Journal of Urban Technology, 22(1); Cocchia, A. (2014). Smart and digital city: A systematic literature review. In R. P. Dameri & C. Rosenthal-Sabroux (Eds.), Smart City (13–43). Springer.

9 Kitchin, R. (2014b). The real-time city? Big data and smart urbanism. GeoJournal, 79(1), 1–14; Townsend, A. M. (2013). Smart cities: big data, civic hackers, and the quest for a new utopia. WW Norton & Company.

10 Finch, K., & Tene, O. (2013). Welcome to the Metropticon: Protecting Privacy in a Hyperconnected Town. Fordham Urb. LJ, 41(5), 1581.

11 “Each deployment of “smart city” technologies reflects local patterns of growth, urban governance models, and knowledge transfer networks” – Gaffney & Robertson, 2016, 2.

The smart city is highly contextual. The main finding deriving from the review undertaken is that a holistic understanding of the smart city implies considering how the instrumentation of the built environment is not only a technological issue, but implies a shift in urban governance and management too, and involves natural persons both as city dwellers and as human capital. In a nutshell, smart cities appear to be understood by the literature reviewed according to three different –yet connected– perspectives, each assigning a different weight to the factors characterising the concept of smart city. The first one, the technological perspective, reigns sovereign, its prominence12 hardly questioned by the literature reviewed13. The second perspective focuses on the organisational aspects of the smart city. Central to this perspective is the fact that the digitalisation and networking of the built environment has a direct impact on the urban management, governance, and organisational practices through which cities are run. It highlights how a city’s intelligence is not just a technological issue, but also a structural one. Finally, an anthropocentric view highlights how cities are inhabited by humans, run by people, and largely shaped by how individuals interact within them: the concept of smart city is thus deeply entwined with that of the “smart citizen” as well.

The main driver of the smart city is ICT. There is a wide range of technologies that have been identified as building blocks of the concept of smart city. Ubiquitous computing –pervasive computing, ambient intelligence14, “everyware”15– enables computation everywhere and through many devices. Broadband networking and cloud computing remove the constraints which bound information before –low bandwidth, and local storage. Big data technologies allow the processing of high-dimensional, complex, and dynamic datasets. Large arrays of distributed and networked sensors embedded in several devices –the Internet of Things (IoT)– allow the gathering of huge and varied amounts of data, often in real time, with increasing granularity and detail. GISs (Geographic Information Systems) and BIM (Building Information Modelling) tie the spatialities of the smart city to its informational components, allowing its digital representation and modelling. E-Government facilities provide a new interface between the city’s administration and its citizens, linking them through ICT infrastructure and services16. The smart city definitions examined have in ICT a common element, sometimes as their core, some other times as a component that must be present –necessary but not in itself sufficient– when qualifying a city as smart.

12 “ICT is central to the operation of the future city”: Batty, M., Axhausen, K. W., Giannotti, F., Pozdnoukhov, A., Bazzani, A., Wachowicz, M., … Portugali, Y. (2012). Smart cities of the future. The European Physical Journal Special Topics, 214(1), 481–518.

13 Even if the smart city deals with innovation in general, which does not necessarily have to be ICT based: see Anthopoulos, L. G., Janssen, M., & Weerakkody, V. (2015). Comparing Smart Cities with different modeling approaches. In Proceedings of the 24th International Conference on World Wide Web Companion (525–528).

The literature examined highlights how cities becoming smart also means a shift in the organisational and decisional practices on which urban governance, management, and development are based17. Urban governance is bound to become evidence-based, data-driven18: “governing a smart city is about crafting new forms of human collaboration through the use of information and communication technologies […] technology by itself will not make a city smarter: building a smart city requires a political understanding of technology, a process approach to manage the emerging smart city and a focus on both economic gains and other public values”19. The smart city is thus more than the sum of the technologies it employs. It is a shift towards different governance frameworks, a new approach to urban management, based on the information gathered by the sensors the city is instrumented with, and then further processed by its computing infrastructure. In the majority of the instances examined, even when the perceived focus would lie on the governance and organisational aspects of the smart city, ICT and analytics still occupy a prominent role within its definition.

14 Ahonen, P., Alahuhta, P., Daskala, B., Delaitre, S., De Hert, P., Lindner, R., … Verlinden, M. (2008). Safeguards in a world of ambient intelligence. (D. Wright, S. Gutwirth, M. Friedewald, E. Vildjiounaite, & Y. Punie, Eds.). Springer; Crang, M., & Graham, S. (2007). Sentient cities ambient intelligence and the politics of urban space. Information, Communication & Society, 10(6), 789–817.

15 Greenfield, A. (2010). Everyware: The dawning age of ubiquitous computing. New Riders.

16 See ISO/IEC JTC1, 2014.

17 E.g. Alawadhi, S., Aldama-Nalda, A., Chourabi, H., Gil-Garcia, J. R., Leung, S., Mellouli, S., … Walker, S. (2012). Building understanding of smart city initiatives. In Electronic government (40–53). Springer; Nam & Pardo, 2011a; Nam, T., & Pardo, T. A. (2011b). Smart city as urban innovation: Focusing on management, policy, and context. In Proceedings of the 5th international conference on theory and practice of electronic governance (185–194). ACM.

18 Kitchin, 2015.

19 Meijer, A., & Bolívar, M. P. R. (2015). Governing the smart city: a review of the literature on smart urban governance. International Review of Administrative Sciences, 1.

The organisational perspective is closely linked to what could be defined as a humanist or anthropocentric perspective20 on smart city environments. It focuses on smart citizens –informed, creative, inclusive and included people– and on their role in the cities of the future. This approach emphasises how inhabitants are the main beneficiaries and the main agents for and through which cities are turning smart, and how human capital21 is one of the main drivers behind this shift. City residents are what cities revolve around, both in their capacity as individuals and collectively, as belonging to those social formations in which individualities aggregate. “Smart citizens” are considered a major driver pushing cities’ intelligence forward22. As has been noted, “the issues for the creative city of the future will focus upon its ‘soft infrastructure’ [...] This more ‘humanist’ emphasis ties in with other related discourses of smart communities”23.

2.1. The instrumentation of the built environment

The smart city is the urban facet of the data revolution24: a paradigm shift, enabled by modern technological developments and by the deployment of ICT within the built environment, which influences people both as single human beings and as the social formations they collectively form. ICT is instrumental for the smart city’s development, but ultimately the paradigm shift is driven by data –by its availability and granularity, and by our possibility to process it to foster efficient decision-making, determine service provisioning within a geographic area, and rationalise the existing resources to maximise their utility25. Data infrastructures have the same kind of significance the introduction of cars had for last century’s urban development: it is not only about the technology itself, it is about how it shapes the environment. The diffusion of automobiles caused urbanities’ structure to change, adapting to that revolution in transportation; people’s individual and collective habits changed accordingly. Data infrastructures change cities the same way, shaping them –and their citizens’ behaviour– according to what results from the information they process.

20 “(W)hat defines the smart city is not the infrastructures or networks it offers, but the ways in which its citizens interact with these systems as well as each other”: Walravens, N., Breuer, J., & Ballon, P. (2014). Open Data as a Catalyst for the Smart City as a Local Innovation Platform. Communications & Strategies, (96), 20. See also Albino, Berardi and Dangelico, 5: “(T)he smart city concept is no longer limited to the diffusion of ICT, but it looks at people and community needs”.

21 E.g. Caragliu, A., Del Bo, C., & Nijkamp, P. (2011). Smart Cities in Europe. Journal of Urban Technology, 18(2), 65–82; Albino, Berardi and Dangelico, 2015, 9: “[people] are the protagonists of a smart city […] The social infrastructure […] is an indispensable endowment to smart cities”.

22 Six dimensions are considered by most smart city definitions and models: people, government, economy, mobility, environment, and living; Anthopoulos et al., 2015.

23 Hollands, R. G. (2008). Will the real smart city please stand up? Intelligent, progressive or entrepreneurial? City, 12(3), 309.

24 Kitchin, R. (2014a). The data revolution: Big data, open data, data infrastructures and their consequences. Sage.

There is a good case for the instrumentation and “datafication” of the built environment, particularly where the information gathered by public administrations is subsequently released as open data to foster scientific innovation and economic growth. Data allows for more efficient service delivery, accurate enforcement actions, evidence-based and data-driven governance, and more rational infrastructural improvements26. For example, datafication allows for benchmarking a city’s performance and characteristics through a multiplicity of urban indicators, and then for reporting and representing them visually through dashboards27. Urban indicators, benchmarks, and dashboards enable or facilitate data-driven governance and evidence-based decision-making28, and are one of the main links binding the right to data protection to cities’ instrumentation.

The representation of the urban environment must be considered within its broader social and political context. Cities are too complex to be represented as a collection of data points. Any technological system monitoring and measuring a city’s performance and indicators is not merely translating that city’s characteristics into information, but is actively contributing to its framing and future development. Kitchin et al.29 underline that urban indicators, benchmarks, and dashboards are data assemblages – socio-technical systems “composed of many apparatuses and elements that are thoroughly entwined”30. Rather than offering a neutral portrait of a city’s reality, they actively produce it31. Indicators, benchmarks, and dashboards reflect a top-down approach to the smart city, in that both their architectural design and their interpretation are expressions of the choices made by the local government and by those who developed them. Code and architecture come together to shape human behaviour according to a predefined set of decisions and values on which individual city dwellers often have little to say.

25 Goerge, R. M. (2014). Data for the public good: challenges and barriers in the context of cities. In J. Lane, V. Stodden, S. Bender, & H. Nissenbaum (Eds.), Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 153.

26 Goerge, 2014; Walravens et al., 2014.

27 Kitchin, R., Lauriault, T. P., & McArdle, G. (2015). Knowing and governing cities through urban indicators, city benchmarking and real-time dashboards. Regional Studies, Regional Science, 2(1), 6–28.

28 Kitchin et al., 2015, 15 ss.

29 Kitchin et al., 2015.

30 Kitchin et al., 2015, 17.

31 Kitchin, R. (2016). Urban data and city dashboards: Six key issues. Retrieved 15 October 2016, from osf.io/sv8eb.

2.2. Technology as policy

Technology functions as a regulatory instrument. Its physical dimension (architecture)32, its digital counterpart (code)33, and their merger (code/space)34 have the potential to shape human behaviour as much as law or social norms do. To curb cars’ speed in a residential neighbourhood, a local administration could rely solely on regulation by law – e.g. setting a low speed limit and a high speeding fine – or on architectural design, e.g. by placing speed bumps or speed traps. To keep intruders out of a computer network, one could rely on the norms that criminalise unauthorised access, or deploy an intrusion detection system as well. Architecture performs a regulatory function by expressing and imposing cultural or symbolic meanings; by directly affecting how people interact; and by being biased towards certain social groups, values, or practices35.

At the same time, artefacts are inherently political36: they embody a set of values deriving from the choices of those who engineered them. If their scope is sufficiently wide, their regulatory capacity shapes both individual and collective behaviour according to the values transferred by those who designed or deployed those technologies. The smart city relies on technologies of such a scale and regulatory capacity. For example, to promote sustainable growth and efficiency, a local administration might decide to instrument rubbish bins and rationalise waste collection. It might decide to use sensors to detect when a bin is at capacity, alerting waste collection operators only when necessary and saving the city some expenditure. It might also decide, however, to instrument those bins with access control mechanisms so that, e.g., only households that have paid waste disposal taxes have access to them, or with a sensor system designed to identify (and then fine) whoever violates recycling norms37.

32 Boyd, D., & Crawford, K. (2012). Critical Questions for Big Data. Information, Communication & Society, 15(5), 662–679.

33 Lessig, L. (1999). Code and other laws of cyberspace. Basic Books; Leenes, R. E., & Koops, B.-J. (2005). ‘Code’ and Privacy - Or How Technology is Slowly Eroding Privacy. In E. Dommering & L. Asscher (Eds.), Essays on the Normative Role of Information Technology. TMC Asser Press.

34 Kitchin & Dodge, 2011.

35 Shah & Kesan, 2007.

36 See Winner, L. (1986). The Whale and the Reactor: A Search for Limits in an Age of High Technology. University of Chicago Press.

The artefacts that instrument the system of systems we call a city have regulatory capacity, are a political issue38, and embody an underlying set of values. The realist epistemology through which the smart city is portrayed as a mere stack of neutral technologies is a misleading narrative: the instrumentation of the built environment actively translates certain values into reality39, and regulates human behaviour.

3. DATA PROTECTION AS A NONFUNCTIONAL REQUIREMENT

We have claimed, so far, that there is no unitary definition of smart city, and that it is best characterised as a paradigm shift in urban governance and management, enabled by ICT developments, towards data-driven and evidence-based urban policy-making. We also underlined how the ICT that instruments the built environment actively shapes individual and collective behaviour according to its underlying set of values.

The smart city, if ill-conceived or poorly scoped, potentially threatens individuals’ rights to privacy and data protection40. The instrumentation of the built environment means the placement of an array of interconnected sensors, CCTV cameras, big data analytic platforms, cloud computing infrastructures, and IoT devices – potentially very intrusive technologies. It also means the “datafication” of the built environment and its visual representation through dashboards – activities that do not merely represent reality, but shape it on their own. The smart city is however bigger than the mere sum of its technological parts: it implies a holistic shift in urban governance and management, and pushes forth an anthropocentric view of the built environment’s development that is, in our view, necessarily bound to take data protection into account.

In the absence of a countervailing push, every digital application that can be used for surveillance and control will be used for surveillance and control, regardless of its original function41. The “datafication” of the built environment and the technologies enabling it can be engineered or used for such purposes, evading the checks and balances that legitimise those activities in a democratic society. The smart city’s design must therefore consider data protection as a right and as a value, since the regulatory capacity of the technologies, practices, and policies in which the concept unfolds shapes what we do and are, as individuals and as a collectivity.

37 Example inspired by van Zoonen, L. (2016). Privacy concerns in smart cities. Government Information Quarterly, 33(3).

38 See Sadowski, J., & Pasquale, F. A. (2015). The spectrum of control: A social theory of the smart city. First Monday, 20(7); van den Hoven, 2013.

39 “Information technology has become a constitutive technology […] It shapes our discourses, practices and institutions and experiences in important ways”: Manders-Huits & van den Hoven, 2009, 68.

40 See Edwards, L. (2016). Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective. European Data Protection Law Review, 2(1).

We argue that the instrumentation of the built environment can threaten individuals’ rights to privacy and data protection at an unprecedented scale, scope, and granularity, and thus that those rights should be considered a primary nonfunctional requirement in the design, development, and deployment of the technologies underlying the smart city. As opposed to functional requirements, which dictate the concrete functions a technology must have, nonfunctional requirements relate to the overarching values and ideals on which a technology is based. The objectives of the smart city are extremely multifaceted, yet all somehow aim at increasing its citizens’ general quality of life. For that, it is paramount for the technologies underlying the smart city environment to consider, from their very outset, the rights and interests their misuse might infringe. Amongst them, the rights to privacy and data protection are prominent.

3.1. The right to data protection in the smart city environment

The right to data protection stems from the right to privacy. Traditionally, the right to private life as protected under Article 8 of the European Convention of Human Rights (ECHR) was interpreted as covering the right to privacy, and its scope was extended to data protection by the case law of the European Court of Human Rights (ECtHR)42. However, as attested by Articles 7 (“Respect for private and family life”) and 8 (“Protection of personal data”) of the Charter of Fundamental Rights of the EU (CFR), there is a difference between privacy and personal data protection.

Indeed, “privacy embodies a range of values that are only partially advanced by data protection”43. The right to data protection has been framed either as integral to privacy – a subset of its norms – or, by more recent doctrine, as an entirely different right44.

41 See Zuboff, 2013.

42 De Hert, P., & Gutwirth, S. (2009). Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action. In S. Gutwirth, Y. Poullet, P. De Hert, C. de Terwangne, & S. Nouwt (Eds.), Reinventing data protection? (3–44). Springer.

43 Bennett, C. J., & Raab, C. D. (2006). The governance of privacy: policy instruments in global perspective. MIT Press, 237.

44 González Fuster, G. (2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer, 214.


While privacy relates to some qualitative requirements (e.g. legality, necessity, legitimacy, proportionality) deriving from the European Court of Justice’s (ECJ) and ECtHR’s jurisprudence, data protection can be likened to a set of rules stemming from the Fair Information Processing Principles (FIPPs). Through those rules, the regulator set up a legislative wireframe meant to ensure fairness in data processing operations – the same kind of activities on which the smart city ecosystem’s analytics are based.

Data protection stemmed from the advances in computing capabilities, which grew exponentially from the mainframe era on, and from the risks that became associated with them. Over the years, many scholars, professionals, tinkerers, and thinkers45 drew attention to the threats arising from the power and information asymmetries deriving from the capacity of some actors to store, process, and make sense of a quantity of information that was not conceivable only a few decades before. The debate around the interaction between computers and privacy gave rise to the notion of privacy as control over one’s personal information46, a precursor to the right to personal data protection. Computers were novel, and potentially scary, considering the values upheld by the concept of privacy: it appeared sensible to constrain data processing with a number of principles meant to ensure fairness within information processing activities. The right to data protection is a set of rules instrumental to the safeguard of all the rights and freedoms that can be dented by the power and information asymmetries running between controllers and data subjects.

In the modern smart city ecosystem the power of technology and its regulatory capacity still warrant a system of checks and balances meant to curb information asymmetries. While computing capacity became distributed – from mainframes to personal computers to ubiquitous computing – real informational power remains arguably centralised in a network of private and public actors with unparalleled access to data and processing capacity. Technology corporations, social networks, Internet providers, data brokers, and state administrations have – each in its own way – a processing capability and an information availability that allow them to exert considerable power over individuals and over the social formations in which they assemble. The smart city is a prime example of a bundle of technologies whose regulatory capacity warrants a cautionary approach, just as mainframe computing and databanks did.

45 E.g. Miller, A. R. (1971). The assault on privacy: computers, data banks, and dossiers. University of Michigan Press; Packard, V. (1964). The Naked Society. D. McKay Co.; Westin, A. F. (1967). Privacy and freedom. Athenaeum.

46 González Fuster, 2014, 27 ss.


It would be unfair to characterise the smart city’s “quest for a new utopia”47 as a mere bundle of technologies48. If the smart city revolution really is a paradigm shift where “investments in human and social capital and traditional (transport) and modern (ICT) communication infrastructure fuel […] a high quality of life, with a wise management of natural resources, through participatory governance”49, then the technologies underlying its functioning need to be informed by the same principles and values on which its theory rests. We argue that data protection must be considered from the outset of the process of instrumenting the built environment – from the design phase on – as a nonfunctional requirement in the development of the smart city ecosystem. We ground our argument on the values that the smart city’s development is purportedly meant to uphold, and on the recent explicit introduction of the principles of data protection by design and by default within the EU legal framework50.

3.2. Value-Sensitive Design and data protection

In the past three decades, there has arguably been a disciplinary shift within the fields of design and ethics, a convergence of interests that has led to seeing technology as bound to accommodate a range of human values. Design turned to ethics, and ethics to design, in what has been dubbed “The Design Turn in Applied Ethics”51. Value-Sensitive Design (VSD) aims at embedding values in technology’s design. It assumes that values and norms can inform the things we build, and exhorts designers to take into account in advance the ethics, regulatory capacity, and political value of technology.

Data protection is instrumental to those values. Its violation, as a right52 and as a principle53, has been linked to a variety of harms54. Its balancing with opposing rights and values is often conflictual, each clash to be solved on a case-by-case basis. However, its essence and importance as a human right and a value are hardly questionable.

47 Townsend, 2013.

48 Mattern, S. (2017). A City Is Not a Computer. Places Journal.

49 Caragliu et al., 2011, 50.

50 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016, OJ L 119/1, Art. 25.

51 Manders-Huits & van den Hoven, 2009, 54.

52 Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review, 154, 477–560.

53 van den Hoven, J. (1997). Privacy and the varieties of moral wrong-doing in the information age. Computers and Society, 27, 33–37.

54 See Christl, W., & Spiekermann, S. (2016). Networks of Control. Facultas.


The smart city is a prime example of the push towards embedding values in design. The city’s instrumentation aims at ensuring better living conditions to inhabitants, embedding certain values (e.g. safety, sustainability, efficiency) within the urban tissue. The ICT underlying the smart city can however enable a disproportionate level of tracking and surveillance, in the absence of a countervailing push. Data protection embodies that drive: a set of values, and a related right, that aim at ensuring the respect for individuals’ privacy, autonomy, and (informational) self-determination. Data protection by policy acts through the law as a regulatory instrument. Data protection by design embeds fair information processing within a technological artefact’s requirements, making its design sensitive to the values and rights data protection is meant to uphold, and exploiting the regulatory capacity of technology. Considering data protection as a nonfunctional requirement in the development of the ICT used to instrument the built environment is in line with the smart city’s purposes, and contributes to framing such a blurry notion.

Such an approach is now explicitly sanctioned by EU law: according to the General Data Protection Regulation (GDPR), individuals’ right to data protection must be considered ex ante, from the design phase on, not as an afterthought but engineered within the technologies through which urban environments are being instrumented. As clarified by the GDPR’s recital 78, when developing, designing, and deploying any technology or service based on the processing of personal information, producers must consider individuals’ right to data protection, and make sure that the entities using the technologies or running the services are able to fulfil their obligations. Article 25, “Data protection by design and by default”, mandates that – considering the state of the art, costs, nature, scope, context, and purposes of processing, and the related risks for individuals – the controller must implement appropriate technical and organisational measures, designed to apply the GDPR’s principles.
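As an added illustration, not taken from the paper or its authors, of how the waste-bin scenario of section 2.2 and the Article 25 duties just described translate into engineering requirements: each downstream purpose is registered with the only fields it may receive (the “by default” side), and sensor readings are reduced to that allowlist on the device before they leave it (the “by design” side). All purpose names, field names, the key and the sample reading are constructed for this example.

```python
"""Edge-side data minimisation for smart-bin telemetry (constructed example).

A fill-level sensor lets crews be dispatched only when a bin is full; the same
bin may read an RFID card so that only households that paid the disposal tax
can open it. Only the second purpose needs anything that points at a person.
Every downstream purpose is therefore registered with the fields it may receive
(the "by default" duty), and readings are cut down to that allowlist on the
device before transmission (the "by design" duty). All purpose names, field
names, keys and sample values are constructed for this illustration.
"""
import hashlib
import hmac
from datetime import datetime

# Fields that identify a person directly or pin one down in space and time.
# The raw timestamp counts: tap times at a known bin reveal a household's routine.
DIRECT_IDENTIFIERS = {"card_uid", "gps", "ts"}

# Purpose register (constructed). A purpose absent from it receives no data at
# all, so repurposing fill data into, say, a fining system needs a design change
# rather than just a new consumer of the same feed.
PURPOSES = {
    "route_optimisation": {"fields": {"bin_id", "fill_pct", "hour"}, "retention_days": 30},
    "access_control": {"fields": {"bin_id", "card_token", "hour"}, "retention_days": 7},
}


def pseudonymise_card(card_uid: str, key: bytes) -> str:
    """Keyed hash of the card UID (HMAC-SHA256, truncated).

    The access-control service can still match the token against the tokens of
    entitled cards, but the raw UID never leaves the bin, and without the key
    the token cannot be reversed or linked to the same card in another system.
    """
    return hmac.new(key, card_uid.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(raw: dict, purpose: str, key: bytes) -> dict:
    """Derive the event a purpose may see from the raw controller reading.

    The timestamp is coarsened to the hour, the card UID is replaced by a keyed
    token, and anything the purpose's allowlist does not name is dropped.
    Raises ValueError for an unregistered purpose (purpose limitation).
    """
    if purpose not in PURPOSES:
        raise ValueError(f"purpose {purpose!r} is not registered; no data released")
    allowed = PURPOSES[purpose]["fields"]

    derived = {
        "bin_id": raw["bin_id"],
        "fill_pct": raw["fill_pct"],
        "hour": datetime.fromisoformat(raw["ts"]).strftime("%Y-%m-%dT%H"),
    }
    if "card_uid" in raw:
        derived["card_token"] = pseudonymise_card(raw["card_uid"], key)
    # Positive allowlist: a sensor field added later is dropped unless registered.
    return {k: v for k, v in derived.items() if k in allowed}


def leaked_identifiers(event: dict) -> set:
    """Audit helper: direct identifiers that survived minimisation (expect none)."""
    return DIRECT_IDENTIFIERS & set(event)


def check_register() -> list:
    """Design-time check: no purpose may be registered to receive a raw identifier.

    Returns (purpose, field) pairs that violate the rule; an empty list means the
    register itself satisfies the requirement before any event flows.
    """
    return [(p, f) for p, spec in PURPOSES.items()
            for f in sorted(spec["fields"] & DIRECT_IDENTIFIERS)]


def sample_reading() -> dict:
    """Constructed raw reading as it exists inside the bin's controller."""
    return {
        "bin_id": "BIN-0042",
        "fill_pct": 87,
        "card_uid": "04A224B9C1E680",  # constructed RFID UID
        "ts": "2017-03-14T08:17:33",
        "gps": (51.5603, 5.0914),  # constructed coordinates
    }


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    raw = sample_reading()
    for purpose in PURPOSES:
        out = minimise(raw, purpose, key)
        print(purpose, out, "leaked:", leaked_identifiers(out))
    print("register violations:", check_register())
```

The retention periods in the register are declared here so that the deletion schedule is part of the same design artefact as the field allowlist, which is what an auditor would check against.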

Article 25 of the GDPR, if read on its own, could be mistaken for a mere statement of principle. However, when considered in conjunction with e.g. the articles relating to administrative fines ex Art. 83, or to the security of the processing operations ex Article 32, its practical and concrete enforceability becomes clear. The legislator explicitly mandates the inclusion of the values data protection is meant to uphold within the design of information processing technologies and processes. It implicitly recognises the political character and regulatory capacity of the technology on which the notion of smart city is based. The smart city embodies exactly the kind of area in which data protection by design is crucial: a stack of potentially highly intrusive technologies that inevitably inform and regulate citizens’ behaviour, and that has a profound impact on its social context. The instrumentation of the built environment is highly sensitive to the values on which its development is based, as is the design of the ICT on which it runs. Data protection must therefore be recognised by the smart city’s stakeholders as a nonfunctional but vital requirement in the development of the built environment.


4. CONCLUSION

The smart city is a fuzzy concept, evading a unitary definition. The review undertaken showed that the notion of smart city is broader than its technological components, and is better understood as a paradigm shift. The smart city, while enabled by technological development, is the inception of a horizontal social change whose consequences are yet to be seen. The ICT underlying the smart city has regulatory capacity, and thus influences both urban governance and management practices, and the life and behaviour of individual city dwellers.

It is paramount to recognise how the technologies underlying the smart city ecosystem have an inherently political nature. The instrumentation of the built environment, its “datafication” and subsequent visualisation, are not neutral processes, but have a normative effect, and shape reality according to the values on which they are based. The technologies on which smart cities run can be used to the detriment of individuals’ fundamental rights, if carelessly designed or repurposed.

Data protection therefore needs to be considered from the outset of the process of instrumenting the built environment, where necessary balanced against other conflicting rights, interests, and values, but still embedded in the city’s ICT from its design phase on. On one hand, this is unequivocally sanctioned by EU data protection law. On the other, the purposes for which the smart city is supposedly being built – sustainability, democracy, participation, evidence-based governance – embed the very values to which data protection is instrumental. We thus argue that data protection must be considered as a nonfunctional requirement in the design of the technologies on which the smart city runs, its rules hard-coded into the built environment. Ultimately, a city is as smart as the values by which its development is informed.

5. ACKNOWLEDGEMENTS

This research was performed with the financial support of the Dutch STW-Maps4Society program (project number 13718).

6. BIBLIOGRAPHY

Ahonen, P., Alahuhta, P., Daskala, B., Delaitre, S., De Hert, P., Lindner, R., … Verlinden, M. (2008). Safeguards in a world of ambient intelligence. (D. Wright, S. Gutwirth, M. Friedewald, E. Vildjiounaite, & Y. Punie, Eds.). Springer.

Alawadhi, S., Aldama-Nalda, A., Chourabi, H., Gil-Garcia, J. R., Leung, S., Mellouli, S., … Walker, S. (2012). Building understanding of smart city initiatives. In Electronic government (40–53). Springer.


Albino, V., Berardi, U., & Dangelico, R. M. (2015). Smart Cities: Definitions, Dimensions, Performance, and Initiatives. Journal of Urban Technology, 22(1).

Anthopoulos, L. G., Janssen, M., & Weerakkody, V. (2015). Comparing Smart Cities with different modeling approaches. In Proceedings of the 24th International Conference on World Wide Web Companion (525–528).

Batty, M., Axhausen, K. W., Giannotti, F., Pozdnoukhov, A., Bazzani, A., Wachowicz, M., … Portugali, Y. (2012). Smart cities of the future. The European Physical Journal Special Topics, 214(1), 481–518.

Bennett, C. J., & Raab, C. D. (2006). The governance of privacy: policy instruments in global perspective. MIT Press.

Bratton, B. H. (2016). The stack: On software and sovereignty. MIT Press.

Caragliu, A., Del Bo, C., & Nijkamp, P. (2011). Smart Cities in Europe. Journal of Urban Technology, 18(2), 65–82.

Christl, W., & Spiekermann, S. (2016). Networks of Control. Facultas.

Cocchia, A. (2014). Smart and digital city: A systematic literature review. In R. P. Dameri & C. Rosenthal-Sabroux (Eds.), Smart City (13–43). Springer.

Crang, M., & Graham, S. (2007). Sentient cities: ambient intelligence and the politics of urban space. Information, Communication & Society, 10(6), 789–817.

De Hert, P., & Gutwirth, S. (2009). Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action. In S. Gutwirth, Y. Poullet, P. De Hert, C. de Terwangne, & S. Nouwt (Eds.), Reinventing data protection? (3–44). Springer.

Edwards, L. (2016). Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective. European Data Protection Law Review, 2(1).

Finch, K., & Tene, O. (2013). Welcome to the Metropticon: Protecting Privacy in a Hyperconnected Town. Fordham Urb. LJ, 41(5), 1581.

Gaffney, C., & Robertson, C. (2016). Smarter than Smart: Rio de Janeiro’s Flawed Emergence as a Smart City. Journal of Urban Technology, 1–18.

Goerge, R. M. (2014). Data for the public good: challenges and barriers in the context of cities. In J. Lane, V. Stodden, S. Bender, & H. Nissenbaum (Eds.), Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press.

González Fuster, G. (2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer.

Greenfield, A. (2010). Everyware: The dawning age of ubiquitous computing. New Riders.

Hollands, R. G. (2008). Will the real smart city please stand up? Intelligent, progressive or entrepreneurial? City, 12(3).

ITU-T Focus Group on Smart Sustainable Cities. (2014). An overview of smart sustainable cities and the role of information and communication technologies.


Jucevičius, R., Patašienė, I., & Patašius, M. (2014). Digital dimension of smart city: critical analysis. Procedia-Social and Behavioral Sciences, 156, 146–150.

Kitchin, R. (2014a). The data revolution: Big data, open data, data infrastructures and their consequences. Sage.

Kitchin, R. (2014b). The real-time city? Big data and smart urbanism. GeoJournal, 79(1), 1–14.

Kitchin, R. (2015). Data-driven, networked urbanism (Programmable City Working Paper No. 14).

Kitchin, R. (2016). Urban data and city dashboards: Six key issues. Retrieved from osf.io/sv8eb

Kitchin, R., & Dodge, M. (2011). Code/space: Software and everyday life. MIT Press.

Kitchin, R., Lauriault, T. P., & McArdle, G. (2015). Knowing and governing cities through urban indicators, city benchmarking and real-time dashboards. Regional Studies, Regional Science, 2(1), 6–28.

Koonin, S. E., & Holland, M. J. (2014). The Value of Big Data for Urban Science. In J. Lane, V. Stodden, S. Bender, & H. Nissenbaum (Eds.), Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press.

Leenes, R. E., & Koops, B.-J. (2005). ‘Code’ and Privacy - Or How Technology is Slowly Eroding Privacy. In E. Dommering & L. Asscher (Eds.), Essays on the Normative Role of Information Technology. TMC Asser Press.

Lessig, L. (1999). Code and other laws of cyberspace. Basic Books.

Manders-Huits, N., & van den Hoven, J. (2009). The need for a value-sensitive design of communication infrastructures. In P. Sollie & M. Düwell (Eds.), Evaluating New Technologies (51–60). Springer.

Mattern, S. (2017). A City Is Not a Computer. Places Journal.

Meijer, A., & Bolívar, M. P. R. (2015). Governing the smart city: a review of the literature on smart urban governance. International Review of Administrative Sciences.

Miller, A. R. (1971). The assault on privacy: computers, data banks, and dossiers. University of Michigan Press.

Nam, T., & Pardo, T. A. (2011a). Conceptualizing smart city with dimensions of technology, people, and institutions. In Proceedings of the 12th Annual International Digital Government Research Conference: Digital Government Innovation in Challenging Times (282–291). ACM.

Nam, T., & Pardo, T. A. (2011b). Smart city as urban innovation: Focusing on management, policy, and context. In Proceedings of the 5th international conference on theory and practice of electronic governance (185–194). ACM.

Packard, V. (1964). The Naked Society. D. McKay Co.

Sadowski, J., & Pasquale, F. A. (2015). The spectrum of control: A social theory of the smart city. First Monday, 20(7).


Shah, R. C., & Kesan, J. P. (2007). How architecture regulates. Journal of Architectural and Planning Research, 24(4), 350–359.

Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review, 154, 477–560.

Townsend, A. M. (2013). Smart cities: big data, civic hackers, and the quest for a new utopia. WW Norton & Company.

van den Hoven, J. (1997). Privacy and the varieties of moral wrong-doing in the information age. Computers and Society, 27, 33–37.

van den Hoven, J. (2013). Architecture and value-sensitive design. In C. Basta & S. Moroni (Eds.), Ethics, design and planning of the built environment (135–141). Springer.

van Zoonen, L. (2016). Privacy concerns in smart cities. Government Information Quarterly, 33(3).

Walravens, N., Breuer, J., & Ballon, P. (2014). Open Data as a Catalyst for the Smart City as a Local Innovation Platform. Communications & Strategies, (96), 15.

Westin, A. F. (1967). Privacy and freedom. Athenaeum.

Winner, L. (1986). The Whale and the Reactor: A Search for Limits in an Age of High Technology. University of Chicago Press.

Zuboff, S. (2013). The Surveillance paradigm: Be the friction - Our Response to the New Lords of the Ring. Retrieved from http://www.faz.net/aktuell/feuilleton/the-surveillance-paradigm-be-the-friction-our-response-to-the-new-lords-of-the-ring-12241996.html


7

THE CIVIL LIABILITY OF PARENTS AND SCHOOLS FOR MINORS’ MISUSE OF SOCIAL NETWORKS1

Patricia Escribano Tortajada

Assistant Professor (Profesora ayudante doctora) of Civil Law, Universitat Jaume I de Castellón

Adjunct Lecturer (Profesora colaboradora), Universitat Oberta de Catalunya

ABSTRACT: Today minors enjoy rigorous protection on the Internet and on social networks, obviously because of their personal characteristics and the greater ease with which their rights can be infringed. But we can consider the reverse situation: what happens when it is a minor who infringes the rights of third parties on the Internet and on social networks? Who is liable to compensate the injured party? A case of this kind was recently addressed in the judgment of the Audiencia Provincial of Guipúzcoa (SAP) of 27 May 2016. In that case it was precisely the minor who was the active party to the harm, that is, the one who infringed the rights of an adult. The judgment holds the father and the school liable, the former for lack of control and the school for failing to adopt adequate measures. Although it is an isolated judgment, the subject is of great importance given the cases that may arise in the future.

KEYWORDS: minors, parents, schools, civil liability, social networks

1. INTRODUCTION

The use of Information and Communication Technologies by minors has grown considerably in recent years, and they begin to use them at an ever earlier age. Today they have computers, tablets and smartphones, whose use is not confined exclusively to the personal sphere: some schools, aware of the advantages these devices can bring to pupils' education, use them in their classes.

The Internet, for its part, has had a positive impact on our lives; nevertheless, we cannot ignore the potential risks it entails if certain precautions are not taken. Minors, because of their personal circumstances, are more likely than adults to see their rights infringed. Clearly, and this is beyond question, the minor requires a higher degree of protection. However, it may happen that the minor himself or herself becomes the active party to the harm, that is, the agent causing the damage.

[1] This work forms part of the research project “Internet y los derechos de la personalidad: un replanteamiento de su protección jurídica en el siglo XXI” (reference P1·1B2015-56), funded by the Universitat Jaume I de Castellón.

Recently, the Audiencia Provincial of Guipúzcoa ruled, in its judgment of 27 May 2016, precisely on this subject: civil liability for damage caused by minors on social networks. We consider that this is not a subject to be overlooked, so the aim of this work is to analyse that judgment in order to determine the problems it currently raises and the consequences in the civil sphere that may arise from minors' statements on social networks.

2. SOCIAL NETWORKS: CONCEPT, TYPOLOGY AND MINIMUM AGE FOR ACCESS

As noted above, the widespread use of the Internet and social networks by minors is a reality that cannot be denied. Given society's concern over this issue, several studies document the impact of social networks on minors' daily lives. We may cite in this respect the study “Menores y Redes Sociales”, carried out among schoolchildren aged 10 to 18[2], or the “Encuesta sobre los Hábitos de uso y seguridad de Internet de Menores y Jóvenes en España” of the Ministry of the Interior, prepared in 2014, which considered minors between 10 and 17 years of age[3]; both documents set out the current situation very clearly.

Today there is a multitude of social networks, which can be classified according to various criteria. However, before analysing the different types we must specify the concept. There are also different definitions of an online social network; we shall rely on the one provided by the Instituto Nacional de Tecnologías de la Comunicación (INTECO) and the Agencia Española de Protección de Datos. Their Estudio sobre la privacidad de los datos personales y la seguridad de la información en las redes sociales online defines them as “services provided over the Internet that allow users to generate a public profile, in which to set out personal data and information about themselves, with tools that allow them to interact with other users, whether or not they are related to the published profile”[4].

[2] Bringué, X. and Sádaba, Ch. (2011). Menores y redes sociales. Foro Generaciones Interactivas and Fundación Telefónica. Retrieved on 15 February 2017 at: http://familiadigital.net/files/resources/Libro-Menores-y-Redes-Sociales_.pdf

[3] Retrieved on 15 February 2017 at: http://www.interior.gob.es/documents/10180/2563633/Encuesta+sobre+h%C3%A1bitos+de+uso+y+seguridad+de+internet+de+menores+y+-j%C3%B3venes+en+Espa%C3%B1a/b88a590a-514d-49a2-9162-f58b7e2cb354

As regards typology, social networks of different kinds can be found, responding to different classification criteria. The INTECO and AEPD study speaks of general-purpose or leisure social networks, defined as those whose “main objective lies in facilitating and enhancing personal relations among the users who make them up”, and professional ones, whose purpose is to enable professional contacts to be established. Within the former it mentions those devoted to the exchange of information or content, for example YouTube; those based on profiles, such as Facebook or Tuenti; and microblogging or nanoblogging networks, such as Twitter[5]. There is also talk of horizontal and vertical social networks, a classification based on the users' profile. The former are general in nature and aim for users to create a profile, publish content and interact with others, while the vertical ones are aimed at a specific type of user, such as professionals, or users with shared leisure interests or an interest in disseminating knowledge[6]. Social networks are, however, a phenomenon in continuous development, and their subject matter is very varied.

At this point we must determine the minimum age for access to social networks. As a general rule, the age required to create a profile is 14. This is usually laid down in their legal terms[7], but where it is not, we must refer to art. 13 of Royal Decree 1720/2007, of 21 December, approving the Regulation implementing Organic Law 15/1999, of 13 December, on the protection of personal data[8]. That provision establishes that, as a general rule, the processing of personal data requires the consent of those over 14, while for those under that age the consent of their parents or guardians is required[9]. There are, however, other networks that obviously require the age of majority to create a profile, such as Meetic, Badoo or eDarling, among others, since they are social networks intended for meeting people[10]. Tuenti, for example, does not set a specific age in its terms of use, but does contain the following stipulation: “Remember that you cannot be a Tuenti user unless you have sufficient legal capacity to read, understand and accept these terms”[11].

[4] Available at: https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Estudios/est_inteco_redesso_022009.pdf. On the concept of social networks see, among others: Campuzano Tomé, H. (2011). Las redes sociales digitales: concepto, clases y problemática jurídica que plantean en los albores del siglo XXI. Actualidad Civil, no. 1, 1–15 January, pp. 18–32. Ortiz López, P. (2013). Redes sociales: funcionamiento y tratamiento de información personal. In Artemi Rallo Lombarte and Ricard Martínez Martínez (eds.), Derecho y redes sociales. Navarra: Civitas Thomson Reuters, pp. 22–25. Agustinoy Guilayn, A., and Monclús Ruiz, J. (2016). Aspectos legales de las redes sociales. Barcelona: Wolters Kluwer, pp. 15–21. Moreno Navarrete, M.A. (2010). Aspectos jurídico privados de las tecnologías Web 2.0 y su repercusión en el derecho a la intimidad. In Javier Boix Reig (dir.), Ángeles Jareño Leal (coord.), La protección jurídica de la intimidad. Madrid: 2010, pp. 339–342. Davara Fernández de Marcos, L. (2015). Implicaciones socio-jurídicas de las redes sociales. Navarra: Thomson Reuters Aranzadi, pp. 53–62. Noain Sánchez, A. (2016). La protección de la intimidad y vida privada en internet: la integridad contextual y los flujos de información en las redes sociales (2004-2014). Madrid: Agencia Estatal Boletín Oficial del Estado, pp. 168 ff.

[5] INTECO and AEPD. Estudio sobre la privacidad de los datos personales…, cit., pp. 45–51.

[6] Agustinoy Guilayn, A., and Monclús Ruiz, J. (2016). Aspectos legales de las redes sociales…, cit., pp. 21–22.

The question of age is closely linked to the capacity to be aware of the acts we are performing and their implications. As we know, full legal capacity is acquired in our legal system on reaching the age of majority, that is, 18 (art. 315 of the Civil Code). This does not, however, mean that a person under that age cannot perform acts with legal significance. For example, the Civil Code allows minors who have reached 14 to make a will (except a holographic one) (art. 663 CC), and allows marriage at 16. In the field of criminal law, Organic Law 5/2000, of 12 January, regulating the criminal liability of minors, makes them criminally liable from that age (art. 1)[12]. We may therefore ask whether 14 is a coherent age for giving consent on social networks. In this respect we consider that if a person is allowed to make a will at that age, given the patrimonial consequences this entails, and can be held criminally liable, then he or she is perfectly capable of giving consent to create a profile on a social network. Nevertheless, there will be minors below that age who are fully aware of the implications of using social networks, and there may be people above it who are not. Moreover, despite the limits the networks impose, practice shows that age-verification controls are relatively easy to circumvent[13].

[7] Instagram: http://help.instagram.com/478745558852511; Google+: https://support.google.com/accounts/answer/1350409?hl=es

[8] Published in BOE no. 17, of 19 January 2008.

[9] In some cases it is even surprising that this age is required and no further restriction is imposed, as is the case of LinkedIn, given that it is a professional social network; this makes us question why this age applies when in our country one cannot work until the age of 16 is reached. https://www.linkedin.com/legal/user-agreement?_l=es_ES

[10] An exhaustive list of the various social networks can be found in Davara Fernández de Marcos, L. (2015). Implicaciones socio-jurídicas de las redes sociales…, cit., pp. 108–123.

[11] http://corporate.tuenti.com/es/legal

[12] BOE no. 11, of 13 January 2000.

3. THE USE OF THE INTERNET AND SOCIAL NETWORKS BY MINORS

Marc Prensky coined in 2001 the terms “digital natives” and “digital immigrants”, the former referring to people born in the technological age and the latter to those who have had to adapt to it[14]. Today, for minors, ICT is an inherent part of their lives. The INTECO study “Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes y e-confianza de sus padres” highlights how minors understand their use of the Internet. As the document states, “the Internet is a basic tool of social relations and identity and, as such, the presence of children on the Internet is a ‘vital’ reality, and the use they make of the medium supports this certainty”[15].

Obviously its use brings important advantages; nevertheless, we must be aware of the risks it entails and of the need to use the Net appropriately[16]. For that reason, the judgment under discussion highlights a problem that must be taken into account: the improper use of social networks by minors and its possible impact on the rights of third parties.

[13] To give just a few examples, we may cite the SAP of Madrid of 4 December 2015 (ARP 2015\1382), in which, in a case of a continuing offence of sexual abuse, it was shown that a minor who was shortly to turn 13 created fake profiles on social networks claiming to be 16 or 17. Another case showing how easily age controls can be bypassed is the SAP of Valencia of 24 October 2013 (ARP 2013\1338), in which one of the witnesses explained that, as the person concerned was under 14, when she tried to create a profile on a social network stating her real age, they could not create it. They were only able to do so when they entered the age of 14 on the form.

[14] Prensky, M. (2001). Digital Natives, Digital Immigrants. Retrieved on 1 March 2017 at: http://www.marcprensky.com/writing/Prensky%20-%20Digital%20Natives,%20Digital%20Immigrants%20-%20Part1.pdf

[15] INTECO. (2009). Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes y e-confianza de sus padres, p. 46.

[16] The 2009 INTECO study already highlighted the various dangers ICT can pose for minors: addictions, infringement of intellectual property, access to unsuitable or inappropriate content, sexual harassment and cyberbullying, among others, pp. 70 ff.


Minors, because of their personal condition of not having reached the age of majority, must be the object of comprehensive protection by the various branches of the legal system, since they are considered a vulnerable group[17]. But alongside this protection by the law, the training that parents and schools can provide in the use of new technologies plays an essential role.

It cannot be doubted that the use of the Internet and social networks has a positive impact on minors. It allows them to foster social relations, interact with other people, look for resources for their education, and so on. Thanks to the Internet, minors can develop certain facets of their personality by participating in tools such as forums, but above all social networks[18]. That is, they can exercise some of their rights, such as freedom of expression.

This is a fundamental right recognised for all citizens in art. 20 of our Constitution, obviously regardless of age. As regards minors, however, there is more detailed recognition in international law. In this sense, the Convention on the Rights of the Child of 20 November 1989 proclaims their right to freedom of expression in art. 13. Its first paragraph provides that: “1. The child shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of the child's choice.” Its second paragraph, however, establishes a series of limitations on that provision, in particular, for the subject that concerns us, the one in letter (a), namely “respect of the rights or reputations of others”[19]. Although our Constitution does not establish it expressly, it has been our courts, above all the Supreme Court and the Constitutional Court, that have progressively delimited the content of freedom of expression. The decisions of both bodies are clear on this point: freedom of expression will never cover insults or degrading or demeaning expressions[20]. Therefore, regardless of age, we can exercise our freedom of expression on the Net, but it is not absolute and, consequently, the rights of third parties cannot be infringed.

[17] Marcos Martín, T. (2013). Los derechos de la personalidad de las personas-menores en el contexto internacional y su aplicación en el ordenamiento español. In Salvador Pérez Álvarez, Leyre Burguera Ameave, Kepa Paul Larrañaga (dir.), Menores e Internet, Navarra: Thomson Reuters Aranzadi, p. 161, points out that, since the emergence of new technologies has made it necessary to strengthen people's rights, greater protection is needed for minors, as vulnerable subjects in whose case, in the author's own words, “any public projection of their life may adversely affect their development”.

[18] Fernández-Coronado, A., Pérez Álvarez, S. (2013). La libre formación de la conciencia del menor a través de Internet. In Salvador Pérez Álvarez, Leyre Burguera Ameave, Kepa Paul Larrañaga (dir.), Menores e Internet, Navarra: Thomson Reuters Aranzadi, p. 199.

[19] At the national level, Organic Law 1/1996, of 15 January, on the Legal Protection of Minors, partially amending the Civil Code and the Civil Procedure Act (BOE no. 15, of 17 January 1996), enshrines minors' freedom of expression in its art. 8.

As we have said, parents and guardians play a fundamental role in minors' correct use of social networks. They must stress the importance of using them responsibly, warn minors of their risks and make clear that not everything is permitted on the Net, that is, that they cannot act freely without being aware of the effects of their acts. In addition to the information they provide, they should supervise the use minors make of the Internet and social networks. We must add, however, as the literature points out, that a balance must be found. Some authors consider that preventing minors from taking part in social networks, because of the alarm some parents feel at the risks involved, may amount to an overreach of the duties inherent in parental authority, since it would prevent the free development of the minor's personality, above all if the minor is aware of the implications of the act he or she is performing[21].

Various actors in society have proposed certain solutions regarding the use of social networks by children under 14 without any control. For example, the need for social networks to configure a safe environment has been raised, by strengthening security measures and redesigning privacy policies, among other things[22]. Another proposed solution is to verify age with the electronic national identity card (DNI electrónico), since those over 14 are required to have one[23]. However, I believe the problem will lie not so much with those over 14 as with minors who have not yet reached that age and do not yet have one.

[20] There is abundant case law on this point. Purely by way of example we may cite: SSTC of 25 November 1997 (RTC 1997\204), of 15 October 2001 (RTC 2001\2049), of December 2002 (RTC 2002\232), of 19 July 2004 (RTC 2004\127), and SSTS of 12 July 2004 (RJ 2004\4373), of 17 September 2008 (RJ 2008\5775) and of 13 May 2015 (RJ 2015\4274).

[21] Fernández-Coronado, A., Pérez Álvarez, S. (2013). La libre formación de la conciencia del menor a través de Internet…, cit., p. 202.

[22] Herrán Ortiz, A. (2010). Las redes sociales digitales: ¿hacia una nueva configuración de los derechos fundamentales en Internet? Revista Vasca de Administración Pública, 87-88, p. 554.

[23] Fernández-Coronado, A., Pérez Álvarez, S. (2013). La libre formación de la conciencia del menor a través de Internet…, cit., p. 209. De Priego Fernández, V. (2012). La protección jurídica del derecho a la intimidad de los menores en la red. In Eva Jordá Capitán, Verónica de Priego Fernández, Jesús Alberto Messía de la Cerda Ballesteros and Jesús Flores Rodríguez (coord.), Los derechos de la personalidad de los menores y las Nuevas Tecnologías. Madrid: El Derecho, p. 70, who states that commitment and self-regulation on the part of social network operators are also necessary.

4. THE JUDGMENT OF THE AUDIENCIA PROVINCIAL OF GUIPÚZCOA 139/2016, OF 27 MAY

The facts giving rise to the ruling of the Audiencia Provincial of Guipúzcoa are as follows: a minor, who was 13 at the time of the events, began in June 2011 to publish on a social network insults and truly serious and shocking degrading and derogatory comments about a teacher, prompted by the fact that the teacher had confiscated her mobile phone. This initial post was followed by a series of further comments both from the defendant and from other classmates. The claimant learned of these statements in October. This was, so to speak, the trigger for a deep depression she suffered, because she was also being mocked and treated with contempt within the school itself. The affected teacher sued the minor's father, the school and the school's insurance company. The Court of First Instance no. 8 of San Sebastián dismissed her claim, for which reason she appealed to the Audiencia Provincial, which found for the appellant in a lengthy judgment. In it, both the father and the school are held liable, and the insurance company is also ordered to pay the compensation, for the reasons now to be explained.

Why does the court order the father to pay the compensation? He was the one who provided his daughter with the various electronic and technological devices and, according to the record, at no point warned her of the use she should make of them, nor exercised any kind of control over her, particularly bearing in mind that such measures should have been heightened given that the minor was 13. He only took active steps once the facts became known. The court therefore considers that the depression the teacher suffered was also due, to some extent, to the father's lack of supervision of his daughter; he was obliged to teach her “basic principles on the use of the means of communication he gave her”, as the ruling states, and to adopt the precautions necessary to prevent her from behaving as she did.

For its part, the Audiencia Provincial finds that the school also failed to act correctly, for several reasons. The school had no rules on the use of technological devices; there was only a code of conduct which, as the ruling shows, pupils did not always respect, while the school's teaching staff did not know exactly how to act in some situations. The school's teachers informed the management of the inappropriate behaviour of some pupils, which the school ignored; it only began to act when the facts came to the attention of the teaching staff and the pupils' parents, causing great alarm.


The court is therefore clear and considers that the school should have acted and adopted “severe and forceful” measures to prevent the undisciplined behaviour of some students regarding the use of technological devices[24]. Accordingly, it considers that both the father and the school must answer, jointly and severally, for the damage suffered by the teacher, that is, under non-contractual civil liability pursuant to article 1902 CC[25] in conjunction with art. 1903[26] of the same statute.

The court is categorical in finding that the teacher's depression was caused, in part, by the father's lack of control and supervision of his daughter and by the school's failure to act, having neither established clear rules of behaviour nor adopted appropriate measures to put an end to the situation that was occurring on its premises (Legal Ground 8). It also orders the insurance company to pay the compensation, since the school held a civil liability policy covering activities carried out at the school.

The tenth legal ground of the judgment addresses the amount of damages. It is proven that the appellant took almost 8 months to overcome her depression and, moreover, suffered considerable moral harm, for which reason the court awards her the 24,000 euros she had claimed.

As we have seen, the judgment compensates the teacher under art. 1903 for the depression she suffered, brought on by the minor's comments on the social network and aggravated to some extent by the school's failure to take measures in the face of the situation she was enduring. This matter, however, raises a further series of questions that may be directly related and that are not mentioned in the ruling.

[24] The judgment notes that another teacher of the same year group also had to take sick leave before the claimant.

[25] “Any person who, by act or omission, causes damage to another through fault or negligence is obliged to repair the damage caused.”

[26] “The obligation imposed by the preceding article is enforceable not only for one's own acts or omissions, but also for those of the persons for whom one must answer.

Parents are liable for damage caused by children in their custody. Guardians are liable for damage caused by minors or incapacitated persons who are under their authority and live with them.

Owners or directors of an establishment or enterprise are likewise liable for damage caused by their employees in the service of the branches in which they are employed, or in the course of their duties.

Persons or entities that own a non-higher-education teaching centre are liable for damage caused by their minor pupils during the periods in which they are under the control or supervision of the centre's teaching staff, carrying out school, extracurricular or complementary activities.

The liability dealt with in this article shall cease when the persons mentioned in it prove that they exercised all the diligence of a good father of a family to prevent the damage.”


We cannot ignore that the statements the minor made on the social network infringe the teacher's right to honour, enshrined in art. 18 of the Spanish Constitution. From a civil point of view this right is protected by Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, personal and family privacy and one's own image[27]. Art. 7 sets out a list of situations considered unlawful intrusions and, in particular, the seventh refers to “the disclosure of expressions or facts concerning a person when they defame that person or lower him or her in the esteem of others”. It is therefore clear that the minor infringed the teacher's right to honour, although the ruling does not mention it. Art. 9, for its part, establishes the means of effective protection and, specifically, paragraph 3 lays down the criteria for quantifying compensation, one of which is the medium through which the infringement of the right took place. Given the length of this work we cannot stop to analyse this question, but we must point out that this law was enacted in the early 1980s. The legislature could not have foreseen the impact the Internet has today, nor that many infringements of personality rights occur precisely through this medium.

Another aspect the judgment does not address is the liability of information society intermediaries. This question is regulated by Law 34/2002, of 11 July, on information society services and electronic commerce[28]. Specifically, we must look to art. 16, on the liability of providers of hosting or data storage services. This provision starts from the idea that such providers are not liable for hosted content provided that: they have no “actual knowledge” that the information they store is unlawful and infringes the rights of third parties; or, once aware of this circumstance, they act diligently to remove the content or disable access to it. The judgment does not explain whether or not the social network had actual knowledge of the facts. If it acted with due diligence by removing the degrading comments, under the LSSI it would not be liable. If, however, it was aware of them and did nothing, it would be liable for the damage caused[29].

[27] BOE no. 115, of 14 May 1982.

[28] BOE no. 166, of 12 July 2002.

[29] The literature has addressed what is to be understood by actual knowledge and the liability of information society services. See, among others: Peguera Poch, M. (2007). “Sólo sé que no sé nada (efectivamente)”: la apreciación del conocimiento efectivo y otros problemas en la aplicación judicial de la LSSI. IDP: revista de Internet, derecho y política, no. 5; (2007). La exclusión de responsabilidad de los intermediarios en Internet, Granada: Comares.


The last issue we wish to highlight is that the statements made by the minor could be regarded as slander (injurias). But the person who caused the harm was 13 years old, so LO 5/2000, which as already mentioned applies from the age of 14, would not apply to her. Nonetheless, art. 3 of that law, for cases in which the person causing the harm has not reached that age, refers to the rules on the protection of minors in the Civil Code (CC) and other provisions in force. The choice of 14 as the threshold has been questioned. Jiménez Díaz maintains that the exemption from criminal liability rests on such persons being non-imputable regardless of their mental maturity. These are matters of legal certainty, age being an irrebuttable (iuris et de iure) presumption, even where, as she argues, the minor's mental maturity might allow otherwise[30]. Moreover, the Explanatory Memorandum itself states literally that: "the offences committed by children under this age are generally irrelevant and, in the few cases in which they may cause social alarm, the family and civil welfare spheres are sufficient to give them an equally adequate response, without the need for the intervention of the State's punitive judicial apparatus". After the case decided in this judgment, we should ask whether such facts can really be considered "irrelevant", bearing in mind, moreover, that cyberbullying is very common among minors. What is clear is that in these cases the injured parties would have to resort to civil proceedings in order to claim under arts. 1902 et seq.[31]

5. CIVIL LIABILITY OF PARENTS AND SCHOOLS

The judgment is clear and categorical, and can be summed up as follows: "be careful what our children and our pupils write on social networks". In a sense, if we may put it this way, the court is issuing a "wake-up call" both to parents, so that they step up the measures to control the use minors make of social networks, and to schools, so that they act and have protocols in place on the use of mobile phones on their premises.

In reality, it is the minor who causes the harm directly, but as we have seen the court holds the parent and the school liable under art. 1903 CC. In this regard, Gómez Calle points out that where the minor is the one who causes harm through fault, the minor must answer directly under art. 1902 CC. This does not prevent the persons covered by art. 1903 from also being liable, and both may concur in the same case. In practice, however, the injured party usually proceeds against the persons responsible for the minor, because they are more likely to see their claims satisfied[32].

[30] Jiménez Díaz, M.J. (2015). Algunas reflexiones sobre la responsabilidad penal de los menores. Revista Electrónica de Ciencia Penal y Criminología, no. 17-19, p. 14.
[31] De la Rosa Cortina, J.M. (2012). Responsabilidad civil por daños causados por menores. Valencia: Tirant lo Blanch, pp. 424-425.

The liability of parents for the conduct of their children is a case of liability for the acts of another. Gómez Calle notes that art. 1903 is fault-based liability, although with a reversal of the burden of proof, and that the person held liable answers because, through their own negligence, they enabled, even indirectly and frequently by omission, another person over whom they owed a duty of care towards third parties to cause harm[33]. It is liability for culpa in eligendo or in vigilando[34], or for culpa in educando[35] (in the case of parents).

Parents hold parental authority (patria potestad) over their children unless they have been deprived of it under art. 170 CC. Its content is set out in art. 154 CC, one facet of which is "to educate them and provide them with a comprehensive upbringing". Scholarship notes that parental liability stems precisely from those duties inherent in parental authority[36]. We may therefore take it that in this case the father ought to have given his daughter certain guidelines on the use of the technological devices he handed her, precisely because that conduct falls under the duty of education inherent in parental authority. In these situations, for parents to escape liability they must prove that they acted with due diligence. However, as scholarship points out, it is very difficult in such cases to prove that they acted correctly, to the point that the required proof has been described as "irrefutable"[37]. In this regard, Yzquierdo Tolsada maintains that it is very hard to find a case in which parents have proved that they were diligent in supervising or educating the minor; hence "parents are liable, quite simply, because they are parents"[38].

[32] Gómez Calle, E. (1995). La responsabilidad civil del menor. Derecho Privado y Constitución, no. 7, pp. 96-98. By the same author, (2003). Los sujetos de la responsabilidad civil. La responsabilidad por hecho ajeno. In L. Fernando Reglero Campos (Coord.), Tratado de responsabilidad civil, pp. 430-431.
[33] Gómez Calle, E. (2016). Artículo 1903. In Ana Cañizares Laso, Pedro de Pablo Contreras, Javier Orduña Moreno and Rosario Valpuesta Fernández (Dirs.), Código Civil Comentado. Volumen IV. Navarra: Civitas Thomson Reuters, p. 1375.
[34] Concepción Rodríguez, J.L. (1997). Derecho de Daños. Barcelona: Bosch, p. 120.
[35] Palacios González, D. (2016). Responsabilidad civil y derecho de daños. Tras las Reformas Legislativas de 2015. Lisboa: Juruá Editorial, p. 73.
[36] De la Rosa Cortina, J.M. (2012). Responsabilidad civil por daños causados por menores, cit., p. 93.
[37] Yzquierdo Tolsada, M. (2015). Responsabilidad civil extracontractual. Parte general. Delimitación y especies. Elementos. Efectos y consecuencias. Madrid: Dykinson, p. 275.

The father's conduct in this case was clear. Had the father, however, explained to his daughter how to use the technological devices, given her rules of conduct and, in addition, monitored her activity on social networks, he ought not to be liable for her. In our view, there are cases in which, even where parents are diligent and bring their children up according to certain values, the children may "stray" from the guidelines and values instilled in them. If it is proved (which, as we have seen, is very difficult) that the father was not negligent and exercised all due diligence, we consider that he should not be liable for his daughter. Yet this attitude of parents exercising exhaustive control over minors' activity on social networks would mean that parents could access their children's profiles, which, as we know, is precisely something the children do not welcome, jealous as they are of their privacy.

As regards the liability of the school, Gómez Calle qualifies that art. 1903 attributes liability to the owner of the school because it is the owner who is responsible for organising it, that is, arranging activities, deciding on staff and materials, and controlling and managing the premises and the personnel. If it were a public school, it would instead be subject to the regime of State (Administration) liability[39]. Unlike parents, schools find it easier to obtain exemption from liability[40].

In the specific case under discussion, the school's management ignored the requests of the teachers, who were watching the situation worsen owing to the lack of guidelines on the use of mobile phones in the school. Schools also play a fundamental role in the minor's education, so in cases like this they should have basic guidelines on the use of phones in schools. The failure of the school's management to act, as the judgment holds, allowed the situation to worsen, and the school is therefore held responsible, to some degree, for the teacher's depression.

[38] Yzquierdo Tolsada, M. (2015). Responsabilidad civil extracontractual…, cit., p. 277. Of the same opinion is Durany Pich, S. (2000). Padres y maestros. Indret 1/00, p. 1. For his part, Palacios González, D. (2016). Responsabilidad civil y derecho de daños…, cit., p. 76, notes that parents could be released from liability if they prove that there was an act of God (caso fortuito), force majeure or exclusive fault of the victim. On the other hand, Concepción Rodríguez, J.L. (1997). Derecho de Daños…, cit., p. 125, questioned how far the parents' duty of supervision should extend, given that the case law to date seemed to want to extend it to twenty-four hours a day, so that it could become an impossible duty, bearing in mind that minors leave the family home for part of the day and, moreover, that parents work.
[39] Gómez Calle, E. (2016). Artículo 1903…, cit., p. 1383.
[40] Yzquierdo Tolsada, M. (2015). Responsabilidad civil extracontractual…, cit., p. 334.

6. CONCLUSIONS

As a general rule, social networks require users to be 14 in order to create a profile. This seems to us an appropriate age, in line with that required by our legal system to perform certain acts with legal significance. The impact of their use on the minor is positive; however, besides the risks the minor may be exposed to, he or she must also be aware that not everything is permitted. In the case we have examined, the minor may exercise her freedom of expression, but that freedom cannot be absolute and therefore may not injure the personality rights of others.

Parents and schools must play an essential role in the minor's technological education, in the former case because it is a manifestation of parental authority. In that sense, parents need to exercise a degree of control over the minor's use of social networks. Obviously, as the child grows up this parental control may decrease, but it is a way of exercising the diligence the legal system demands of them in the performance of their functions. Nevertheless, this control must not be extreme either. In other words, a balance must be struck between the minor's rights, such as privacy, and the performance of the parents' functions.

This is because, as we have seen, parents are civilly liable for the conduct their children may engage in online. We consider the ruling in the judgment under discussion to be correct, both as regards the parent's liability and that of the school. However, given the practical difficulty of supervising minors' activity on social networks, which on certain occasions may escape parental "control", parents should be exempt from liability provided they show that they exercised due diligence in this respect.

7. BIBLIOGRAPHY

Agustinoy Guilayn, A. and Monclús Ruiz, J. (2016). Aspectos legales de las redes sociales. Barcelona: Wolters Kluwer.

Bringué, X. and Sádaba, Ch. (2011). Menores y redes sociales. Foro Generaciones Interactivas and Fundación Telefónica. Available at: http://familiadigital.net/files/resources/Libro-Menores-y-Redes-Sociales_.pdf

Campuzano Tomé, H. (2011). Las redes sociales digitales: concepto, clases y problemática jurídica que plantean en los albores del siglo XXI. Actualidad Civil, no. 1 (1-15 January), pp. 18-32.

Concepción Rodríguez, J.L. (1997). Derecho de Daños. Barcelona: Bosch.

Davara Fernández de Marcos, L. (2015). Implicaciones socio-jurídicas de las redes sociales. Navarra: Thomson Reuters Aranzadi.

De la Rosa Cortina, J.M. (2012). Responsabilidad civil por daños causados por menores. Valencia: Tirant lo Blanch.

De Priego Fernández, V. (2012). La protección jurídica del derecho a la intimidad de los menores en la red. In Eva Jordá Capitán, Verónica de Priego Fernández, Jesús Alberto Messía de la Cerda Ballesteros and Jesús Flores Rodríguez (Coord.), Los derechos de la personalidad de los menores y las Nuevas Tecnologías. Madrid: El Derecho, pp. 35-72.

Durany Pich, S. (2000). Padres y maestros. Indret 1/00.

Fernández-Coronado, A. and Pérez Álvarez, S. (2013). La libre formación de la conciencia del menor a través de Internet. In Salvador Pérez Álvarez, Leyre Burguera Ameave and Kepa Paul Larrañaga (Dir.), Menores e Internet. Navarra: Thomson Reuters Aranzadi, pp. 185-212.

Gómez Calle, E. (1995). La responsabilidad civil del menor. Derecho Privado y Constitución, no. 7, pp. 87-133.

Gómez Calle, E. (2003). Los sujetos de la responsabilidad civil. La responsabilidad por hecho ajeno. In L. Fernando Reglero Campos (Coord.), Tratado de responsabilidad civil, pp. 415-476.

Gómez Calle, E. (2016). Artículo 1903. In Ana Cañizares Laso, Pedro de Pablo Contreras, Javier Orduña Moreno and Rosario Valpuesta Fernández (Dirs.), Código Civil Comentado. Volumen IV. Navarra: Civitas Thomson Reuters.

Herrán Ortiz, A. (2010). Las redes sociales digitales: ¿hacia una nueva configuración de los derechos fundamentales en Internet? Revista Vasca de Administración Pública, 87-88, pp. 521-566.

Jiménez Díaz, M.J. (2015). Algunas reflexiones sobre la responsabilidad penal de los menores. Revista Electrónica de Ciencia Penal y Criminología, no. 17-19, pp. 1-36.

Marcos Martín, T. (2013). Los derechos de la personalidad de las personas-menores en el contexto internacional y su aplicación en el ordenamiento español. In Salvador Pérez Álvarez, Leyre Burguera Ameave and Kepa Paul Larrañaga (Dir.), Menores e Internet. Navarra: Thomson Reuters Aranzadi, pp. 161-184.

Moreno Navarrete, M.A. (2010). Aspectos jurídico privados de las tecnologías Web 2.0 y su repercusión en el derecho a la intimidad. In Javier Boix Reig (Dir.) and Ángeles Jareño Leal (Coord.), La protección jurídica de la intimidad. Madrid: 2010, pp. 335-360.

Noain Sánchez, A. (2016). La protección de la intimidad y vida privada en internet: la integridad contextual y los flujos de información en las redes sociales (2004-2014). Madrid: Agencia Estatal Boletín Oficial del Estado.

Ortiz López, P. (2013). Redes sociales: funcionamiento y tratamiento de información personal. In Artemi Rallo Lombarte and Ricard Martínez Martínez (Ed.), Derecho y redes sociales. Navarra: Civitas Thomson Reuters, pp. 21-37.

Palacios González, D. (2016). Responsabilidad civil y derecho de daños. Tras las Reformas Legislativas de 2015. Lisboa: Juruá Editorial.

Peguera Poch, M. (2007). "Sólo sé que no sé nada (efectivamente)": la apreciación del conocimiento efectivo y otros problemas en la aplicación judicial de la LSSI. IDP: revista de Internet, derecho y política, no. 5.

Peguera Poch, M. (2007). La exclusión de responsabilidad de los intermediarios en Internet. Granada: Comares.

Prensky, M. (2001). Digital Natives, Digital Immigrants. Available at: http://www.marcprensky.com/writing/Prensky%20-%20Digital%20Natives,%20Digital%20Immigrants%20-%20Part1.pdf

Yzquierdo Tolsada, M. (2015). Responsabilidad civil extracontractual. Parte general. Delimitación y especies. Elementos. Efectos y consecuencias. Madrid: Dykinson.

8

LEGAL RISKS OF DEEP PACKET INSPECTION OF TCP/IP PACKETS

José Luis González San Juan
PhD candidate in Private Law, Universidad de Salamanca.

ABSTRACT: Deep Packet Inspection comprises a set of techniques that give access to the inside of Internet packets, in real time (without having to slow them down or stop them), with the aim of discriminating among them in some way, whether on the basis of their content or of any other characteristic.

In this paper, after briefly explaining how Deep Packet Inspection works and listing its most important fields of application, we study the main legal problems raised by the use of these techniques, focusing particularly on those related to the protection of fundamental rights, and specifically the following: the right to secrecy of communications, the right to personal and family privacy, the right to the protection of personal data, and the freedoms of expression and information.

In conclusion, and given the importance of the fundamental rights that may be affected, we consider it necessary to establish specific and detailed regulation of Deep Packet Inspection, in order to determine which uses of it should be authorised, and under what conditions and circumstances they may be carried out. Moreover, given the universal nature of the Internet, such regulation will only be fully effective if it is implemented globally.

KEYWORDS: deep packet inspection, data protection, privacy, secrecy of communications, freedoms of expression and information, net neutrality.

1. INTRODUCTION

The Internet was born and has developed under net neutrality, a principle that many regard as the key to its success and which prevents discrimination among the data travelling across it. But with technological progress, ever more powerful network switching equipment has emerged, capable of extracting information about the data encapsulated in TCP/IP packets in real time.


These techniques, generically called Deep Packet Inspection[1] (DPI), allow ISPs (Internet Service Providers) to set discriminatory traffic-management rules.

Besides breaking net neutrality[2], the cornerstone of the Internet, DPI raises serious problems for users' fundamental rights, especially the following: secrecy of communications, privacy, data protection and the freedoms of expression and information.

In this paper, after explaining what DPI is and reviewing its main fields of application, we discuss the legal risks it raises, focusing in particular on those related to the fundamental rights just mentioned.

2. PRELIMINARY CONCEPTS

2.1. Distributed networks and the end-to-end principle: net neutrality

A network with a distributed topology is one that has no central nodes[3] (not even local ones), so that there are different alternative paths for routing information, which makes such networks far more robust against the disappearance or malfunction of some of their nodes (even a very large number of them). Moreover, in these networks it is very hard to establish controls or discrimination, because, to be effective, they would have to be applied at practically every node.

The end-to-end principle, for its part, means that applications reside at the end nodes of the communication, that is, the intelligence is at the edges[4], the network confining itself to transmitting the information. Control over applications and data therefore lies at those edges[5], in the hands of individual users and ASPs (Application Service Providers).

[1] In English: DPI (Deep Packet Inspection).
[2] Fush (2012), p. 49.
[3] There are no privileged nodes that could discriminate the information. See Alcántara (2010), pp. 25-29.
[4] "The network itself is dumb, and the intelligence is at the edges". See Bendrath (2009), p. 10.
[5] Cerf (2009), p. 18.1.


The fact that the Internet is a distributed network operating under the end-to-end principle also makes it easier for it to comply with net neutrality[6], which requires that all data travelling across the network be treated equally, regardless of origin, destination, nature, type of service or any other circumstance relating to it, with no kind of discrimination allowed[7].

2.2. The ISO Open Systems Interconnection model and the TCP/IP protocols

As regards the connection of equipment and network electronics, the Internet is described here using the OSI[8] open systems interconnection model. This model was developed in 1980 and was later fixed as a standard[9] by the International Organization for Standardization (ISO). (Strictly, OSI is a reference model; the Internet's own protocol suite is usually described with the four-layer TCP/IP model, but the OSI layer numbers are used throughout this paper for orientation.)

The OSI model is based on seven levels or layers, ranging from the physical or cabling level (layer 1) to the application level (layer 7), which is closest to the user.

In addition, on the Internet data are encapsulated using the TCP/IP protocols[10][11], which define the rules for splitting data into pieces, packaging them and transporting them to their destination, so that there they can be unpacked to reconstruct the message, regardless of the manufacturer of the hardware and software of the source, destination and intermediate equipment.

Each of the nearly one hundred protocols making up the TCP/IP family is associated with one or more OSI layers, and the packet produced by each protocol becomes the input data of the protocol below it.

2.3. How data are packaged on the Internet

To better explain how data travel across the Internet, we will use an analogy. Suppose we want to send a book to a friend who lives in another city, and we do the following:

[6] Neutrality is implemented through a "memoryless best-effort" approach. See SEPD (2012), p. 7.
[7] González (2016), p. 39.
[8] Open Systems Interconnection model.
[9] ISO (1994). This standard was ratified by AENOR in 1995 (standard UNE-EN ISO/IEC 7498-1:1995).
[10] A protocol is a set of rules that allow two devices to communicate with each other; in human terms, it would be the equivalent of a language.
[11] Also called Internet protocols; they take their name from the two best-known protocols, TCP (Transmission Control Protocol) and IP (Internet Protocol).


We take the first page out of the book, put it in an envelope[12], seal it, and attach a label identifying the page and the book. Next, we put the envelope in a wooden box, close it and label it as well. This wooden box, in turn, goes into a shipping container, which we seal and label again.

Finally, we hitch the container to a tractor unit, place another label in the cab with the sender's and recipient's addresses, and drive it by road to its destination, where the various packages are opened to recover the page. If we repeat this procedure with the remaining pages, our friend will be able to reassemble the book once they have all arrived, using the information on the labels.

Something similar happens on the Internet when we send or receive information. For example, when downloading a web page, the upper-layer protocols[13] (7, 6 and 5) split it up and put the pieces into different packets (equivalent to the envelopes in the analogy).

Each of these packets is placed, in turn, inside a layer 4 (transport) packet following the TCP protocol, with a header identifying the source and destination ports (TCP is like the wooden box, and its header the label). The TCP segment is packaged again with the IP protocol (layer 3, network), and the source and destination IP addresses are added in the header (like the container and its label).

Finally, the IP packet is encapsulated in the Ethernet protocol (layers 2, data link, and 1, physical), with the source and destination MAC addresses[14] added as a header (the tractor unit and its label). The packets travel independently[15] across the Internet, sometimes by different paths. (Strictly speaking, it is the IP packets that are routed independently: an Ethernet frame only covers a single link and is rebuilt, with new MAC addresses, at every hop, much as the container could be moved to a different truck at each depot.)

Besides helping us understand how data are packaged on the Internet[16], this analogy lets us visualise the great difficulty of inspecting packets while they are in transit, since it would be necessary to stop them in order to open them (just as a police officer cannot see the contents of lorries speeding along a motorway without stopping and opening them).

[12] For simplicity a single page is sent, but we could put as many pages in an envelope as would fit.
[13] For web pages the layer 7 protocol is HTTP (we do not go into the details of layers 6 and 5).
[14] The MAC address is a unique number identifying each network interface card.
[15] If a segment is lost, the receiving host detects it and requests retransmission of that segment only.
[16] This packaging is often compared to Russian nesting dolls (matryoshkas).


Traditionally, network switching equipment could only look at the packet headers, but for a little over a decade there have been technologies that can see the payload[17] without stopping or slowing the packets down.

It is as if we had a powerful X-ray machine to see the contents of the lorries, without stopping them and without their noticing. DPI is that powerful X-ray machine, and what is worrying is that it will normally not be in the hands of the police, but in those of the owners of the motorways, who will be able to divert, slow down or stop Internet traffic according to their own interests.

3. DEEP PACKET INSPECTION

Deep Packet Inspection (DPI) is the name given to any technique that accesses the inside of Internet packets, as they pass through a node that is not an endpoint of the communication and without slowing down the transmission, in order to filter or discriminate among them[18] on the basis of their content or of any other characteristic.

Before DPI appeared, inspections were also performed, but only of the headers[19]; DPI, however, scans the full content of packets[20], across all OSI layers[21], reaching even the message data.

DPI allows ISPs to monitor, speed up, censor or filter all traffic, something some authors regard as the end of the end-to-end principle, since intelligence is introduced into the intermediate nodes[22], causing users and ASPs to lose control, and breaking net neutrality, as it becomes possible to discriminate information on the basis of its content.

Nevertheless, DPI is an intrinsically neutral tool, and it is the use we make of it in each case[23] that will determine whether or not it is beneficial in that particular situation.

[17] The whole part of the packet that is not a header.
[18] This discrimination does not necessarily mean delaying the packet; it may be done to prioritise it.
[19] For example, SPI (Shallow Packet Inspection), also called Stateful Packet Inspection (the two share an acronym, but stateful inspection tracks connection state rather than merely reading headers). See Bendrath (2009), p. 14; Yoonjae (2013), p. 5 and Kolar (2015), p. 262.
[20] Umer (2016), p. 343.
[21] Yoonjae (2013), p. 5.
[22] Bendrath (2009), pp. 4 and 12.
[23] It can be used to filter malware or child pornography, uses we all accept, but it can also infringe fundamental rights by prioritising or discriminating content. See Bendrath (2009), p. 13.
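To make the encapsulation of section 2.3 and the header/payload distinction of section 3 concrete, the following Python script is an example added by the editor; it is not the author's code and no real capture is involved. It builds a constructed Ethernet II / IPv4 / TCP frame, unwraps it layer by layer, and contrasts what a header-only inspection sees (MAC addresses, IP addresses, ports) with what DPI extracts from the payload (the HTTP Host and path being requested, or a BitTorrent handshake that a port-based rule would label as web traffic). The "shallow" and "deep" classifiers, the throttle/allow policy, the sample addresses (RFC 5737 documentation ranges) and the protocol signatures are the editor's illustrative choices, not anything the paper specifies.

```python
"""Added example: header-only inspection versus DPI on one constructed frame.

Not part of the paper. The frame is built by hand (sample input, no capture)
so the script runs offline; field offsets follow Ethernet II, IPv4 and TCP.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # first 20 bytes of a BitTorrent peer handshake


@dataclass(frozen=True)
class Headers:
    """Everything a classic header-only (shallow) inspection can see."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_frame(frame: bytes) -> tuple[Headers, bytes]:
    """Unwrap Ethernet -> IPv4 -> TCP; return the headers and the application payload."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = ETH_HDR_LEN
    if frame[ip] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[ip] & 0x0F) * 4                      # IP header length, options included
    total_len, = struct.unpack_from("!H", frame, ip + 2)
    if frame[ip + 9] != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {frame[ip + 9]}")
    tcp = ip + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4              # TCP header length, options included
    payload = frame[tcp + data_off: ip + total_len]    # total_len excludes any Ethernet padding
    hdrs = Headers(
        src_mac=src_mac.hex(":"), dst_mac=dst_mac.hex(":"),
        src_ip=".".join(map(str, frame[ip + 12: ip + 16])),
        dst_ip=".".join(map(str, frame[ip + 16: ip + 20])),
        src_port=src_port, dst_port=dst_port,
    )
    return hdrs, payload


def shallow_classify(hdrs: Headers) -> str:
    """Header-only verdict: trusts the well-known destination port."""
    return {80: "http", 443: "https"}.get(hdrs.dst_port, "unknown")


def deep_classify(payload: bytes) -> dict:
    """DPI verdict: reads the TCP payload (OSI layers 5-7) and extracts what the
    headers never carry, e.g. the HTTP Host and path being requested."""
    if payload.startswith(BT_HANDSHAKE):
        return {"app": "bittorrent"}
    if payload.startswith(HTTP_METHODS):
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        request_line, *lines = head.split("\r\n")
        fields = {k.lower(): v.strip() for k, _, v in (line.partition(":") for line in lines)}
        return {"app": "http", "host": fields.get("host", ""), "path": request_line.split()[1]}
    return {"app": "unknown"}


# Illustrative ISP-style policy: the action depends on the DPI verdict, not on the port.
POLICY = {"bittorrent": "throttle", "http": "allow", "unknown": "allow"}


def inspect(frame: bytes) -> dict:
    hdrs, payload = parse_frame(frame)
    return {"headers": hdrs, "shallow": shallow_classify(hdrs), "deep": deep_classify(payload)}


def decide(frame: bytes) -> str:
    return POLICY[inspect(frame)["deep"]["app"]]


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed sample frame (RFC 5737 test addresses); checksums stay zero
    because the endpoints, not the inspecting node, verify them."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + tcp
    return struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                       ETHERTYPE_IPV4) + ip


HTTP_FRAME = build_frame(51000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
# Same destination port, different content: a BitTorrent handshake hiding on port 80.
BT_FRAME = build_frame(51001, 80, BT_HANDSHAKE + bytes(8) + b"\x11" * 20 + b"-PY0001-" + b"\x22" * 12)

if __name__ == "__main__":
    for name, frame in (("http", HTTP_FRAME), ("bittorrent on port 80", BT_FRAME)):
        r = inspect(frame)
        h = r["headers"]
        print(f"{name}: {h.src_ip}:{h.src_port} -> {h.dst_ip}:{h.dst_port}")
        print(f"  shallow={r['shallow']}  deep={r['deep']}  action={decide(frame)}")
```

Run as a script it prints both verdicts for each frame: the header-only view calls both flows "http", while the payload view distinguishes the real web request (and names the host visited, which is exactly the kind of data the paper's data-protection discussion is about) from the BitTorrent handshake and throttles only the latter. Two caveats a practitioner would add: this works only because the payload is plaintext, so with TLS the same node sees ciphertext and is reduced to metadata such as the server name in the ClientHello; and a real DPI engine has to reassemble TCP streams, since a signature split across two segments would slip past this per-packet check.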


4. MAIN USES OF DEEP PACKET INSPECTION

DPI was born to improve network security[24], but today its uses have grown considerably, and it is employed by many other actors besides ISPs[25]. These applications can be classified into two groups[26]: private uses and public uses.

4.1. Private uses

These are applications carried out by private entities, normally motivated by a commercial interest, the most relevant being the following:

• Network security: this was the first use of DPI, and it remains very important today. It covers blocking viruses and malware, detecting attacks, and controlling spam.

• Quality of service and traffic management: ISPs can use DPI to guarantee quality of service[27] and also to manage traffic more effectively[28].

• Special services or differentiated tariffs: ISPs can create fast lanes for special applications[29] and differentiated tariffs, obtaining additional revenue from users[30] and ASPs[31].

• Behavioural advertising: DPI makes it possible to obtain data on users' browsing habits, so that tailored advertising[32] can be inserted into the sites they visit.

[24] Inspecting only headers does not allow certain threats and attacks to be detected, for example DDoS (Distributed Denial of Service) attacks. See Yoonjae (2013), p. 5 and Bendrath (2009), p. 17.
[25] Indeed, some authors argue that ISPs' current ability to access data is considerably more limited than that of other actors, such as ASPs. See Swire (2016), p. 23.
[26] Classification proposed by K. Ball. See Ball (2014), p. 22.
[27] In English, QoS (Quality of Service). See Cortés (2014), p. 23 and Kolar (2015), p. 262.
[28] In the EU, consent is not required if DPI is used solely to avoid network congestion, there is no less intrusive method, and confidentiality is guaranteed. See SEPD (2012), p. 10.
[29] Such as telesurgery (remote surgery with a robot controlled by a surgeon over the Internet). On special services, see Marsden (2012), p. 27 and Beltrà (2016), p. 6.
[30] Charging subscribers for the services used (à la carte Internet).
[31] Prioritising one ASP's applications over those of its competitors.
[32] Known as behavioural advertising or Ad Injection. See SEPD (2012), p. 8 and Bendrath (2009), p. 21.


• Censura privada: los ISP pueden discriminar el tráfico, estableciendo una censura privada33, por diversos motivos: detectar contenidos protegidos por derechos de autor34, bloquear el tráfico de la competencia, evitar ciertos servicios (por ejemplo, P2P35), etc.

• Control interno en las empresas36: para proteger redes locales (LAN) contra el robo de datos (interno o externo), y como cortafuegos para evitar contenidos no deseados: virus, spam, etc.

• Protection of industrial systems: an emerging use of DPI37, to prevent attacks on critical civil installations connected to the Internet (nuclear plants, airports, etc.).

4.2. Public uses

These are uses by the Government or other branches of the State, normally for reasons of public order or national security. The most important are the following:

• Judicial and police investigation: DPI can be an important weapon against terrorism, drug trafficking and crime in general, both in prevention and in police and judicial investigation.

• Public censorship: Governments can use DPI to persecute the opposition or to censor unwanted content, and moreover, with some types of DPI, messages can be modified.

• Intelligence, counter-intelligence and military applications: DPI can be used by government agencies in intelligence and counter-intelligence work38, to guarantee national security, and also by the armed forces for military purposes.

33 ISPs would thereby control free expression and the free flow of information. See Barata (2012), p. 48.

34 See SEPD (2012), p. 3, footnote 9 and Bendrath (2009), p. 24.

35 See Riley (2009), p. 4.

36 R. Bendrath calls these self-contained practices. See Bendrath (2009), p. 26.

37 See Ulloa (2015), p. 257.

38 See Bendrath (2009), p. 25, and Cortés (2014), p. 26.


116 LEGAL RISKS OF DEEP INSPECTION OF TCP/IP PACKETS

5. LEGAL RISKS OF DEEP PACKET INSPECTION

Despite the undoubted advantages of DPI, it is clearly not free of drawbacks.

Leaving aside the technical39 and economic40 problems, which fall outside the scope of this article, we focus exclusively on analysing its legal risks.

5.1. Conflicts with the secrecy of communications

The secrecy of communications, enshrined41 in art. 18.3 of the Spanish Constitution (CE), establishes the freedom of private communications by imposing secrecy42 on them43, so that they remain free of any interference by third parties outside the communication44, protecting them against intrusions both by public authorities and by private parties45.

This right belongs to everyone, including natural and legal persons, and those with a legitimate interest are also protected, even if they do not take part in the communication46.

39 It is difficult to implement at very high speeds and does not work on encrypted data. One alternative is pattern analysis, which analyses aggregated data without violating privacy, has a lower computational cost and can be used with encrypted data. See Umer (2016), p. 343.

40 It discourages investment and reduces innovation by raising barriers to entry, since new entrants cannot pay for higher priority. See Riley (2009), pp. 7-13.

41 It is also included in all the international charters: art. 8 of the European Convention on Human Rights (ECHR), art. 7 of the EU Charter of Fundamental Rights (CFREU), art. 12 of the Universal Declaration of Human Rights (UDHR), art. 17 of the International Covenant on Civil and Political Rights (ICCPR), etc.

42 As Agustín Romero states, "the concept of secrecy has a formal character, stripped of the public or private nature of the protected data". See Romero (2012), p. 8; Rebollo (2000), p. 360, and STC 114/1984, FJ 7.

43 By imposing secrecy, the freedom of communication is protected. See Jiménez (1987), p. 51; Rebollo (2000), p. 360, and STC 114/1984, FJ 7.

44 Art. 18.3 CE is not violated if a participant in the communication discloses it, although if it were intimate, the right under art. 18.1 could be violated. See Gimeno (2011); Rebollo (2000), p. 360, and STC 114/1984, FJ 7.

45 Both the Constitutional Court (TC) and the majority of scholars consider it a right enforceable erga omnes, which protects against any interference by third parties outside the communication (SSTC 123/2002, FJ 5 and 114/1984, FJ 7).

46 See Rebollo (2000), pp. 360 and 364, and STC 214/1991, FJ 3.


According to our Constitutional Court, this secrecy goes beyond being a guarantee of individual freedom and becomes an instrument of collective cultural, scientific and technological development47.

It protects every communication, regardless of whether its content is intimate or private48, and this protection is not limited to the message but covers the whole communicative process49, and can only be set aside with judicial authorisation50. It is also violated by the mere unlawful knowledge of what was communicated or of certain data relating to the communication51.

Although not all information travelling over the Internet qualifies as a communication52 for the purposes of art. 18.3 CE53, it will do so fairly often, and then the use of techniques as invasive as DPI may violate the secrecy of communications.

As the European Data Protection Supervisor (EDPS, cited here as SEPD) states, besides accessing the content of the message54, which is addressed exclusively to the recipient, and thereby potentially violating the secrecy of communications directly, DPI also makes it possible to learn traffic data, which are likewise protected by this right55, since it carries out indiscriminate, mass surveillance without safeguards, giving access to all the information passing through the node56.

Moreover, certain types of DPI also make it possible to modify the message, so it can be used to spread disinformation, something that goes beyond mere interception of the communication and will normally have more serious consequences, especially when carried out by the State.

47 STC 123/2002, FJ 5.

48 SSTC 123/2002, FJ 5 and 114/1984, FJ 7.

49 Data relating to the communication are also protected (its existence, the identity of the parties, date and time, etc.). See Jiménez (1987), p. 48; Romero (2012), p. 2; ECtHR judgments of 2 August 1984 (Malone), FJ 7 and of 3 April 2007 (Copland); SSTC 145/2014, FJ 4; 123/2002, FJ 5 and 114/1984, FJ 7.

50 Which must be obtained beforehand (except in the case of art. 579.3 LECrim).

51 SSTC 145/2014, FJ 4; 230/2007, FJ 2 and 114/1984, FJ 7.

52 It will not be one when it is an open communication, for example using a blog. In addition, it must be a process, transmit a message and use a technical medium. See Jiménez (1987), pp. 42-50.

53 Although express reference is made to postal, telegraphic and telephone communications, scholars unanimously consider this list to be illustrative, there being a numerus apertus of protected communications.

54 See SEPD (2012), pp. 2, 7.

55 Gimeno (2011).

56 Ball (2014), pp. 21-22.

5.2. Conflicts with personal and family privacy

The right to privacy57 is enshrined in art. 18.1 CE, is contemplated in practically all charters of rights worldwide58, and is possibly the right that faces the most tensions59 in the digital world.

Unlike the secrecy of communications60, this right belongs exclusively to natural persons, and defines an intimate sphere surrounding the individual, whose extent is fixed by the individual's own acts, and which must remain free from interference by third parties.

Scholars are unanimous61 in considering DPI techniques a significant risk to privacy, since by inspecting the entire content of packets, indiscriminately and without safeguards, they also give access to data or information belonging to users' intimate sphere.

While we agree that traffic management is necessary to guarantee a quality service, avoiding congestion and malicious content62, and that DPI is sometimes essential for it to be effective, we also consider it fundamental that such management be carried out with respect for privacy63 and, where applicable, with the consent of the data subject.

Furthermore, the fact that DPI can easily be carried out without users being aware of it greatly aggravates its negative implications for privacy64, since it is much harder for them to take measures to protect themselves.

57 STS 270/2012, of 19/04/2012, defines this right in its FJ 4.

58 Art. 8 ECHR, art. 7 CFREU, art. 12 UDHR, art. 17 ICCPR, etc.

59 See Cortés (2014), p. 10.

60 The two rights are independent: a transmission may be protected by the secrecy of communications without being intimate, or the reverse, be private without being subject to secrecy. And of course it may also be both at once, or neither.

61 For all: Umer (2016), p. 343; Bendrath (2009), p. 17 and Ball (2014), p. 23.

62 Such management may also be carried out to prioritise critical services, detect illicit content and obtain additional revenue, both from users and from ASPs.

63 See Beltrà (2016), p. 13.

64 See SEPD (2012), p. 14.


5.3. Conflicts with the protection of personal data

In the words of our Constitutional Court, art. 18.4 CE enshrines a genuine fundamental right65, distinct from and additional to the other rights in article 18 CE, known as habeas data66, which guarantees control over data relating to one's own person (informational self-determination), even when they are not intimate67.

TCP/IP packets will very often include personal data68, since in addition to those the message itself may contain, certain header fields may also be personal data, for example IP addresses, MAC addresses and other metadata69.

Regarding the IP address, the Court of Justice of the EU (CJEU) has held on several occasions that it will normally be personal data70, and regarding the MAC address, since it is unique to each network card, it allows the user to be identified if it is combined with some additional data (such as the date and time of the connection), so it too will frequently be personal data71.

For this reason, the use of DPI constitutes a significant risk to the protection of personal data, and its use should be limited, with traffic management carried out exclusively on header information72 wherever possible.

Where personal data are present, whoever decides to carry out DPI will be the data controller73, and must obtain users' prior consent, which must be genuine, specific and informed74, for which users need prior, adequate and comprehensible information.

65 Our Constitution was a pioneer in expressly providing for this right, which is also implicitly included in art. 8 ECHR, art. 12 UDHR and art. 17 ICCPR, and explicitly in art. 8.1 CFREU.

66 STC 292/2000, FJ 5.

67 This right may be violated even where there is no communication protected under art. 18.3 CE and the information is neither intimate nor private (art. 18.1 CE).

68 Article 3.a of Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), which transposes Directive 95/46/EC, defines "personal data" as: "any information concerning identified or identifiable natural persons".

69 Additional information about the data, included in the headers. See SEPD (2012), p. 8, note 24.

70 CJEU judgments of 24/11/2011, Scarlet Extended (C-70/10), paragraph 51, and of 19/10/2016, Breyer (C-582/14), paragraph 49.

71 The arguments applied to IP addresses in the judgments cited in the previous note hold, mutatis mutandis.

72 Beltrà (2016), p. 13.

73 Since it will normally also perform the DPI physically, it will also be the data processor.

Furthermore, consent must be given by all users involved in the communication, and explicitly, since implicit consent would not satisfy the above requirements75.

5.4. Conflicts with freedom of expression and freedom of information

As both the Supreme Court (TS) and the Constitutional Court have held, freedom of expression and freedom of information, besides being subjective rights, enjoy an initially prevailing position when balanced against other fundamental rights, since they contribute to the formation of a free public opinion, indispensable for the political pluralism a democratic state requires76, although, depending on the specific circumstances of the case, that position may yield to other rights.

As we saw, governments can use DPI to establish public censorship77, with the aim of political, ethnic or religious persecution, or simply to prevent the dissemination of content the regime does not accept.

Thus, for example, Iran uses DPI to spread disinformation by modifying the content of messages78, and China has DPI-based information filtering systems that block access to certain content, such as pornographic and religious material and political messages opposed to the regime.

But DPI can also be used to establish private censorship79, whether by ISPs or by other actors (almost always for economic reasons), so as to limit or prevent access to information (for example, to copyright-protected works80 without authorisation), or to carry out discriminatory filtering81 of certain services or applications, such as P2P82.

74 As established in art. 2.h of Directive 95/46/EC and art. 3.h of the LOPD.

75 See SEPD (2012), p. 13.

76 SSTC 21/2000, FJ 4, 19/2014, FJ 6, and STS 127/2013 of 25/02/2013, FJ 3.

77 On the use of DPI for governmental control, see Bendrath (2009), p. 25.

78 China has also used DPI to modify messages. See Ball (2014), pp. 7 and 22.

79 See Barata (2012), p. 48, and Bendrath (2009), p. 24.

80 It should be recalled that copyright protects the form, that is, the specific expression the author has given to ideas (the work), but does not protect the ideas themselves, which must flow freely. See Carbajo (2010), p. 128.

81 See Bendrath (2009), p. 19.

82 The first case in which there are solid grounds to believe that DPI was used to block P2P traffic was that of the US operator Comcast, in 2007. See Riley (2009), p. 4.


Another use of DPI that limits access to information is so-called à la carte Internet83 (differentiated tariffs depending on the services used), since it makes access to the totality of Internet content impossible for users with fewer resources, for whom it becomes too costly.

In all the above cases, limiting access to information (content control) will almost always amount to a violation of freedom of expression and freedom of information, since without full access to information there is no true freedom of expression, nor is a full exercise of freedom of information possible84.

Additionally, the mere knowledge that controls or inspections exist produces wariness or fear about communicating freely on the Internet, which also limits both freedoms85 by coercing users.

5.5. Other legal risks of DPI

Besides the problems above, DPI presents other legal risks, including the following:

• Violation of religious freedom86: DPI can be used to censor religious ideas or practices, and to enforce compliance with the official religion in confessional States.

• Violations of freedom of assembly and freedom of association87: both rights can be violated with DPI, for example if it is used to learn the identity of the members of an association, or to identify those attending a demonstration by analysing the data traffic from their mobile phones88.

• Racial, sexual or religious discrimination89: DPI can also be used to establish racial, sexual, religious or any other kind of discrimination.

83 SEPD (2012), p. 4.

84 See Barata (2012), p. 48 and Sturges (2010), p. 21.

85 Ball (2014), p. 23.

86 Cortés (2014), p. 37.

87 Ibid.

88 In Kiev (Ukraine), in January 2014, people who were near a mass riot received an SMS informing them that they had been registered as participants in the riot (information from mobile phone base stations was used, but DPI could be used for similar practices). See Cortés (2014), p. 40.

89 Fuchs (2012), p. 50.


• Unfair competition and free competition: using DPI to prioritise one's own applications, or those of group companies, over those of competitors90 may breach competition rules, or amount to unfair competition or abuse of a dominant position.

• Presumption of innocence91: using DPI to prevent crime can lead to a violation of the presumption of innocence when incorrect interpretations are made that lead to innocent people being regarded as suspects.

6. HOW DPI FITS INTO CURRENT LEGISLATION

As the EDPS has pointed out92, and given that the use of DPI may violate users' fundamental rights, an adequate legal basis must exist in order to use it in each case.

As a general rule, that legal basis will be the users' consent, although it can be argued that such consent might not be necessary when DPI is used for one of the following purposes:

• Providing the service: since ISPs are authorised to process the traffic data necessary to convey the communication93, especially header data.

• Guaranteeing security: since ISPs are obliged to adopt measures to guarantee the security of their services94, and DPI will frequently be necessary for that purpose.

• Minimising congestion: prioritising traffic is a legitimate measure to avoid congestion, since the alternative could be loss of service through network saturation.

However, since the current legal framework makes no express reference to DPI, this interpretation could easily be challenged, creating a degree of legal uncertainty, which is why we believe a legislative reform is necessary, the main lines of which are discussed below.

90 Marsden (2012), p. 28.

91 See Ball (2014), p. 23, and Fuchs (2012), p. 50.

92 SEPD (2012), p. 9.

93 Article 6.1 of Directive 2002/58/EC on privacy and electronic communications.

94 Article 4 of Directive 2002/58/EC.


Finally, a possible additional consequence of DPI, when carried out by ISPs, is that it may prevent them from relying on the liability exemption in article 1295 of Directive 2000/31/EC on electronic commerce.

The reason is that this article requires, as a condition for its application, that the ISP neither select nor modify the data transmitted96, and filtering carried out using DPI could, under certain circumstances, be regarded as a genuine selection of that data.

7. MEASURES TO MINIMISE THE RISKS OF DPI

Despite the problems we have seen, when used correctly DPI is very effective for optimising the operation of the Internet and guaranteeing its security.

Nevertheless, users need to know its risks, since few are aware that these techniques allow third parties to access all the information sent or received over the Internet. Awareness campaigns should therefore be run to explain the risks and recommend suitable practices to counter their effects.

Encryption97 minimises the risks of DPI, since it prevents access to the packet payload, helping to safeguard the secrecy of communications, personal and family privacy and also the protection of personal data.

It is not a perfect solution98, however, since some data in the packets will almost always remain unencrypted, for example IP99 or MAC addresses, which if encrypted would make routing impossible100.

95 Art. 14 of Law 34/2002, of 11 July, on information society services and electronic commerce.

96 Unless the manipulation is carried out for strictly technical reasons.

97 Many websites use HTTPS (the encrypted version of the HTTP protocol) by default. HTTPS traffic rose from 13.3% in 2014 to 48.6% in 2016 (as a share of total web traffic). See Swire (2016), pp. 36-38.

98 It will always be possible to access the headers and also to carry out statistical analysis, which may violate privacy, data protection or the secrecy of communications. See SEPD (2012), p. 13. It also has other drawbacks: it requires more technical resources, increases costs and slows down communication.

99 IP addresses can sometimes be hidden, as in the Tor network (The Onion Router), which is used to access the deep web, avoid censorship or evade persecution by browsing anonymously (note that the user's own ISP still sees the connection to the Tor entry node; what is hidden is the final destination).

100 It should be noted, however, that both IP and MAC addresses are in the headers, so this is not a problem specific to DPI; it also arises with shallow packet inspection, which can likewise violate these fundamental rights, albeit in a much more limited way. A further nuance: the IP header travels end to end, whereas a MAC address is only carried on each local link and is replaced at every router, so it is exposed to the access network rather than along the whole path.
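The preceding paragraphs on encryption, and footnote 100 in particular, turn on the difference between what an inspector can read from packet headers and what it can read from the payload. The following Python script is added here as an illustration; it is not code from the paper or from any of the cited works. It builds IPv4/TCP packets inline (addresses, ports, host names and the hand-assembled TLS ClientHello are all constructed for the demonstration), reports the header-only (shallow) view, and then attempts a deep read of the payload for three cases: a plaintext HTTP request, a TLS handshake, and an encrypted TLS application-data record. It goes one step beyond the text by showing that even with TLS the handshake's Server Name Indication (SNI) remains readable in the clear, so encryption hides the content of the exchange but not necessarily the name of the site being visited.

```python
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left zero; enough for parsing)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, ip_src, ip_dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return the header fields (what shallow inspection sees) plus the raw payload."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto != 6:
        return {"src": src, "dst": dst, "proto": proto, "payload": raw[ihl:]}
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "payload": raw[ihl + data_off:]}


def shallow_inspect(raw):
    """Header-only view: the 5-tuple, with no access to the payload."""
    p = parse_packet(raw)
    return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])


def tls_sni(payload):
    """Extract server_name from a TLS ClientHello, or None. Assumes a single record."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9 + 2 + 32              # record hdr(5) + handshake hdr(4), then version, random
    pos += 1 + payload[pos]       # session id
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + cs_len             # cipher suites
    pos += 1 + payload[pos]       # compression methods
    if pos + 2 > len(payload):
        return None
    ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:            # server_name extension: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def deep_inspect(raw):
    """Payload view: classify the application layer and pull out identifiers."""
    payload = parse_packet(raw)["payload"]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        line, _, rest = payload.partition(b"\r\n")
        host = None
        for hdr in rest.split(b"\r\n"):
            if hdr.lower().startswith(b"host:"):
                host = hdr.split(b":", 1)[1].strip().decode()
        return {"app": "http", "host": host, "request": line.decode()}
    name = tls_sni(payload)
    if name is not None:
        return {"app": "tls-clienthello", "host": name}
    if payload[:1] == b"\x17" and payload[1:3] == b"\x03\x03":
        return {"app": "tls-appdata", "host": None}   # encrypted: nothing readable
    return {"app": "unknown", "host": None}


def client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    sni = struct.pack("!HBH", len(server_name) + 3, 0, len(server_name)) + server_name.encode()
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample traffic; addresses, ports and names are illustrative only.
HTTP_PKT = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 51000, 80,
                          b"GET /private/medical HTTP/1.1\r\nHost: example.org\r\n\r\n")
HELLO_PKT = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 51001, 443, client_hello("example.org"))
APPDATA_PKT = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 51001, 443,
                             b"\x17\x03\x03\x00\x10" + bytes(range(0xA0, 0xB0)))

if __name__ == "__main__":
    for label, pkt in (("http", HTTP_PKT), ("clienthello", HELLO_PKT), ("appdata", APPDATA_PKT)):
        print(label, shallow_inspect(pkt), deep_inspect(pkt))
```

The shallow view is identical for all three packets apart from the port: the 5-tuple is always available to anyone on the path, which is the point footnote 100 makes about IP addresses. The deep view recovers the full request line and Host header from plaintext HTTP, recovers the destination name from the unencrypted ClientHello even though the session is about to be encrypted, and recovers nothing from the application-data record. A real inspector would also have to reassemble TCP segments and handle records split across packets; this script assumes one record per packet to keep the parsing visible.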


Moreover, encryption is not very effective at protecting freedom of expression and freedom of information101, since although it prevents access to the inside of the frames, whoever performs DPI can censor any encrypted packet by blocking it or slowing it down102.

Another possible measure would be to use DNS servers (and proxy servers103) other than those provided by the ISP, which makes tracking packets harder, but this is not a perfect solution either, since it makes DPI more difficult but does not prevent it entirely (unencrypted DNS queries to a third-party resolver, in particular, remain readable in transit).

For all these reasons, we consider it necessary to expressly regulate the authorised uses of DPI, in the following terms:

• As a general rule, the use of DPI must be limited to cases where there is free, specific and informed consent from all the users involved, which must moreover be given beforehand and explicitly.

• Nevertheless, ISPs may use DPI for traffic management and network security purposes without specific consent, provided that users have all the prior information on how it will be carried out and that the principle of proportionality is respected104.

• The use of DPI techniques to investigate crimes must be subject, in all cases, to prior judicial authorisation.

• The law must expressly prohibit the use of DPI to establish any kind of censorship, whether public or private.

• Finally, national and international supervisory bodies are needed to oversee the actors using DPI and guarantee that users' fundamental rights are respected.

Lastly, since the Internet has no borders and information travels across it globally, there will frequently be international transit of packets105, and DPI may be carried out in third countries (other than those of the sender and recipient).

101 And also other fundamental rights, such as religious freedom and freedom of association.

102 See Marsden (2012), p. 28.

103 A virtual private network (VPN) may be used, which combines third-party proxy servers with encryption, but it has the same drawbacks as encryption. See Swire (2016), p. 31.

104 Less invasive techniques must be used wherever possible, and where traffic has to be limited, it must be for the strictly necessary time only. See Beltrà (2016), p. 5.

105 The exact route packets travel is normally unknown.


This situation causes two problems: on the one hand, it makes it harder to know that DPI is being carried out, and on the other, it makes it much more complicated to implement measures to avoid its risks, which is why the regulation of DPI must be global in nature106 or it will be ineffective107.

8. CONCLUSIONS

DPI comprises various techniques for classifying and filtering traffic by inspecting the payload of Internet packets, reaching as far as the message itself.

Although DPI can be used to avoid network saturation or guarantee its security, it can also be used for data mining, intercepting communications, discriminating between content and censoring information, violating users' fundamental rights, especially the secrecy of communications, privacy, data protection and freedom of expression and of information.

To avoid these risks, DPI must be legally limited to exceptional cases, using less invasive techniques wherever possible, and where it is unavoidable there must be full transparency and information, as well as prior and informed consent from users.

Although encryption does not solve all the legal problems of DPI, it is very suitable for minimising them, especially for protecting the secrecy of communications, privacy and data protection.

Since we consider current legislation insufficient, we propose that, de lege ferenda, the use of DPI be expressly regulated, establishing clear and precise limits that guarantee a balance between the protection of users' fundamental rights and the necessary management of the network, and that prevent or minimise the other risks associated with these techniques.

This legislation must be global in nature or it will be ineffective, and in addition supervisory bodies are needed to oversee ISPs, at both national and international level.

106 Ball (2014), p. 23.

107 One solution could be the so-called lex mercatoria of cyberspace, a still very incipient customary regulation, although ISPs are unlikely to voluntarily accept rules that limit DPI. See Vidal (2010), p. 470.


9. BIBLIOGRAPHY

Alcántara, J. (2010). La neutralidad de la red. Puerto Rico: El Arte de las Cosas. https://www.versvs.net/la-neutralidad-de-la-red/ (accessed 28/02/2017).

Ball, K. et al. (2014). Vigilancia, Privacidad y Seguridad. ¿Cuál es su opinión? Surveillance, Privacy and Security (SURPRISE). Retrieved 14/02/2017 from: http://surprise-project.eu/wp-content/uploads/2015/03/Surprise_2014_es.pdf

Barata, J. (2012). El concepto de net neutrality y la tensión entre regulación pública y autorregulación privada de las redes. IDP Revista de Internet, Derecho y Política, 13, pp. 44-52. http://idp.uoc.edu/124/volume/0/issue/13/ (accessed 14/02/2017).

Beltrà, G. (2016). Net Neutrality In Europe: Time for Clear Rules of the Game. Bureau Européen des Unions de Consommateurs (BEUC). Retrieved 15/02/2017 from: http://www.beuc.eu/publications/beuc-x-2016-049_gbe_net_neutrality_in_eu-time_for_clear_rules_of_the_game.pdf

Bendrath, R. (2009). Global technology trends and national regulation: Explaining Variation in Governance of Deep Packet Inspection. Retrieved 14/02/2017 from: http://userpage.fu-berlin.de/bendrath/ISA09_Paper_Ralf%20Bendrath_DPI.pdf

Carbajo, F. (2010). Creación, edición y lectura en la sociedad de la información: entre la propiedad intelectual y el acceso a la cultura. Pliegos de Yuste, 11-12, pp. 127-134. http://www.pliegosdeyuste.eu/n1112pliegos/pdfs/125-134.pdf (accessed 13/03/2017).

Cerf, V. (2014). The open Internet: what it is, and why it matters. Telecommunications Journal of Australia, 59(2), pp. 18.1-18.10. http://arrow.monash.edu.au/vital/access/manager/Repository/monash:110689

Cortés, C. (2014). Vigilancia de las comunicaciones en Colombia. El abismo entre la capacidad tecnológica y los controles legales. Bogotá: Centro de Estudios de Derecho, Justicia y Sociedad, Dejusticia. http://www.dejusticia.org/files/r2_actividades_recursos/fi_name_recurso.643.pdf (accessed 20/02/2017).

Fuchs, C. (2012). Implications of Deep Packet Inspection (DPI) Internet Surveillance for Society. Retrieved 15/02/2017 from: http://www.apc.org/en/node/14843

Gimeno, V. (2011). La intervención de las comunicaciones telefónicas y electrónicas. El Notario del Siglo XXI, 39. http://www.elnotario.es/index.php/hemeroteca/revista-39/697-la-intervencion-de-las-comunicaciones-telefonicas-y-electronicas-0-2863723191305737 (accessed 06/03/2017).

González, J. L. (2016). Neutralidad de red en Internet. IBERSID, 11(2), pp. 39-44. http://www.ibersid.eu/ojs/index.php/ibersid/article/view/4308 (accessed 05/03/2017).

ISO (1994). Information Technology - Open Systems Interconnection - Basic Reference Model: The Basic Model. International Standard ISO/IEC 7498-1 (1994).


Jiménez, J. (1987). La garantía constitucional del secreto de las comunicaciones. Revista española de Derecho Constitucional, 7(20), pp. 35-82.

Kolar, N. B. (2015). Deep Packet Inspection Technology. International Journal on Emerging Technologies (Special Issue on NCRIET-2015), 6(2), pp. 262-265. http://www.researchtrend.net/ijet/ijet61/50%20NCRIET.pdf (accessed 15/02/2017).

Marsden, T. (2012). Neutralidad de la red: Historia, regulación y futuro. IDP Revista de Internet, Derecho y Política, 13, pp. 24-43. http://idp.uoc.edu/124/volume/0/issue/13/ (accessed 14/02/2017).

Rebollo, L. (2000). El secreto de las comunicaciones: problemas actuales. Revista de Derecho Político, 48-49, pp. 351-382. http://revistas.uned.es/index.php/derechopolitico/article/view/8796 (accessed 08/03/2017).

Riley, M. C. (2009). Deep Packet Inspection: The end of the internet as we know it? Retrieved 14/02/2017 from: http://www.policyarchive.org/handle/10207/20222

Romero, A. (2012). Intervención de las comunicaciones. Diario La Ley, nº 7816, 12 March 2012.

SEPD (2012). Dictamen del Supervisor Europeo de Protección de Datos sobre la neutralidad de la red, la gestión del tráfico y la protección de la intimidad y los datos personales. 2012/C 34/01. Retrieved 14/02/2017 from: http://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX%3A52012XX0208(01)

Sturges, P. (2010). Misterio y transparencia: el acceso a la información en los dominios de la religión y la ciencia. IBERSID, 4, pp. 21-28. http://www.ibersid.eu/ojs/index.php/ibersid/article/view/3863 (accessed 13/03/2017).

Swire, P. (2016). On line privacy and ISPS: ISP access to consumer data is limited and of-ten less than access by others. Recuperado el 20/02/2017, en: http://www.iisp.gatech.edu/working-paper-online-privacy-and-isps

Ulloa, M. A. I. (2015). Principales vulnerabilidades de los sistemas de automatización industrial y posibles acciones para evitar ciberataques. Actas de las XXXVI Jornadas de Automática, 2 al 4 septiembre 2015, pp. 252-259.

Disponible en: http://www.ehu.eus/documents/3444171/4484751/121.pdf (consulta 15/02/2017).

Umer, M. F. et al. (2016). Towards Multi-Stage Intrusion Detection using IP Flow Records. International Journal of Advanced Computer Science and Applications, 7(10), pp. 343-

347. https://thesai.org/Downloads/Volume7No10/Paper_46-Towards_Multi_Stage_Intrusion_Detection.pdf

Vidal, J. I., (2010). Cloud Computing: su problemática jurídica. Actas de Derecho Industrial y Derecho de Autor (ADI), 31, pp. 449-474.Yoonjae, L. et al. (2013). The Development of Deep Packet Inspection Platform and Its

Applications.

Page 129: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

128 RIESGOS JURÍDICOS DE LA INSPECCIÓN PROFUNDA DE PAQUETES TCP/IP

III International Conference on Intelligent Computational Systems, enero 2013 Hong Kong (China)

http://psrcentre.org/images/extraimages/2.%20ICECEBE%20113833.pdf (consulta 14/02/2017).

Page 130: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

9

BUILDING A CYBERSECURITY CULTURE IN THE EU THROUGH MANDATORY NOTIFICATION OF DATA BREACHES AND INCIDENTS: DIFFERENCES AND SIMILARITIES OF DATA VULNERABILITY REPORTING TOOLS

Lina Jasmontaite

Doctoral student at the Research Group on Law, Science, Technology & Society (LSTS), Vrije Universiteit Brussel (VUB)

ABSTRACT: Cybersecurity has been identified as a policy priority for nation states, businesses and individuals, as well as for international and regional organisations. The EU has been particularly active in this domain and has refurbished its 'outdated' laws by introducing new principles and requirements. Requirements to notify data breaches and incidents are perhaps the most illustrative attempts to attain the objectives of the EU's 2013 Cybersecurity Strategy and to create a more secure and well-functioning Digital Single Market. While both new regulatory measures call for a culture of risk management, it is important to consider the synergies between them in order to enhance legal certainty. To this end, the author first introduces each mechanism and then identifies the similarities and differences between the two data vulnerability reporting mechanisms. By doing so, the author hopes to contribute to the ongoing academic and business discussions on the contribution of the two measures to cybersecurity.

KEYWORDS: data breach, EU, incident, notification, cybersecurity, data vulnerability

1. INTRODUCTION

Calls for building a cybersecurity culture followed the recognition that states, public and private organizations, and individuals depend on information technologies for the provision of, and access to, numerous services. UN Resolution 57/239, titled 'Creation of a global culture of cybersecurity', can be considered one of the first such calls at the international level. The Resolution, adopted in 2002, emphasised the importance of international cooperation and proposed the following principles, to be exercised cumulatively: awareness raising; taking responsibility appropriate to individuals' roles; timely and cooperative incident response; ethical behaviour (e.g., respecting the legitimate interests of others); security solutions compatible with the key values and principles of democratic societies; periodic risk assessments by all participants that identify threats and vulnerabilities;


security by design; and a holistic and dynamic approach to security management.1 This Resolution, like the documents that followed it, was not legally binding and thus did not create any legal obligations for its addressees. It rather provided recommendations for 'participants', which in this particular context referred to users of information systems and networks.

Compromised cybersecurity may affect nearly every aspect of modern life. This can be illustrated by recent cases, including the global spread of the malicious software named WannaCry, which among many others affected Britain's National Health Service and some telecom providers such as Telefónica, and the email hacking incidents reported by presidential candidates in the US and France. Consequently, it is no exaggeration to state that cybersecurity is a major consideration for areas ranging from critical information infrastructure, the economy and national security to democracy.

Cybersecurity is nowadays not just a technical issue relevant to computer science and engineering; it is also a concern for 'collective and institutional systems, reflecting the influence of political and national security actors'.2 Cybersecurity also relates to 'ICT sensitive' liberties, such as privacy and data protection.3 Certainly, the recognition of cybersecurity as an important issue served as a precondition for a wider deployment of cybersecurity measures, but the efforts of stakeholders so far have been diverse and rather scattered. Following up on this observation, the European Union (EU) has adopted measures that can potentially remedy this situation.

One such measure is the Directive concerning measures for a high common level of security of network and information systems across the Union (the 'NIS Directive'). The NIS Directive has primarily been seen as a remedy ensuring the reliability and security of network and information systems and services. At the same time, it can be anticipated that once transposed into the domestic laws of the Member States, the NIS Directive will have wider implications. The NIS Directive and the domestic laws implementing its provisions will co-exist with numerous other regulatory tools that also shape the actions of governments and business. These regulatory tools include, but are not limited to: Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection; Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or

1 UN, Resolution adopted by the General Assembly (A/57/529/Add.3) 57/239. Creation of a global culture of cybersecurity.

2 Nissenbaum, Helen (2007). When Computer Security meets National Security, in Cybercrime, Digital Cops in a Networked Environment, ed. Jack M. Balkin et al. (New York University Press).

3 Porcedda, Maria Grazia, Data Protection and the Prevention of Cybercrime - The EU as an Area of Security? (August 1, 2012). EUI Working Papers LAW No. 2012/25. Available at SSRN: https://ssrn.com/abstract=2169340


prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data; and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the 'General Data Protection Regulation' or 'GDPR'). This paper will not ponder the overall impact of the NIS Directive. Instead, it will examine the incident notification mechanism and consider its relation to the data breach notification requirement introduced by the General Data Protection Regulation.

Starting from the premise that both the NIS Directive and the GDPR introduce transparency obligations, the paper first introduces each mechanism and then identifies the similarities and differences between the two data vulnerability reporting mechanisms. The first part of the paper examines the concept of incident notification developed within the NIS Directive, whereas the second part focuses on the data breach notification regime launched by the GDPR. After a brief introduction of each regulatory tool, the rationale and the provisions introducing the notification obligations are examined. The third part of the contribution elaborates on the extent to which the two measures share similar elements and objectives.

2. INCIDENT NOTIFICATION UNDER THE NIS DIRECTIVE

2.1. The NIS Directive

The NIS Directive is a minimum harmonisation measure, and therefore Member States are free to choose the form and methods by which they implement the requirements stemming from it, such as the adoption of national strategies on the security of network and information systems. This flexibility may be seen as a weakness of minimum harmonisation tools, as it provides Member States with some leeway when implementing provisions that aim at achieving a higher level of security of network and information systems. At the same time, directives are considered to be the best tool when introducing a new regulatory area.4

The underlying objective of the NIS Directive is explained in its Recital 5, which states that '[t]he existing capabilities are not sufficient to ensure a high level of security of network and information systems within the Union'.5 The recital explains that

4 Craig & De Búrca, EU Law: Text, Cases, and Materials (Oxford University Press, 4th ed., 2008) 85

5 Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union


Member States have very different levels of preparedness, which has led to fragmented approaches across the Union. This diversity of Member States' practices with regard to cybersecurity measures hinders the protection afforded to consumers and business, and thus 'the overall level of security of network and information systems'.6 The NIS Directive has been adopted to remedy this undesirable situation.

The adoption of the NIS Directive was the main milestone foreseen in the joint communication presenting a Cybersecurity Strategy for the EU (the 'EU Cybersecurity Strategy') published in 2013. Building upon the key objective of this Strategy, 'to make the EU's online environment the safest in the world',7 the NIS Directive requires Member States 1) to introduce mandatory technical and organisational measures for operators of essential services and digital service providers that would allow them to prevent, manage and respond to risks and incidents affecting network and information systems, and 2) to take part in a cooperation mechanism, namely the Cooperation Group, that would allow them to share and coordinate information about risks and incidents.

At the same time, as stated above, the NIS Directive will have a wider impact, as it will in some cases affect the protection of individuals' rights to privacy and data protection when incident notifications are handled. Incident notification to the NIS competent authority or to the Computer Security Incident Response Team (CSIRT) will be a mandatory requirement for operators of essential services, where an incident has a significant impact on the continuity of the essential service they provide, and for digital service providers, where an incident has a substantial impact on the provision of their service. As explained by the European Data Protection Supervisor, it is highly likely that in the context of incident notification the processed data will include some types of personal data, such as IP addresses or the names of contact persons of the affected providers of essential services. Building on this observation, this contribution analyses the requirements for incident notification laid down in Articles 14 and 16 of the NIS Directive.

2.2. Incident notification: New wine in old bottles

2.2.1. Definitions

According to Article 4(7) of the NIS Directive, 'incident' means any event having an actual adverse effect on the security of network and information systems. In order

6 Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union

7 European Commission and High Representative of the EU for Foreign Affairs and Security Policy (2013), Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, Brussels, 7.2.2013 JOIN(2013) 1 final, 3.


to have a comprehensive understanding of this definition, it should be read together with the meaning given to the term 'security of network and information systems'. The latter 'means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems'.8 Reading the two definitions together, it appears that the EU understanding of an incident is very broad, as it includes any event having an actual adverse effect on the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, those network and information systems. Incidents must be notified by operators of essential services and by digital service providers.

Operators of essential services can be both public and private entities that provide a service which (a) is essential for the maintenance of critical societal and/or economic activities; (b) depends on network and information systems; and (c) would be significantly disrupted by an incident.9 Each Member State will have to identify the entities that meet these criteria. Annex II of the NIS Directive lists the sectors (as well as sub-sectors and types of entities) that fall within the scope of this new regulatory measure, namely: energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructure.

Digital service providers are legal persons that provide digital services. A digital service here means 'any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services'.10 Annex III of the NIS Directive specifies that online marketplaces, online search engines and cloud computing services fall within this framework.

2.3. The rationale

The rationale for establishing the mandatory incident notification mechanism is that sharing information about incidents can not only provide a better understanding of the types of threats, but can also facilitate the selection and development of adequate countermeasures and result in better investment decisions in the future.11 It

8 NIS Directive, Article 4(2)

9 NIS Directive, Article 5(2)

10 Directive (EU) 2015/1535 of the European Parliament and of the Council, Article 1(1)(b)

11 Wolff, Josephine (2014). Models for Cybersecurity Incident Information Sharing and Reporting Policies. TPRC 43: The 43rd Research Conference on Communication, Information and Internet Policy Paper


is believed that more precise information about prevailing information security threats could improve the current situation, in which mass-scale data breaches are reported on a frequent basis even though IT security companies report ever-growing investments.

The origins of incident notification mechanisms can be traced back to early human attempts to monitor the environment. Yet perhaps the best known examples of attempts to reduce safety risks can be found in the fields of transportation, medicine and consumer goods. Reporting incidents involving drug effects, railways, aircraft and marine vessels is not only considered good practice but is also often required by law. Within these fields the rationale behind the reporting mechanisms is typically presented in a straightforward fashion. For example, one marine accident reporting form states that the data provided in the form will be used 'to determine causes surrounding reportable marine casualties' and also for the purpose of 'promoting the safety of life, property, and the protection of the marine environment through preventing the reoccurrence of accidents'.12 In other words, the report will be used to capture lessons learned and to use them for prevention purposes.

The development of a mandatory incident notification for operators of essential services and digital service providers seems reasonable, as sharing information about incidents is at the core of effective information management practices, which have become ever more important as societies such as the EU increasingly depend on digital infrastructures. The incident notification mechanism aims at extending the existing information sharing practices within the scope of the Critical Infrastructure Warning Information Network and the European Banking Authority, which have thus far focused on identifying cybersecurity threats of a varied and diffuse nature. It can be suggested that a mandatory obligation for a wide range of entities to share information about information security incidents and data vulnerabilities will allow the generation of more precise information, which is in the interest of all stakeholders involved in the digital environment.

However, the contours of the notification mechanism remain blurred and there is little information on how it will function in practice. By 9 August 2017, the European Commission is due to adopt implementing acts clarifying the obligations arising from the NIS Directive for digital service providers. Perhaps, once the implementing acts are adopted, it will be possible to determine to what extent the NIS notification mechanism builds on existing practices in the finance, telecommunications or critical infrastructure sectors.

12 For example, https://www.uscg.mil/forms/CG/CG_2692.pdf


2.4. Practical implementation: High hopes for implementing acts

As said earlier, the NIS Directive is a minimum harmonisation measure and provides only the core principles and objectives that Member States should implement. The provisions introducing incident notification obligations will be further clarified by implementing acts adopted by the European Commission.

Consequently, the notification requirements are phrased in a rather ambiguous way. Indeed, as described earlier, the definition of the term 'incident' is rather broad and may cover a wide range of events (for more details see section 2.2.1).

Article 14 of the NIS Directive requires Member States to ensure that operators of essential services inform, without undue delay, 'the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. [...] In order to determine the significance of the impact of an incident, the following parameters in particular shall be taken into account: (a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident'.13 These are rather high-level criteria that require further specification and contextualisation. Article 14(7) foresees the possibility that the competent authorities, acting together within the Cooperation Group, may develop and adopt guidelines concerning the circumstances in which operators of essential services are required to notify incidents. Article 16, concerning digital service providers, foresees that the European Commission will further clarify the elements and criteria of incident notification by 9 August 2017.

Notably, while Article 11 of the NIS Directive provides a list of tasks that the Cooperation Group will have to carry out, it does not detail the way in which the single points of contact must cooperate and share information about encountered incidents. The NIS Directive only foresees that by 9 August 2018, and every year thereafter, the national single point of contact will have to submit a summary report to the Cooperation Group on the notifications received, including the number and nature of the notified incidents and the actions taken in response to them (Article 10(3)). Each CSIRT will be responsible for monitoring incidents at the national level; providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents; responding to incidents; and providing dynamic risk and incident analysis and situational awareness.

In order to improve the level of cybersecurity, the EU insists that the Member States pool their resources and act in a cooperative manner that facilitates the exchange of information between the relevant stakeholders. In practice, this means that for the smooth

13 NIS Directive, Article 14 (3)


functioning of the internal market to become a reality, the EU promotes cross-border cooperation on cybersecurity issues between relevant authorities that may have limited power to engage in such information sharing practices under the applicable domestic law.

2.5. Vision of notifications: Close cooperation of all stakeholders

Recital 62 of the NIS Directive foresees that competent authorities should act together where appropriate. At the same time, this recital 'encourage[s] operators of essential services and digital service providers to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities'. Indeed, as the recital notes, '[i]ncidents may be the result of criminal activities, the prevention, investigation and prosecution of which is supported by coordination and cooperation between operators of essential services, digital service providers, competent authorities and law enforcement authorities'.14

While the NIS Directive does not impose any specific obligation on the competent authorities to which the notifications are reported, it provides some guidance on cooperation in Recital 59. This recital requires competent authorities 'to pay due attention to preserving informal and trusted channels of information-sharing'.15 In accordance with the proportionality principle, this recital insists that '[p]ublicity of incidents reported to the competent authorities should duly balance the interest of the public in being informed about threats against possible reputational and commercial damage for the operators of essential services and digital service providers reporting incidents'.16

Contrary to the worries expressed by various operators of essential services and digital service providers, incidents reported to competent authorities and CSIRTs will be covered by confidentiality obligations, and the authorities 'should pay particular attention to the need to keep information about product vulnerabilities strictly confidential, prior to the release of appropriate security fixes'.17

2.6. A light-touch regime for providers of digital services?

Article 16 of the NIS Directive requires digital service providers, namely providers of online marketplaces, online search engines and cloud computing services, to notify the competent authority (or authorities) or the CSIRT without undue delay of incidents having a substantial impact on the provision of a service. While digital service

14 NIS Directive, Recital 62

15 NIS Directive, Recital 59

16 NIS Directive, Recital 59

17 NIS Directive, Recital 59


providers are supposedly subject to a lighter notification regime, the criteria defining a substantial impact are more elaborate than those for operators of essential services and include the following elements: (a) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident; (d) the extent of the disruption of the functioning of the service; (e) the extent of the impact on economic and societal activities. To bring more clarity to this framework and its requirements, the European Commission will adopt an implementing act. It hosted a first stakeholder meeting on this matter on 27 March 2017. Not surprisingly, representatives of key multinational companies were present at this meeting and presented their points of view. While one could criticise the limited outreach of the consultation, which reached mostly the so-called Brussels-bubble representatives, there is a more worrisome remark to make: the multinational companies that will be required to notify the incidents they experience are concerned only with limiting the scope of their obligations, and not with the rationale behind the mechanism, namely improving overall cybersecurity.

3. DATA BREACH NOTIFICATION UNDER THE GDPR

3.1. The GDPR

The GDPR replaces the EU Data Protection Directive, adopted in 1995, which aimed at harmonising data protection regulation among the EU Member States and facilitated the free flow of personal data within the EU. It should be noted that Directive 95/46/EC was not a directly applicable legal instrument; it provided a minimum set of rules for the EU Member States. Like other directives, Directive 95/46/EC was binding 'as to the result to be achieved' and left it to the discretion of the Member States to choose the methods for implementing its legal requirements.18 All EU Member States implemented the rules set forth by the Directive in their national laws regulating data processing.19 However, due to the different choices made while implementing the Directive, the EU data protection framework has been harmonised only to a limited extent. One of the underlying goals of the GDPR was to reduce this fragmentation.20

18 Consolidated Version of the Treaty on European Union and the Treaty on the Functioning of the European Union (2010/C 83/01); The Treaty on the Functioning of the European Union, Article 288.

19 Note: the Directive has been implemented by the members of the European Economic Area that are not part of the EU, namely Iceland, Liechtenstein and Norway.

20 Communication, A Digital Single Market Strategy for Europe, 2015


The GDPR 'applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system'.21 The GDPR, like the Data Protection Directive, assigns a very broad meaning to the term 'processing'. Under the GDPR, processing means 'any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'.22 In practice, this means that any operation performed upon personal data (e.g. an entry of data about a person, the location of a person, or a description of a person's health condition) constitutes data processing.

3.2. Definitions

Article 4(12) of the GDPR defines a 'personal data breach' as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. This definition reiterates the wording of the revised Directive 2002/58/EC, which in Article 2(i) defined a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community'.23 Interestingly, this obligation grew out of the security notification obligation foreseen in the initial Directive 2002/58/EC, which in Article 4(2) required service providers to inform subscribers of particular risks of a breach of the security of the network.24

21 GDPR, Article 2

22 GDPR, Article 4

23 See Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws

24 In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.


The content of the notification requirements towards the competent national authorities as well as subscribers was further detailed in Annex I of Regulation 611/2013 on the measures applicable to the notification of personal data breaches. The minimum information to be provided to the competent authorities included the following: the name of the provider; the identity and contact details of the data protection officer or other contact point where more information can be obtained; whether it concerns a first or second notification; initial information on the personal data breach (for completion in later notifications, where applicable); the date and time of the incident (if known; where necessary an estimate can be made) and of its detection; the circumstances of the personal data breach (e.g. loss, theft, copying); the nature and content of the personal data concerned; the technical and organisational measures applied (or to be applied) by the provider to the affected personal data; and the relevant use of other providers (where applicable). Regulation 611/2013 encouraged telecom providers to provide more detailed information about security breaches.25 As the breach notification obligation concerned data processed by telecommunications network providers, notifications were typically made either to data protection or to telecommunications authorities. For example, internet access providers or providers of public telephone services in the Netherlands and Sweden have to inform the independent telecommunications authorities, whereas in Poland entities providing the same services should (in case of a personal data breach) notify the data protection authority.

3.3. The rationale

The initial proposal for a data breach notification within the general EU data protection regime can be traced back to the Joint Contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, which argued that ‘[a] general privacy breach notification should be introduced in the new legal framework.’26 Within this proposal, data breach notification was regarded as being primarily in the interest of data subjects (i.e., the individuals whose data are processed).

The Article 29 Working Party has been keen on extending the practice of incident notification introduced in the ePrivacy Directive, which applies to the telecoms sector. That could have been anticipated: in Opinion 03/2014 on Personal Data Breach Notification, the EU data protection regulators concluded that, even though the notification obligation is not mandatory for all data controllers, ‘[n]otification of data breaches […] constitutes a good practice’.27

25 See for more details: Regulation 611/2013, Annex I, Section 2.

26 Article 29 Working Party, The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data.

Data breach notification is considered part of the risk-based approach. In particular, Recital 85 of the GDPR explains that ‘[a] personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned’. Recital 86 explains that the controller should inform the data subject about a personal data breach only in situations ‘where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions’. Such a notification should ‘describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects’.

The data breach notification obligation laid down in Article 33 of the GDPR (notification to the supervisory authority), together with the communication to data subjects under Article 34, can therefore be considered another measure with a potentially positive impact on overall cybersecurity.

3.4. Not a game changer but…

Even though data breach notification was not part of the obligations created under Directive 95/46/EC, it can be claimed that its incorporation into the GDPR is no game changer. Data breach notification was already mandatory for data controllers in the telecoms sector, and therefore expanding the scope of this obligation to other controllers is not an entirely new development within EU data protection law. Furthermore, according to Turle, a data breach notification obligation was already implicit. He explained that it resulted partly from the cumulative interpretation of the regime applicable to the processing of personal data in the telecoms sector, namely Directive 95/46/EC and the ePrivacy Directive, and partly from the transparency obligations applicable to data controllers.28 Transparency obligations, according to the author, included registration and notification of the processing, the fair processing principle, the information notice provided to data subjects, and the facilitation of data subjects’ access requests.29

27 Article 29 Working Party, Opinion 03/2014 on Personal Data Breaches.

28 Marcus Turle, Data security: Past, present and future, Computer Law & Security Review, Volume 25, Issue 1, 2009, Pages 51-58, ISSN 0267-3649, http://dx.doi.org/10.1016/j.clsr.2008.11.001 (http://www.sciencedirect.com/science/article/pii/S0267364908001659).

On the other hand, the data breach notification introduced in the GDPR should be read cumulatively with other provisions of the new legislation, in particular Article 24 on the responsibility of the controller (which gives effect to the accountability principle of Article 5(2)) and Article 25 on data protection by design and by default. The two articles require controllers to be proactive (i.e., to implement appropriate technical and organizational measures and to regularly review the choice of these measures) and prepared (i.e., to document their actions, to consider the risks arising from the processing, and to be able to demonstrate their compliance with the GDPR requirements). It can be suggested that both of these articles also foster a cybersecurity culture.

4. INCIDENT NOTIFICATION AND DATA BREACHES: A COMPARISON OF APPLES AND ORANGES

As a result of the newly introduced mandatory incident and data breach notification requirements, entities may be considering adopting new policies and approaches in order to implement the new obligations. Perhaps an operator of essential services is also a data controller? What if an operator of essential services or a digital service provider is a processor? Or is an operator of essential services or a digital service provider, or both, a processor and a controller at the same time? Perhaps ‘extracting’ the commonalities of the two laws would provide a good solution? Indeed, as Recital 63 of the NIS Directive notes, ‘[p]ersonal data are in many cases compromised as a result of incidents.’30

Unfortunately, the answer is not that straightforward, even though both legal instruments could be considered to impose transparency obligations. In fact, entities subject to the new requirements may have to consider domestic laws, in particular the laws implementing the provisions of the NIS Directive, and the guidance provided by the regulatory authorities (e.g., DPAs). The confusion brought by the two mechanisms could perhaps be reduced if regulators (at national or EU level) explained the rationale behind each mechanism. The recitals of both laws are phrased in a rather vague fashion and are of little help.

29 Marcus Turle, Data security: Past, present and future, Computer Law & Security Review, Volume 25, Issue 1, 2009, Pages 51-58, ISSN 0267-3649, at 56, http://dx.doi.org/10.1016/j.clsr.2008.11.001 (http://www.sciencedirect.com/science/article/pii/S0267364908001659).

30 NIS Directive, Recital 68.

5. CONCLUSION

There is no doubt that mandatory incident and data breach notification requirements will generate more knowledge about the actual level of information security and about security problems in the EU. Regulatory authorities and end-users will also learn more about the cyber threats to which their data, and they themselves, are exposed on a daily basis. It can be speculated that the added value of the two mechanisms will depend not only on the efforts put in by the regulators but on the actual follow-up of the reporting (e.g., to what extent it will affect the level of security awareness, or whether it will lead to bigger investments in technical and organisational security measures). Opinions over the two mechanisms appear to be divided. For example, ENISA has suggested that the ‘extension of mandatory notifications would potentially conflict with other regulatory authorities and, as a result, the jurisdiction of regulatory authorities would have to be clearly defined’.31 Business representatives have on several occasions conveyed the message that the two mechanisms may have negative effects on their competitiveness and business activities in comparison with entities operating outside the EU. But can it be that the two mechanisms will contribute to the creation of a cybersecurity culture in the EU?

Acknowledgments

The research for this paper was made possible thanks to the funding from the European Union’s Horizon 2020 Framework Programme for research and innovation under the CANVAS (Constructing an Alliance for Value-driven Cybersecurity) project, grant agreement no. 700540.

6. BIBLIOGRAPHY

Article 29 Working Party, Opinion 03/2014 on Personal Data Breaches

Article 29 Working Party, The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data

Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications

31 ENISA, Data breach notifications in the EU, 2011, 33

Consolidated Version of the Treaty on European Union and the Treaty on the Functioning of the European Union (2010/C 83/01); The Treaty on the Functioning of the European Union, Article 288.

Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union

ENISA, Data breach notifications in the EU, 2011

European Commission and High Representative of the EU for Foreign Affairs and Security Policy (2013), Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, Brussels, 7.2.2013 JOIN(2013) 1 final

European Parliament and the Council, ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ OJ L119/1, 4.5.2016

Turle, Marcus, Data security: Past, present and future, Computer Law & Security Review, Volume 25, Issue 1, 2009, Pages 51-58, ISSN 0267-3649, http://dx.doi.org/10.1016/j.clsr.2008.11.001 (http://www.sciencedirect.com/science/article/pii/S0267364908001659)

Nissenbaum, Helen (2007). When Computer Security meets National Security, in Cybercrime, Digital Cops in a Networked Environment, ed. Jack M. Balkin et al. (New York University Press)

Porcedda, Maria Grazia, Data Protection and the Prevention of Cybercrime - The EU as an Area of Security? (August 1, 2012). EUI Working Papers LAW No. 2012/25. Available at SSRN: https://ssrn.com/abstract=2169340

UN, Resolution adopted by the General Assembly (A/57/529/Add.3) 57/239. Creation of a global culture of cybersecurity.

Wolff, Josephine (2014). Models for Cybersecurity Incident Information Sharing and Reporting Policies. TPRC 43: The 43rd Research Conference on Communication, Information and Internet Policy Paper

10. THE GENERAL DATA PROTECTION REGULATION AND THE RISE OF CERTIFICATION AS A REGULATORY INSTRUMENT

Eric Lachaud, PhD candidate at TILT, the Tilburg Institute for Law, Technology, and Society, Tilburg University, the Netherlands

ABSTRACT: This paper argues that the European lawmaker, by endorsing certification in the General Data Protection Regulation (hereinafter GDPR), contributes to extending the scope of this procedure to the enforcement of fundamental rights. It also leverages the flexibility with which certification schemes can be arranged to turn this procedure into something other than a voluntary process for attesting conformity with technical standards. It deliberately makes this procedure a monitored self-regulation instrument that seeks to fill the gap between self-regulation and regulation.

KEYWORDS: data protection certification, privacy certification, data protection seal, privacy seal, co-regulation, self-regulation.

1. INTRODUCTION

The Economist1 recently suggested a telling comparison about the progress made by computing power over the last decades. “If cars and skyscrapers had improved at such rates since 1971”, the newspaper said, “the fastest car would now be capable of a tenth of the speed of light; the tallest building would reach halfway to the Moon”. Nordhaus2 notes that chips produced today are 400,000 times more powerful than those of the beginning of the 1970s. In the meantime, the available data storage capacity rocketed3. In 15 years, Walter4 stresses, “hard disks had increased their capacity 1,000-fold.” The success of the TCP/IP protocol made the Internet something more than a simple technical innovation. As its founders5 put it, “the Internet is at once a world-wide broadcasting capability, a mechanism for information dissemination, and a medium for collaboration and interaction between individuals and their computers without regard for geographic location”. The combination of the breakthroughs described above enhanced and broadened businesses’ capacity to collect, store and exchange digitized data from any location around the world. The growing complexity of data processing6 widened the information asymmetry between data controllers7 and individuals. It also created new types of data born from the interactions between individuals and machines, and these metadata8 can be very sensitive when they are derived from behaviour and bodily conditions. The sanction policy suggested in Directive 95/46/EC in case of non-compliance9 did not ensure effective deterrence of data controllers. In addition, the territorial scope on which Directive 95/46/EC is based10 limits the rights of European citizens11 to the borders of the Union and does not offer a satisfying response to the growing cross-border data flows12. The national data protection authorities do not have enough time, money and competences to enforce the law on more than a very limited number of processing operations. The self-regulation instruments set up by companies to complement the legal framework have never demonstrated their effectiveness in the absence of stringent enforcement13. The long-awaited General Data Protection Regulation14 (hereinafter GDPR), enacted in April 2016, intends to address these shortcomings and, among other improvements, makes data controllers and processors accountable for their compliance15. It encourages them to use certification procedures16 to voluntarily demonstrate their compliance with the new legal framework. This paper assesses how the GDPR, by endorsing certification in the data protection framework, contributed to the rise of certification as a regulatory instrument. The first section of this paper defines the regulatory nature of certification and shows that the scope of this procedure has progressively extended. The second shows that the European lawmaker, by endorsing certification in the GDPR, purposely planned to make this instrument a regulation instrument, which I suggest calling monitored self-regulation, located between self-regulation and co-regulation.

1 ‘The future of computing’, The Economist, 12 March 2016, http://www.economist.com/news/leaders/21694528-era-predictable-improvement-computer-hardware-ending-what-comes-next-future. “Intel CEO Brian Krzanich explained that if a 1971 Volkswagen Beetle had advanced at the pace of Moore’s law over the past 34 years, today ‘you would be able to go with that car 300,000 miles per hour. You would get two million miles per gallon of gas, and all that for the mere cost of four cents.’” In Annie Sneed, ‘Moore’s Law Keeps Going, Defying Expectations’, Scientific American, 19 May 2015, http://www.scientificamerican.com/article/moore-s-law-keeps-going-defying-expectations/

2 Nordhaus, W.D. (2001) The Progress of Computing. Cowles Foundation Discussion Paper No. 1324, 28. Available at SSRN: http://ssrn.com/abstract=285168

3 ‘Toshiba: hard drives will be 40TB by 2020, SSDs will be 128TB by 2018’ by Matthew Humphries on Geek.com, 28 August 2015. http://www.geek.com/chips/toshiba-hard-drives-will-be-40tb-by-2020-ssds-will-be-128tb-by-2018-1632425/

4 Walter, Chip (August 2005). “Kryder’s Law”. Scientific American.

5 Leiner, Barry M. et al. “Brief History of the Internet”. Available on the website of the Internet Society. http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet

6 Arbesman, S. (2016). Overcomplicated: Technology at the Limits of Comprehension. Penguin.

7 Article 2(d) of Directive 95/46/EC defines the data controller as the natural or legal person which alone or jointly determines the purposes and means of the processing.

8 “Metadata is structured information that describes, explains, locates or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about data or information about information.” NISO (2004) “Understanding Metadata”, NISO Press, 1: http://www.niso.org/publications/press/UnderstandingMetadata.pdf

9 Article 24 of Directive 95/46/EC leaves it to the Member States to establish their own sanction policy.

10 Article 4 of Directive 95/46/EC.

11 See Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González; see also Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, and the comments on that case in “EU court ruling outlines which countries’ data protection laws apply to businesses with interests in multiple EU countries”, Outlaw blog entry of 2 October 2015. Last accessed 25/09/2016.

12 Even if Article 25(1) requires that the country to which the data are transferred ensures an adequate level of protection.

2. REGULATORY NATURE OF CERTIFICATION

Defining the regulatory nature of certification remains difficult, because the flexibility with which this procedure can be arranged and endlessly rearranged turns it into a moving target. Trying to define the procedure through its purposes appears more fruitful, but the analysis of its scope shows that it continuously broadened over time, and the endorsement of certification in the GDPR contributed to extending it even further.

13 Nielsen, N. (2013). Hundreds of US companies make false data protection claims.

14 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The GDPR is complemented by two dedicated data protection Directives, one applying to processing by criminal law enforcement authorities and one to air passenger data: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; and Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

15 Article 24 of the GDPR (responsibility of the controller), which gives effect to the accountability principle of Article 5(2).

16 Article 42 of the GDPR.

2.1. Moving target

Some authors17 define certification as a conformity assessment process. They argue that certification is a voluntary assessment process carried out by an external and accredited auditor18 on the basis of requirements issued by a recognized authority. The assessment, if successful, leads to the issuance of a written attestation of conformity19, sometimes with a graphic sign that the certified body is allowed to affix on its products and/or documentation. A second approach20 envisages certification primarily as an attestation of conformity, whose issuance is conditional on conformity with the requirements and whose maintenance over time is periodically re-assessed. The approach focusing on the assessment process appears more logical if one assumes that the attestation of conformity is issued once the assessment concludes that the object conforms. Theoretically, the attestation of conformity cannot be issued without a successful assessment, but this relationship does not always hold. Some certifications are issued following a self-assessment, or even a self-declaration of conformity without any assessment21.

17 “Certification is a method of (conformity) assessment.” Eijlander, P. et al. (2003). De inkadering van certificatie en accreditatie in beleid en wetgeving [The framing of certification and accreditation in policy and legislation]. A study commissioned by the Ministry of Economic Affairs. Instituut, Centrum voor Wetgevingsvraagstukken, Universiteit van Tilburg, 2003, 194 pp., 12.

18 “Certification is the (voluntary) assessment and approval by an (accredited) party on an (accredited) standard.” Meuwissen, M. (2003) Technical and economic considerations about traceability and certification in livestock production chains, in Jahn, G. et al. (2005) The Reliability of Certification: Quality Labels as a Consumer Policy Tool, Journal of Consumer Policy, 28, 57.

19 ‘Certification schemes ... provide assurance (through a certification mechanism) that certain characteristics or attributes of the product or its production method or system, laid down in specifications, have been observed’. EU best practice guidelines for voluntary certification schemes for agricultural products and foodstuffs (2010/C 341/04).

20 “Third party attestation related to products, processes, systems or persons”, ISO/IEC 17000:2004, Conformity assessment, Vocabulary and general principles, subclause 5.5. “A process by which a third party gives a written assurance that a product, a process or a service conforms to the specified requirements”, ISO/EN 45020:2007, Standardization and related activities, General vocabulary. “Certification includes all activities under which an independent, expert and reliable institution states in writing that there is a justified confidence that a clearly defined object (product, process, system or the competence of a person) meets predetermined requirements”, Dutch Ministry of Industry (2003) Kabinetsstandpunt over het gebruik van certificatie en accreditatie in het kader van overheidsbeleid [Cabinet position on the use of certification and accreditation in the context of government policy].

From a legal point of view, certification is commonly defined as a trademark22 protecting the rights of the third parties authorized to use it. Certification is also a management system23 in which a set of components24 interact with each other to produce an output, so that the word ‘certification’ can designate either the process or its result.

21 A Trustmark may be “[a] label or visual representation showing participation in a Trustmark scheme. A subscriber to a Trustmark scheme can display a Trustmark if he meets the Trustmark requirements.” UNICE-BEUC e-confidence project, 2001 (Glossary). “A signal of adherence to a set of rules (hereafter referred to as a code of conduct) in order to increase the consumer’s confidence in the online trader.” In Trzaskowski, J. (2006) E-Commerce Trustmarks in Europe - an overview and comparison of Trustmarks in the European Union, Iceland and Norway, European Consumer Centre Denmark, 11.

22 ‘A certification mark is statutorily defined as an indication that goods, or services in connection with which the mark is used, are certified by the proprietor in respect of origin, material, mode of manufacture of goods or performance of service, quality, accuracy or other characteristics’. UK Trade Marks Act 1994, in Belson, J. (2002) Certification Marks. London: Sweet and Maxwell, 20.

23 “Certification is not only an assessment. It’s a complete ecosystem”. Conroy, M.E. (2001) Can Advocacy-Led Certification Systems Transform Global Corporate Practices? Evidence and Some Theory. Program on Development, Peacebuilding, and the Environment, 64.

24 “What a certification scheme contains is: a Standard; a Process to check initial and over-time compliance; a Mark to reward compliance.” Conroy, M.E. (2007) Branded! How the certification revolution is transforming global corporations. New Society Publishers, 12. “A certification scheme involves: a set of requirements; an assessment process; certification can be issued by self-assessment or by a third party.” Civic Consulting (2012) A Pan-European Trustmark for E-Commerce: Possibilities and Opportunities. Study for the Directorate-General for Internal Policies, European Parliament, 40-41. “A certification scheme contains in general the following components: the (interpretation of the) norm(s); the operating procedures and methodology to be used for inspections; the certification criteria and rules with regard to non-compliance; additional qualification criteria and demands for certification personnel.” Staaij, J.V.D. (2008) Certification as sustainable self-regulation. Master Thesis, Rotterdam School of Management, Erasmus University, Department Business-Society Management, 35.

One finds a huge diversity in the arrangements of certification schemes25. Some schemes are pure self-regulation instruments26, fully designed and managed by private certification bodies. Others are co-regulated tools27 in which the authorities are involved at some stages of the process, as in the GDPR28. Others again are fully regulated instruments, established and operated by a public authority29, or even what Haufler called multi-stakeholder instruments30, in which civil society representatives contribute to the design and management of the schemes31 in addition to the private bodies and the authorities.

25 The Ecolabel Index currently references “465 ecolabels in 199 countries and 25 industry sectors”, as described on its website. See <http://www.ecolabelindex.com/>. Last accessed on 01/05/2017.

26 For a complete overview of the different types of self-regulation see Koops, B.-J. et al. (2014). Should Self-Regulation be the Starting Point, in: Self-Regulation and Legalization: Making Global Rules for Banks and Corporations, Global Issues. Palgrave Macmillan UK.

27 “Co-regulation involves both the government and the private sector in the processes of regulation, with market actors often delegated the task of developing standards and the public sector applying sanctions for non-compliance”, in Haufler, V. (2003) New Forms of Governance: Certification Regimes as Social Regulations of the Global Market, in Chris Elliott, Errol Meidinger and Gerhard Oesten, eds. Social and Political Dimensions of Forest Certification (Remagen-Oberwinter, Germany: Forstbuch Verlag), 238. Co-regulation “combin[es] state and non-state regulatory activities”, in contrast with self-regulation, which operates “without any state involvement”. In Strauss, J. and Rogersson, K.S. (2002) Policies for Online Privacy in the United States and the European Union, 19 Telematics and Informatics, pp. 173-188.

28 Lachaud, E. (2016) ‘Why the certification process defined in the General Data Protection Regulation cannot be successful’, Computer Law & Security Review 32(6), 814.

29 The French data protection authority CNIL’s labels are fully designed and managed by the CNIL itself, following Article 11.3(c) of the data protection law n° 78-17 of 6 January 1978, as amended, on information technology, files and civil liberties (loi relative à l’informatique, aux fichiers et aux libertés).

30 Haufler, V. (2003). New Forms of Governance: Certification Regimes as Social Regulations of the Global Market, in: Chris Elliott, Errol Meidinger and Gerhard Oesten, eds. Social and Political Dimensions of Forest Certification (Remagen-Oberwinter, Germany: Forstbuch Verlag, 2003), 237.

31 The Forest Stewardship Council (FSC) is certainly the most emblematic multi-stakeholder certification scheme. See Lang, B. (2006) Experiences with voluntary standards initiatives and related multi-stakeholder dialogues. See also Kirton, J. and Trebilcock, M.J., eds. (2004). Hard choices, soft law: voluntary standards in global trade, environment, and social governance. Aldershot.

The flexibility with which this procedure can be endlessly rearranged makes any attempt at a definition difficult. Another option would be to use its nature as a management system and define certification through its core components. A certification scheme contains, at least, certifiable requirements and a certification process. However, the certification process can take many forms, which makes any attempt at a typology difficult as well. Another option, which appears easier and more fruitful, defines certification by its purposes. The next section follows this path and shows that the regulatory nature of certification has been built up through additional layers progressively added to its core purpose.

2.2. Extending Scope

Certification is a very ancient procedure, originally used to validate the reality of a claimed situation. The first traces of this procedure are found in a codex written in Germany in the 8th century. The word certificatio appears in 1295, when two bishops certified a charter granted by the Duke of Lorraine32. In 1452, a collection of certified charters confirmed the rights of Robert de Chamberlenc, Lord of Tancarville, over a series of estates in Normandy. In 1630, the court of the Holy Inquisition delivered a certificate to the Duke of Medina Sidonia33 confirming his eligibility for the highest positions in the Holy Office in Rome. George Washington34, at the end of the 18th century, hand-wrote a certificate confirming the role played by a certain Colonel B.R. Woodbridge during the American War of Independence. One can still find a trace of this original purpose of certification in modern hallmarking, which delivers certification marks confirming the claimed amount of precious metal in gold exchanges and jewelry. It also underlies the European geographical indications35, which certify the characteristics and taste of agricultural products with respect to their geographical origin.

The scope of certification first broadened when certification came to be used, at the beginning of the 20th century, to enforce the conformity of industrial products with the newly published technical standards36. A British Standard Mark was introduced to certify the conformity of tramway rails with technical standards. The use of certification marks remained very limited until the UK Trade Marks Act 1919, in which the lawmaker, in line with the recent progress of statistics, allowed only a defined sample of the product to be tested, rather than the whole series, before delivering the certificate. This change ensured the quick success of conformity certification37 and sped up its adoption in other countries38. Conformity certification represents today the core of certification activity, and a few multinationals39 dominate this global market by offering conformity certification as a paid service40.

32 Bibliothèque Nationale de France (BNF), Département des manuscrits, Ref.: NAL 2530. III n° 54.

33 Biblioteca Nacional de España (BNE), Ref.: VC/250/64.

34 Benjamin R. Woodbridge, December 22, 1775, Military Certifications. The Library of Congress.

35 Regulation No. 510/2006 of 20 March 2006 on the protection of geographical indications and designations of origin for agricultural products and foodstuffs, OJ L 93, 31.3.2006, 12.

36 Woodward, D.C. (1972). Buying with assurance: the Kitemark and other certification schemes, in: The Story of Standards. British Standards Institution, 78-84.

The quick rise of the mass market after WW2 offered another goal to certification, when quality certification came to certify the outstanding features of products and services. Hence, it distinguishes certified items from non-certified ones and offers manufacturers an attractive collective brand, especially those unable to afford the design and management of their own brand41. Cochoy and Woodward42 argue that the huge success of quality certification43 should be closely related to the development of quality standards. The release of the ISO 9000 standard family, along with the enactment of the European New Approach policy and the Agreement on Technical Barriers to Trade (TBT)44, actively contributed to the development of quality certification. This activity still represents today, especially with the quality management defined by the ISO 9001 standard, an important market of the certification business45.

37 The first was the General Electric bulbs in 1926

38 The Kema-Keur has been established in the Netherlands in 1924 and the marque NF in 1939 in France.

39 The conformity assessment business represented a turnover of €5 billion in 2013. A few multinationals in Europe dominate this market: the Swiss SQS, the French Bureau Veritas, the German TÜV and the English Intertek. In the US, Underwriters Laboratories still occupies a very dominant position on the certification market.

The Société Générale de Surveillance (SGS) was founded in 1878 in Geneva to carry out inspections in agriculture. SGS is now the largest assessment and certification body in the world, with 70,000 people worldwide and a turnover of 4.8 billion Swiss francs (€3.9 billion), of which €364 million comes from the certification activity.

Bureau Veritas (BV) was founded in the wake of a series of shipping disasters during the winter of 1821, which caused 2,000 ships to sink and 20,000 people to die, according to its website. This series of disasters also caused the loss of many marine insurance companies. The Office of Information for Marine Insurance was founded in 1828 in Antwerp. It became Bureau Veritas in 1829. Its initial mission, like that of Lloyd's Register of London, was to inform insurers about the state of vessels in order to evaluate the premium to be paid by the ship-owners. Its activity gradually extended. Beyond classification, Bureau Veritas verifies compliance with various regulations and technical standards, including environmental and social regulations. Bureau Veritas is also a certification body through its subsidiary Bureau Veritas Certification, founded in London in 1988 under the name of Bureau Veritas Quality International. Bureau Veritas employs 52,000 people in 140 countries for a turnover of €3.4 billion in 2011, including €321 million for its certification division. Intertek Testing Services became Intertek Moody in 2002. Intertek Moody is an assessment body established by the successive acquisition of national control bodies in England, America and Canada. Intertek Moody Group employs 33,000 people in more than 100 countries and has a turnover of £1.7 billion (around €2.0 billion).

40 International standardization bodies do not certify compliance with the standards they publish. The British Standards Institution (BSI), l'Agence Française de Normalisation (AFNOR) and even the European standardization body (CEN) developed certification activities alongside their core activity of standardization. They offer to certify compliance with their own standards, thus raising a risk of conflict of interest.

Consumers in developed countries are increasingly concerned with the social and environmental manufacturing conditions of the products they buy46. Non-Governmental Organizations47 (hereinafter NGOs) used this growing conscientious consumerism48 to increase their pressure on multinationals to improve workers' conditions in outsourcing countries. Some media campaigns organized against multinationals, such as the iconic one against the Vietnamese subcontractor of Nike in 199749, have had a huge impact on a more sensitive public. Recourse to certification processes has been suggested by NGOs to the multinationals as an exit strategy50 to stop the media campaigns that were highly detrimental to their brand image. As Conroy51 notices, the globalization of trade turned the brand into a strategic asset52, and its wider exposure makes it very sensitive to all events that could be detrimental. Certification then represents a business strategy to "avoid the risk of brand damage...an insurance against malfeasance", he concludes. Florini53 analyzes it as a possible new division of regulatory tasks between the state and civil society, with the emergence of new actors such as NGOs that intend to represent a global consciousness. Conroy54 argues that globalized capitalism fostered a "new era of corporate accountability", and certification could be, as Barnes55 analyzes it, a toolbox with which companies would be able to implement positive behaviors.

41 Cochoy, F (2000). "De l'AFNOR" à "NF", 77

42 Cochoy, F (2000), Ibid; see also Woodward D.C. (1972). The Story of Standards, 78

43 The Kitemark delivered by the British Standards Institution (BSI) met a huge success during the 1950s and the 1960s. The number certified soared from 171 in 1939 to 1 450 at the end of the 1960s. Woodward D.C. (1972). The Story of Standards. London: British Standards Institution, 80. The notoriety of AFNOR's NF mark among the public also boomed. The NF mark was known by 8 % of the people in 1961 and 64 % by 1965. In Cochoy F. (2000). De "l'AFNOR" à "NF", 81

44 The Agreement on Technical Barriers to Trade requires signatory countries to recognize the conformity assessments made in the country of origin of the product. Belson, J. (2002). Certification Marks. Sweet and Maxwell – London, 92

45 More than 1.5 million ISO 9001 certifications have been issued since the beginning of the 1990s. See the ISO survey

46 Micheletti, M. (2003), Political Virtue and Shopping: Individuals, Consumerism, and Collective Action, New York: Palgrave Macmillan.

47 A. Florini defines the "third force" as "someone acting as a global conscience" in Florini, A.M.N.Kokusai and K. Senta (2000) The Rise of Transnational Civil Society - Carnegie Endowment for International Peace

48 Bartley, T et al. (2015). Looking behind the label: global industries and the conscientious consumer. Indiana University Press.

49 Greenhouse, S. (1997) Nike Shoe Plant in Vietnam Is Called Unsafe for Workers - New York Times Nov. 08, 1997

The globalization of trade and the various food crises that occurred in Europe during the 1990s encouraged suppliers to secure their supply chain by using certification schemes56 as a risk management tool. The outsourcing of manufacturing processes to foreign suppliers located in countries that do not always guarantee social and environmental protections created a demand to cover the legal risk raised by the absence of reliable regulation. Van Der Meulen57 argues that certification offered a suitable response to the legal uncertainty created by the globalization of trade and the incapacity of the authorities to enact binding transnational regulations. Cafaggi58 and Havinga59 see, in the rise of certification, one of the outcomes of the growing intertwinement between public and private regulators in transnational regulation processes. Bartley60 rather suggests that certification represents a compromise solution in the balance of power between multinationals, authorities and civil society representatives61. The multinationals adhere to certification to protect their brand image. The authorities consider this procedure a soft form of monitoring that prevents new administrative burdens, and NGOs see it as a "shift in firms' acceptable behavior"62. Cochoy63 underlines, in economic terms, that certification could be the outcome of a long-run effort by businesses to internalize their externalities. In other words, certification could be a management solution suggested by companies to address the issues created by their own business operations. Voluntarily adopting such a process would offer companies an opportunity to pre-empt and even substitute for public regulation.

50 Conroy M.E. (2007). Branded! How the certification revolution is transforming global corporations. New Society Publishers, 68

51 The value of the Coca Cola brand has been evaluated at $136 billion in 2002. For the 12% of companies having the highest market value, their brand represents more than 50% of their own value. Conroy, M.E. (2007). Branded! How the certification revolution is transforming global corporations. New Society Publishers, chap 1, 9

52 The value of the brand Coca Cola represented $136 billion in 2002. For the 12% of companies whose brand is the most expensive in the world, the brand value represented more than 50% of their overall value. In Conroy, M.E. (2007). Branded! How the certification revolution is transforming global corporations. New Society Publishers, chap 1, 9

53 Florini, A. et al. (2000) «The Rise of Transnational Civil Society» - Carnegie Endowment for International Peace

54 Conroy, M.E., (2005) Certification Systems as Tools for Natural Asset Building: Potential, Experiences to Date, and Critical Challenges. Political Economy Research Institute (PERI) University of Massachusetts Amherst Working Papers, 3

55 Barnes, P. (2006) Capitalism 3.0: A Guide to Reclaiming the Commons (San Francisco: Berrett-Koehler Publishers, 2006)

56 Havinga, T, Verbruggen, P., (2014). Hybridisation of Food Governance: Trends, Types and Results. Presented at the Panel Hybridization of RegGov: Trends, Types and Results of Public-Private Interaction, ECPR Standing Group on Regulatory Governance Conference, Barcelona 25-27 June 2014

57 Van Der Meulen, B. (2011), 59

2.3. GDPR and certification of fundamental rights

The rise of Internet technologies at the turn of the millennium encouraged businesses, in Europe and in the US, to promote self-regulation64 instruments in data protection because the authoritative top-down rules enshrined in Directive 95/46/EC65 were unable to address the challenges without requiring a complete overhaul of the framework. Self-regulation agreements have been encouraged66, especially for regulating transborder data flows between Europe and the US67. Self-regulation offered speed, flexibility and maybe an opportunity to postpone the lawmaker's intervention in this nascent and promising activity.

58 Cafaggi, F. (2014). A comparative analysis of transnational private regulation: legitimacy, quality, effectiveness and enforcement, Private Transnational Regulatory Regimes - Constitutional Foundations and Governance Design. Hague Institute for the Internationalisation of Law.

59 Havinga, T., 2012. Conceptualizing Regulatory Arrangements: Complex Networks of Actors and Regulatory Roles. Nijmegen Sociology of Law Working Papers Series 2012/01.

60 Bartley T. (2007) Ibid, 301

61 What J. Knight defines as a "cooperation-for-collective-benefits" in Knight, J. (1992). Institutions and Social Conflict. New York: Cambridge University Press, cited in Bartley, T. (2007) p. 306. Certification is considered as the "by-product of conflicts over distributional gains" in Knight, J. (1992). Institutions and Social Conflict. New York: Cambridge University Press, 19

62 Vogel, D. (2008). Private Global Business Regulation. Haas School of Business, Department of Political Science, University of California, Berkeley, 262

63 Cochoy, F., (2005). La normalisation sociale ou le fétichisme de la marchandise renversé. Centre d'Etude et de Recherche Travail Organisation Pouvoir (CERTOP).

64 Self-regulation may be defined as "the possibility for economic operators, the social partners, non-governmental organisations or associations to adopt amongst themselves and for themselves common guidelines at European level" European Commission, European Parliament & European Council of Ministers, 'Inter-Institutional Agreement on Better Lawmaking', OJ C 321, 31.12.2003, p.1 in Van Heesen-Lacléa, S.D and Meuwese, A.C.M (2007) The legal framework for self-regulation in the Netherlands. Utrecht Law Review, Volume 3, Issue 2 (December), 116

However, the self-regulation instruments introduced have quickly been undermined by the lack of stringent enforcement68 and, despite the recent efforts deployed by the US authorities to enforce the rules against data controllers and providers69 and to address the shortcomings of the initial frameworks70, the self-regulation approach is still the subject of harsh criticism71.

See, for instance, the Online Behavioural Advertising (OBA) of the European Interactive Digital Advertising Alliance (EDAA). A full presentation is available on the website of the EDAA. Last accessed <http://www.edaa.eu/>

65 «First, regulation contains the idea of control by a superior: it has a directive function.... Secondly, it is public law in that in general it is for the state (or its agents) to enforce the obligations, which cannot be overreached by private agreement between the parties concerned. Thirdly... it is typically centralised» in Ogus, A. (1994) Regulation: Legal Form and Economic Theory. Oxford: Clarendon Press, 355 pp.

66 "In 1998, the FTC called strongly for industry self-regulation of online privacy and threatened that, if it were not forthcoming, the government would move towards direct regulation. The Online Privacy Alliance (OPA), a group that leading Internet firms had formed in the mid-1990s, responded by issuing a set of Guidelines for Online Privacy Policies" in Hirsch, D.D., (2010). The Law and Policy of Online Privacy: Regulation, Self-Regulation or Co-Regulation? ExpressO.

67 The Safe Harbor agreement was concluded in 2000 between the US Department of Commerce and the European Commission, allowing US companies to transfer European citizens' data to the US. The Safe Harbor is a self-regulation process in which US companies self-certify that they respect a series of high-level principles. After persisting criticism about its reliability (see the following note), the Safe Harbor was invalidated by the Court of Justice of the European Union (CJEU) in its Schrems decision, Schrems v. Data Prot. Comm'r, in 2015 and replaced by the Privacy Shield (see the note on the Privacy Shield below).

68 See Weichert, T. (2010) 10th Anniversary of Safe Harbor – many reasons to act, but none to celebrate. ULD press release. Accessed 21/12/2015. See also Hunton and Williams' blog (2013) Commissioner Reding Criticises Safe Harbor Framework. Blog post from Privacy and Information Security Law, July 23, 2013.

See Marotta-Wurgler, F., (2016) Understanding Privacy Policies: Content, Self-Regulation, and Markets. New York University Law and Economics Working Papers 4–2016. The study concluded that only 66 out of 261 policies studied comply with more than half of the 2012 FTC guidelines.

There is a strong belief in Europe, based on international experiences72 and firmed up during the preliminary discussions of the framework reform73, that certification could be a solution for ensuring effective enforcement of self-regulation instruments.

69 The US Federal Trade Commission condemned, in 2014, the certification body TRUSTe because it did not carry out the renewal assessments of companies although it claimed to have done so. Federal Trade Commission, (2014) TRUSTe Settles FTC Charges it Deceived Consumers through Its Privacy Seal Program. Press Release.

70 The Privacy Shield intends to address the shortcomings of the Safe Harbor arrangement underlined by the European Commission and later by the Court of Justice of the European Union (CJEU) in its Schrems decision, Schrems v. Data Prot. Comm'r, in 2015. The Privacy Shield proposes improved data protection principles, better enforcement by the U.S. authorities, redress mechanisms for EU citizens and safeguards surrounding law enforcement and intelligence activities. The Privacy Shield is still a self-regulatory system: companies that want to participate in the system agree to a set of data protection principles and implement those principles within their organization.

71 Data Privacy Shield: MEPs alarmed at undermining of privacy safeguards in the US. Press release - Justice and home affairs − 06-04-2017. Last accessed: <http://www.europarl.europa.eu/news/en/news-room/20170329IPR69067/data-privacy-shield-meps-alarmed-at-undermining-of-privacy-safeguards-in-the-us>

See also Article 29 Data Protection Working Party Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision adopted on 13 April 2016. Last accessed on 01/05/2017

The European Data Protection Supervisor (EDPS) opinion 4/2016 issued on 30 May 2016. Last accessed on 01/05/2017 <https://edps.europa.eu/sites/edp/files/publication/16-05-30_privacy_shield_en.pdf>

72 The Cross-border Privacy Rules System (CBPR) set up by the Asia Pacific Economic Cooperation (APEC) Board in 2011 assigns to an accredited certification body, the accountability agent, the task of certifying the conformity of international data flows between the 21 member countries of APEC against the privacy principles included in the Privacy Framework.

See Chatelois, D. et al. (2011). APEC's Cross-Border Privacy Rules System - A New Model for Accountable Data Flows. Presented at the IAPP Canada Privacy Symposium, Toronto.

73 "Voluntary certification schemes would enable verification that a data controller has put in place measures to comply with the legal instrument..." in the European Council of the European Union (2011) European Council conclusion on the communication from the Commission to the European Parliament and the European Council - A comprehensive approach on personal data protection in the European Union, Recital 11. "The European Data Protection Supervisor (EDPS) fully supports this aim (to explore the creation of EU schemes for privacy)... The provision should complement the provisions on accountability and privacy by design". EDPS Opinion (2011) A comprehensive approach on personal data protection in the European Union, 24. "The technological data protection principles and the ensuing concrete criteria should be used as a basis for awarding labels of quality (certification schemes) in a framework of a data protection audit" in WP 168, "The Future of Privacy" 2009, 15

Although data protection schemes have met a very limited audience74 in Europe during the last decade, and nobody has ever demonstrated the contribution of this procedure to the level of compliance75, the European lawmaker decided to give certification a chance in the GDPR, and certification has been endorsed as a self-regulation tool alongside codes of conduct in Section 5 of Regulation (EU) 2016/67976, enacted in April 2016.

For the first time, the European lawmaker officially endorsed and organized a full certification and accreditation process77 in European law. Certification can be used, as Regulation (EU) 2016/679 defines it, for demonstrating conformity with the general accountability requirement78 set by the law or for demonstrating the data controller's compliance in some special processing79.

The GDPR contributed to extending the scope of certification to the enforcement of legal provisions, and even to legal provisions recognized as fundamental rights80. Certifying conformity with the data protection law signifies certifying compliance with fundamental rights.

74 The oldest certification scheme, set up in 2000 by the data protection authority of Schleswig-Holstein, had certified around 200 bodies by 2014. The EuroPriSe label, set up in 2008 at the European level, had certified 30 bodies by 2014.

See Rodrigues, R. et al. (2014) Study on EU Privacy Seals. Trilateral Research and Vrije Universiteit Brussel for the Institute for the Protection and Security of the Citizen (IPSC)

75 Scholarly research on certification is still very limited. To date, there is no general study available on the certification procedure. One can find some literature on certification schemes in food regulation and in sustainable development. However, there are very few studies on data protection certification. See Rodrigues, R. et al. (2014) Study on EU Privacy Seals. Trilateral Research and Vrije Universiteit Brussel for the Institute for the Protection and Security of the Citizen (IPSC)

76 Article 40 and 41 of Regulation (EU) 2016/679

77 Article 42 and 43

78 Article 24 of the GDPR establishes a general principle of accountability that can be demonstrated, among other means, by the use of certification procedures. See Article 22.2 (b).

79 The certification procedures may also be used in order to demonstrate sufficient guarantees brought by the processors in Article 26.2 (aa), to demonstrate an adequate level of security in the processing in Article 30.2 (a), and that appropriate safeguards are in place to ensure lawful transfer of data towards third countries in Article 42.2 (d)

80 Data protection is fully recognized as a fundamental right in Article 16 of the Treaty on the Functioning of the European Union, Article 8 of the European Convention on Human Rights and Article 8 of the Charter of Fundamental Rights of the European Union. Even if Article 16 of the Treaty on the Functioning of the European Union recognizes a general right to data protection and entitles the European authorities to establish adequate legislation to protect it, Article 8 of the Charter of Fundamental Rights of the European Union seems more restrictive in the scope of this right when it states, in its first paragraph, that 'everyone has the right to the protection of personal data concerning him or her'. In the second paragraph, it states that 'such data must be processed fairly for specified purposes and on the basis of the consent of the person

The GDPR extends the use of certification procedures to corporate social responsibility (hereinafter CSR) issues, which Carroll81 defined as "the economic, legal, ethical, and discretionary expectations that society has of organizations at a given point in time".

Some private certification schemes already offered to enforce conformity with fundamental workers' rights82, and the European New Approach policy83 also uses certification procedures to assess conformity with the safety and health principles84 included in dedicated Directives.

concerned or some other legitimate basis laid down by law', and that 'everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified'. Finally, in the third paragraph, it states that 'compliance with these rules shall be subject to control by an independent authority'. Does it mean that all the provisions of the GDPR should be considered as fundamental rights, or only the principles specified in Article 8 of the Charter?

See Hustinx, P. (2013) EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation. Course given at the European University Institute's Academy of European Law, 24th Session on European Union Law, 1-12 July 2013, 16

81 Carroll, A. B. 1979. "A Three-Dimensional Conceptual Model of Corporate Performance." Academy of Management Review 4(4): 500

82 The SA 8000 standard was elaborated during the 1990s by the American association for the defense of human rights in the world of work, Social Accountability International (SAI). This standard turned into the global benchmark for corporate social responsibility (CSR) in the world. The reasons for this success are related to circumstances. In the 1990s there were no requirements available allowing multinationals to demonstrate their goodwill regarding decent working conditions in the context of their offshore activities in emerging countries.

The SA 8000 standard proposed a short but auditable framework. As the then President of PricewaterhouseCoopers, Dominic A. Tarantino, recognized in 1998, the SA 8000 standard was "the first universal standard on ethics", and it remains to this day a best seller for the certification bodies even if its hegemony in the field of corporate social responsibility has been challenged by the publication of ISO 26000.

See Idowu, S.O. et al. (2015). Dictionary of Corporate Social Responsibility: CSR, Sustainability, Ethics and Governance. CSR, Sustainability, Ethics and Governance. Springer International Publishing, 503

83 The New Approach policy was adopted in Europe by the Council Resolution 85/C136/01 of the 7th of May 1985. This policy aimed at speeding up the harmonization of EU requirements for product safety and reducing the technical barriers existing between member states in order to realize the single market before 1992. The New Approach policy suggested that essential requirements should be enacted by the legislator and included in clear and concise provisions in the annexes of New Approach Directives. The essential requirements could be translated, at the request of the legislator, into technical standards by the European standardization bodies. Once the standard was agreed between the stakeholders involved in its drafting, the standard would become mandatory, "harmonized" in the wording of the European Commission, replacing all the former standards

However, the data protection lawmaker introduced noticeable particularities in the design and management of certification, which the second section of this paper intends to explore.

3. DATA PROTECTION MAKES OF CERTIFICATION A MONITORED SELF-REGULATION TOOL

Certification in the GDPR remains a voluntary process initiated by data controllers, providing a presumption of conformity without any legal consequences. However, the authorities are, at the same time, involved in the design and management of the schemes. But the authorities monitor or substitute for private bodies rather than organize and collaborate with them. Hence, certification in the GDPR appears as a mixed bag between self-regulation and co-regulation that can be defined as a monitored self-regulation instrument.

issued on the same subjects and already in force in the standards' library of member states. The New Approach policy defined four main principles: (i) The products must at least comply with the principles laid down in directives before being introduced on the market.

(ii) These principles are defined in the Directives so-called «New Approach». They are made available, at the request of the legislator, in technical standards by the European standardization bodies. These standards are technical specifications designed to facilitate compliance with the principles set out in the «New Approach» Directives. These standards, called harmonized standards, are mandatory in all member states. Member states must repeal all texts that contradict these harmonized standards.

(iii) The application of standards remains voluntary. (iv) The products that comply with the standards benefit from a «presumption of conformity» with the principles set out in the Guidelines. They can be distributed in all the Member states. See Mark R. Barron. (2007) "Creating Consumer Confidence or Confusion? The Role of Product Certification in the Market Today", (Marquette Intellectual Property Law Review, Volume 11 Issue 2), 427. A full presentation of the basics of the CE marking process can be found in the 'Blue Guide' on the implementation of EU product rules issued by the European Commission, 2014, 6. http://ec.europa.eu/growth/tools-databases/newsroom/cf/itemdetail.cfm?item_id=7326. See also Jacques Pelkmans "The New Approach to Technical Harmonization and Standardization". Journal of Common Market Studies, XXV, No 3, March 1987. Accessed June 14, 2015 https://courses.washington.edu/eulaw09/supplemental_readings/Pelkmans_New_Approach_Harmonization.pdf.

84 Charter of Fundamental Rights of the European Union - 2012/C 326/02: Articles 31 and 32 intend to protect safety and health at work, Article 38 of the Charter ensures the right to consumer protection and Article 37 environmental protection.

3.1. Self-regulation

The introduction of certification in the GDPR can be analyzed in different ways85, but it represents, at least, a voluntary attempt by the lawmaker to fill the gap existing between the traditional command and control regulation86 underlying Directive 95/46/EC and the self-regulation instruments that flourished at the margin of the framework without a sufficient level of enforcement.

The endorsement of certification recognizes that someone other than the authorities is allowed to enforce conformity with the law. This novelty modifies the traditional architecture of law enforcement by introducing a new optional and voluntary layer delegated to private bodies. It also establishes a new hierarchy in the enforcement of the law. Data controllers with private certification bodies ensure an optional level, offering a presumption of conformity87 without legal consequences88. Another level, always assigned to the authorities, randomly assesses conformity with the law, even for certified controllers89, and creates contractual and legal consequences in case of non-compliance90.

Certification, in this case, remains a pure self-regulation process. It is a voluntary and private enforcement process offered to data controllers. It does not have any legal consequences91 and can be challenged, at any time, by the authorities “where the requirements for the certification are not or are no longer met”92.

This legal status of certification in the GDPR is consistent with the status of certification in European law, and that status remains largely unclear. The European

85 Lachaud, E., (2016), 820.

86 Command and control regulation is the traditional form of regulation, characterized by “the promulgation of an authoritative set of rules, accompanied by some mechanism, typically a public agency, for monitoring and promoting compliance with these rules” in Jordana, J. and Levi-Faur, D. (2004) The Politics of Regulation in the Age of Governance, 2004, 3. In Jacint Jordana, David Levi-Faur, “Handbook on the Politics of Regulation”, Edward Elgar Publishing, 335 pp.

87 Article 83.2 (j) of Regulation (EU) 2016/679

88 Article 42.4

89 Article 42.7 of Regulation (EU) 2016/679

90 Article 43.6

91 Article 42.4

92 Article 42.7


Geographical Indications93 have the status of a collective mark94, while the CE marking95 is neither a collective mark nor a certification mark96. On one hand, the CE marking grants full access to the European market to manufacturers that obtain it97. On the other, it leaves manufacturers fully liable even if their products have received third-party certification98.

93 See note 29

94 Belson J. (2002). Certification Marks. Sweet and Maxwell – London, 20

95 Bock, C (2009) CE Marking: What can legal metrology learn from intellectual property - Milestone in Metrology III - Rotterdam conference 2009. http://fr.slideshare.net/cbock/ce-marking-what-can-legal-metrology-learn-from-intellectual-property

96 The UK Trade Mark Act (TMA) of 1938 was the first to introduce the notion of “Certification Trade Mark” into the European legal framework. The framework suggested by the UK TMA establishes the principles that can be found in all legal systems concerning the certification mark in Europe and also in the United States. The recognition of the certification mark came later in Europe than in the United States, where it occurred at the turn of the 20th century. The case Pillsbury-Washburn Flour Mills Co. et al v. Eagle in 1898 gave legal recognition to the certification scheme of geographical origins. The judge admitted in this case that an appellation of origin for flour cannot be applied to a product if the product does not originate from the region mentioned on the certification. The Trademark Act of 1905 recognizes the right to register a certification mark as a trade mark.

The certification mark is a registered trademark. This legal recognition gives its owner an exclusive right to use the certification mark. Unauthorized and unfair use may trigger a civil action for misuse or infringement.

The registration of the document describing the requirements to obtain the mark is the legal basis of the certification mark. It differentiates the certification mark from the collective mark. A collective mark is a trademark that is intended to identify products and services from an association «of manufacturers, producers, suppliers of services, or traders». The collective mark requires the registration of a trademark regulation, but no requirements need to be specified. A certification mark, like the collective mark, is available for the exclusive use of third parties. These two marks cannot be used by the owner of the mark to identify its own products or services. This feature differentiates the certification mark and the collective mark from the traditional trademark, which is established for the exclusive use of the owner or his representative. The third party must be authorized by the owner to use the certification mark. However, pursuant to the open door principle existing in the common law, a certification mark, like the collective mark, may not be refused to those who fulfill the conditions for obtaining it. The owner of the mark or his representative has the duty to ensure that the certification mark is used in accordance with the specified requirements. This control is necessary to protect the credibility of the mark. Italian law allows the certified body to sue the owner for negligence in the absence of control of the certification mark.

97 See note 77

98 The Directive on General Safety of Products allows the Member States to remove from the market the products identified as dangerous even if they have demonstrated their compliance with the European technical standards. Article 8 of Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on General Safety of Products (OJ L 11, 15.1.2002)


The legal status of certification is also inconsistent between the different Member States99. Some Member States have endorsed certification in a dedicated framework100 while some others assimilate certification to a collective mark. The majority of them did not even recognize certification at all101.

The inconsistencies in the legal status of certification turn any attempt to establish a pan-European scheme into a real nightmare102, and without a harmonized legal status, or at least a mutual recognition agreement between the Member States, the future of the pan-European certification schemes103 described in the GDPR104 remains very uncertain.

However, giving legal value to certification remains highly questionable. Delegating some public power to a private body challenges the relationship between public and private authorities and exposes public authorities to a threat of authority capture, as Eijlander et al.105 have already demonstrated in the Netherlands.

In addition, the huge success of certification in food regulation created confusion among the public about the significance and value of certification schemes. This situation forced stakeholders to establish what Verbruggen and Havinga called meta-regulators106 to monitor the reliability of the growing number of unregulated private certification schemes.

3.2. Co-regulation

To address this issue, the GDPR suggests an arrangement mixing public and private involvement. Private bodies are free to propose their own requirements and certification processes, but they are required to submit them to the authorities for approval107.

99 Uzcategui-Angulo, A.C. (2006) Las marcas de certificacion, p 152

100 The French law, for instance, assimilates the certification mark to a collective certification mark in Article L. 715-1 al.2 du Code de Propriété Intellectuelle. In the UK Trade Mark Act of 1994, the certification mark is seen as an additional layer to the collective mark in TMA 1994 Section 62, in BELSON J. (2002)

101 Ibid.

102 Heavner, B., Justus, M.R., (2009). World-wide Certification-Mark Registration: A Certifiable Nightmare. Bloomberg Law Reports.

103 Article 42.1 and Recital 100 of Regulation (EU) 2016/679

104 Lachaud, E. (2016), 814.

105 Eijlander, P. (2008) ‘Over de Groei En Bloei van Certificatie: Haarlemmerolie Voor Het Handhavingstekort?’ [On the Growth and Development of Certification: Panacea for the Enforcement Deficit?]. Tijdschrift Voor Bouwrecht, 2008, 607–15.

106 Verbruggen, P., & Havinga T. (2014) “The Rise of Transnational Private Meta-Regulators,” TBGI Project Subseries No. 20, Vol. 10/Issue 16

107 Article 42.5 of Regulation (EU) 2016/679


The law also requires private certification bodies to declare and justify to the authorities the certifications they intend to issue108, and the national data protection authorities retain the right to randomly check the compliance of certified bodies and, if necessary, to withdraw the certification in case of non-compliance109.

The processes suggested in the GDPR above modify the arrangement existing in conformity and quality certification. They adopt what some scholars have defined as a hybrid model110 combining different arrangements between private bodies, authorities and, sometimes, civil society representatives.

This governance model was initiated in food regulation and sustainable development during the 1990s. Loconto and Busch111 see in this arrangement the emergence of what they call the Tripartite Standard Regime (hereinafter TSR), which they analyze as a “shift from binding to voluntarist, neo-corporatist regulation through private standards and with varying levels of accountability, which have a quasi-governmental function112”. The TSR, they add, represents a form of governance aiming “at producing security through the market strategy of self-governance that pre-empts state-led regulation of markets113”.

The TSR also modifies the status and role of the standard in the certification scheme. In conformity and quality certification, the standard remains the centrepiece of the process and is optionally certifiable. In the TSR model, the standard is mainly, if not

108 Article 42.6

109 Article 42.7

110 “For Bartley, for example, an ‘hybrid approach’ is a combination of command and control, market based, and voluntary approaches involving ‘a variety of actors and institutions pursuing different strategies and interacting in complex ways.’” “Levi-Faur distinguishes four hybrid forms of regulation, three involve a combination of regulator and regulatee, the fourth is multilevel regulation. Thus, for Levi-Faur an hybrid form can consist of only state or only non-state actors as long as they perform different roles or operate on a different level” Havinga, T. and Verbruggen, P. (2014) “Hybridisation of Food Governance: Trends, Types and Results. Panel Hybridisation of RegGov: Trends, Types and Results of Public/Private Interaction”, 2014. ECPR Standing Group on Regulatory Governance Conference, Barcelona 25/27 June 2014, 6

111 Van Der Meulen, B., (2011). Private Food Law: Governing food chains through contract law, self-regulation, private standards, audits and certification schemes (p. 436). Wageningen Academic Publishers. See also Galland, J-P., (2015). Big Third-Party Certifiers and the Construction of Transnational Regulation. Presented at the Society for the Advancement of Socio-Economics, London.

112 Loconto, A., Busch, L. (2010). Standards, techno-economic networks, and playing fields: Performing the global market economy. Review of International Political Economy 17, 510

113 Loconto, A., Busch, L., (2010), 509


exclusively, a set of requirements specifically designed to be certified114. In conformity and quality certification, the standard pre-exists the certification process and eventually leads to the establishment of a scheme115.

The GDPR116 turns the standard into a sub-legal instrument that uses technical wording to define social boundaries117 for a technical issue118. Thus, the endorsement of certification in the GDPR could represent what Bartley, following Cashore et al.119, calls a political settlement and an institution-building project seeking to address the issues raised in data protection by the advent of information technologies.

114 Article 43.9 refers to “technical standards for certification mechanisms”

115 Some standards are not certifiable. For instance, ISO 26000:2010 – Guidance on social responsibility and ISO/IEC 29100:2011 – Privacy framework did not give birth to a certification scheme.

116 The standard is an organizational document collecting and organizing scientific and technical knowledge in order to suggest solutions to a recurring technical problem. This standard is primarily “a conventional form that ensures the coordination of activities in a situation of critical uncertainty” (“une forme conventionnelle qui assure la coordination des activités en situation d’incertitude critique”), argues Benezech, D. (1996). “La norme: une convention structurant les interrelations technologiques et industrielles,” Revue d’économie Industrielle, Programme National Persée, vol. 75(1), 33

It is also an archive compiling technical knowledge to facilitate innovation and relationships between industrial partners. See ISO/CEI Guide 2:2004 subclause 3.2

See also O’Connell, J. (1993). Metrology: The creation of universality by the circulation of particulars. Social Studies of Science, 23(1), 129-173. It is, finally, a reference allowing manufacturers to objectively evaluate the quality of their output against specified criteria.

Foray, D (1994). Diversité, sélection et standardisation: les nouveaux modes de gestion du changement technique. In: Revue d’économie industrielle. Vol. 75. 1er trimestre 1996. p. 257. Private standards and public regulations are two similar and sometimes overlapping forms of governance, or of what Foucault called governmentality, in Busch, L., 2012. The Power of Standards, in: Standards: Recipes for Reality. MIT Press, p.27

117 «Standards are often (perhaps always) boundary objects», argues Busch, L. 2012. “The Power of Standards.” In Standards: Recipes for Reality. MIT Press. p.25

118 The GDPR delegates to the private bodies and the European Commission the task of drafting the standard in Article 42.5 and 43.8 of Regulation (EU) 2016/679

119 Bartley, T. (2007), ‘Institutional Emergence in an Era of Globalization: The Rise of Transnational Private Regulation of Labor and Environmental Conditions’, American Journal of Sociology, 113 (2), 297-351. See also Cashore, B. et al. 2004, Governing through Markets: Forest Certification and the Emergence of Non-state Authority, New Haven: Yale University Press. Cited in Bartley, Tim. (2010), 10


This process organizes a transfer of legal content towards a non-legal document, raising a question about the legal status of this document and the legitimacy120 of its drafters. A technical standard, also called a de jure standard, is legitimized by the consensus121 with which it is adopted122. The GDPR, following the European New Approach policy123, introduced new sources of legitimacy into the standard setting process. The

120 Legitimacy can be defined as ‘a generalized perception or assumption that the actions of an entity are desirable, proper, or appropriate within some socially constructed system of norms, values, beliefs, and definitions’. In Scott, W. R., and Meyer, J. W. (1994). Institutional environments and organizations: Structural complexity and individualism. Sage. There are different sources of legitimacy. It can be a legal mandate, due process, efficiency, effectiveness and expertise, to which, says J. Black, may be added representativeness and/or democratic mandate, and conceptions of justice. Black, J. (2008). Constructing and contesting legitimacy and accountability in polycentric regulatory regimes. Regulation and Governance, 2(2), 137-164.

See also Baldwin, R. and McCrudden, J.C (1987) Regulation and Public Law (London: Weidenfeld and Nicholson), and R. Baldwin and Cave, M. (1999) Understanding Regulation. (Oxford: OUP)

121 IEC/ISO Guide 2:2004 subsection 1.7 defines the consensus mode by which technical standards are adopted at the ISO as a “general agreement, characterized by the absence of sustained opposition to substantial issues by any important part of the concerned interests and by a process that involves seeking to take into account the views of all parties concerned and to reconcile any conflicting arguments. NOTE Consensus need not imply unanimity.”

122 Hauert argues that the legitimacy of the international standardization bodies in Europe also relies on their recognition by the states as organized bodies and their exclusive competence in technical matters, in Hauert, C. and Graz, JC, (2013) “La Normalisation des Services Aux États-Unis et en Europe.” In Services Sans Frontières, Presses de Sciences Po., 65–102.

123 The New Approach policy was adopted in Europe by Council Resolution 85/C136/01 of 7 May 1985. This policy aimed at speeding up the harmonization of EU requirements for product safety and reducing the technical barriers existing between member states in order to realize the single market before 1992. The «New Approach» Legislative Commission. The New Approach policy suggested that essential requirements should be enacted by the legislator and included in clear and concise provisions in the annexes of New Approach Directives. The essential requirements could be translated, at the request of the legislator, into technical standards by the European standardization bodies. Once the standard was agreed between the stakeholders involved in its drafting, it would become mandatory (“harmonized” in the wording of the European Commission), replacing all the former standards issued on the same subjects and already in force in the standards’ libraries of member states. The New Approach policy defined four main principles:

(i) The products must at least comply with the principles laid down in the directives before being placed on the market.

(ii) These principles are defined in the so-called «New Approach» Directives. They are translated, at the request of the legislator, into technical standards by the European standardization bodies. These standards are technical specifications designed to facilitate compliance with the principles


GDPR entitles private bodies and the European Commission to draft standards124. In the New Approach policy, the lawmaker delegated the standard setting process to the European standardization bodies125. Food regulation and sustainable development even went further by including civil society representatives in the design of the requirements, arguing that the broadest involvement increases the legitimacy of the requirements126. Even though the European Parliament127 envisaged something similar in data protection, the final version of the GDPR has given up this approach.

One can argue that the lawmaker purposely endorsed certification under a co-regulation arrangement for preventing these issues.

set out in the «New Approach» Directives. These standards, called harmonized standards, are mandatory in all member states. Member states must repeal all texts that contradict these harmonized standards.

(iii) The application of standards remains voluntary.

(iv) The products that comply with the standards benefit from a «presumption of conformity»

with the principles set out in the Guidelines. They can be distributed in all the Member States. See Mark R. Barron (2007) “Creating Consumer Confidence or Confusion? The Role of Product Certification in the Market Today”, Marquette Intellectual Property Law Review, Volume 11 Issue 2, 427. A full presentation of the basics of the CE marking process can be found in the ‘Blue Guide’ on the implementation of EU product rules issued by the European Commission, 2014, 6. http://ec.europa.eu/growth/tools-databases/newsroom/cf/itemdetail.cfm?item_id=7326. See also Jacques Pelkmans, “The New Approach to Technical Harmonization and Standardization”, Journal of Common Market Studies, XXV, No 3, March 1987. Accessed June 14, 2015: https://courses.washington.edu/eulaw09/supplemental_readings/Pelkmans_New_Approach_Harmonization.pdf

124 Article 43.8

125 The standardization bodies are mandated by the European Commission at the request of the European Parliament

126 Conroy, M.E., (2007). Branded! How the certification revolution is transforming global corporations, New Society Publishers.

127 The European Parliament version of former Article 39.3 stated: “The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board and consulting with stakeholders, in particular industry and non-governmental organizations, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1-1h, including requirements for accreditation of auditors, conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. These delegated acts shall confer enforceable rights on data subjects”. European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012)0011 – C7-0025/2012 – 2012/0011(COD))


The GDPR entitled the national data protection authorities and the European Data Protection Board to approve the requirements drafted by the private bodies in order to ensure the legitimacy of the requirements.

The monitoring introduced in the issuance and withdrawal of certification is intended to prevent the need for private meta-regulators, which only moves the reliability issue to another level rather than solving it.

3.3. Monitored self-regulation

Whereas co-regulation128 implies discussion and collaboration between the different stakeholders, the GDPR rather provides for monitoring by the authorities. The arrangement mixing self-regulation and co-regulation in the GDPR could be a deliberate attempt by the European lawmaker to preserve the flexibility of self-regulation and overcome the enforcement issue through the introduction of co-regulation measures.

Power129 argues that the introduction of audit processes in the European regulation has been “a way of reconciling contradictory forces: on the one hand, the need to extend a traditional hierarchical command conception of control, in order to maintain existing structures of authority; on the other the need to cope with the failure of this style of control, as it generates risks that are increasingly hard to specify and control.”

Schulz and Held130 describe it as enforced self-regulation and see it as a third way of regulating the information society. They foresee, with the information society, the emergence of a continuum of regulation instruments ranging from pure self-regulation tools to full regulation, without a clear-cut separation between them. The introduction of this monitored self-regulation can be a way to fill the gap between self-regulation and regulation instruments.

128 “Co-regulation combines binding legislative and regulatory action with actions taken by the actors most concerned, drawing on their practical expertise. The result is wider ownership of the policies in question by involving those most affected by implementing rules in their preparation and enforcement. This often achieves better compliance, even where the detailed rules are non-binding”. European governance - A white paper/COM/2001/0428

See also note 27 for co-regulation definitions

129 Power, M (2014) The Audit Explosion, Demos, 5

130 Schulz, W., Held, T., (2002). Regulierte Selbstregulierung als Form modernen Regierens. Im Auftrag des Bundesbeauftragten für Angelegenheiten der Kultur und der Medien. Endbericht. Hamburg: Verlag Hans-Bredow-Institut.


One could also argue that the rise of certification as a regulation instrument could result in the transposition of the quality management131 introduced in industry at the end of the 1980s with the publication of the ISO 9001 standard. It could offer the authorities the opportunity to manage the entire lifecycle of regulation132, from the design of the requirements to the monitoring of their proper implementation, and thus to apply the Plan-Do-Check-Act approach popularized by the Deming wheel133.

4. CONCLUSION

This paper argues that the GDPR has played, once again, a trailblazing role in European law with the endorsement of data protection certification. The lawmaker deliberately leveraged the flexibility with which certification procedures can be arranged to turn data protection certification into an instrument located between self-regulation and co-regulation. The absence of legal consequences of this instrument and the fact that it remains optional clearly locate it as a self-regulation instrument, but the involvement of the authorities in the design and management of the schemes also makes it a co-regulated instrument. However, the authorities monitor rather than collaborate with private stakeholders. Thus, the term monitored self-regulation seems more suitable to define this instrument. This monitored self-regulation instrument is intended to fill the gap between self-regulation and regulation instruments and, perhaps, prepares the future of information technology regulation as noticed by some authors. This tool is still at the implementation stage, since the GDPR will enter into force in May 2018. It would be interesting to evaluate, once the regulation is in force, how the different stakeholders are organizing and using this instrument.

131 Quality Management proposes to manage the quality of the production system rather than the quality of the products. It results from the transfer to the industrial field of the Quality Assurance (QA) programs initiated in US military programs during the 60’s. QA is also a legacy of the seminal work initiated by the BSI in the early 1970’s and inherited the ideas of theorists such as E. Deming, K. Ishikawa or A. Feigenbaum.

132 Robert Baldwin et al. find three basic elements in regulation: (i) standard setting, (ii) monitoring compliance and (iii) enforcement; cited by Havinga, T. and Verbruggen, P. (2014), 6

133 The contribution of W.E Deming in quality management is presented on the website of the American Society of Quality (ASQ). Last accessed on 01/05/2017

<http://asq.org/about-asq/who-we-are/bio_deming.html>


5. BIBLIOGRAPHY

Arbesman, S., (2016). Overcomplicated: Technology at the Limits of Comprehension.

Baldwin, R., McCrudden, J.C., (1987) Regulation and Public Law (London: Weidenfeld and Nicholson)

Baldwin, R., Cave, M., (1999) Understanding Regulation (Oxford: OUP)

Barnes, P., (2006) Capitalism 3.0: A Guide To Reclaiming The Commons (San Francisco: Berrett-Koehler Publishers, 2006)

Bartley, T. et al. (2015). Looking behind the label: global industries and the conscientious consumer. Indiana University Press.

Bartley, T., (2010). “Certification as a Mode of Social Regulation.” Department of Sociology, Indiana University Bloomington

Bartley, T., (2007), ‘Institutional Emergence in an Era of Globalization: The Rise of Transnational Private Regulation of Labor and Environmental Conditions’, American Journal of Sociology, 113 (2)

Black, J., (2008). Constructing and contesting legitimacy and accountability in polycentric regulatory regimes. Regulation and Governance, 2(2)

Belson, J., (2002) Certification Marks. London: Sweet and Maxwell, 20

Benezech, D., (1996). «La norme: une convention structurant les interrelations technologiques et industrielles,» Revue d’économie Industrielle, Programme National Persée, vol. 75(1)

Busch, L., (2012). The Power of Standards, in: Standards: Recipes for Reality. MIT Press.

Cashore, B. et al. 2004, Governing Through Markets: Forest Certification and the Emergence of Non-state Authority, New Haven: Yale University Press. Cited in Bartley, Tim. (2010) p 10

Civic Consulting (2012) A Pan-European Trustmark for E-Commerce: Possibilities and Opportunities - Study for the Directorate-General for Internal Policies – European Parliament

Conroy, M.E., (2001) Can Advocacy-Led Certification Systems Transform Global Corporate Practices? Evidence and Some Theory. Program on Development, Peacebuilding, and the Environment

Conroy, M.E., (2005) Certification Systems as Tools for Natural Asset Building: Potential, Experiences to Date, and Critical Challenges. Political Economy Research Institute (PERI) University of Massachusetts Amherst Working Papers

Conroy, M.E., (2007) Branded! How the certification revolution is transforming global corporations. New Society Publishers

Cochoy, F., (2000). “De l’AFNOR” à “NF” p. 77 and Woodward D.C. (1972). The Story of Standards


Cochoy, F., (2005). La normalisation sociale ou le fétichisme de la marchandise renversé. Centre d’Etude et de Recherche Travail Organisation Pouvoir (CERTOP).

Dutch Ministry of Industry (2003) Kabinetsstandpunt over het gebruik van certificatie en accreditatie in het kader van overheidsbeleid

Eijlander, P. et al. (2003). De inkadering van certificatie en accreditatie in beleid en wetgeving. A study commissioned by the Ministry of Economic Affairs. Instituut, Centrum voor Wetgevingsvraagstukken, Universiteit van Tilburg, 2003 - 194 p

EU best practice guidelines for voluntary certification schemes for agricultural products and foodstuff (2010/C 341/04)

Florini, A. et al. (2000) «The Rise of Transnational Civil Society» - Carnegie Endowment for International Peace

Foray, D. (1994). Diversité, sélection et standardisation: les nouveaux modes de gestion du changement technique. In: Revue d’économie industrielle. Vol. 75. 1er trimestre 1996.

Galland, J-P., (2015). Big Third-Party Certifiers and the Construction of Transnational Regulation. Presented at the Society for the Advancement of Socio-Economics, London.

Gdaniec, D.E., (2012) “Comparison of Different Certifiable and Non-Certifiable Corporate Social Responsibility Standards in the European Telecommunications Industry.” Master Thesis realized in cooperation with Deutsche Telekom AG, Universiteit Utrecht, 2012.

Hauert, C. and Graz, JC, (2013) “La Normalisation des Services Aux États-Unis et en Europe.” In Services Sans Frontières, Presses de Sciences Po

Haufler, V. (2003) New Forms of Governance: Certification Regimes as Social Regulations of the Global Market. In Chris Elliott et al., eds. Social and Political Dimensions of Forest Certification

Havinga T., Verbruggen, P. (2014). Hybridisation of Food Governance: Trends, Types and Results. Presented at the Panel Hybridization of RegGov: Trends, Types and Results of Public-Private Interaction, ECPR Standing Group on Regulatory Governance Conference, Barcelona 25-27 June 2014

Hustinx, P. (2013) EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, Course given at the European University Institute’s Academy of European Law, 24th Session on European Union Law, 1-12 July 2013, 16

Idowu, S.O. et al. (2015). Dictionary of Corporate Social Responsibility: CSR, Sustainability, Ethics and Governance. Springer International Publishing, 503

ISO/IEC 17000:2004 - Conformity assessment - Vocabulary and general principles

Page 172: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

171 THE GENERAL DATA PROTECTION REGULATION AND THE RISE OF CERTIFICATION...

Jahn, G. et al. (2005) The Reliability of Certification: Quality Labels as a Consumer Policy Tool, Journal of Consumer Policy

Lachaud, E., (2016). Could the CE Marking Be Relevant to Enforce Privacy by Design in the Internet of Things? in: Gutwirth, S., Leenes, R., De Hert, P. (Eds.), Data Protection on the Move: Current Developments in ICT and Privacy/Data Protec-tion. Springer Netherlands, Dordrecht, 135–162.

Lachaud, E., (2016) ‘Why the certification process defined in the General Data Protec-tion Regulation cannot be successful’ Computer Law & Security Review 32(6) 814.

Loconto, A., Busch, L., (2010). Standards, techno-economic networks, and playing fields: Performing the global market economy. Review of International Political Economy 17,

Micheletti, M. (2003), Political Virtue and Shopping: Individuals, Consumerism, and Collective Action, New York: Palgrave Macmillan.

Bartley, T et al. (2015). Looking behind the label: global industries and the conscien-tious consumer. Indiana University Press.

Nordhaus, William D., (2001) The Progress of Computing. Cowles Foundation Dis-cussion Paper No. 1324, 28 Available at SSRN: http://ssrn.com/abstract=285168

O’Connell, J., (1993). Metrology: The creation of universality by the circulation of particulars. Social studies of science, 23(1),

Power, M., (2014) The Audit Explosion, Demos, 5Schulz, W., Held, T., (2002). Regulierte Selbstregulierung als Form modernen Regie-

rens. Im Auftrag des Bundesbeauftragten für Angelegenheiten der Kultur und der Medien. Endbericht. Hamburg: Verlag Hans-Bredow-Institut.

Scott, W. R., and Meyer, J. W. (1994). Institutional environments and organizations: Structural complexity and individualism. Sage.

Staaij, J.V.D (2008) Certification as sustainable self-regulation” Master Thesis - Rot-terdam School of Management Erasmus University, Department Business-Society Management,

Trzaskowski, J., (2006) E-Commerce Trustmarks in Europe - an overview and com-parison of Trustmarks in the European Union, Iceland and Norway European Consumer Centre Denmark

Van Der Meulen, B., (2011). Private food Law: Governing food chains through con-tract law, self-regulation, private standards, audits and certification Schemes (p. 436). Wageningen Academic Publishers.

Verbruggen, P., & Havinga T., (2014) “The Rise of Transnational Private Meta-Regu-lators,” TBGI Project Subseries No. 20, Vol. 10/Issue. 16

Vogel, D., (2008). Private Global Business Regulation. Haas School of Business, De-partment of Political Science, University of California. Berkeley p. 262

Page 173: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

172 Managing Risk In the Digital Society

Woodward, D.C., (1972). Buying with assurance: the Kitemark and other certification schemes, in: The Story of Standards. British Standards Institution

Page 174: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

11

A TALE OF TWO RIGHTS: THE CLASH AND COLLABORATION OF RIGHT TO DATA PORTABILITY AND RIGHT TO BE FORGOTTEN

Wenlong Li, Ph.D. Candidate

Edinburgh Law School

ABSTRACT: In response to technological advances that have posed new challenges to data protection law, the EU has undertaken a comprehensive reform of data protection in which two novel rights are created for individuals to strengthen their control over personal data. The two rights, the right to be forgotten and the right to data portability, quickly became known to the public by their catchy names, but the relationship between them has received little attention. This paper examines the interplay of the two rights and, in particular, two circumstances: one in which the rights are exercised against each other and one in which they are exercised jointly to better achieve data protection objectives. The paper begins by providing an overview of the GDPR and its new inventions. It then explores the conceptual relationship between the two rights, with particular reference to the unique way in which the right to data portability is defined and the implications for the rights' interplay. Regarding the clash of the rights, the social nature of personal data and the diversity of values relating to privacy are addressed, along with the solution provided by Article 20(3), which is detailed further on the basis of lessons drawn from existing access requirements. The paper also examines the potential collaboration between the rights from both socio-economic and legal perspectives, and concludes that both rights need to be exercised jointly in order to make up for the failing consent mechanism and, ultimately, to achieve privacy-related objectives.

KEYWORDS: right to data portability (RDP); right to be forgotten (RTBF); General Data Protection Regulation (GDPR); privacy; big data

1. INTRODUCTION: GDPR AND TWO NOVEL RIGHTS

In 2016 we witnessed the passage of the EU's new General Data Protection Regulation (GDPR), a significant milestone in the EU reform of data protection law initiated in 2012.1 After a two-year transition period, this new piece of legislation will apply from 25 May 2018, replacing Directive 95/46/EC, which has weathered a good range of technological breakthroughs. The significant challenges they

1 European Commission. Reform of EU data protection rules. Retrieved from http://ec.europa.eu/justice/data-protection/reform/index_en.htm.


have brought for data protection, e.g. the marginalisation of individual efforts and the difficulty of exercising digital rights, have become a major concern for EU legislators. Consequently, an approach of empowering individuals and strengthening their control over personal data has been proposed. Among other policy objectives, the EU aims to take advantage of the reform to 'clarify and improve existing rights', reducing the grey area in which individual rights are sometimes not properly respected.2

To be fair, a set of rules providing a legal basis for individual participation in data protection has already been in place for years, but for several reasons these rules have not worked as effectively as the majority of paternalistic rules (those enforced mostly by data controllers, with a limited degree of individual participation). The individual participation principle, as a foundation of data protection law, is indicative of the respect for individual efforts in data protection. The principle underpins a range of individual-centric rules that comprise, roughly, the consent mechanism and the individual rights. The former, the entry point of individual engagement, has been severely challenged by big data analytics.3 Given the unprecedented scale of data collection, processing and sharing, along with the common practice of repurposing data for big data analysis, the consent scheme has been subject to severe criticism as a barrier to innovation and an unbearable burden on individuals. The latter, in contrast, have remained largely underutilised for decades. Corporate data controllers, seeking to avoid compliance costs, usually find multiple ways of discouraging individuals from exercising their rights.4 Further, the increasing complexity of data processing is also a notable barrier for the average person.5

Given the difficulty of incorporating individual participation, the EU has nonetheless determined to 'validate' individual-centric rules with a view to boosting trust in the new digital environment.6 Clarifications of existing rules have been given in order to facilitate an active role for individuals in data protection. However, it remains debatable whether such clarifications are strictly formulated within the existing framework, without any substantial changes to existing rules. This enquiry is particularly relevant in the case of the two new rights the GDPR has introduced. The two rights are perceived in the public eye as, understandably, something of a novelty, at least by their names, but this perception can be refined by an investigation into their connections with the existing rights. The paper attempts to demonstrate that both rights find their genesis within the data protection framework, but that the extent to which they extend the existing rights varies.

2 Commission Staff Working Paper on the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). SEC (2012) 72 final. Retrieved from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012SC0072

3 Cate, F. H., & Mayer-Schönberger, V. (2013). Notice and Consent in a World of Big Data. International Data Privacy Law, 3(2), 67–73.

4 Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), xxvii.

5 European Data Protection Supervisor. (2015). Meeting the Challenges of Big Data (Opinion 7/2015), p. 21. Retrieved from https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf.

6 European Commission, supra note 2.

1.1. The right to be forgotten

The right to be forgotten is closely related to the existing right to erasure enshrined in the 1995 Data Protection Directive, and the new name given to this right is designed to clarify the intended outcome of data deletion, namely having a certain aspect of an individual's online identity completely forgotten by the internet community. Over the past two decades, it has turned out that the practical difficulty of exercising data erasure, especially in an online environment, is virtually insurmountable.7

The GDPR has clarified the existing rules on data deletion with a new clause for this right that is eight times longer than the original. This lengthened clause, however, does not lead to the conclusion that the right to be forgotten is fundamentally different from the existing right,8 as is evidently corroborated by the fact that the CJEU's first ruling on the right to be forgotten was made on the basis of the 1995 Directive, in 2014, when the new EU legislation was still awaiting approval.9

1.2. The right to data portability

The nature of the right to data portability as an extension of the right of access is more perplexing. To begin with, no explicit notion of data portability can be found in the 1995 Directive. In the documents accompanying the European Commission's proposal, though, some stakeholders were reported to consider the new right redundant given the existing right of access.10 This idea was endorsed by the European Parliament's Rapporteur, Jan Philipp Albrecht, in his report, which claimed

7 Ibid.

8 European Commission. (2014). Factsheet on the "Right to be Forgotten" Ruling (C-131/12). Retrieved from http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf.

9 Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Court of Justice of the European Union, Case C-131/12, judgment of 13 May 2014.

10 European Commission, supra note 2.


that the new right to data portability is merely a specification of the right of access.11 Under the influence of this idea, the right to data portability was entirely amalgamated with the right of access in the European Parliament's amendments.

However, the distinction between the two rights became increasingly evident in subsequent legislative texts. Before the finalisation of the GDPR, the right to data portability was separated from the right of access and repositioned in a completely different section, 'Rectification and erasure', next to the right to be forgotten. Such repositioning clearly indicates that the right is actually devised to serve new purposes beyond mere information and transparency. As Swire and Lagos wisely pointed out, there is a disparity between the right and its initial policy objective of being a precondition for the access right; they concluded that the right to data portability 'goes quite far beyond existing access requirement'.12 Indeed, EU legislators have been keen to attribute additional layers of meaning to data portability that could make the new right disparate from the old. Considering the section under which the right is positioned, it is rectification rather than access that data portability must most closely relate to, given that recital 68 denies that the right implies any erasure of data.13 Apart from transparency, three specific objectives are attached to this right. Primarily, the right facilitates switching between a variety of service providers. As the EC proposal convincingly describes,14

‘With increasing use of certain online service, the amount of personal data collected in this ser-vice becomes an obstacle for changing services, even if better, cheaper or more privacy friendly services become available. This could mean the loss of contact information, calendar history, interpersonal communications exchanges and other kinds of personally or socially relevant data which is very difficult to recreate or restore.’

Notably, the importance of data portability in achieving service switches is not confined to a new copy of personal data obtained by exercising the right of access. Rather, the point of novelty lies in the development of interoperability that enables direct transmission of personal data from one processing system to another (under Article 20(2) GDPR, where technically feasible). In addition, the exercise of the right to data portability also opens the door for individuals to make the most of their personal data for their own good, with the assistance of applications on the user side.15 It has great potential that may in the end revolutionise the online market, creating a new form dubbed the 'intention economy'.16 Lastly, the notion of data portability is arguably derived from the area of competition law, where a similar mechanism is at play under conditions such as dominant market power.17 The right is expected to achieve a similar outcome, fostering a more competitive market by reducing user lock-in.18

11 Jan Philipp Albrecht (2013). Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

12 Peter Swire & Yianni Lagos. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2159157.

13 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), recital 68.

14 European Commission, supra note 2.

In light of this deliberate shaping by the EU legislators, it can be concluded that those additional objectives substantially differentiate the right to data portability from the existing right of access. What the GDPR has brought about in this case is not mere clarification but, more importantly, a new right serving different purposes.

2. RELATIONSHIP BETWEEN THE TWO RIGHTS: FORGETFULNESS V. PORTABILITY

Under the GDPR, the two new rights sit next to each other in the same section, titled 'Rectification and erasure'. This section examines both rights, which serve different purposes, and in particular the complex relationship between the two.

2.1. From erasure to ‘be forgotten’

It has been noted that the changes brought to the existing right to erasure by the EU reform are not fundamentally revolutionary.19 Rather, the reform aims to provide clarity to the existing rules and, in particular, to address new technological challenges that were not

15 Tene and Polonetsky, supra note 4.

16 Searls, D. (2013). The Intention Economy: When Customers Take Charge. Harvard Business Press.

17 Gabriela Zanfir. (2012). The Right to Data Portability in the Context of the EU Data Protection Reform. International Data Privacy Law, 2(3), 149–162. See also Inge Graef et al. (2013). Putting the Right to Data Portability into a Competition Law Perspective. Law: The Journal of the Higher School of Economics, Annual Review, 53–63. See also Weiss, S. (2009). Privacy Threat Model for Data Portability in Social Network Applications. International Journal of Information Management, 29(4), 249–254. Finally, Swire and Lagos, supra note 12.

18 Ibid.

19 Giovanni Sartor. (2015). The Right to be Forgotten in the Draft Data Protection Regulation. International Data Privacy Law, 5(1), 64–72.


anticipated. Over the decades, the internet has rapidly turned into a super-powerful medium which 'has unlimited search and memory capacity'.20 As a result, we have witnessed a worrying paradigm shift: forgetting, for ages the norm of human society, has become the exception, while remembering has become the default with the aid of digital technologies.21 In response, the exercise of the right to erasure may produce the desired outcome that a certain aspect of an individual's online identity is, in certain circumstances, forgotten by the borderless internet community.

2.2. Data portability and the precondition of data duplication

In contrast, the right to data portability is a freestanding right distinct from any existing right. It aims to achieve a certain level of data portability, but only as a precondition for the exercise of the right of access. Notably, this structural limit makes the desired outcome of exercising the RDP different from data portability in general, and thus the right to data portability is not necessarily in clash with the right to be forgotten. Data portability, in general, refers to the ability to seamlessly transfer data from one database to another.22 In reality, however, such data transfers are often difficult because of the incompatibility of different databases, especially those owned by different entities. Accordingly, data portability rests strictly upon common technical standards adopted by the databases involved or, technically speaking, interoperability.23 The GDPR itself only requires that the data be provided in a structured, commonly used and machine-readable format (Article 20(1)); recital 68 encourages controllers to develop interoperable formats but creates no obligation to adopt or maintain technically compatible processing systems. In this context, it might be argued that the two notions mentioned above clash with each other, as the former dictates the removal of certain personal data from the internet while the latter facilitates data transfer among platforms. Data portability can only be achieved on the condition that the data to be transferred is still available in the database. This precondition of data retention, however, is the very target of the right to be forgotten.

20 Viviane Reding. (2012, January 22). The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age. Retrieved March 19, 2017, from http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm.

21 Mayer-Schönberger, V. (2009). Delete: the Virtue of Forgetting in the Digital Age. Princeton: Princeton University Press.

22 Article 29 Data Protection Working Party (13 December 2016). Guidelines on the right to data portability. Retrieved from http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.

23 GRDI 2020. Data Interoperability. Retrieved from http://www.grdi2020.eu/Repository/FileScaricati/c4fb6ab0-d83b-49ae-ab14-6d8030fc2422.pdf.

Page 180: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

179 Managing Risk In the Digital Society

2.3. Forgetfulness v. portability

The clash between data erasure and portability is, however, not necessarily the case under the GDPR. In fact, the right to data portability is defined in a way that does not intend to interrupt the existing dynamic of data processing. This definition is highly relevant to the connection with the existing right of access, which is exercised on the basis of a new copy of the data. Accordingly, what is to be transferred is not the very set of personal data undergoing processing, but a new copy of it. The GDPR has made it explicit that the exercise of the right to data portability does not imply the erasure of the personal data just copied, and therefore the removal of that specific set of data, if intended, requires an additional action.24

Taking data duplication as a precondition for data transfers, this approach to data portability has a great impact on the interplay between the two rights concerned in this paper. As the two rights are actually exercised at parallel levels, on different sets of personal data, they do not necessarily collide with each other. This allows for the possibility of exercising both rights simultaneously, which I will explain later, in order to achieve the effect that a set of personal data is completely removed from the original database and that no copy exists other than the one just ported.
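The copy-then-erase sequence described above, as an added example that is not part of the original paper: the in-memory store and the sample records are constructed for illustration, and the retain_for_contract flag is an assumed controller-side marker for the carve-out in recital 68 (data still needed to perform a contract is included in the portable copy but not erased). The ordering matters for the subject: nothing is erased until the portable copy has been produced and verified, so a failed transfer never leaves the subject with no copy at all.

```python
"""Added example: exercising data portability (Art. 20) and erasure (Art. 17)
jointly, in the order the argument above requires: copy, verify the copy,
then remove the original. The store, the records and the retain_for_contract
flag are constructed assumptions, not anything from the paper or the GDPR text."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Record:
    subject_id: str
    kind: str                          # e.g. "contact", "calendar", "invoice"
    payload: dict
    retain_for_contract: bool = False  # assumed marker: still needed to perform a contract


class Store:
    """Minimal stand-in for the controller's database (constructed for the example)."""

    def __init__(self, records):
        self.records = list(records)

    def for_subject(self, subject_id):
        return [r for r in self.records if r.subject_id == subject_id]


def export_portable(store, subject_id):
    """Produce the portable copy in a structured, commonly used, machine-readable
    format (JSON here). The originals are left in place: portability is a copy,
    not a move. Returns the bytes and a SHA-256 digest for the receiver to check."""
    doc = {
        "subject_id": subject_id,
        "records": [
            {"kind": r.kind, "payload": r.payload}
            for r in store.for_subject(subject_id)
        ],
    }
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return data, hashlib.sha256(data).hexdigest()


def verify_copy(data, digest):
    """Receiver-side check: the copy is intact and parseable before anything is destroyed."""
    if hashlib.sha256(data).hexdigest() != digest:
        return False
    try:
        json.loads(data)
    except ValueError:
        return False
    return True


def port_then_erase(store, subject_id, digest_seen_by_receiver=None):
    """Copy, verify, erase. Erasure is refused if the copy cannot be verified.
    Records flagged retain_for_contract are exported but kept in the store.
    Returns (exported_bytes, erased_count, retained_count)."""
    data, digest = export_portable(store, subject_id)
    check = digest if digest_seen_by_receiver is None else digest_seen_by_receiver
    if not verify_copy(data, check):
        raise RuntimeError("portable copy not verified; refusing to erase")
    keep, erased, retained = [], 0, 0
    for r in store.records:
        if r.subject_id != subject_id:
            keep.append(r)            # other data subjects are untouched
        elif r.retain_for_contract:
            keep.append(r)            # recital 68 carve-out: ported, not erased
            retained += 1
        else:
            erased += 1
    store.records = keep
    return data, erased, retained


def sample_store():
    """Constructed sample data: two subjects, one record still under a contract."""
    return Store([
        Record("alice", "contact", {"email": "alice@example.org"}),
        Record("alice", "calendar", {"event": "dentist", "date": "2017-06-01"}),
        Record("alice", "invoice", {"number": "INV-42", "open": True},
               retain_for_contract=True),
        Record("bob", "contact", {"email": "bob@example.org"}),
    ])


def demo():
    """Run the joint exercise for one subject and report what happened."""
    store = sample_store()
    data, erased, retained = port_then_erase(store, "alice")
    exported = json.loads(data)
    return {
        "exported_records": len(exported["records"]),
        "erased": erased,
        "retained": retained,
        "alice_left": len(store.for_subject("alice")),
        "bob_left": len(store.for_subject("bob")),
    }


if __name__ == "__main__":
    print(demo())
```

The portable copy contains all three of the subject's records, including the one the controller keeps under the contract carve-out, because portability and erasure are evaluated separately; a digest mismatch on the receiving side aborts the erasure step entirely.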

In sum, the paper will detail these two specific circumstances in the following sections. The first arises when more than one data subject is involved, with one exercising the right to data portability and another claiming the right to be forgotten against the same set of personal data. The second circumstance concerns the possibility for an individual to exercise both of his or her rights at the same time for certain data protection purposes.

3. THE CLASH: ‘MORE THAN ONE DATA SUBJECT IS INVOLVED’

The circumstance in which the two rights may be exercised together by different data subjects with conflicting interests was well captured in discussions about the EU reform. Ultimately, a recital relating to data portability25 articulates that 'where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data [the first leg of the right to data portability] should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation'. In particular, the same recital continues by singling out the potential conflict

24 GDPR, supra note 13, Article 20(3) and recital 68.

25 Ibid., recital 68.


with the right to erasure and to be forgotten, and prescribes that the exercise of data portability shall be 'without prejudice to' the right to be forgotten, expressly giving priority to the right to be forgotten when the two rights clash. The paper explores this circumstance by first building up the picture of multiple data subjects being involved in the same set of personal data, and then making a critical assessment of the solution given under the GDPR.

3.1. Humans' social nature and its reflection in the digital sphere

The information that an individual's personal data contains often relates to another person; this is the reflection of humans' social nature in the digital sphere. As Aristotle wisely observed, 'man is by nature a social animal';26 that social nature is well reflected in the basic units of the digital sphere, personal data. As data contains various information keeping records of human interactions, such data can involve multiple individuals regardless of whom it belongs to. The name 'personal' data may affect our understanding of the extent to which data relates to multiple persons. Nevertheless, a set of personal data can be 'personal' to many individuals.

Under the GDPR, personal data is defined as any information 'relating to an identified or identifiable natural person'.27 Accordingly, the personalness of data, or the relevance of a certain data subject, depends on the identifiability of the individual concerned. As the GDPR broadly defines the ways in which personal data relates to natural persons (including indirect ways) and admits a wide range of identifiers in this context (factors specific to physical, physiological, genetic, mental, economic, cultural or social identity), it is quite likely that a set of personal data relates to a group of individuals who share the same identifiers. Location data is a telling example that involves masses of individuals who disclose their whereabouts in exchange for free public Wi-Fi. The shared locational identifier can be used, often together with further identifiers, to identify every individual with access to that Wi-Fi, and therefore either the erasure or the transfer of such data must relate to more than one individual.

3.2. A comprehensive approach to privacy

The tension caused by the social nature of personal data must be acknowledged and addressed by data protection law, which is instrumental in guaranteeing that both rights concerned in this paper achieve their desired outcomes. Accordingly, a proper balance needs to be struck when the private interests of the different data subjects involved are

26 Aristotle. (2000). The Politics (Rev. ed.). Middlesex: Pearson.

27 Article 4(1), GDPR, supra note 13.


contradictory to each other. Here, the paper further develops the picture of the private interests involved in the case of erasure versus portability and assesses those interests by drawing on a particular theory of privacy typology. To be specific, the private interests that lie in the exercise of either right concerned often relate to the most important policy objective that EU data protection law aims to achieve: the protection of privacy. The traditional approaches to privacy, however, cannot adequately capture the changing social norms; modern individuals living in digital environments, for example, care less about the original conception of privacy, namely the right to be let alone,28 and have been motivated to exchange private information for (economic) benefits. Further, new legal inventions under the umbrella of data protection (e.g. the two new rights in question) can only be well explained by a broader and more inclusive approach to privacy. Research efforts have already been made by some scholars to reconceptualise privacy in the new digital environment, with more comprehensive models proposed that reflect the evolution of privacy over the decades and in particular in the digital age.29 This paper does not advocate any existing model of privacy; rather, it finds certain criteria of conceptualisation relevant and useful to depict a coherent picture of the potential clash between the two rights. In particular, three dimensions that the traditional approaches to privacy fail to capture will be addressed.

3.2.1. Private-public dichotomy and the semi-private zone

The dichotomy between the public and the private sphere has been severely challenged by advances in technology, which have created a semi-private (or semi-public) zone. As private information becomes more and more digitalised and available on the internet, the boundaries of the private sphere have been blurred and private information has increasingly slipped out of the individual's control. Consequently, personal data mostly dwells in the semi-private zone, where profit-driven corporations act as the guardians of privacy. However, it has turned out that data abuses happen all the time, and corporate data controllers' ability and motivation to protect an individual's privacy are under severe criticism. As the protection of one's privacy has increasingly come to rely upon the legal and ethical use of personal data by corporations, the semi-private sphere has become the major battleground for privacy. The two rights concerned were born to protect personal data in the semi-private sphere and hence play a critical role in protecting privacy by empowering individuals to exercise control against misuse.

28 Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220.

29 Koops, B.-J. et al. (2016). A Typology of Privacy. Rochester, NY: Social Science Research Network. Retrieved from https://papers.ssrn.com/abstract=2754043.


3.2.2. Access-control dichotomy and control-based rights

Another dimension of privacy relevant to the clash between the two rights is the access-control dichotomy. The right to privacy can be formulated either as the ability to restrain others from accessing one's private information or, alternatively, as the ability of an individual to control that information. As big data has become the driving force that revolutionises a wide variety of industries, it is evident that merely restraining access to private information is neither possible nor desirable. In the age of the Directive (1995–2018), EU data protection law, with its limited level of individual participation, has mostly relied on access-based rules, whereas their control-based equivalents, including the two rights, will soon play a more important role in data protection. The regulatory focus shall be put on the way personal data is used and, in particular, on the ability of individuals to make checks against misuse.

3.2.3. Positive-negative freedoms

Privacy has often been construed in negative terms on the basis of Warren and Brandeis' ground-breaking work.30 However, it has gradually become explicit that privacy does have a positive dimension, especially in the digital context, where the medium of private information, namely personal data, can be and has been commercialised to an unprecedented degree, opening up grounds for individuals to enjoy an increased level of self-determination and encouraging them to make trade-offs for benefits at the cost of their negative freedom. This dimension of privacy is not prominent in the case of the right to be forgotten, but is of particular relevance to one aspect of the right to data portability: that it facilitates the individual use of personal data for his or her own benefit. Accordingly, the clash between data erasure and portability, or between data subjects with different legal claims, actually has its roots in the difference between two dimensions of freedom, positive versus negative, in relation to privacy.

In sum, it is argued that the two new data protection rights, in light of their human-rights-based nature, both closely relate to the policy objective of the right to privacy, but reflect different dimensions of it. It remains unexplored how a balance of interests can be properly achieved when two major dimensions of privacy (negative v. positive) clash with each other, a reflection of the tension between the two rights concerned.

30 Warren & Brandeis, supra note 29.


3.3 The balance: Interpretation of ‘without prejudice to’

3.3.1. The GDPR solution

The GDPR has anticipated the circumstance in which the two rights clash and are claimed by different data subjects. As a solution to ease the tension, it prescribes that the exercise of the right to data portability shall be 'without prejudice to Article 17 [the right to erasure ('right to be forgotten')]'. The recital provides further clarification:

‘Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract.’

Literally, this phrase can be understood to mean that the exercise of the right to data portability shall not be to the detriment of the right to be forgotten, consequently giving priority to the latter. This solution seems justified in terms of the legislation's consistency. As indicated above, the right to be forgotten would potentially eliminate any chance of the right to data portability being triggered if the personal data concerned are completely removed. It also makes sense insofar as data portability stands for proprietary interests whereas the right to be forgotten represents human-rights values such as dignity and reputation, a matter clearly outside the ambit of this paper. Still, it is open to question whether a blanket policy of always prioritising the right to be forgotten is fair and justifiable. Particularly in the context of privacy, should the negative aspect of privacy always take precedence over the positive one? Should a compromise be made in certain circumstances where the positive freedom that privacy entails is valued more than the negative?

3.3.2. Lessons from access requirements

The problem of implementation in cases where the conflicting interests of multiple data subjects are involved is shared by the existing right of access, and hence lessons can be learnt from existing access rules. For example, the Information Commissioner's Office (ICO) has issued guidance on 'Personal data of both the requester and others' in which it discusses the solution to the conflicting interests of several data subjects.31 The guidance particularly addresses the implementation issues of two pieces of legislation, both of which entail

31 ICO. Personal data of both the requester and others (2013). Retrieved from https://ico.org.uk/media/for-organisations/documents/1209/personal-data-of-both-the-requester-and-others-foi-eir.pdf.


184 A TALE OF TWO RIGHTS: THE CLASH AND COLLABORATION OF RIGHT TO DATA...

rights of public access to information held by public authorities. Both pieces of legislation contain an exemption from the obligation of public authorities to make certain information available to the requester under data protection law. To be specific, where a request under those laws would include the private information of a third party, such information is in general exempt from the request and shall not be disclosed. This default rule is similar to the 'without prejudice to' clause in Article 20(3) of the GDPR, under which a data portability request would be rejected if it prejudiced a third party's right to data protection and, in particular, the right to be forgotten.32 However, the request in question also engages the requester's own right to data protection, and both individuals involved shall be respected equally as data subjects.

The approach proposed by the ICO first looks at the 'differentiability' of the personal data involved and provides a comprehensive solution covering several circumstances. First, where the personal data requested are 'closely linked' to the personal data of another data subject, a group photo for example, the requested information is considered in its entirety and no access is allowed. Here, both the ICO guidance and UK case law33 have emphasised that there is no need to make an assessment as to 'which [personal data] is more significant and to then recognise the rights of protection of that individual and ignore any others'. In other words, if the personal data are not differentiable or technically 'isolatable', a decision based on the relative significance of either party's personal data violates the principle of fairness. Accordingly, there is no 'principal' or 'dominant' data subject, and any access request is denied on the ground of data protection. Second, there are cases where the personal data can be isolated and some of the information relates only to third parties. The guidance states that, on the one hand, the information relating only to the third parties is clearly exempt from the access request, while on the other hand the remaining information can lawfully be accessed, on condition that its disclosure does not contravene the data protection principles.

In sum, it is clear that although an access request is considered the exercise of a right of access under data protection law,34 it cannot outweigh the legitimate data protection interests of others, which reflect the core value the law protects: the right to privacy and, in particular, the negative freedom it enables. Accordingly, the access requirements provide an approach whereby, as a default rule, the right to data protection of others cannot be overshadowed by access requirements. However, where technically possible, a compromise can be achieved among data subjects by differentiating the personal data concerned and making the part that does not relate to third parties accessible.

32 Recital 68, GDPR, supra note 14.
33 Nicholas George Fenney v the Information Commissioner (EA/2008/0001; 26 June 2008).
34 ICO, supra note 31.


From the existing rules on access to information held by public authorities, we can learn two main points useful for designing the rules that interpret Article 20(3) of the GDPR. First, although there are cases where the conflicting interests lie in a set of 'mixed' and undifferentiable personal data, those interests are not necessarily mixed in all circumstances. Where the personal data can be separated, so that certain information is wholly unrelated to third parties, the request can be at least partially allowed. Second, the right of access is generally outweighed by the other rights or freedoms relating to data protection, and in particular by an individual's negative freedom in relation to his or her data privacy. Whereas the first point, bringing 'technical differentiability' into the balance, is clearly applicable to data portability cases set against the right to be forgotten, the second deserves a careful rethink when it comes to data portability. As made clear above, although the right to data portability was initially phrased as a precondition for further access by data subjects, it has since developed into a free-standing right that goes far beyond access for transparency. When constructing the balance, several other outstanding values relating to positive freedom, which will potentially bring major changes to the access scenario, should be duly respected. They include not only the possibility of individual use of personal data with the aid of decentralised technologies,35 rendering an increased level of informational self-determination,36 but also the potential direct transfer among interoperable applications that frees individuals from unhealthy lock-in. In addition, the right's contribution to fostering a competitive market might also add weight to the portability side of the balance.
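The 'technical differentiability' test borrowed from the ICO guidance can be made concrete. The following Python sketch is an added example and is not part of the original paper, nor ICO or GDPR material; it assumes a constructed record schema in which each stored record carries the data of one or more subjects and a `linked` flag marking data that cannot be isolated (the group-photo case). It triages a mixed set for a portability request: requester-only records are ported, records relating only to third parties are withheld, closely linked multi-subject records are denied in their entirety, and differentiable mixed records are ported only as the requester's own component. The export returns a copy, so the controller's original records stay in place and would need a separate erasure request to remove.

```python
"""Triage of a mixed personal-data set for an Article 20 request.

Added example, not from the paper, the ICO or the GDPR. The record
schema, the `linked` flag and the sample data are constructed
assumptions used only to illustrate the differentiability approach.
"""
import copy
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class Record:
    """One stored item. `value` is keyed by the data subject each part concerns.

    `linked=True` means the parts cannot be isolated from one another
    (the ICO's group-photo case), so the record is treated as a whole.
    """
    key: str
    value: Dict[str, object]
    linked: bool = False

    @property
    def subjects(self) -> FrozenSet[str]:
        return frozenset(self.value)


def partition_request(records: List[Record], requester: str) -> Dict[str, List[Record]]:
    """Split records into what can be ported to `requester`, what is withheld
    because it concerns only third parties, and what is denied as a whole."""
    result: Dict[str, List[Record]] = {"portable": [], "withheld": [], "denied": []}
    for rec in records:
        if requester not in rec.subjects:
            # Relates only to other data subjects: exempt from the request.
            result["withheld"].append(rec)
        elif rec.subjects == {requester}:
            # Requester-only data: separable and portable as is.
            result["portable"].append(rec)
        elif rec.linked:
            # Closely linked data of several subjects: no 'dominant' subject,
            # so the record is considered in its entirety and refused.
            result["denied"].append(rec)
        else:
            # Mixed but differentiable: port only the requester's own component.
            result["portable"].append(Record(rec.key, {requester: rec.value[requester]}))
    return result


def export_for_portability(records: List[Record], requester: str) -> List[Record]:
    """Produce the portable subset as a new copy; the controller's originals
    remain in place and would need a separate Article 17 request to erase."""
    return [copy.deepcopy(r) for r in partition_request(records, requester)["portable"]]


def sample_records() -> List[Record]:
    """Constructed sample data for two subjects, 'alice' and 'bob'."""
    return [
        Record("alice_profile", {"alice": "alice@example.org"}),
        Record("bob_profile", {"bob": "bob@example.org"}),
        Record("group_photo", {"alice": "face-left", "bob": "face-right"}, linked=True),
        Record("chat", {"alice": "I'll be there at 9", "bob": "See you then"}),
    ]


if __name__ == "__main__":
    store = sample_records()
    for bucket, recs in partition_request(store, "alice").items():
        print(bucket, [r.key for r in recs])
```

The `linked` flag is the judgement call the guidance leaves to the controller: once a record is marked as inseparable, the code refuses it outright rather than weighing which subject's data is 'more significant', which is exactly the assessment the ICO and the Fenney decision say should not be made.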

4. THE COLLABORATION: JOINT EXERCISE OF BOTH RIGHTS CONCERNED

Another dimension of the interplay between the two rights concerns a single individual exercising both of his or her rights simultaneously for data protection purposes. As indicated above, the personal data ported under the GDPR are not the data that companies have been collecting, processing and sharing, but rather new copies of them. As the data are duplicated in the first place, the exercise of the European version of the right to data portability creates a parallel world of data, rendering the tension between erasure and portability irrelevant. Further, recital 68 of the GDPR says the exercise of

35 Narayanan, A., Toubiana, V., Barocas, S., Nissenbaum, H., & Boneh, D. (2012). A Critical Look at Decentralized Personal Data Architectures. arXiv:1202.4503 [Cs]. Retrieved from http://arxiv.org/abs/1202.4503.

36 Zanfir, supra note 18.


the right to data portability does not 'imply the erasure' of the data concerned,37 indicating that erasure, if desired, is not triggered automatically but requires a separate claim under the right to be forgotten. It is therefore practically possible for an individual to exercise both the right to be forgotten and the right to data portability jointly, as each right is enforced against a different copy of the personal data, even though the content of the copies is identical. Practical feasibility, however, does not explain in which cases an individual would intend to exercise both rights and for what purposes. It is the purpose of this section to colour in the picture of joint exercise from both a socio-economic and a legal perspective, with reference to the policy objectives of the right to data portability.

4.1. Socio-economic context: the ‘Switching’ economy and individual use of personal data

In an on-demand, instant-gratification world, services have become deeply diversified and markets increasingly competitive. As a result, brand loyalty is diminishing and consumer expectations are steadily rising.38 It has been shown that more than half of US consumers have much higher expectations than before of receiving specialised treatment for being 'good' customers.39 Dissatisfaction in this competitive environment is increasingly likely to turn into switching services. This has even fostered a novel type of economy, as statistics have shown that 5 percent of customer turnover can potentially increase profits by 25-95 percent.40 The so-called 'switching economy', a term first coined by Accenture,41 refers to the phenomenon of an increasing number of dissatisfied consumers intending to switch to different brands.

However, the design of the right to data portability around new copies of data does not guarantee a seamless transition without further concerns. The regulatory focus has been put on lock-in and on countermeasures that enable individuals to take up a new service easily, yet it does not, at least within the data portability framework, deal with the original copy, which still affects requesters. Without a proper arrangement for the original copy of personal data, the right to data portability has not fully realised its policy objective of facilitating the switching of services. This is because the relevant motivation only arises when the original service is comparatively worse, more expensive or entails a range of privacy risks. There is no reason to believe that a dissatisfied consumer who plans to switch over would be content to leave a copy of his or her data behind for further processing. From a data protection perspective, his or her private interest is also not fully protected simply by allowing another service to receive a copy of the personal data for a smooth transition. The switch is not 'complete' once exclusive data possession has been broken up, but only when the collateral concerns have been taken care of as well. In other words, the choice to switch service entails depriving the unsatisfactory service provider of access to the personal data. This is where the right to be forgotten enters the picture, as a good companion to the right to data portability, which fails to touch the original copy of the data. To be specific, whereas the latter right guarantees a seamless transition, enabling the individual's autonomy to choose a better service, the former can tackle the collateral concerns by eliminating the data residues in the original database.

37 Recital 68, GDPR, supra note 14.
38 Halloran, G. (2015, April 3). The "Switching Economy" and What It Means for Marketers. Retrieved March 19, 2017, from http://www.1to1media.com/customer-engagement/switching-economy-and-what-it-means-marketers.
39 Global Consumer Pulse Research Study 2013. Accenture. Retrieved from http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture-Global-Consumer-Pulse-Research-Study-2013-Key-Findings.pdf.
40 Halloran, supra note 38.
41 Ibid.

It has to be noted that although joint exercise is necessary to provide adequate protection for one's personal data, it does not necessarily produce a result equivalent to the data being 'extracted' from the original database. This is a circumstance anticipated in recital 68 of the GDPR, which denies the portability of an original copy of data without prior duplication. It might seem that having certain personal data completely copied and ported, with the original deleted afterwards, would ultimately achieve the 'portability' of the original copy, yet this is not the case given the different standards for triggering each right. Article 17 of the GDPR provides that the right to be forgotten is exercised primarily on the condition that the personal data are 'no longer necessary in relation to the purposes for which they were collected or otherwise processed',42 subject to a good range of exceptions. In contrast, the right to data portability in Article 20 is triggered by different conditions, and its scope is affected by other factors, such as the source of the data collected, the technical feasibility of the transfer, the specific means of processing, etc. Being subject to different sets of standards, the two rights cannot necessarily make the case that certain personal data can be completely ported from one database to another without ex ante duplication.

4.2. Legal context: The failing consent mechanism and supplements of individual rights

The current data protection regime, established upon the OECD framework, creates an individual control system consisting of a user consent mechanism together with individual rights. The former provides individuals with an important ex ante point of

42 Article 17, GDPR, supra note 14.


intervention against problematic processing, on which the latter, being mostly supplementary and access-based, cannot exert sufficient influence. Accordingly, the consent mechanism has played a predominant role in ensuring a level of informational self-determination for individuals who engage in determining the purpose of data processing.

However, this landscape has been greatly reshaped by the emergence of big data and the legislative response to such technological advances. On the one hand, the effectiveness of the consent scheme has been severely undermined by big data analytics, since the scale of data collection and processing has risen to an unprecedented extent at which case-by-case user consent is either impossible or overly time-consuming.43 Further, the purpose of data processing itself is no longer comprehensible or predictable, as big data analytics is undertaken on the basis of frequent repurposing with a view to detecting unforeseen correlations. It is therefore reasonable to be pessimistic about the consent mechanism's ability to realise the data protection values attached to it. Some scholars have even claimed that the consent-based model is so discredited in the face of big data challenges that it is 'beyond any regulatory repair'.44

On the other hand, the individual rights system, once merely supplementary to the consent mechanism, has gained much more weight after the EU data protection reform. In particular, the two newly introduced control-based rights are so powerful that even where the consent mechanism cannot properly be at play, a certain level of informational self-determination can be guaranteed ex post by their existence. At the least, these rights act as a last resort for individuals who are less able to exert influence at the early phase of data collection and processing, allowing them to 'pull the plug' if the entire dynamic ends up well beyond their control. As a compromise nevertheless has to be made between private interests and data utilisation, the regulatory focus has incrementally shifted from the initial stage of data collection to data analysis and misuse.45 Accordingly, a potential failure of the consent mechanism would become less destructive and can be supplemented by the combination of the two new rights, along with the others. The last point to be made here is that the exercise of either right alone is not sufficient if the consent mechanism does not play its part effectively. Joint exercise of both rights is necessary, as they represent the different aspects of privacy elaborated earlier. To be specific, whereas the right to be forgotten is devised to eliminate any negative implications caused by the existence of certain data, the right to data portability is created mainly for the positive possibilities enabled by data utilisation. It cannot be anticipated to what

43 Cate & Mayer-Schönberger, supra note 4.
44 Rubinstein, I. (2012). Big Data: The End of Privacy or a New Beginning? International Data Privacy Law (2013 Forthcoming), 12–56.
45 Tene and Polonetsky, supra note 5.


extent an individual cares for the positive or the negative aspect of privacy and, accordingly, the only viable approach to providing comprehensive protection of personal data must respect the diversity of values that modern data privacy laws pursue.

5. CONCLUSION

This paper has attempted to regale readers with a tale not very familiar to most of them. Although the two rights discussed in this paper quickly became known to the public by their catchy names, their potential interplay, and its significance, has not been given enough attention. The relationship between the two rights has its roots deep in EU data protection law, where there is a constant conflict between data access and erasure. Whilst the right to be forgotten is merely a clarification of the existing right to erasure, the right to data portability is distinctively defined and goes far beyond its prototype, the right of access. However, it is still shaped by the rationale behind the access right, taking data duplication as a prerequisite and notably applying only to new copies. Two major observations can be made on the basis of this right's design. First, the potential tension between data erasure and portability in general is defused under the GDPR because the two rights are enforced in 'a parallel world of data'. Second, the joint exercise of both rights is made not only possible but also necessary for data protection purposes.

The rest of the paper has detailed these two circumstances. The two rights clash with each other when more than one individual is involved. This situation is commonly seen on account of the social nature of personal data and the diversity of values in relation to privacy. The GDPR deals with the clash through the solution prescribed in Article 20(3), which prioritises the right to be forgotten. However, on the basis of the lessons drawn from access requirements, it is concluded that such a broadly defined term as 'without prejudice to' should be further detailed. Notably, technical solutions that examine the differentiability of data, for example, should be encouraged, and the different aspects of privacy, especially those relating to an individual's positive freedom, should be duly respected.

Aside from the clash of rights, the potential collaboration between the two has been examined as well. From a socio-economic perspective, evidence shows that consumers have become increasingly dissatisfied and inclined to switch services. The 'switching economy' will be further facilitated by EU data protection law, which guarantees a complete transition, including data transfers. Still, it is argued that consumers' dissatisfaction in relation to their privacy, for example, cannot simply be satisfied by a countermeasure against exclusive data possession. It further requires a sound arrangement for the original copy of the data still undergoing processing. This calls for an additional action and can be achieved by triggering the right to be forgotten. The joint exercise of both rights also makes sense considering the sea change brought to the regulatory landscape


in relation to data protection. The unprecedented level of data processing and the frequent repurposing of data make the consent mechanism less reliable in the new digital environment. Given the practical difficulty, if not impossibility, of operating an effective consent mechanism, the regulatory focus has incrementally shifted from the initial phase of data collection to that of analysis. As the consent model is failing to perform properly, the individual rights system, and especially the two new additions, is expected to play a more prominent role as the last resort for effectively combating data misuse. The two rights should be equally respected, as they represent different aspects of privacy, both of which are indispensable to an individual's private life.

6. BIBLIOGRAPHY

Aristotle. (2000). The Politics (Rev Ed edition). Middlesex: Pearson.

Cate, F. H., & Mayer-Schönberger, V. (2013). Notice and Consent in a World of Big Data. International Data Privacy Law, 3(2), 67–73.

Solove, D. J. (2006). A Taxonomy of Privacy. University of Pennsylvania Law Review, 477–564.

Friedewald, M., Finn, R. L., & Wright, D. Seven Types of Privacy. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.827.5418&rep=rep1&type=pdf

Zanfir, G. (2012). The Right to Data Portability in the Context of the EU Data Protection Reform. International Data Privacy Law, 2(3), 149–162.

Graef, I., Verschakelen, J., & Valcke, P. (2013). Putting the Right to Data Portability into a Competition Law Perspective. Law: The Journal of the Higher School of Economics, Annual Review, 53–63.

Cohen, J. E. (2012). What Privacy is For. Harvard Law Review, 126, 1904.

Mayer-Schönberger, V., & Cukier, K. (2013). Big Data: A Revolution that Will Transform how We Live, Work, and Think. Houghton Mifflin Harcourt.

Narayanan, A., Toubiana, V., Barocas, S., Nissenbaum, H., & Boneh, D. (2012). A Critical Look at Decentralized Personal Data Architectures. arXiv:1202.4503 [cs]. Retrieved from http://arxiv.org/abs/1202.4503.

Swire, P., & Lagos, Y. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2159157.

Rubinstein, I. (2012). Big Data: the End of Privacy or a New Beginning? International Data Privacy Law, 12–56.

Searls, D. (2013). The Intention Economy: When Customers Take Charge. Harvard Business Press.

Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), xxvii.

Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220.

Weiss, S. (2009). Privacy Threat Model for Data Portability in Social Network Applications. International Journal of Information Management, 29(4), 249–254.

Page 193: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

12

DATA PROTECTION FROM THE DESIGN OF PROCESSES: ADVANTAGES AND DISADVANTAGES

Santiago Martín-Romo Romero, Professor of Business Organisation, Universidad Rey Juan Carlos, Madrid, Spain

Carmen de Pablos Heredero, Professor of Business Organisation, Universidad Rey Juan Carlos, Madrid, Spain

ABSTRACT: Privacy by design (PbD) will shortly become an obligation that companies must meet when processing the personal data of the natural persons they interact with. So provides the GDPR (General Data Protection Regulation), the new EU legislation whose compliance becomes mandatory from May 2018 and whose aim is a higher level of protection of personal data. Although the concept of PbD has been discussed since the 1990s, the methods that have appeared have been applied to tie it to information-systems development or to very specific topics such as biometrics, electronic tolling, smart meters, etc. Considering that the philosophy of PbD entails proactivity aimed at protecting personal data, we propose to begin protecting it from the moment business activities are designed, that is, from the moment business processes are defined. Privacy from the perspective of business process management has received little research and there is a gap in the current literature, since no studies can be found on methodologies for integrating privacy into business processes. This paper proposes a set of measures that companies can implement to address privacy protection from process design. These measures are grounded in the strengths, weaknesses, opportunities and threats obtained by applying a SWOT analysis, for which we collected the opinions of recognised experts in security and privacy from both the technical and the legal fields.

KEYWORDS: GDPR; personal data; processes; privacy by design; SWOT.

1. PRIVACY BY DESIGN

Carrying out business activities involves using data of the natural persons with whom the company interacts, whether employees, customers, suppliers or the general public. These persons are the owners of their data and hold a set of rights throughout the whole cycle that the data follow within the company, from collection through processing to deletion (Perera, 2015), since that cycle affects their privacy.

The EU has promoted initiatives to change privacy legislation: in 2012 the European Commission proposed a new Regulation (PREPD Comisión 2012, PREPD Parlamento 2014), now the GDPR, which includes the principle of Privacy by Design (PbD).


PbD is a term introduced in the 1990s by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada (Cavoukian 2012). It proposes preserving privacy by taking measures that integrate the fundamentals of data protection into the technological system that processes the information. This initial approach was later broadened (Cavoukian 2012) to three areas of application: technology, business practices (organisations) and physical design (infrastructures).

This work concerns PbD applied from the definition of business processes onwards, that is, one step up from systems development. It proposes that companies, from the very moment they plan a business activity, incorporate the appropriate considerations about the processing of personal data that they will have to respect in that activity.

As Majdalawieh (2013) points out, privacy from the perspective of business process management has received little research and there is a gap in the current literature, since no studies can be found on methodologies for integrating privacy into business processes. The same assertion already appeared in Anderson et al. (2008) and FTC (2010).

2. THE STUDY

The main objective of the study was to obtain and analyse the opinion of a group of experts in privacy and information security on the advantages and disadvantages that companies may obtain by integrating privacy protection from the design of business processes.

The techniques used were a survey to collect the information and a SWOT analysis to frame the results obtained by descriptive statistics. The collected data were processed with a spreadsheet tool.

Strengths and weaknesses are considered to relate to the internal analysis of the organisation (leadership, strategy, people, partnerships/resources and processes).

Opportunities and threats are considered to relate to the external analysis of the organisation (market, sector and competition).

2.1. The questions asked and the proposed answers

The survey, designed to facilitate the collection of information on the weaknesses, threats, strengths and opportunities that integrating privacy protection from process design may imply for companies, was based on 8 questions: 4 with closed answers, from which respondents chose those they considered most appropriate (checklist-type questions), with the possibility of justifying their choice in the other 4 open-answer questions.


The answers proposed to guide the experts towards possible strengths, weaknesses, opportunities and threats were worked out along the aspects (dimensions) proposed by the PEST technique (Johnson and Scholes, 1997), that is, the political dimension (including the legal one), the economic dimension, the social dimension and the technological dimension.

The answers belonging to the political-legal aspects are collected in Table 1.

Table 1. Answers related to political-legal aspects

As for the proposed answers on political-legal aspects, as DPI (2013) notes, the situation regarding the new EU privacy legislation (GDPR 2016) only increases companies' uncertainty about implementing the GDPR: immersed in the current economic crisis, they contemplate the additional burden its implementation may entail, both economic and in terms of work processes and documentation and information procedures.

En cuanto al grado de cumplimiento actual, según las estadísticas elaboradas se resalta como el número de empresas en España que tiene pendiente el mínimo requisito legal como es el registro de sus ficheros es elevado (INTECO 2012, DPI 2013).

En el GDPR consta en su art. 25 la futura obligación de que las empresas deberán elaborar y aplicar políticas internas de protección de datos que den cumplimientos al principio del “Privacy by desing” y el de “Privacy by default” (GDPR 2016), por ello se ha incluido como una posible oportunidad aplicar esta filosofía.

Las respuestas pertenecientes a los aspectos económicos están recogidas en la Tabla 2.


Table 2. Answers related to economic aspects

The proposed answers belonging to the economic aspects relate to companies' reluctance to adopt privacy practices on their own, with legislation able to oblige them to do so and thereby ensure that they follow privacy principles. By way of example, the EU Data Protection Regulation (GDPR 2016) provides for fines of up to 4% of the company's worldwide turnover. Heavy fines of this kind encourage the adoption of the privacy practices needed to comply with the legislation (PRIPARE 2014).

Recent information-system security breaches have turned privacy into a very valuable asset for companies. The consulting firm PwC reveals in its reports (PwC 2013, PwC 2014) that many companies are willing to shape their business around their customers' wishes, and that most CEOs would make changes in order to keep or grow their customer base. Customers increasingly value respect for the privacy and confidentiality of their data (PwC 2015).

The European trust barometer (Edelman 2014) confirms that 85% of customers believe that when an organization demonstrates that it protects customer data, this has positive effects on their engagement with the company and on the perceived value of its products and services, making it the second most impactful positive behaviour. This statement is reinforced by studies such as Tsai et al. (2011) or Jentzsch (2012), which show that users are willing to pay more to receive a service that respects their privacy rather than an invasive alternative. Therefore, companies or organizations that respect privacy obtain greater competitive advantages (Cavoukian 2008) (Witt 2012) (PRIPARE 2014).

Respect for privacy in product and service transactions will not only produce benefits in the form of increased revenue due to the competitive advantage, but also in the reduction of the risk of possible privacy infringements (Cavoukian 2008) (Watson et al. 2009), consequently avoiding damage to corporate reputation, lawsuits and the cost of fines (Ponemon 2013). According to the study conducted in 2015 on 350 companies (Ponemon 2015) from 11 countries, the cost of the security breaches that occurred averaged 3.8 million dollars, a 23% increase over 2013. For that research, a security breach occurs when sensitive, protected or confidential data is lost or stolen and put at risk.

The answers belonging to the social aspects are listed in Table 3.

Table 3. Answers related to social aspects

The proposed answers belonging to the social aspects relate to achieving greater transparency for citizens, protecting one of the company's most valuable assets: the personal data of customers, employees, etc. (Watson et al. 2009; DPI 2013).

Just as environmental awareness has led companies to increase their ecological practices, privacy awareness leads to the adoption of good practices in this field. A survey conducted by the London School of Economics (2010) provides clear evidence that "a low level of information among companies about PETs negatively affects the perception of their benefits". Clearly, the more information an organization has about PETs and privacy practices, the greater its perception of their benefits, and hence the greater their adoption. Self-regulation practices can increase both awareness and adoption of privacy practices. Self-regulation becomes an effective driver that can support and increase the adoption of privacy practices, for example the EU PIA-RFID (2011).

In a recent consumer survey by PwC (PwC 2015b), 24% confirmed that their confidence in companies' ability to protect their personal data had decreased over the past 12 months. Cyber-security incidents are now so common that the number of detected incidents rose from 48% in 2013 to 42.8 million dollars (PwC 2015). In the past year virtually every sector has been affected, incurring significant costs in attempting to manage and mitigate those incidents (PwC 2015). It is not surprising, then, that CEOs' concern about cyber-security as a potential threat has risen to 61% from 48% a year earlier.

Page 198: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

197 PROTECCIÓN DE DATOS DESDE EL DISEÑO DE LOS PROCESOS: VENTAJAS...

In the report "Towards a Total Retail model" (PwC 2015c), which analyses online shoppers' expectations and consumption habits on the basis of 15,000 interviews with digital shoppers around the world and the implications for companies in the retail and consumer sector in the coming years, 43% of respondents stated that they do not shop online because they are concerned about the security of their personal data.

In recent years espionage programmes have been uncovered, such as PRISM (Greenwald 2013), involving large ICT companies (Facebook, Yahoo, Google, LinkedIn or Microsoft) together with the NSA (Ackerman 2014). Initiatives have already emerged from these same companies calling on the world's governments to address the practices and laws that regulate government surveillance of people and access to their information. This is in line with older initiatives such as the OECD's original principles on this subject (OECD 1980), updated in 2013 (OECD 2013), or the Madrid Declaration of 2009. This industry-driven initiative shows the intention of large companies to adopt better security and privacy practices that prevent government espionage programmes.

The answers belonging to the technological aspects are listed in Table 4.

Table 4. Answers related to technological aspects

Page 199: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

198 Managing Risk In the Digital Society

In the case of the proposed answers belonging to the technological aspects, it is worth noting that when a technology has reached an acceptable degree of maturity it is generally easier for the general public to understand, and so enjoys high levels of diffusion. Moreover, maturity usually reduces the cost of the technology. Reducing the cost of privacy practices, as well as understanding better how they work, will also lower the barriers to their adoption (PRIPARE 2014).

Standardization is an effective vehicle for transferring research results into successful market exploitation. The standardization of privacy practices facilitates their adoption and interoperability, and can reassure consumers when new technologies are applied (PRIPARE 2014). After the PRISM revelation (Greenwald 2013), one of the areas of action for maintaining the continuity of data flows between the EU and the US is to "promote privacy standards at the international level" (PREPD Comisión 2012).

Recent reports such as the Eurobarometer (EC Eurobarometer 2011) (EC Eurobarometer 2012) or those from independent companies (Rainie et al. 2013) reflect that a large majority of internet users are concerned about the use made of their data when they transmit it to providers while paying online by card or mobile phone.

These conclusions coincide with academic research by Tsai et al. (2011) and Egelman (2012), which shows that users who expose their personal data prefer providers that offer them better privacy guarantees, and are even willing to pay a higher price for using systems that better protect their privacy.

Several points of view coexist in industry on how to increase privacy in ICT systems. The adoption of privacy practices depends largely on the business sector from which companies derive their income. While some sectors such as financial services or healthcare are more open to accepting privacy practices, since they are used to stricter scrutiny because of their legal obligations (as they process sensitive data), other sectors whose business is based on exploiting personal data (for example online advertising or big data) oppose any privacy practice that could jeopardize their business model. This trend is confirmed by the ENISA report on the outcomes of the Annual Privacy Forum held in 2012: "A number of technical approaches have been proposed to solve the privacy problem, targeting different parts of the privacy architecture. However, the lack of flagship initiatives in the area of privacy, where industry would set the requirements, and of initiatives to synthesize a complete model, was highlighted once again" (ENISA 2012).

It should be noted that a "privacy industry" is emerging in this field, developing and deploying trusted frameworks and privacy solutions to facilitate compliance with the stricter legislation.


The PRIPARE project (2013), sponsored by the EU with the aim of providing a privacy protection method that can be integrated into the information systems development life cycle, launched an online questionnaire to detect the PbD practices currently applied in industry and the problems related to their application. One of its questions sought the motivations for applying PbD, offering as possible answers some of the strengths and opportunities included in our questionnaire. The motivations proposed included:

• Integrating privacy provides competitive advantages
• Economic incentives reflected in reduced risks related to the collection of sensitive data
• Legal compliance
• Standardization of requirements
• Self-regulation in the industry sector
• Maturity and accessibility of privacy-enhancing technologies
• Commitment to protecting customer privacy

2.2. Study participants

The data for the study were obtained from a survey of a group of privacy experts from both the technical field of information security and the legal field.

The following factors were taken into account when selecting the candidate experts to take part in the study:

• Experience and knowledge in information security and privacy / data protection, as well as reputation in the sector.

• Diversity of profiles in the group: companies, universities, business associations, supervisory authorities in the field of personal data protection, providers of legal services and of consulting and support services related to personal data protection.

Initially 25 experts were chosen as candidates to take part in the study. A total of 18 completed surveys were received, and contacts for clarification were made throughout 2015.

With the above criteria, the participating expert group was made up of the professional profiles detailed in Table 5.


Table 5. Organizations and experts participating in the study

| ENTITY | ROLE | EXPERT IN |
| --- | --- | --- |
| Data protection consulting firm | Data protection manager | IS security |
| iTTi, Innovation & Technology Trends Institute | IS security manager | IS security |
| Universidad de Valencia | Professor of law | Legal |
| Large financial institution | IS security manager | IS security |
| Large financial institution | IS security manager | IS security |
| Insurance company | IS security manager | IS security |
| Public body | IS security manager | IS security |
| Universidad Castilla La Mancha | Full professor of IS | IS security |
| Large financial institution | IS security manager | IS security |
| Universidad de Murcia | Professor of law | Legal |
| Universidad Rey Juan Carlos | Professor of law | Legal |
| Data protection regulatory body | Manager | Legal |
| Insurance company | Head of legal | Legal |
| Univ. Carlos III de Madrid | Full professor of business organization | IS security |
| Univ. Carlos III de Madrid | Professor of IS security | IS security |
| Freelance data protection professional | Legal expert | Legal |
| Universidad Politécnica de Valencia | Professor of IS security | Security |
| Data protection consulting firm | Manager | Legal |

2.3. Results obtained

The experts' opinions on the weaknesses, threats, strengths and opportunities they consider arise when implementing the philosophy of integrating privacy protection into process design are presented below in charts.

Chart 1 shows that, of the proposed strengths, the one chosen first by the experts was obtaining greater protection for the data of the individuals the company processes (option 3 - 94%), with this option valued more by the security profiles than by the legal ones. The second most chosen option was improving the management of privacy protection in the company (option 7 - 83%), in this case with a similar percentage between the legal and security profiles. The general increase in security implied by addressing privacy from process design is also valued as a strength (option 9 - 67%), although in this case much more so by the legal profiles than by the security ones. The remaining options were chosen by roughly half of the respondents, with the legal profiles notably choosing option 1 (long-term cost savings, fewer fines) and option 5 (less future effort in handling data subjects' rights (especially rectification and cancellation)). The least chosen option (option 4 - 39%) is achieving greater coordination and collaboration between multidisciplinary teams for process definition, which, although fairly valued by the legal profiles, was not so by the security profiles.

Chart 1. Results on strengths (own elaboration)

1. Long-term cost savings (fewer fines)
2. Less time and effort in the subsequent implementation of the defined process
3. Greater protection of the data of the individuals the company processes (degree of compliance)
4. Greater coordination and collaboration between multidisciplinary teams for process definition
5. Less future effort in handling data subjects' rights (especially rectification and cancellation)
6. Less effort in handling matters related to the Data Protection Agency (protection of data subjects)
7. Improved management of privacy protection in the company
8. Makes it easier to detect cases where a PIA (Privacy Impact Assessment) is advisable
9. Results in an increase in security in general

Chart 2 shows that the opportunity mainly chosen (option 1 - 83%) that integrating privacy into process design would provide is strengthening the company's image, with the legal profiles valuing this option more. In second place (option 2 - 67%) came greater trust from data subjects towards the company, valued somewhat more by the security profiles, and close behind (option 4 - 63%) came achieving differentiation from competitors, in this case valued more by the legal profiles. Less consideration was given (option 5 - 28%) to the alternative that this philosophy is included in the 2012 proposal for a European Data Protection Regulation, although it was somewhat more valued by the legal profiles, and to option 6, making it possible to contract external services that help apply this philosophy, with similar percentages in both profiles. Option 3, use as a marketing element, which ended up in the middle, was valued more by the technical profiles.


Chart 2. Results on opportunities (own elaboration)

1. Strengthening the company's image
2. Greater trust from data subjects towards the company
3. Use as a marketing element
4. Differentiation from competitors
5. Inclusion of this philosophy in the 2012 draft European Data Protection Regulation
6. Possibility of contracting external services that help apply this philosophy

Chart 3 shows that, as regards weaknesses, the one chosen first (option 6 - 83%) was the shortage of trained staff (in privacy and in process management) in the organization to tackle this type of approach, chosen mainly by the legal profiles. In second place (option 7 - 72%) came the shortage of methods to put this approach into practice correctly, with the legal and security profiles in agreement. The least chosen weakness (option 4 - 6%) was excessive effort for the possible results (using a sledgehammer to crack a nut), hardly chosen by either the legal or the security profiles, which shows the importance the subject has for them. The experts' assessment of the costs that implementing this approach may entail (option 1) is noteworthy, since only 28% considered that more costs would be incurred, with legal and security profiles in agreement.

Options "3. Integrating privacy analysts among process analysts would not be welcome. Excessive desire for independence between groups" and "5. Too many issues to integrate into process definition (privacy, quality, security, occupational risks, environment, ...)", although they do not stand out overall (around 40%), are chosen fairly often (almost 60%) by the legal profiles. The opposite happens with "2. It would slow down process definition and hence the launch of a new business", which is chosen more by the security profiles (43%) and does not reach 30% among the legal profiles.


Chart 3. Results on weaknesses (own elaboration)

1. More costs would be incurred
2. It would slow down process definition and hence the launch of a new business
3. Integrating privacy analysts among process analysts would not be welcome. Excessive desire for independence between groups
4. Excessive effort for the possible results (using a sledgehammer to crack a nut)
5. Too many issues to integrate into process definition (privacy, quality, security, occupational risks, environment, ...)
6. Shortage of trained staff (in privacy and in process management) in the organization to tackle this type of approach
7. Shortage of methods to put this type of approach into practice correctly

Chart 4 shows that the threats a philosophy like the one addressed in this study may entail, according to the experts' answers, are delays in time to market due to including privacy from the design stage (option 4 - 56%), chosen considerably more by the security profiles. In second place, the effort made by the company not being valued by data subjects (option 3 - 50%), also chosen more by the security profiles, and lastly, the use of resources (opportunity cost) in an area outside the core business relative to competitors (option 1 - 44%), chosen equally by legal and security profiles. The remaining options were hardly selected, although it is worth noting the greater choice by the legal profiles of options "5. Possibility of contracting the application of this philosophy to unprepared external professionals" and "8. The crisis, at the present time, does not allow resources to be devoted to these issues".


Chart 4. Results on threats (own elaboration)

1. Use of resources (opportunity cost) in an area outside the core business relative to competitors
2. Giving clues to data protection regulators if the detected privacy requirements are not subsequently met
3. Not being valued by stakeholders
4. Delays in time to market due to including privacy from the design stage
5. Possibility of contracting the application of this philosophy to unprepared external professionals
6. If the degree of compliance with Spanish data protection legislation is not high, mixing it with process definition is not expected to be successful
7. The uncertainty as to when (if ever) the 2012 draft European regulation will be approved
8. The crisis, at the present time, does not allow resources to be devoted to these issues

3. CONCLUSIONS

The requirements for protecting individuals' privacy in the processing of their data within company processes can be incorporated early, when designing those processes, or afterwards, once the processes have been implemented.

Integrating privacy into process design entails a series of strengths, opportunities, weaknesses and threats, which were submitted to the judgement of a group of recognized experts from both the legal and the technical (security) fields.

The surveyed experts consider that the strengths of this approach lie mainly in providing greater protection for the data of the individuals the company processes, and that the opportunities come from improving the company's image, obtaining greater trust from data subjects towards the company and achieving differentiation from competitors. The weaknesses stem from the lack of training and shortage of trained staff (in privacy and in process management) in the company to tackle this type of approach, and from the shortage of methods to put them into practice. The threats relate to the possible influence of a longer time for the company to bring its products to market (time to market), to the effort made by the company in using resources (opportunity cost) in an area outside the core business, and to the low value data subjects may place on this approach.

The three most chosen options for each SWOT concept are listed in Table 6.

Table 6. Most chosen options in the SWOT overall

| STRENGTHS | WEAKNESSES |
| --- | --- |
| Providing greater protection for the data of the individuals the company processes | Lack of training and shortage of trained staff (in privacy and in process management) to tackle this type of approach |
| Improving the management of privacy protection | Shortage of methods to put them into practice |
| General increase in security implied by addressing privacy from process design | Too many issues to integrate into process definition (privacy, quality, security, occupational risks, environment, ...) |

| OPPORTUNITIES | THREATS |
| --- | --- |
| Improving the company's image | Longer time for the company to bring its products to market (time to market) |
| Obtaining greater trust from data subjects towards the company | The effort made by the company in using resources (opportunity cost) in an area outside the core business |
| Achieving differentiation from competitors | Low value that data subjects may place on this approach |

Table 7 lists the most chosen options by profile (legal or security). There are notably few differences in the options chosen by the two groups.


Table 7. Most chosen options in the SWOT by profile

| | LEGAL PROFILE | SECURITY PROFILE |
| --- | --- | --- |
| STRENGTHS | 3. Greater protection of the data of the individuals the company processes (degree of compliance); 7. Improved management of privacy protection in the company; 9. Results in an increase in security in general | 3. Greater protection of the data of the individuals the company processes (degree of compliance); 7. Improved management of privacy protection in the company; 9. Results in an increase in security in general; 6. Less effort in handling matters related to the Data Protection Agency (protection of data subjects); 8. Makes it easier to detect cases where a PIA (Privacy Impact Assessment) is advisable |
| WEAKNESSES | 6. Shortage of trained staff (in privacy and in process management) in the organization to tackle this type of approach; 7. Shortage of methods to put this type of approach into practice correctly; 3. Integrating privacy analysts among process analysts would not be welcome. Excessive desire for independence between groups | 6. Shortage of trained staff (in privacy and in process management) in the organization to tackle this type of approach; 7. Shortage of methods to put this type of approach into practice correctly; 2. It would slow down process definition and hence the launch of a new business |
| OPPORTUNITIES | 1. Strengthening the company's image; 4. Differentiation from competitors; 3. Use as a marketing element | 1. Strengthening the company's image; 2. Greater trust from data subjects towards the company; 4. Differentiation from competitors |
| THREATS | 1. Use of resources (opportunity cost) in an area outside the core business relative to competitors; 3. Not being valued by stakeholders; 4. Delays in time to market due to including privacy from the design stage; 8. The crisis, at the present time, does not allow resources to be devoted to these issues | 4. Delays in time to market due to including privacy from the design stage; 3. Not being valued by stakeholders; 1. Use of resources (opportunity cost) in an area outside the core business relative to competitors |

This set of strengths, opportunities, weaknesses and threats guides the preparation of the action guidelines or recommendations offered below, which can be used when implementing the approach of data privacy from process design in order to reinforce the strengths, remedy the weaknesses, avoid the threats and exploit the opportunities.

Based on the results obtained, the following strategies and actions are proposed for companies to put into practice in order to address privacy from process design:


Offensive strategy (strengths + opportunities):
• Formalize the practice of privacy by design within the company, creating procedures that help apply it
• Include the way privacy is handled as one more element of the company's process improvement.
• Obtain, where possible, privacy certifications and privacy-compliance seals

Defensive strategy (strengths + threats):
• Communicate to data subjects the privacy-by-design approach adopted by the company and the advantages this approach brings.
• Carry out marketing actions aimed at communicating how the company handles privacy protection
• Standardize the tasks that involve handling privacy in process definition, so that they affect the company's business activities as little as possible, both in time and in resource cost.

Reorientation strategy (weaknesses + opportunities):
• Raise managers' awareness so that they take privacy into account as part of all decisions involving the collection and sharing of personal data.
• Integrate the handling of privacy into other related disciplines that support the process life cycle in the company, including it for example in business cases, in purchasing procedures and in project management.
• Develop a privacy culture and privacy awareness among employees.
• Run campaigns and training programmes for the employees involved in the company's process definition phases, to raise awareness of the need to integrate privacy into process design

Survival strategy (weaknesses + threats):
• Promote and collaborate with consulting firms in the use of methods for integrating privacy into process definition
• Create positions at the organizational level whose mission is to support the privacy culture and who can answer any questions company staff may have.
• Incorporate privacy risks into the risk analysis and management the company performs.


4. BIBLIOGRAFÍA

Ackerman S., (2014). US tech giants knew of NSA data collection, agency’s top lawyer insists”, The Guardian, 19/03/2014. [Fecha de consulta: 8-8-2015]. http://www.theguardian.com/world/2014/mar/19/us-tech-giants-knew- nsa-data-collection-rajesh-de

Anderson, J. and Rachamadugu, V., (2008). Managing security and privacy inte-gration across enterprise business process and infrastructure. IEEE International Conference on Services Computing

Cavoukian A., (2008). Minimize Risk – Maximize Protection and Gain a Competitive Advantage: Privacy is Good for Business.

Cavoukian A., (2012) Privacy by Design. IEEE TECHNOLOGY AND SOCIETY MAGAZINE

DPI (Data Privacy Institute). (2013) Reflexiones sobre el futuro de la privacidad en Europa. II Estudio sobre el impacto en España de la propuesta de Reglamento de Protección de Datos de la UE. ISMS Forum Spain

EC European Commission Eurobarometer (2011). Attitudes on Data Protection and Electronic Identity in the European Union – Special Eurobarometer 359. TNS Opinion & Social. [Fecha de consulta: 8-8-2015]. http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf

EC European Commission Eurobarometer (2012).Cyber security – Special Eurobarom-eter 390. TNS Opinion & Social. [Fecha de consulta: 8-8-2015]. http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf

Edelman Trust Barometer, (2014). [Fecha de consulta: 8-8-2015]. http://www.edelman.com/insights/intellectual- property/2014-edelman-trust-barometer/.

Egelman S., Felt A., and Wagner D., (2012) Choice architecture and Smartphone privacy: There’s a price for that. University of California, Berkeley.

ENISA. European Union Agency for Network and Information Security, (2012). Re-port on Annual Privacy Forum 2012.. [Fecha de consulta: 8-8-2015]. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/report-on-annu-al-privacy-forum-2012

EU PIA-RFID (2011) Privacy and Data Protection Impact Assessment Framework for RFID Applications. Annex to the Opinion 9/2011 on the revised Industry Proposal. Brussels: Article 29 Data Protection Working Party. [Fecha de consulta: 8-8-2015]. http://cordis.europa.eu/fp7/ict/enet/documents/rfid-pia-framework- final.pdf.

FTC Federal Trade Commission (Bureau of Consumer Protection) (2010.) A prelim-inary FTC staff report on protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers. Fecha de consulta: 23-9-2015 http://www.ftc.gov/os/2010/12/101201privacyreport.pdf

Page 210: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

209 PROTECCIÓN DE DATOS DESDE EL DISEÑO DE LOS PROCESOS: VENTAJAS...

GDPR General Data Protection Regulation (2016) Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo de 27 de abril de 2016 relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos, disponible en http://ec.europa.eu/justice/data-pro-tection/reform/index_en.htm [Fecha de consulta: 8-10-2016].

Greenwald G. and MacAskill E., (2013) NSA Prism program taps in to user data of Apple, Google and others, The guardian, 7th June,. [Fecha de consulta: 8-8-2015]. http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

INTECO (2012). Estudio sobre la protección de datos en las empresas españolas. Insti-tuto Nacional de Tecnologías de la Comunicación.

Jentzsch N, Preibusch S, Harasser A, Ikonomou D, Tirtea R. (2012) Study on monetising privacy. An economic model for pricing personal information.

Johnson, G. & Scholes, K. (1997) Dirección Estratégica. Análisis de la estrategia de las organizaciones. Prentice-Hall. Madrid

London School of Economics (2010). Study on the economic benefits of privacy en-hancing technologies (PETs). Final Report to the European Commission. [Fecha de consulta: 8-8-2015]. http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf

Majdalawieh M., (2013) Building a privacy model in the business processes of the enterprise: an information systems design science research. Eurasian Journal of Business and Management

OECD Organisation for Economic Co-operation and Development (2013) Recom-mendation of the OECD Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. Paris. [Fecha de consulta: 8-8-2015]. http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm

OECD Organization for Economic Co-operation and Development (1980) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,. [Fecha de consulta: 8-8-2015] http://www.oecd.org/sti/ieconomy/oecdguideline-sontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

Perera C., Ranjan R., Wang L., (2015) End-to-End Privacy for Open Big Data Mar-kets.IEEE CLOUD COMPUTING

Ponemon Institute (2013). Cost of Data Breach Study: Global Analysis. Michigan. [Fe-cha de consulta: 8-8-2015]. https://www.symantec.com/

Ponemon Institute (2015). Cost of Data Breach Study: Global Analysis, Michigan. [Fe-cha de consulta: 8-8-2015]. https://www.symantec.com/

PREPD Propuesta Reglamento Europeo Protección de datos Comisión EU COM Commission’s proposal (2012) 11 final, disponible en http://eur-lex.europa.eu/le-gal-content/EN/TXT/?qid=1419003505129&uri=CELEX:52012PC0011 [Fecha de consulta: 8-8-2015].

Page 211: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

210 Managing Risk In the Digital Society

PREPD Propuesta Reglamento Europeo Protección de datos Parlamento European Parliament: general data protection regulation (2014), ordinary legislative pro-cedure:first reading, disponible en http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402

PRIPARE (2013). PReparing Industry to Privacy-by-design by supporting its Applica-tion in REsearch FP7-ICT-2013-1.5

PRIPARE (2014) State-of-play: Current Practices and Solutions. EUROPEAN COM-MISSION. 7th Framework Programme for Research, technological Development and Demonstration Web del pripare

PwC (2013), 10Minutes on building a customer-centered organization PwC (2014) 17th Annual Global CEO Survey.PwC (2015c) Achieving Total Retail survey.PwC (2015), 18th Annual Global CEO Survey.PwC (2015b) Analyse this: Are CEOs embracing the boom in personal data?Rainie L, Kiesler S, Kang R, and Madden M, (2013). Anonymity, Privacy, and Security

Online. Pew Internet Report. [Fecha de consulta: 8-8-2015]. http://pewinternet.org/~/media//Files/Reports/2013/PIP_AnonymityOnline_090513.pdf

Tsai J., Egelman S., Faith Cranor L., Acquisti A., (2011) The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. Information Systems Research Vol. 22.

Watson Hall Ltd and John Leach Information Security Ltd (2009). The Business Case for Investing in Proactive Privacy Protection. WEB del ICO.

Witt S., (2012) Integrated Privacy Modeling and Validation for Business Process Mod-els. Proceeding EDBT-ICDT ‘12 Proceedings of the 2012 Joint EDBT/ICDT Workshops. ACM.


13

THE NEW GOVERNANCE MODEL FOR THE RIGHT TO DATA PROTECTION IN EUROPE

Ramón Martín Miralles López, Coordinator of Audit and Information Security, Catalan Data Protection Authority

Joana Marí Cardona, Head of Evaluation and Technological Studies, Catalan Data Protection Authority

ABSTRACT: The General Data Protection Regulation, approved by the European Parliament in May 2016, represents a substantial change in the governance of the right to the protection of personal data in Europe, which will now rest on two pillars: the risk-based approach and proactive responsibility (accountability). Consequently, the risks to the rights and freedoms of individuals entailed by processing operations must be taken into account from a management perspective, so that the Regulation imposes, as a substantive obligation, the identification, analysis and assessment of those risks and their effective treatment through appropriate measures that modify them, that is, that tend to reduce their likelihood and severity, so that personal data are processed under adequate conditions. The notion of high risk takes on special importance: its lack of definition in the Regulation itself, together with its relevance to certain specific obligations, such as impact assessments or the notification of security breaches affecting personal data, makes it necessary to specify at which point in processing activities a high risk to rights and freedoms arises; the Article 29 Working Party, in its 2016 action plan for the implementation of the Regulation, considered it a priority to specify what should be regarded as high risk in relation to personal data processing activities. This paper analyses this new risk-based approach and the alternatives for addressing it, with particular attention to the notion of high risk, all the more so because it is not solely a matter of managing the typical risks associated with information systems: the risks that may affect the rights and freedoms of the persons whose data are to be processed must now also be taken into account.

KEYWORDS: data protection, privacy, GDPR, risk, impact assessment, rights and freedoms, governance, Europe

1. THE NEED FOR A CHANGE OF MODEL

The right to the protection of personal data, closely linked to informational self-determination, aims to guarantee individuals, broadly and individually, control over the information that refers to them. Its purpose is that every person can control their personal data. This right, which derives from the provisions of Article 18 of the Constitution, falls within the so-called personality rights, that is, rights that protect facets of the human being directly related to their condition as a person.

This objective, pursued by the current protection legislation, was being diluted by the so-called emerging technologies, such as big data, the Internet of Things, artificial intelligence, cloud computing, etc., which make it possible to collect, process and elaborate, at a global level, vast amounts of data in order to generate new information with new value for the market. At the same time, these are technologies that are frequently not very transparent for individuals, and the extent to which they can intrude on privacy is difficult to understand. These circumstances result in individuals losing control over their information and, ultimately, over their own identity. To this was added the fact that divergences in the application of data protection legislation across Europe generated excessive bureaucratic costs and a degree of legal uncertainty for the various market players.

All of this, among other issues, led to the need to update European data protection legislation and make it "technologically resilient", to give individuals greater control over their data, and to eliminate obligations that, without providing guarantees for individuals' rights, generated costs for the entities processing the data.

After a long and complex legislative process, on 25 May 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR), was approved.

As the GDPR already states in its first recitals, it "is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of natural persons", adding that "the processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality". The extraordinary technological advances and the new digital society that is developing, with a new vision of and interaction with technology, require "a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced", while at the same time those operators must assume a proactive responsibility that allows them to demonstrate their commitment to the principles, rights and obligations of the new regulation.

We see, then, that there was a need for a regulatory change to address new needs in a society facing an unprecedented evolution, one even too fast to be processed naturally by individuals, let alone by the legislator itself. The GDPR represents a paradigm shift for the guarantee of privacy: it introduces a new model based on transparency, user control over their information, the proactive responsibility of controllers and processors, and the management of the real risks to the rights and freedoms of individuals.

We must not forget the instrumental nature of the right to data protection, which serves as a guarantee for the whole set of rights and freedoms of individuals, and for principles and values such as freedom, dignity, the free development of personality and the principle of non-discrimination.

2. THE GENERAL DATA PROTECTION REGULATION: A MODEL FOCUSED ON ACCOUNTABILITY AND RISK ASSESSMENT

The GDPR introduces a series of tools aimed at controllers and, in some cases, processors, whose objective is to improve the management of personal information, starting from the principle of proactive responsibility (accountability) and centring decision-making about processing operations on the management of the risk that the processing of personal data may generate for the rights and freedoms of individuals.

The individual, and the protection of their rights and freedoms, is the axis around which the circumstances in which processing will be carried out must be decided. Any processing of personal data must be assessed taking into account its potential impact on the rights and freedoms of individuals, and must incorporate whatever elements are necessary to control the risks. To achieve this, the Regulation provides a series of instruments that should make it possible to reach this objective without limiting innovation or the proper development of the business, product or service of the entity processing the data.

We are facing a change of model oriented towards information management, towards the "governance" of the personal data processed in organizations and of the risk they entail. Controllers and processors must effectively control the information they manage, with the ultimate aim of protecting the rights and freedoms of the persons whose data are processed. To achieve this "good governance" of information, entities must integrate privacy into their ordinary information-management procedures; the obligations established in the GDPR are intended to do just that, by making compliance more flexible, in the sense of allowing controllers to determine the best way to safeguard the interests of individuals, without forgetting that it is no longer solely a matter of complying: they must now be in a position to demonstrate that they comply.

2.1. Privacy by design and by default

Privacy by design and privacy by default are not new concepts in the field of guaranteeing the right to data protection.

Specifically, privacy by design (which in practice also encompasses privacy by default) implies a particular attitude towards guaranteeing the right to data protection, one that includes security and privacy solutions at the moment projects are designed, adding new procedures common to the whole organization; at the moment of defining the organizational structures that are to oversee the application of privacy and security criteria; and at the moment of selecting the technology used to process the information, since these three aspects (procedure, organization and technology) have a direct bearing on the management of personal information.

By way of example only, some of the instruments that will serve to incorporate privacy by design are: data protection impact assessments, Customer Preference and Choice (CPC), Information-Centric Security, the data protection officer, Privacy Enhancement Technologies (PET), and Data Loss Prevention (DLP) technologies.

These are only some of the possible examples of solutions that allow privacy by design to be incorporated in organizations, according to the needs and particularities of each, and whose ultimate objective is to prevent violations of the right by taking into account, in the early phases of project development, the set of principles, rights and obligations laid down in the regulation.

Data protection by design will allow organizations a more flexible approach to complying with the obligations and guaranteeing the rights and principles regulated in the GDPR, since it makes it possible to include, alongside the definition of functional, economic, opportunity, technological and other requirements, those linked to respect for the privacy of the persons affected by the processing, that is, the protection of personal data, which will help ensure that they are not perceived, as happens now, as difficulties or inhibitors.

The GDPR refers to data protection by design in Article 25, and does so jointly with data protection by default, although we must bear in mind that they are two different mechanisms. In fact, data protection by default can be regarded as one solution for achieving data protection by design.

Specifically, Article 25(1) of the GDPR states that:

"Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."

We see, therefore, that data protection by design is nothing other than the assumption of a real and effective commitment to the right to data protection, leading to a very precise objective: protecting the rights of data subjects through the introduction of all those measures necessary to achieve this end.

Furthermore, in paragraph 2 of the same Article 25, the GDPR regulates data protection by default in the following terms:

"2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

Data protection by default is nothing other than a set of objectives that must be taken into account when designing processing operations. The legislator makes it mandatory by regulating it expressly and, therefore, the controller must incorporate into its information governance model all those elements necessary to ensure that, as a general rule, the principles regulated in Article 5 of the GDPR are taken into account and applied.

2.2. Data protection impact assessment (hereinafter DPIA)

A privacy impact assessment is a systematic process for evaluating the possible negative effects on individuals' privacy that an action involving the processing of personal data may entail, both with respect to present effects and to potential future effects; that assessment must also incorporate the decisions taken to eliminate or minimize that impact.

The obligation to carry out the DPIA falls on the controller, although, to comply with this obligation, it must rely, where applicable, on the support and collaboration of the data protection officer1 and the processor2.

In carrying out a DPIA, various aspects must be taken into account that will bring improvements across the organization as a whole. Among others we find: respect for privacy, the reduction of the volume of information, control over the information managed, the transparency of processes, and security measures.

The advantages of applying a DPIA do not only concern individuals. The entity managing the information can itself benefit, for example through improved trust in the institution, and a DPIA may even lead to cost reductions, insofar as the improvement of processes, and their integration into the organization's general management system, should entail a lower investment of resources.

A DPIA must be carried out in an integrated manner with the organization's project-management process and its internal quality system. It must be carried out in the initial phase of conceptual design and definition of a project's requirements.

DPIAs are, after all, an instrument of privacy by design, and carrying them out late may entail changes to the design, with the consequent increase in costs and delay in launching the project.

The GDPR regulates this instrument in Article 35, incorporating a new obligation for the controller: to assess the impact that personal data processing operations may have on the protection of those data, when the use of advanced technologies, or the volume of the data processed or their special sensitivity, may put the rights and freedoms of individuals at risk.

DPIAs are, after all, the European version of privacy impact assessments, known by their English acronym PIA (Privacy Impact Assessment), which already have a certain track record in the field of privacy and personal data protection, especially in the Anglo-Saxon world.

The GDPR is flexible as to the methodology to be used to carry out an impact assessment, and only sets requirements regarding the result of the assessment, not how to reach it. That said, assessments must be based on a systematic methodology of execution so that they are objective, repeatable and comparable. Let us recall that carrying out a DPIA also serves the fulfilment of the proactive responsibility required by the Regulation.

1 This support can be understood as active involvement in the design and execution of the assessment, whether in a coordinating role or as the main point of contact with the assessors.

2 As regards processors, it is considered that they must cooperate with the controller in order to guarantee compliance with the measures resulting from the data protection impact assessment, and likewise in relation to the potential prior consultation with the supervisory authority.

In short, DPIAs are aimed at ensuring preventively that, when processing operations may entail particularly relevant risks, measures are taken to reduce, as far as possible, the possibility that the processing operations harm or prejudice individuals, or negatively affect their rights and freedoms.

The assessment is conceived as a repeatable process, since it must be reviewed and updated according to the particularities of each processing operation.

A separate question, on the other hand, is the implications that an a posteriori assessment may have when applied to processing already in production that has not previously been the subject of an assessment or of risk management. These implications can be very significant, especially in terms of economic cost, interference and adaptation time, and therefore, in general, assessment processes will be most useful when applied during the design of the solution, always in parallel with the definition of the processing procedures and, of course, prior to their technical implementation.

The result of carrying out an assessment is, after all, a report that records the characteristics of the processing assessed and the decisions taken to mitigate the risks on the basis of their identification, analysis and evaluation; the GDPR determines what the minimum content of the assessment must be, specifically referring to:

a) "a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller";

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects;

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

As a notable aspect incorporated into DPIAs, the GDPR establishes that the controller, where appropriate, must seek the views of data subjects or their representatives (for example associations or other entities that group interests) on the processing it intends to carry out3. This particular feature will be especially important for processing operations with a social impact or of relevance to public opinion.

Where a code of conduct applies to the processing assessed, compliance with it must also be part of the assessment.

Although not mandatory, the controller may choose to publish the DPIA in whole or in part; this can generate greater confidence in the project and serves the transparency of the processing and the principle of "proactive responsibility".

As regards processors, it is considered that they must cooperate with the controller in order to guarantee compliance with the measures resulting from the data protection impact assessment, and likewise in relation to the potential prior consultation with the supervisory authority.

Without going into detail, it is worth addressing when a DPIA must be carried out. In this regard, Article 35 of the Regulation provides that, in general, "where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons", the controller must, prior to carrying out the processing operations, assess their potential impact.

Independently of this more generic case, at a second level and more specifically, it is established that a DPIA must be carried out in the following circumstances:

a) If automated processing operations involve a "systematic and extensive" evaluation of personal aspects relating to natural persons, thus including profiling, and especially if, on the basis of the result of the processing, decisions are taken that produce legal effects concerning the individual or may significantly affect the person.

b) Large-scale processing of the so-called special categories of data provided for in Article 9(1) of the GDPR, namely: "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation", as well as data relating to criminal convictions and offences (described in Article 10 of the GDPR).

c) Systematic large-scale monitoring of publicly accessible areas.

3 Art. 35.9 of the GDPR.

Page 220: Tilburg University Personal data protection as a nonfunctional requirement in the Smart City's

219 Managing Risk In the Digital Society

Whether a DPIA must be carried out is closely tied to two concepts that the Regulation does not define: "large-scale processing" and "high risk".

In this regard it should be borne in mind that in February 2016 the Article 29 Working Party published the "Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR)", which set out an initial action plan for what was at that time already expected to be the imminent adoption of the GDPR.

In that document, the European data protection authorities set as one of their work priorities (already for 2016) precisely the definition of guidelines to help specify the notion of "high risk" in relation to impact assessments; that document has not yet been published, but it is expected to be available shortly.

Continuing with the description of the circumstances that make an impact assessment mandatory, the Regulation provides that supervisory authorities must determine and publish the list of the types of processing operations that will be subject to the requirement to carry out a data protection impact assessment. Those lists are to be communicated by the supervisory authority to the "European Data Protection Board" (the body that will replace the current Article 29 group of national supervisory authorities, albeit with strengthened functions and powers).

In parallel, data protection authorities may also establish and publish the list of the types of processing operations for which no data protection impact assessment will be required. That list must also be communicated to the European Data Protection Board.

The GDPR establishes that the controller must review whether the initial assessment remains valid when relevant changes occur in the processing, especially where those changes may alter the risks identified or the measures adopted, for example: collection of new types of data, migration of technology platforms, new applications, changes in security measures, longer data retention periods, regulatory changes, etc.

Finally, it should be recalled that Article 36 of the GDPR regulates the so-called "prior consultation", an obligation on the controller to consult the supervisory authority before starting a processing operation when the data protection impact assessment concludes that the processing would result in a high risk, because the controller is unable to take effective measures to mitigate it.


2.3. Security principle and risk management

As already indicated, the GDPR regulates a compliance model based on risk-oriented management, and accordingly Article 32 also establishes that approach in relation to the security of processing:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…"

This obligation on controllers and processors to protect personal data processing operations by applying technical and organisational measures that ensure an appropriate level of security is nothing new, since the legislation still in force already contains it. In fact, security measures have always been an essential part of the right to the protection of personal data. This principle is maintained in the Regulation, although there is a major difference in how the risk, and the specific measures to be applied, are determined.

The Regulation requires the risks of processing to be "managed", that is:

1) Identify, analyse and evaluate the risks in an objective and repeatable manner.

2) Depending on the result, select the most appropriate measures to reduce the likelihood and severity of the risks; that is, treat the risks.

Therefore, the Regulation no longer provides a list of security measures to apply, as the current regulation does; instead, controllers and processors will have to manage their risks. That is, on the basis of a prior assessment, controllers and processors will have drawn up their own list of security measures.

In any case, it is worth reiterating that the Regulation incorporates risk management, for all purposes and not limited solely to data security, as an activity that the controller will necessarily have to carry out in order to adopt appropriate technical and organisational measures. These measures must be applied by the controller itself or, where applicable, by the processor, in order to ensure that the processing is carried out as the Regulation requires.

Despite the importance that risk management acquires, Article 4 of the Regulation (devoted to definitions) does not define the concept of "risk", nor other concepts linked to risk management. However, Recital 76 of the Regulation refers to the need to carry out an objective assessment of risks. Consequently, a repeatable method will have to be applied that provides this objectivity and makes it possible to determine whether processing operations entail "high risk" or simply "risk".


It follows from the articles of the Regulation that risks, in terms of both likelihood and severity, can be "variable"; therefore, for the purposes of choosing and applying technical and organisational measures, distinguishing only those two categories of risk would not be sufficient, and it seems reasonable to establish some kind of gradation, or risk level.

Risk management must be carried out in a way that makes it possible to:

• Determine the context in which the processing activities take place.
• Identify risk situations.
• Analyse the risks.
• Evaluate the risks.
• Treat the risks (apply measures to reduce the likelihood and severity arising from the processing operations).
• Review the risks (periodically or upon changes, but in an objective and repeatable manner).

As for the selection of measures to implement, it will be necessary to decide which set or model of information security good practices to apply: those set out in a standard such as ISO 27002, those in the current Title VIII of the RLOPD (the regulation implementing the Spanish Data Protection Act) or, for public administrations, those in the Esquema Nacional de Seguridad (National Security Framework) or any other security model. ISO 29151 is currently being drafted and will set out, in the form of a standard, a proposed set of good practices (security measures) applicable to personal data.

In the field of security, the obligation regulated in Articles 33 and 34 to notify security breaches to supervisory authorities and to data subjects deserves specific mention.

In the first case, Article 33 states that the controller is responsible for notifying security breaches to the data protection authorities within a maximum of 72 hours after having become aware of the breach. An exception to the obligation to notify is established where the security breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the security breach occurs within the processor's sphere, the processor must notify the controller of the breach without undue delay.

As for communication of security breaches to data subjects, Article 33 establishes that it must take place where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. It must be done without undue delay; in this respect it should be borne in mind that it ought to be done as soon as possible, especially in cases where data subjects have the possibility of taking measures to protect themselves from possible negative consequences of the security breach.


Furthermore, the Regulation states that communication to the data subject will not be required if any of the following circumstances apply:

a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach,

b) the controller has taken subsequent measures which ensure that the high risk to rights and freedoms is no longer likely to materialise,

c) it would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

In any event, the supervisory authority, having regard to the likelihood of the breach resulting in a high risk, may require the controller to communicate it to the data subject.

In any case, an internal protocol will be needed for the rapid and effective management of these communications where they become necessary.

2.4. Data Protection Officer

Data protection officers (hereinafter DPOs) are a figure already mentioned in Articles 18 and 20 of Directive 95/46/EC, but one that was not taken up in Spanish legislation. The DPO means that, within an organisation, there is a figure who manages all matters linked to the processing of personal data. We are therefore faced with another management instrument of a preventive nature.

The DPO is an organisational measure that serves as a mechanism for liaison with the data protection authorities and as a link between them and controllers and processors. It is also a link with data subjects. The Regulation itself establishes that the DPO's contact details must be public and communicated to the supervisory authority, which does not necessarily mean publishing the DPO's name, an aspect that should be assessed with the controller or processor depending on the context, as the Article 29 Working Party recalls.4

Specifically, the Regulation has included this figure in its Section 4, namely in Articles 37, 38 and 39.

4 Guidelines on Data Protection Officers. Article 29 Data Protection Working Party, 13 December 2016


The Regulation regulates three situations in which a DPO must be appointed, but also notes that Union or Member State law may regulate other cases in which one must be appointed. Furthermore, the Article 29 Working Party considers the voluntary designation of a DPO to be good practice, but insists that, if appointed, the DPO must meet the requirements established by the Regulation. If a person is appointed to be in charge of compliance with data protection rules but does not meet the Regulation's requirements, that person should not be referred to as a DPO, to avoid dysfunctions.

The channels for contacting the DPO must guarantee fast, easy, direct and confidential access.

In any case, the obligation to designate a DPO falls on the controller and the processor where (Article 37(1) of the Regulation):

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and of data relating to criminal convictions and offences referred to in Article 10.

Furthermore, as regards the number of DPOs that must exist within groups of undertakings, the Regulation states that the group may appoint a single DPO, provided that the DPO is easily accessible from each establishment of the group.

In the case of public authorities and bodies, a single data protection officer may also be designated for several such authorities or bodies, taking account of their organisational structure and size.

The DPO may be internal or external, but in any case must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice and the ability to fulfil the tasks regulated by the Regulation. Furthermore, the Regulation also makes clear that the DPO has a special position in the organisation and must be supported in their decisions by the controller and, where applicable, by the processor. It states that the DPO is not subject to any instructions and reports only to the highest management level. The DPO must be a person with internal decision-making capacity.

For the proper performance of the DPO's tasks, which are regulated in Article 39 of the Regulation, the controller and the processor must make all necessary resources available. These resources include both the availability of time and, among others, human, financial and infrastructure resources. It should not be forgotten that one of the main characteristics of the DPO, directly linked to the proper performance of their tasks, is independence within the organisation. That independence is determined by the level of dedication assigned to the role, by the hierarchical position the DPO occupies within the organisation, and by the provision of the human and material resources needed to perform the tasks properly. The higher that position, the better the fulfilment of the DPO's instructions and guidelines within the organisation is guaranteed and facilitated.

Specifically, the tasks to be performed focus, as Article 39 of the Regulation establishes, on informing and advising the controller or the processor, on monitoring compliance with the obligations regulated by the legislation, and on cooperating with the supervisory authority, the DPO being the contact point with it.

It is important to stress that the Regulation expressly mentions the DPO's obligation to perform their tasks with due regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing, which reinforces the focus on risk and its management as the central point of the regulation of obligations linked to the processing of personal data. In this area, the Article 29 Working Party notes that the DPO should prioritise the areas of highest risk, obviously without this leaving the remaining processing operations unprotected.

2.5. Supervisory authorities

Within the information governance model, brief mention must be made of the supervisory authorities, which maintain and strengthen their position as an essential element of data protection.

The Regulation regulates supervisory authorities in Articles 51 to 59, which set out their characteristics, functions and powers, and devotes a specific article to regulating the requirement of independence that defines them. It is precisely this characteristic that will guarantee the effective defence of the right to the protection of personal data, together with the establishment of strong powers of inspection and sanction.

3. CONCLUSIONS

The GDPR sets out a compliance model resting on two basic pillars, risk management and proactive responsibility (accountability); consequently, each and every decision taken by controllers and, where applicable, processors must take into account the risks entailed by the processing activities and the ability to demonstrate that they are in a position to comply with the principles, rights and obligations linked to the right to the protection of personal data.

The data protection governance model deriving from the GDPR has a scope that goes beyond Europe, by virtue of the territorial scope of application incorporated in the new regulation.

That governance model will require all the actors involved in protecting individuals and their rights and freedoms, on the basis of requirements and conditions for the processing of personal data, to adapt their working methods; compliance can no longer be merely formal or documentary, and that paradigm shift in data protection leads to the need to provide for genuinely responsible management of personal data.

Controllers and processors, but also supervisory authorities, professionals performing DPO functions, and companies providing specialised support for adapting to and complying with the GDPR, will have to change their working methods, as well as the approach they take to the activities they carry out in relation to the right to the protection of personal data.

Nor should it be forgotten that individuals will now have greater empowerment regarding the use made of their personal data, which together represents a fundamental change in how the right to the protection of personal data will have to be addressed once the GDPR is fully applicable.

4. BIBLIOGRAPHY

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

«Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR)» - Article 29 Data Protection Working Party

«Guidelines on Data Protection Officers ('DPOs')» - Article 29 Data Protection Working Party

Conference talks: «La nueva regulación del derecho a la protección de datos en Europa. Un cambio de modelo con impacto global» (The new regulation of the right to data protection in Europe. A change of model with global impact) - Joana Marí and Ramón Miralles

Course materials: «Realizar la evaluación de impacto relativa a la protección de los datos personales (AIPD)» (Carrying out the data protection impact assessment) - Ramón Miralles


14

LIFE BEYOND (DIGITAL) DEATH. THE PROTECTION OF DIGITAL WILLS IN THE REFORM OF CATALAN CIVIL LAW

Albert Ruda González, Associate Professor of Civil Law, Universitat de Girona

ABSTRACT: This paper describes and analyses the proposal to regulate so-called digital wills in Catalan civil law. The Catalan Government's proposal aims to protect a person's wishes regarding part of what could broadly be called their digital estate, namely the active digital service accounts they hold. Through a declaration of digital wills, a person could appoint someone to carry out the declarant's instructions after their death, for example to close the accounts they held while alive. In that way, the appointed person, as "executor of digital wills", could ask a social network or other digital service provider to delete the declarant's profile once the circumstances that trigger the effectiveness of the mandate arise. The paper discusses this proposal in the light of comparative law, in particular the "Loi pour une République numérique" recently enacted in France, and the Uniform Fiduciary Access to Digital Assets Act (UFADAA) of the United States.

KEYWORDS: death, digital wills, inheritance, parental authority, guardianship.

1. INTRODUCTION

As is well known, the Government of the Generalitat of Catalonia has sent the regional Parliament a preliminary draft bill to regulate so-called digital wills.1 This paper carries out a first analysis of that draft bill in the light of some elements of comparative law. Owing to obvious constraints of time and space, the purpose of this work is not to analyse the text in all its detail, but only some of its most relevant aspects, in particular whether or not it is appropriate to legislate on this matter, and the fundamental conception on which the whole legal edifice now proposed by the Catalan legislature rests.

1 The full legislative process of the bill can be followed on the website of the Departament de Justícia: http://justicia.gencat.cat/ca/departament/Normativa/normativa_en_tramit/av_vol_digitals/


The text of the draft bill is based on an initial proposal drawn up by two professors of the Universitat Oberta de Catalunya, Dr Agustí Cerrillo Ruiz and Dr Miquel Peguera Poch, professors of administrative law and commercial law respectively. That proposal was submitted to the Harmonisation Section of the Catalan Codification Commission, which reports to the Catalan Private Law Observatory. In order to analyse the proposal and rework it where necessary, the Section set up a working group made up of notaries and professors, among them the author of this paper. The initial text was debated and underwent some modifications.

2. WHETHER OR NOT REGULATION IS NEEDED

At the outset, one can note the courage of the Catalan legislature in setting out to intervene in a matter of great technical complexity. There is no doubt that the subject of so-called digital wills lies on largely new and unknown ground. This is largely because it is a field in which technologies evolve rapidly. What is being regulated is not only how a person lives their existence on the Internet, but also how they approach their death from a digital point of view. In the so-called age of homo digitalis, the legislature is no longer content to regulate death in the physical sense, in material reality, but feels obliged to deal with the digital repercussions of death as well. But in travelling this road into the unknown, the Catalan legislature is by no means alone, since other legal systems have already begun to regulate the matter. As will be seen, the Catalan approach draws partly on comparative law, but also has some particular features that distinguish it from the other existing regulations in the field.

The first question one might ask in this regard is whether the legislature really needs to intervene in this field. The question has been raised in certain professional circles following the Catalan Government's legislative initiative, and it is entirely legitimate, since one would obviously have to oppose the adoption of a purely redundant text that added nothing. The legislature itself suggests that existing law does not regulate the matter when it states in the draft bill, in its Preamble, that "the legislation in force on succession does not provide an answer to these questions", something that should in fact be qualified: while it is true that there is no specific provision, the legal system already provides for hereditary succession (and the heirs are those naturally called upon to deal with the deceased's affairs) and parental authority (which carries the duty to look after one's children, including in the digital sphere). In this regard, two points can be made. The first is that the draft bill provides for the creation of a public register of digital wills (Article 10), a register which therefore does not exist unless a legal provision creates it. For that reason alone, the law can be said to have its own novel content. Incidentally, that register is distinct from, and therefore should not interfere with, the Register of Last Wills (Annex II of the Notarial Regulation).

It is true, however, that other aspects may seem less original. For example, the draft bill provides that parents and guardians will ensure the appropriate presence of their children or wards on the Internet (new Articles 236-17 and 222-36 of the Civil Code of Catalonia [CCCat]). This is a specific manifestation of a protective power-duty that could already, in theory, be generically included in parental authority or guardianship, and which the Catalan legislature has already dealt with specifically in a law of 2010.2 What the draft bill does on this point is specify one particular aspect of that protective function. It could be said, in a sense, that the law would here perform a certain didactic or propaedeutic role, and although strictly speaking that is not the role of the legislature (the law must command, not educate; it must not make declarations but order and prescribe; lex iubeat, non doceat),3 the fact that the law expressly provides for it may save more than one pointless lawsuit in which a child objects to their parents watching over them on the Internet, or in which parents pointlessly ask the court to allow them something the law implicitly already let them do. In this regard, one may cite the media coverage of a recent judgment acquitting a mother of the charge of abuse for having taken her son's mobile phone away.4 Apparently, the mother had to struggle to wrest the device, which she owned, from her son, for which the Public Prosecutor sought nine months' imprisonment (!), but, as the judgment notes, there is no criminal liability because the mother was exercising her function. Although the case is obviously not one of digital wills, it does show that there are situations today in which parents may be unclear about how they should act.

From this point of view, a law that gave clear guidelines on the use of new technologies by children or persons under guardianship would seem advisable or, at least, would do no harm. And in this regard, it is essential to start from the premise that minors are not incapable persons, utterly defenceless in the face of new technologies, contrary to what the draft bill says, which is based on the premise of their "inability to manage their presence in digital environments appropriately", as its Preamble reads. In contrast to this approach, the legislature should assume that minors have certain abilities, which may vary with age.

2 Namely, Llei 14/2010, del 27 de maig, dels drets i les oportunitats en la infància i l'adolescència (DOGC no. 5641, of 2 June).

3 Among many others, see on this aspect of legislative technique Fix, U. (2009). Rhetorik und Stilistik, Band 2. Berlin: Walter de Gruyter, p. 2136, and Hernández Ramos, M. and Heydt, V. (2017). Legislative Language and Styles. In Karpen, U. and Xanthaki, H. (eds.), Legislation in Europe: A Comprehensive Guide For Scholars and Practitioners. Oxford and Portland, Oregon: Bloomsbury Publishing, 129-144, p. 130.

4 News item by Codina, E. (2017). Absuelta de maltrato tras quitarle el móvil a su hijo para que estudiase. El País 24.3.2017. http://politica.elpais.com/politica/2017/03/22/diario_de_espana/1490202373_864695.html.

Another point of view from which the question of whether or not to regulate this subject can be approached is the empirical one. Although the data can sometimes be contradictory, one rather revealing figure may suffice: Facebook, one of the best-known social networks, currently has some 30 million profiles of dead people. According to one source, 10,000 people with an account on that network die every day, leading some to predict that unless the rate of new sign-ups accelerates, there will soon be more accounts of deceased people than of living ones.5 Those profiles of the deceased do not necessarily make clear that their "holders" have passed away. Indeed, sometimes the profiles continue to interact with their digital friends. If the social network does not know that a person is dead in real life, it may continue to operate normally. It may, for example, publish anniversaries (for instance the usual friendship anniversaries between people, of the kind "You and So-and-so became friends two years ago"), the person's name will continue to appear in the usual notices (of the kind "So-and-so and 53 others like this page"), and some third-party applications may continue to post on the holder's behalf, even though they are buried in the real world.

Faced with this situation, from the standpoint of policy analysis one may consider the alternatives available to the legislature, and obviously one alternative is always to do nothing, the so-called "zero option". But it is worth asking whether it is sensible or reasonable not to deal with this matter in law when the most advanced countries, such as the United States, or our French neighbours, are doing so. As will be seen below, the legislature's inaction can lead to a practice of self-regulation that may prove harmful in certain situations. Specifically, as will be seen below, in the United States the absence of regulation led to a situation in which it was practically impossible to access digital assets unless the deceased had expressly authorised it.6

Moreover, insofar as death is a matter people tend to shy away from, there seem to be a good many people who assume they will never die, or at least act as if that were the case. In some sense that may be so.

5 See Hiscock, M. (undated). Dead Facebook users will soon outnumber the living. Retrieved 26 March 2017 from http://www.theloop.ca/dead-facebook-users-will-soon-outnumber-the-living/.

6 See, among others, Snyder, K. and Ertel, J. (2016). Estate Planning Digital Age: Protecting Your Digital Assets Today and In the Future. Orange County Lawyer, 58, 29-32, p. 32.


There are websites that periodically record the content of the Internet (as in the case of the Web Archive).7 As long as that archive remains open, many Internet pages will remain "immortalised" there. Moreover, thanks to the development of artificial intelligence, there are social-network applications (as in the case of the social network Eter9)8 that learn from a person while alive and, once that person has died, post on the Internet and interact with others as the user would if still in this world; this could make the dream of eternal life possible, or turn it into a nightmare, depending on how one looks at it. The existence of applications of this kind once again draws attention to the need felt by some people to attain a certain existence beyond this earth, on the Internet, after their death.

Apart from the above, it seems evident that the digital dimension is becoming increasingly important in our lives. From a sociological perspective, one might perhaps point out that a far from negligible portion of society will surely not leave behind a substantial estate, nor will it consider the need to regulate its succession by means of a will. There may even be a part of the population unwilling to bear the financial cost of the will itself. By contrast, having few possessions in real life does not mean that the same person cannot be swimming in abundance from the digital point of view. Indeed, unless someone has a large fortune, it is quite possible that his or her online profile is richer and more varied than what is left behind in physical reality. From this point of view, people who may not pass on many assets through their "traditional" inheritance may instead leave an enormous quantity of files, digital accounts, and so on.

3. THE FIGURES OF THE DIGITAL SUCCESSOR AND THE DIGITAL ATTORNEY-IN-FACT

What can the legislator do in this regard? Possibly many things. One of them is to allow a person to designate another to carry out the former's wishes after the former's death. In this case we are dealing with a successor in the digital world, a kind of heir. As is well known, the term heir is usually applied to the person who succeeds another mortis causa by universal title, that is, who "steps into", as it is usually put, or takes the position the deceased held in all of his or her transmissible relationships; the legatee succeeds in one or more of those relationships, and the executor merely carries out the wishes of the deceased. The Catalan preliminary draft bill conveniently distinguishes between these concepts and allows that successor to be the heir, the legatee, a mere executor, the administrator of the estate, or even a person designated as such (one might perhaps speak of a "para-heir") to carry out the digital wills (art. 5). But where the deceased specifies nothing in this regard, conflicts may arise.

7 https://archive.org/web/

8 https://www.eter9.com/auth/login

Just as in the case of testamentary wishes, the possibility that the deceased may change his or her mind should be recognised. The revocability and modifiability of such wills is fundamental, and so it seems right that the preliminary draft bill provides for it expressly (art. 5; new art. 411-10.4 CCCat). It has been suggested that a notarial will should always prevail over the wishes expressed in other kinds of instructions, in particular those recorded in the administrative register. This is a very sensitive aspect that ought to be clarified in order to respect the last will of the person in question while at the same time providing legal certainty.9

It is worth noting in this regard how the preliminary draft bill is very careful not to interfere with the possibility, already implicitly present in current legislation, that the heir (or another of those called to the estate) be entrusted with administering or carrying out specific tasks in relation to another person's digital accounts in the event of that person's death. The preliminary draft bill does not alter the system of succession law itself; rather, it adds a new figure, namely the person (the "designated person") who must carry out the digital wills without holding any succession title. In addition, it recognises this new possible content of the will insofar as it provides that the will may contain the deceased's digital wills (new art. 421-2.2 CCCat).

It is also worth stressing, to avoid misunderstandings, that the person entrusted with carrying out the digital wills has no minimum or essential task. There is, in fact, no mission or set of natural powers that the deceased may then finish configuring; rather, the law simply allows for various possibilities, by way of example, namely: notifying the digital service providers of the death, requesting that they cancel the accounts, and requesting that they carry out what was contractually provided for in the event of the holder's death, including the possibility of obtaining a copy of the corresponding files. Hence the law is clear in the sense that it does not require the person entrusted always to erase the deceased's presence on the Internet; rather, his or her task could be quite different: specifically, to ensure that this presence does not disappear, for example by setting aside part of the estate to maintain a web page in the deceased's memory. In that regard, there are already websites that offer this kind of service, such as Memorializeme.10 The preliminary draft bill only provides for a minimum or default content in the sense that the designated person may carry out those actions, but only insofar as they are provided for in the contracts entered into by the deceased (new art. 411-10.5 CCCat). The legislator should assess whether or not this approach contributes to generating conflicts with the other parties to whom the preliminary draft refers.

9 Cf. Fernández-Tresguerres, A. (2017). Anotaciones al proyecto catalán sobre gestión digital. Retrieved 30 March 2017 from http://www.notariatresguerres.es/anotaciones-al-proyecto-catalan-sobre-gestion-digital/

10 http://memorializeme.com/

It should be noted that the Catalan legislator takes the opportunity afforded by regulating digital death to deal also with the case in which a person wants another to manage his or her digital wills even during the former's lifetime. In this case, the interested party may grant a "power of attorney in anticipation of supervening loss of capacity" (art. 1 of the preliminary draft; new art. 222-2 CCCat). Unlike the previous case, this is not a matter of succession; here the two persons coexist, the account holder on the one hand and the manager of the digital wills on the other. The possibility of granting such a power is nothing new in Catalan law, but what obviously is new is that the law expressly includes the possibility of empowering another to manage those digital wills. The regulation parallels that provided for the case of death, in the sense that the attorney-in-fact will be entitled to act before the digital service providers with which the grantor holds active accounts. The digital wills will come into operation if the grantor suffers a "supervening loss of capacity", as the new provision states. It seems that this loss must be interpreted as the case in which a person is in a situation warranting the constitution of guardianship over him or her, by virtue of a systematic interpretation (given that the provision is located within the rules on guardianship). If the rule is read together with the rest of the provision, it follows that the attorney-in-fact must begin to carry out the digital wills when the grantor is unable to govern himself or herself (art. 222-2.1 CCCat).

The preliminary draft does not provide that, where guardianship is ultimately constituted after all, the guardian must obey the grantor's digital wills. Bear in mind that if guardianship is constituted, the preliminary draft provides that the judicial authority may order (so it is not mandatory) the extinction of the power (new art. 222-2.6 CCCat). Guardianship and the anticipatory power may therefore coexist. This is somewhat odd, since, as is well known, it is the guardian who is normally responsible for the care of the person with modified capacity. Where the two offices or figures do not coexist, because the judge has ordered the extinction of the power, the guardian will simply have to perform his or her function of protecting the person subject to guardianship (art. 221-1 CCCat). Under the preliminary draft, the guardian must ensure that the ward has an appropriate presence in digital environments and protect the ward from the risks inherent to them (new art. 222-36.2). It does not seem, then, that the guardian is obliged, in the event of extinction of the power, to follow the wishes the grantor had laid down at the time in the anticipatory power. However, the preliminary draft does require that, if the guardian wishes to cancel the ward's accounts, the ward must first be heard (new art. 222-36). What may be missing here is a rule under which the guardian must take into account, as far as possible, the digital wills the grantor had expressed in that power, if one exists, provided this is possible and does not conflict with the guardian's own duties.

4. MANAGEMENT OF DIGITAL ASSETS OR ACCOUNTS

One of the most important aspects of the preliminary draft bill is undoubtedly the kind of management the digital successor or attorney-in-fact may carry out. The fact that a person is entitled by the title of digital successor (whether as heir, etc.) will allow him or her to appear before third parties, generally digital service providers, to request the adoption of measures in accordance with the digital wills. In this way, the aim is to prevent the digital provider from hiding behind, for example, the fact that it is not the account holder himself or herself, but another person, who is requesting that a given measure be adopted.

This kind of rule, which empowers the successor or attorney-in-fact to manage the accounts before digital service providers, already exists in comparative law. It is, in particular, one of the crucial aspects of the regulations found in this regard in the USA. Indeed, the matter has already been the subject of statutory regulation in several American states, which have been incorporating the proposal approved by the Uniform Law Commission (ULC)11 on 16 July 2014, the Uniform Fiduciary Access to Digital Assets Act (UFADAA). The latest version of that text (the Revised Uniform Fiduciary Access to Digital Assets Act [RUFADAA]), at the time of writing, dates from 2015.12 The revision has been applauded in the literature in comparison with the earlier text.13

11 Its website can be seen at: http://www.uniformlaws.org/.

12 See http://www.uniformlaws.org/Act.aspx?title=Fiduciary%20Access%20to%20Digital%20Assets%20Act,%20Revised%20(2015).

13 See Nelson, S. D. and Simek, J. W. (2016). Technology: When You Die, Will Your Digital Assets Go To Hell? Res Gestae Indiana Bar Journal. 60, 34-37, p. 36 and Sy, E. (2016). The Revised Uniform Fiduciary Access to Digital Assets Act: Has the Law Caught Up With Technology? Touro Law Review. 32, 647-677, p. 677.


A study by the European Law Institute, based in Vienna, has already proposed that the UFADAA serve as a model for Europe.14 Certainly, as has been pointed out, it is already serving as a model to follow in its country of origin, and the State of Delaware in particular is the one that has followed it most faithfully.15 In essence, the UFADAA allows a person appointed in a fiduciary capacity (the so-called fiduciary) to manage another person's property in the latter's interest. In that instrument, property comprises not only traditional tangible or corporeal goods but also so-called digital assets. For their part, the state laws more or less directly inspired by the UFADAA differ notably from one another: some only allow access to e-mail accounts, others extend it to the management of the deceased's social networks, blogs, or even electronically stored information.16 Although this is an interesting model to follow, it should be noted that not all elements stemming from American law can be transplanted into our country. This is because the distribution of powers between the Federation and the American states differs from that existing in Spain. Moreover, the USA has a legal system with markedly different characteristics, being a so-called common law jurisdiction. In it, for example, the figure of the trust is recognised, a figure still unknown in our country. This means that the UFADAA proposal deals to a large extent with questions concerning how the trustee designated in a trust can fulfil his or her function if not given access to the assets of the settlor of the trust.

Another aspect to bear in mind is that the digital successor or attorney-in-fact will have to prove his or her status to the third party in order to be able to carry out the digital wills. In the event of death, proof by means of the provision in the succession document expressing the last wishes (will, codicil or testamentary memoranda; new arts. 411-10.3.a) and 421-24.1 CCCat) will suffice. In the absence of a provision in those instruments, the digital wills document will have to be entered in a public register (new arts. 411-10.3.b) and 421-24.1 CCCat). The option of creating a public register seems valid and timely and will surely give confidence to those who decide to express their digital wills in the ways provided for by law.

14 See van Erp, S. (2015). A UFADAA for Europe?. Retrieved 26 March 2017 from https://www.europeanlawinstitute.eu/fileadmin/user_upload/p_eli/General_Assembly/2015_conference_materials/Sjef_ELI_2015.pdf

15 See in this regard Capel, E. H. (2015). Conflict and Solution in Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act. Berkeley Technology Law Journal. 30, 1211-1242.

16 See Costello, M. W. (2016). The “PEAC” of Digital Estate Legislation in the United States: Should States “Like” That?. Suffolk University Law Review. 49, 429-449, p. 438.


On this point the text of the Catalan preliminary draft is similar to that of the French law. Indeed, last year France passed a "Law for a digital Republic".17 The French legislator does not speak of digital wills but of directives, general or specific, concerning the person's personal data after death (art. 63). General directives concern all of the person's data and may be entered in the register kept by a trusted digital third party, certified by an official commission (the Commission nationale de l’informatique et des libertés). However, references to those directives are to be recorded in a single register, in accordance with a decree of the Council of State. It is plain that the approach adopted by the French legislator on this point differs from the Catalan preliminary draft, which deliberately avoids dealing with the processing of personal data for reasons of legislative competence. Nevertheless, the legislative policy choice of providing for the recording of the wills in a register is similar. A different question is whether the digital estate, or digital assets or accounts in general, can be regulated without at the same time addressing the protection of personal data. In reality, digital accounts can very often not be separated from third parties' data, so we are faced with an extremely sensitive situation. For this reason, it has been argued in the USA that it is unwise to allow the digital heir by default to have blanket access to all of the deceased's accounts without restricting it in respect of third parties' data.18 It would therefore remain to be seen whether a provider of personal services could hide behind the protection of third parties' personal data (under Organic Law 15/1999, of 13 December, on the protection of personal data19) in order to refuse to carry out the measures requested by the digital successor or attorney-in-fact. Also placed on the table is the question of possible liability, both on the part of the digital successor or attorney-in-fact (in principle under art. 1902 et seq. CC) and of that provider (under art. 13 et seq. of its special Law,20 if it is understood that this is the provider to which the preliminary draft refers, which is not clear either) should they engage in improper conduct. In this regard, the 2015 revision of the aforementioned American proposal precisely strengthened the protection of privacy and introduced the requirement that the holder has expressly authorised access to the accounts, by means of an online tool or by means of a will, a power of attorney or a trust.21 This underlines the close connection between digital assets or goods and the protection of personal data.

17 Loi n° 2016-1321 du 7 octobre 2016 pour une République numérique (JORF n°0235 du 8 octobre 2016) https://www.legifrance.gouv.fr/affichLoiPubliee.do?idDocument=JORF-DOLE000031589829&type=general&legislature=14

18 See Lee, J. (2015). Death and Live Feeds: Privacy Protection In Fiduciary Access To Digital Assets. Columbia Business Law Review. 654-704, p. 657. Similarly, Note (2016). All Blogs Go To Heaven: Preserving Valuable Digital Assets Without the Uniform Fiduciary Access To Digital Assets Act’s Removal Of Third Party Privacy Protections. Georgia Law Review. 50, 593-624, p. 595.

19 BOE no. 298, of 14.12.1999.

20 Law 34/2002, of 11 July, on information society services and electronic commerce (BOE no. 166, of 12.7.2002).

Another aspect to bear in mind concerns general contract terms. As partly noted above, the success of the future Catalan law depends on the digital successor or attorney-in-fact being recognised as the person entitled, before the digital service providers, to request the adoption of the measures corresponding to the digital wills. That objective may be frustrated if the provider hides behind general contract terms which, as everyone knows, were not really accepted by the holder of the digital accounts in question. The French law provides in this regard that general contract terms contrary to the digital will are deemed unwritten (art. 63 of the law cited above). This is important because, with respect to the digital attorney-in-fact, these terms represent content that has not been accepted by him or her either. Indeed, the executor of the digital wills may be an heir (in which case he or she succeeds the deceased, ex art. 1257.2 CCE), and is therefore bound as the deceased would be, but, as has also been seen, it may also be an executor or an estate administrator, or even a mere attorney-in-fact, and hence a third party who does not necessarily step into the position the deceased or the grantor held in the contract.

It may therefore not be entirely clear to what extent an obstructive attitude on the part of the digital service provider could be justified on the basis of the so-called small print of the contract or general terms. The question is not trivial, since conflicts of this kind have already begun to arise, at least in the USA. By way of example, there was the case of a boy from the State of Virginia, named Eric Rash, who took his own life at the age of 15. As is easy to imagine, the boy's parents wanted to preserve his Facebook profile in order to access it or obtain information about the circumstances in which the death might have occurred or the motives that may have driven him to take his own life.22 The Government of Virginia promoted a legal reform to allow such access, as Oklahoma had done in 2010. That initiative culminated in the Virginia Privacy Expectation Afterlife and Choices Act 2015 (PEAC).23 The new regulation prevents the provider from blocking the parents' access on the mere ground that they are not the account holder. This law allows the digital will to consist also in blocking access by third parties. It is not clear that the Catalan preliminary draft would allow this same solution to be reached. It is therefore a question to consider in the future.

21 See in this regard Martin, R. and Nairn, S. N. (2016). Estate Planning Guidance For the Protection Of Digital Assets. Los Angeles Lawyer. 39, 15-17, p. 17.

22 See Chicago Tribune (2016). Who gets your selfies when you die? States seek to fill privacy law gaps. Retrieved 26 March 2017 from http://www.chicagotribune.com/bluesky/technology/ct-digital-death-privacy-laws-ap-bsi-20161003-story.html.

23 See http://leg1.state.va.us/cgi-bin/legp504.exe?ses=151&typ=bil&val=sb1450

In addition, the possible relevance of the proposed regime in connection with personal privacy should be borne in mind in this regard. It should be recalled that the exercise of actions in defence of the privacy, honour or image of the deceased falls to the person designated in the will and, failing that, to the other persons mentioned in the law (art. 4 of Organic Law 1/1982).24 Once again, this legal provision would need to be coordinated with the Catalan legislator's proposal, in order to avoid problems between the parties.

Finally, it should be borne in mind that some of the digital assets affected by the future Catalan regulation will be subject to intellectual property legislation,25 which is the exclusive competence of the Spanish State (art. 149.1.10 of the Constitution). It seems necessary to take into account the required coordination between the two regulations, since in most cases those assets will be subject to terms of use, generally by way of a licence.

5. CONCLUSION

In short, the Catalan preliminary draft bill has been presented to the media as a pioneering instrument. However, it has been received in legal circles with mixed feelings. On the one hand, there are those who think the text is unnecessary, since what it provides for is already possible under current legislation. On the other, there are those who consider that the text clarifies matters and draws the attention of the general population to the advisability of dealing with their digital inheritance or legacy, and of certain parties (parents, guardians) to the care they must take in relation to the digital accounts of their children or wards.

Certainly, the ground on which the legislator is moving with this initiative is far from easy, and is in fact riddled with uncertainties, largely because of the intrinsic complexity of the subject matter, but also because of the restrictions on legislative competence that prevent the Catalan legislator, in the current state of affairs, from dealing with digital wills in a comprehensive manner.

24 Organic Law 1/1982, of 5 May, on civil protection of the right to honour, to personal and family privacy and to one's own image (BOE no. 115, of 14.5.1982).

25 Royal Legislative Decree 1/1996, of 12 April, approving the consolidated text of the Intellectual Property Law, regularising, clarifying and harmonising the legal provisions in force on the matter (BOE no. 97, of 22.4.1996).

Nevertheless, even though the preliminary draft bill cannot resolve all the problems that will arise in practice, it does seem to resolve some of the most urgent ones, and the overall assessment may be positive. In particular, the Catalan text has all the essential elements of what appears to be proper management of the digital estate,26 namely: the preliminary draft provides for a definitive reset, in the sense that it empowers the successor or attorney-in-fact to close the accounts or have them closed; it also provides for the possibility of appointing a digital heir, executor or administrator, or of doing so by way of a power of attorney; and, finally, it allows the successor or attorney-in-fact to obtain a copy of the digital assets, as a kind of digital urn or ashes (new art. 411-10.2.c) CCCat).

26 See in this regard Benach, E. and Pueyo, M. (2012). Mort certa, hora incerta. Barcelona: Pagès editors, p. 156 et seq.

6. BIBLIOGRAPHY

Benach, E. and Pueyo, M. (2012). Mort certa, hora incerta. Lleida: Pagès editors.

Capel, E. H. (2015). Conflict and Solution in Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act. Berkeley Technology Law Journal. 30, 1211-1242.

Chicago Tribune (2016). Who gets your selfies when you die? States seek to fill privacy law gaps. Retrieved 26 March 2017 from http://www.chicagotribune.com/bluesky/technology/ct-digital-death-privacy-laws-ap-bsi-20161003-story.html.

Codina, E. (2017). Absuelta de maltrato tras quitarle el móvil a su hijo para que estudiase. El País 24.3.2017. http://politica.elpais.com/politica/2017/03/22/diario_de_espana/1490202373_864695.html.

Costello, M. W. (2016). The “PEAC” of Digital Estate Legislation in the United States: Should States “Like” That?. Suffolk University Law Review. 49, 429-449.

Fernández-Tresguerres, A. (2017). Anotaciones al proyecto catalán sobre gestión digital. Retrieved 30 March 2017 from http://www.notariatresguerres.es/anotaciones-al-proyecto-catalan-sobre-gestion-digital/

Fix, U. (2009). Rhetorik und Stilistik, Band 2. Berlin: Walter de Gruyter.

Hernández Ramos, M. and Heydt, V. (2017). Legislative Language and Styles. In Karpen, U. and Xanthaki, H. (eds.), Legislation in Europe: A Comprehensive Guide For Scholars and Practitioners. Oxford and Portland, Oregon: Bloomsbury Publishing, 129-144.

Hiscock, M. (n.d.). Dead Facebook users will soon outnumber the living. Retrieved 26 March 2017 from http://www.theloop.ca/dead-facebook-users-will-soon-outnumber-the-living/.

Lee, J. (2015). Death and Live Feeds: Privacy Protection In Fiduciary Access To Digital Assets. Columbia Business Law Review. 654-704.

Martin, R. and Nairn, S. N. (2016). Estate Planning Guidance For the Protection Of Digital Assets. Los Angeles Lawyer. 39, 15-17.

Nelson, S. D. and Simek, J. W. (2016). Technology: When You Die, Will Your Digital Assets Go To Hell? Res Gestae Indiana Bar Journal. 60, 34-37.

Note (2016). All Blogs Go To Heaven: Preserving Valuable Digital Assets Without the Uniform Fiduciary Access To Digital Assets Act’s Removal Of Third Party Privacy Protections. Georgia Law Review. 50, 593-624.

Snyder, K. and Ertel, J. (2016). Estate Planning Digital Age: Protecting Your Digital Assets Today and In the Future. Orange County Lawyer. 58, 29-32.

Sy, E. (2016). The Revised Uniform Fiduciary Access to Digital Assets Act: Has the Law Caught Up With Technology? Touro Law Review. 32, 647-677.

van Erp, S. (2015). A UFADAA for Europe?. Retrieved 26 March 2017 from https://www.europeanlawinstitute.eu/fileadmin/user_upload/p_eli/General_Assembly/2015_conference_materials/Sjef_ELI_2015.pdf.


15

COLLECTIVE ACTIONS WITHIN THE FRAMEWORK OF THE GENERAL DATA PROTECTION REGULATION

Natalia Wilson Aponte
Predoctoral fellow at the Universitat de Girona1

ABSTRACT: The General Data Protection Regulation, among its novelties, introduced the figure of collective actions. It thus grants standing to certain non-profit entities to represent the interests of those affected by the infringement of their right to the protection of personal data. Such entities, on behalf of the data subjects, may exercise the right to lodge a complaint with a supervisory authority, the right to an effective judicial remedy against a supervisory authority, the right to an effective judicial remedy against a controller or processor and, where Member State law so provides, the right to receive compensation. This paper will refer to the role of collective actions in the European Union and to the class actions characteristic of the US system. It also proposes to set out what collective actions consist of within the framework of the Data Protection Regulation, and will outline some conclusions in this regard.

KEYWORDS: collective actions, class actions, data protection, opt-out, opt-in.

1. INTRODUCTION

The profound economic, political and social transformation of the twentieth century, fuelled by technological development and the mass production of goods, has placed on the table questions relating to the legal protection of collective interests in settings designed for the protection of individual interests. And no wonder, since the exchange of large volumes of goods, the massification of economic relations and, at the same time, the causing of harm on a similar scale attest to the need to guarantee the protection of collective interests.

Precisely, one of the mechanisms that comes close to achieving this goal is collective redress or collective actions, for although their origin dates back to the seventeenth century in the Court of Chancery in England, over time these actions have developed and spread through different legal systems, albeit under different names and in consideration of the particular features of each system (see Figure 1 on the countries that have adopted collective actions).

1 Work carried out with the support of the "Programa de Becas de Doctorado para extranjeros de la UdG con financiación de la Obra Social de la Caixa".

241 COLLECTIVE ACTIONS WITHIN THE FRAMEWORK OF THE GENERAL REGULATION...

Collective actions are mechanisms for protecting collective interests which, when set in motion, reveal a conflict of the same nature. That is, a collective conflict 'arises when an unsatisfied group claim emerges from a concrete situation and its protection is demanded'.2 In this sense, in order to determine the scope and effects of these actions, recourse has been had to the classification of collective interests and conflicts. Thus, different countries have proposed a range of typologies which, broadly speaking, can be reduced to the following: a) supra-individual, collective or diffuse interests, which are indivisible in nature; b) homogeneous individual interests, which are divisible in nature.

The former refer to interests that go beyond the individual interests of the members of the respective group, in that, on the one hand, the relationship between those members and the object of interest is not immediate (the immediate relationship exists between the collectivity and that interest) and, on the other, the indivisible nature of the object prevents its fragmentation among the members of the group. The typical case is the pollution of a river and a group's interest in having it treated for its recovery: both the interest and the use and enjoyment of the river belong jointly to all members of the group.

The group may be determined or determinable (collective interests) or indeterminate (diffuse interests), which may have some bearing on establishing who has standing to bring collective actions.3

By contrast, homogeneous interests of a divisible nature refer to the sum of individual interests, shared by the members of a group, whose impairment stems from one and the same activity. Since they are individual interests, their object is divisible and the relationship between it and the members of the group is immediate. Even so, collective protection is necessary, above all in the case of mass harm affecting a substantial number of people: harm which, considered individually, may give rise to the award of insignificant compensation. Claims seeking redress for mass harm, or the guarantee of collective habeas data, could therefore find an adequate procedural avenue in collective redress.4

2 See Salgado, J.M. (2011). Tutela individual homogénea. Conflictos, derechos y pretensiones colectivas. Buenos Aires: Editorial Astrea, p. 40.

3 The Spanish Civil Procedure Act (Ley de Enjuiciamiento Civil) adopts this criterion to determine standing to bring collective actions for compensation, as will be seen below.

Another aspect worth highlighting concerns the res judicata effect of the judgment resolving the collective conflict. There are two models for determining the scope of that effect: opt-in, inclusive or voluntary participation, and opt-out, exclusion or exclusionary participation.

Under opt-in, the res judicata effect extends only to those members of the group who have voluntarily agreed to take part in the collective proceedings. Consequently, that will must be expressed at the moment the group is formed or through subsequent joinder and, in any event, before the final decision. Those who take part in the proceedings thereby waive the possibility of suing later, since they join their action to the one brought by the group representative. Whoever does not join the collective proceedings escapes its outcome (positive or negative), which in turn may be detrimental, since there is a risk of contradictory judgments arising from the same facts. Despite this, and despite the complexity involved in composing the claimant side, this model seems, in principle, appropriate, especially for homogeneous interests of a divisible nature, since identifying the persons who make up the claimant side makes it easier to determine the amount of compensation or to adopt interim measures.

Under the opt-out model, the judgment extends to all members of the group unless they expressly state their wish to be excluded from the action brought. Therefore, in order to be part of the proceedings, the persons involved are not required to do anything; on the contrary, despite their silence, they will be covered by the judgment, which, while it may have a deterrent effect in the community, may threaten the due process guarantee or the defence of such persons.

As regards the practical development of these actions, it is without doubt the so-called class actions of the United States, first regulated in 1942 by Federal Equity Rule 48, that have had the greatest influence and historical reach, becoming one of the most frequently used protection mechanisms in that country. Thus, lawsuits relating to the inadequate processing of personal data are brought mainly through these actions. In fact, defendants in this type of litigation show greater interest in its resolution than in other disputes.5

4 Examples proposed by Salgado, Tutela, cit., pp. 42-45. When referring to homogeneous individual conflicts, the author notes that this classification contains a second category according to the decision given to the conflict: with unity of decision (if the decision is general and covers the whole conflict, without individual exclusion) or with multiplicity of decisions (different decisions are given between the collective one and those adjudicated individually).

The particular features of class actions can be summarised as follows. First, regarding standing, claimants may bring them in defence of their own interests and the economic interests of a group or class of persons. It is even possible for the action to be brought by a third party with capacity to represent, as determined by the relevant judge. Consequently, a law firm or a specific lawyer could initiate a judicial action with representative character if it meets the requirements of Rule 23 (Federal Rule of Civil Procedure 23).

Likewise, even though each member of the class has not been individually identified in the declaratory proceedings, the judgment has res judicata effect for all its members (opt-out). Precisely for that reason, in certain matters, such as those relating to compensation for damage, individual notifications are required which, while they guarantee the rights of defence of those affected, demand significant investments of time and money. By contrast, in matters where the claim seeks cessation of the conduct, these notifications may be omitted while leaving the right of defence of those affected intact.

In this way, class actions, as described, seek to guarantee and prioritise access to justice. However, it is claimed that they have been used abusively because of the economic incentives that their exercise promotes: faced with the likelihood of obtaining a significant percentage of an award, certain lawyers sue, on their own account and on behalf of third parties, companies which, out of fear of reputational damage and a future award of compensation, prefer to reach financial settlements with their counterparty.

5 A study of US litigation concerning data processing in Romanosky, S., Hoffman, D., Acquisti, A. (2014). Empirical Analysis of Data Breach Litigation. Journal of Empirical Legal Studies, (11), pp. 74-104.


Figure 1. Countries that have adopted collective action procedures for one or more types of legal claim6

2. OVERVIEW OF COLLECTIVE ACTIONS IN THE EUROPEAN UNION

In the EU, collective actions have developed substantially in the field of consumer protection.7 Indeed, markets grow by leaps and bounds, transcend borders and often carry with them abusive commercial practices capable of causing collective harm. Although procedural avenues exist for the injured consumer to access justice and bring the relevant legal actions, practice has shown this to be costly, complex and slow. Hence, a consumer in such circumstances normally prefers to absorb the loss suffered rather than face all the costs of litigation.

6 This table is taken from Hensler, D., Hodges, C., Tzankova, I. (eds.) (2016). Class Actions in context: how culture, economics and politics shape collective litigation. Cheltenham: Edward Elgar, p. 5.

7 For further discussion see Montesinos García, A. (2014). Últimas tendencias en la Unión Europea sobre las acciones colectivas de consumo. La posible introducción de fórmulas ADR. REDUR, (12), pp. 87-112.


Thus, at European Union level, it has been considered appropriate to implement collective redress as a mechanism providing easy access to justice and protection of the rights of consumers and, in general, of groups of persons harmed by the violation of rights granted under Union law by one or more economic operators or other persons.8 In other words, the implementation of collective actions seeks to protect the interests of the persons who make up a given group and who have been affected by one and the same activity. It allows them to join together and adopt a single procedural position that overcomes the barriers of individual proceedings (costs, court fees, etc.). In this way, access to justice becomes less costly, more efficient and better guaranteed, since this route seeks to resolve a significant number of cases, avoiding a multiplicity of, or contradiction between, rulings in disputes arising from the same facts.

It should be made clear that there is no binding mechanism in the EU regulating collective claims for compensation for damage, unlike injunctions for the protection of consumers' interests under Directive 2009/22/EC.9 Collective actions for compensation therefore vary from State to State in aspects such as their reach, scope of application, legal capacity to bring them, etc.

However, the European Commission has taken an active role in this area and for more than a decade has adopted various legal instruments to ensure the proper use of collective redress, among them: the 2005 Green Paper on damages actions for breach of the Community antitrust rules;10 the 2008 White Paper, which included proposals on specific collective redress against practices contrary to competition rules;11 the 2008 Green Paper on consumer collective redress;12 the 2011 public consultation 'Towards a Coherent European Approach to Collective Redress';13 the 2013 Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, 'Towards a European Horizontal Framework for Collective Redress' (the Communication),14 accompanied by the Recommendation 'on common principles for injunctive and compensatory collective redress mechanisms in the Member States concerning violations of rights granted under Union Law' (the Recommendation). Likewise, the European Parliament published the Resolution 'Towards a Coherent European Approach to Collective Redress' of 2 February 2012.15

8 Commission Recommendation of 11 June 2013 on common principles for injunctive and compensatory collective redress mechanisms in the Member States concerning violations of rights granted under Union Law (2013/396/EU) (OJ L 201/60).

9 Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers' interests (OJEU L 110 of 1.05.2009).

10 COM (2005) 672 of 19.12.2005.

11 COM (2008) 165 of 2.4.2008.

12 COM (2008) 794 of 27.11.2008.

13 COM (2010) 135 final of 31.3.2010.

According to the Communication and Recommendation, collective redress is applicable to consumer protection and competition law, and also to the enforcement of rights granted under Union law in other fields, among them the protection of personal data, environmental protection, financial services regulation and investor protection. Also notable are the aims pursued through these instruments, in that they seek to facilitate access to justice, eradicate illegal practices and enable injured parties to obtain compensation for mass harm caused by infringement of rights granted under Union law, without prejudice to the safeguards needed to avoid abusive litigation.16 This is in view of a tendency to distrust the advisability of these actions on account of the abuses committed, especially in the United States.

2.1. Collective actions in EU Member States

To obtain a broad view of the development of collective actions in EU Member States, the study commissioned by the Commission in 2008 is illustrative.17 That study concludes that collective actions have brought added value to all Member States in which they have been implemented, depending on the type of claim concerned. This is due, among other things, to collective redress receiving greater media coverage than individual litigation.

14 COM (2013) 401 final.

15 [2011/2089 (INI)].

16 A critical analysis of the Communication and Recommendation in European Law Institute (ELI) (2014). Statement of the European Law Institute on Collective Redress and Competition Damages Claims, Vienna.

17 European Commission–DG SANCO (2008). Evaluation of the effectiveness and efficiency of collective redress mechanisms in the European Union, Final report – Part I: Main report. Retrieved 17.3.2017 from http://ec.europa.eu/consumers/archive/redress_cons/finalreportevaluation-studypart1-final2008-11-26.pdf


For the study period, roughly 1998 to 2008, 326 cases of collective redress relevant to consumers were documented. The largest number of cases took place in France, followed by Spain, Germany and Austria. The main economic sectors affected were financial services and telecommunications (see Figure 2 on the number of cases, country by country, in which the action was used).

It was additionally found that consumers do suffer harm (loss of welfare) in Member States that do not have collective redress. Economically, this loss was valued at 2.1 million euros per year.

In sum, and according to the report's conclusions, the introduction of effective collective redress mechanisms could bring benefits to consumers in Member States where they have not yet been established, as well as in countries where they already exist but require improvement.

Figure 2. Collective action cases in EU Member States18

2.2. Collective actions in Spain

In Spain, consumer and user associations bring collective actions in defence of the interests of consumers and users. Law 1/2000 of 7 January on Civil Procedure (Ley de Enjuiciamiento Civil, LEC),19 empowered these entities to bring collective actions for compensation for damage suffered by a broad group of persons. Before this statute, however, such entities brought collective actions for injunctions or cessation in various matters, such as unlawful advertising, unfair competition or unfair terms.20

18 Figure taken from European Commission – DG SANCO. Evaluation, cit., p. 7.

It should not be overlooked that the compensation for damage sought through the action benefits exclusively those who have the status of consumers or users.21 This restriction entails the following: on the one hand, the judge would have to investigate, case by case, whether all members of the class have the status of consumers or users, a task that is 'extraordinarily costly and practically unfeasible'.22 On the other, these actions are not applicable to collective harm not caused to consumers and users,23 so the possibility of applying the LEC by analogy to other situations would have to be considered.

Despite the above limitations, these actions are broader in other respects. For example, unlike class actions, they allow redress to be sought for any type of harm, whether material or non-material. Additionally, there is no set amount, neither minimum nor maximum, for bringing them.

On standing to defend the rights and interests of consumers and users, reference must be made to Article 11 of the LEC:24 legally constituted consumer and user associations have standing to defend in court the rights and interests of their members and those of the association, as well as the general interests of consumers and users, without prejudice to the individual standing of the injured parties (art. 11.1).

19 BOE no. 7, 8.1.2000.

20 On the regime of class actions in the LEC, Marín López, J. (2001). Las acciones de clase en el derecho español. InDret, (3). Retrieved 15.3.2017 from http://www.raco.cat/index.php/InDret/article/view/80689

21 Consumers and users are natural persons acting for a purpose outside their trade, business, craft or profession, as well as legal persons and entities without legal personality acting on a non-profit basis in a field outside a commercial or business activity (art. 3 of the TR-LGDCU. BOE no. 287, 30.11.2007).

22 See Marín. Las acciones, cit., p. 4.

23 Ibidem.

24 Article 11 of the LEC was amended by an additional provision under Law 3/2014 of 27 March, amending the consolidated text of the LGDCU. That amendment 'seeks to resolve the existing contradiction between consumer legislation and procedural legislation as to the entities that should be considered to have standing to bring an injunction and, in turn, to grant standing to the Public Prosecutor's Office to bring any action in defence of the diffuse and collective interests of consumers and users' (Part III of the Preamble to Law 3/2014).

Now, if those harmed by a damaging event are a group of consumers or users whose members are perfectly determined or easily determinable, standing to seek protection of these collective interests lies with: a) consumer and user associations; b) legally constituted entities whose purpose is their defence or protection; c) the groups of affected persons themselves (art. 11.2).

By contrast, if those harmed are an indeterminate or hard-to-determine plurality of consumers or users, standing to sue in defence of these diffuse interests lies exclusively with consumer and user associations that are representative under the Law25 (art. 11.3).

In this way, the aim is to protect both collective and diffuse interests. However, certain doubts arise as to proving the capacity to be a party, above all for the group of affected persons, since it only comes into being once the damaging event has occurred. Moreover, its members must be perfectly determined or easily determinable and, in order to sue, the group must be formed by a majority of those affected, which is not without problems.

Likewise, there is a lack of an adequate procedural channel that takes into account the implications of mass conflicts, given that 'the individualist conception with which the major procedural institutions were modelled, such as standing to sue and procedural substitution or the subjective scope of res judicata, among many others, is of no use to mass society. The LEC does not escape this traditional conception of civil proceedings as a matter between two parties, which also applies to collective interests'.26

In any event, as a result of the additional provision introduced into the article discussed, it is positive that the Public Prosecutor's Office also has standing to bring any action in defence of the interests of consumers and users (art. 11.5). Thus, that body can no longer only bring injunctions in defence of the collective and diffuse interests of consumers and users, but may now join those actions with actions for nullity and compensation.

25 Neither the LEC nor any other statute has established the requirements for representativeness.

26 See Varela García, C. (2014). Hacia un nuevo proceso civil colectivo en el ejercicio de las acciones en defensa de los derechos de los consumidores y usuarios. (Paper presented at the ADICAE conference 'Sin acción colectiva no hay justicia para los consumidores', 2 October 2014).


Finally, it should be noted that these actions have also proved useful for organisations seeking to defend consumers against unfair terms on data protection.27

3. COLLECTIVE ACTIONS IN THE DATA PROTECTION REGULATION

The General Data Protection Regulation,28 among its novelties, recognises the existence of collective actions. Although the text does not literally refer to 'collective actions', 'group actions' or 'class actions', it does grant standing to certain non-profit entities to represent the interests of those affected by the infringement of their right to the protection of personal data.

Such entities, on behalf of data subjects, may exercise the right to lodge a complaint with a supervisory authority, the right to an effective judicial remedy against a supervisory authority, the right to an effective judicial remedy against a controller or processor and, where Member State law so provides, the right to receive compensation. This follows from Article 80 on the 'representation of data subjects'. The following can also be established.

First, the capacity to bring a representative action appears restrictive.29 Indeed, the text confines such representation to non-profit bodies, organisations or associations properly constituted in accordance with the law of a Member State. At first sight, therefore, these representative entities must have been constituted before the damaging event, with the purpose of protecting data subjects' rights and freedoms regarding the protection of their personal data. Although each State is free to determine the requirements for constituting these entities, it is not clear whether ad hoc entities are admitted to exercise such representation. If that were possible, their accreditation by the national authorities of the Member State seems necessary, in light of the Commission Recommendation, which also considers it viable for representative actions to be brought by judicial bodies or, as a general alternative, by public authorities (points 4, 6 and 7).

27 See Kuschewsky, M. and Bael & Bellis, V. (eds.) (2012). Data Protection & Privacy: Jurisdictional Comparisons. London: Thomson Reuters, p. 557.

28 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119 of 4.5.2016).

29 'Representative action' means an 'action which is brought by a representative entity, an ad hoc certified entity or a public authority on behalf and in the name of two or more natural or legal persons who claim to be exposed to the risk of suffering harm or to have been harmed in a mass harm situation, where those persons are not parties to the proceedings' [3(b) of the Recommendation].

What does seem clear is that the text does not grant capacity to bring an action to groups formed by the affected persons themselves following the alleged harm. This is consistent with what the Commission understands by 'representative action' and with what it states about legal standing to bring a collective action. Indeed, the Commission considers that certain types of collective action, such as group actions, may be brought jointly by those who claim to have suffered harm. By contrast, for representative actions, legal standing to bring the action is limited to ad hoc certified entities, designated representative entities meeting certain legal criteria, or public authorities (Recitals 17 and 18).

Therefore, the collective action under the Regulation refers exclusively to the representative action, which excludes group actions. Thus, those who jointly claim to have suffered harm as a consequence of a loss caused by one and the same activity (mass harm) must bring individual actions to put an end to the dispute and to claim the corresponding compensation, a procedural route which, as noted, may be inefficient. Alternatively, the affected persons could mandate a non-profit body, organisation or association properly constituted in accordance with the law of a Member State to seek the defence of their interests.

Second, the representative's powers to act on behalf of data subjects are concentrated in the exercise of the following rights:

1) The right to lodge a complaint with a supervisory authority where the processing of personal data infringes the Regulation. The supervisory authority must inform the complainant of the progress and outcome of the complaint (art. 77 of the Regulation).

2) The right to an effective judicial remedy against a supervisory authority. This right allows actions to be brought against a legally binding decision of a supervisory authority; against that authority where it does not handle a complaint or, having handled it, does not inform the complainant within the relevant period; and where it does not inform the complainant of the outcome of the complaint (art. 78 of the Regulation).

3) The right to an effective judicial remedy against a controller or processor. If data subjects consider that their rights have been infringed as a consequence of the processing of their personal data, they or their representative may bring proceedings before the courts to seek protection of their rights (art. 79 of the Regulation).


4) The right to receive compensation, where Member State law so provides. If the Member State considers the collective action for damages viable, compensation may be claimed for material or non-material damage caused by infringement of the Regulation. Otherwise, if the Member State does not admit this collective action, each data subject must bring it individually. In that case, the collective action is reduced to the other rights mentioned (complaint to a supervisory authority; effective judicial remedy against a supervisory authority; and effective judicial remedy against a controller or processor).

It should be made clear that the rights listed in points 1, 2 and 3 may be exercised by the relevant non-profit body, organisation or association independently of a data subject's mandate, where the Member State concerned so provides (opt-out model). That is, each State is free to admit or not the exercise of these rights by the representative entities mentioned in the absence of such a mandate.

Third, and contrary to the above, non-profit bodies, organisations or associations are not authorised to claim compensation for damage suffered by data subjects without the latter's mandate (opt-in model). This suggests that Member States are not empowered to modify this prohibition. However, it is pertinent to recall the Commission's recommendation on compensatory collective redress, which states that 'the claimant party should be formed on the basis of express consent of the natural or legal persons claiming to have been harmed ("opt-in" principle). Any exception to this principle, by law or by court order, should be duly justified by reasons of sound administration of justice' (point 21).30

Therefore, interpreting the Regulation in light of the Recommendation, the approach taken to compensatory collective redress appears to be the following: opt-in applies as a general rule and opt-out as an exception. Although, it bears repeating, the possibility of making an exception to the rule is not so clear.

As regards the specific provision for collective actions in the field of data protection, the German and French laws stand out. Indeed, on the occasion of the entry into force of the Regulation, these countries have regulated the matter. On the one hand, in December 2015 Germany adopted the law that empowers consumer protection associations, chambers of commerce and other business associations to sue for any data privacy violation affecting consumers in certain fields (advertising, personal profiling, data trading, etc.). However, these bodies are only empowered to request cessation of the harmful conduct or erasure of data, and not to bring claims for damages.

30 For ELI, referring to the Recommendation, the Commission should review its considerations and take into account other experiences of EU Member States. Among these, the United Kingdom, the Netherlands, Portugal and Denmark, insofar as they apply an opt-out system as a general rule. Likewise, the experience of Belgium, where both opt-out and opt-in apply in a mixed system. See ELI, Statement, cit., pp. 42-46.

On the other hand, through the ‘French Law on the Modernisation of Justice in the 21st Century’ of 18 November 2016, a new framework for collective actions was established and matters relating to personal data protection were regulated. Similarly to the German legislation, the French law excluded the possibility of bringing collective actions for damages, allowing them solely to seek injunctive measures. It also empowered certain entities to bring them, among them trade unions representing their employees, duly registered associations (registered for no less than 5 years and whose statutory purpose is the protection of privacy and personal data) and consumer associations recognised and approved in accordance with the French Consumer Code, where the processing of personal data affects consumers.

4. PROS AND CONS

Collective actions may constitute a suitable procedural avenue for addressing today’s collective disputes, whether actions to obtain precautionary measures such as cessation actions, or actions for compensation for damage suffered. On the one hand, the possibility of grouping claims and bringing them collectively counters the reluctance of those affected to go to court individually, since it is often not worthwhile to seek protection of one’s rights for the abuses suffered, given the economic costs and the obstacles implicit in judicial proceedings. On the other hand, collective actions may benefit society as a whole by making the work of the judiciary more efficient, insofar as the individual resolution of identical cases gives way to their collective resolution, and insofar as contradictory judgments are avoided despite the homogeneity of the facts giving rise to them.

In addition, collective redress may prove efficient if one considers that potential defendants will be more diligent in their conduct, since a collective claim may amount to bad publicity for the defendant or damage to its name or reputation. For this reason, the latter will have a greater interest in resolving collective disputes and taking appropriate preventive measures.

From another point of view, encouraging collective litigation does not always produce the desired effects. It could even cause substantial harm by incentivising abusive activities by third parties.31 This is precisely what has been said of the US system, when it is claimed that, through class actions, some law firms and third-party litigation funders become representative entities acting in the name of the public but for their own benefit.

That being so, and although it seems a priority to avoid this type of abuse (frivolous claims and liability suits over pseudo-damage), as the European Commission has repeatedly pointed out, the following points should be made. First, the collective actions regulated in the EU and its Member States are not strictly comparable to US class actions; therefore, it is not appropriate to equate their effects either. Second, in the Member States where collective redress mechanisms have been implemented, such abuses have not been identified. Third, one must not lose sight of the fact that significant economic interests surround the matter, which raises the question of whether the discredit of the institution is not due to bad publicity against collective redress.32

Hence, the analysis of the development of these actions should consider, to a greater extent, the experience of European Union countries rather than the American one. This would facilitate the creation of adequate and coordinated legal conditions among Member States, capable of guaranteeing access to justice without disregarding the legal traditions and systems of each State.33

In light of the above, several questions must be raised. One concerns the fields in which collective redress is exercised. In this regard, the Recommendation has taken a great step by mentioning various fields, notably data protection. Another concerns the effects of the judgment depending on the model adopted: opt-out or opt-in. While the former entails excessive transaction and litigation costs, probably unacceptable for the EU,34 its implementation can guarantee access to justice. By contrast, adopting the opt-in model proposed by the Commission, although it may be a more cautious measure, may also be less efficient if the aim is to bind the greatest possible number of those affected. It is therefore a matter of finding the balance between the protection of absent members and their right of defence.

31 See Institute for Legal Reform (ILR) (2015). The EU’s Data Protection proposals open the door to abusive mass litigation. Retrieved 15.3.2017 from http://www.instituteforlegalreform.com/.

32 See Carballo Piñeiro, L. (2013). Recomendación de la Comisión Europea sobre los principios comunes aplicables a los mecanismos de recurso colectivo de cesación o de indemnización en los Estados miembros en caso de violación de los derechos reconocidos por el derecho de la Unión Europea (Estrasburgo, 11 de junio de 2013). Revista Española de Derecho Internacional, LXV(2), 395-399, at 397. The author notes that ‘companies seek to maximise profits and reduce liabilities; collective actions compel them to return what was unduly obtained, hence the radical opposition to them’.

33 In the Report from the Commission to the European Parliament and the Council (Brussels, 6.11.2012, COM(2012)) on the application of Directive 2009/22/EC of the European Parliament and of the Council on injunctions for the protection of consumers’ interests, such actions were considered a potentially useful tool for achieving that end. Nevertheless, it acknowledged their uneven effectiveness across Member States, given the differences in regulation under domestic law.

In the Regulation, collective redress for compensation follows the opt-in model, which, together with each State’s power to recognise the right to compensation through these actions and the clear examples of the German and French laws, makes it foreseeable that this action will not develop significantly, to the detriment of victims who suffer damage from the unlawful processing of their data. By contrast, for non-compensatory collective actions (cessation of activity, erasure of data, etc.) the opt-out model was adopted, binding on all those affected unless they expressly state otherwise.

Finally, as noted, the Regulation does not grant legal standing to bring an action to groups of affected persons formed after a harm has occurred. This limits access to justice, since nothing guarantees that in every case of unlawful data processing there will be ‘a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data’ to lodge a complaint on behalf of those affected (Art. 80 of the Regulation). This also works against the interests of the latter.

In conclusion, there is no doubt that mass production, the growth of cross-border relations and the need to strengthen economies ever further at the global level, among other factors, facilitate mass harm and injury to collective interests. Cross-cutting regulation of the matter is therefore required, providing suitable tools to protect the interests of those affected by such activities.

Meanwhile, matters such as Max Schrems v. Facebook35 (a claim joined by more than 100,000 people worldwide over the alleged and indiscriminate violation of data protection rules) or others aired in US courts through class actions against social networks or Internet search engines (Snapchat, Facebook and Google) give cause to reflect on the scope of current legal instruments and to consider the possibility of harmonising them even in contexts as dissimilar as today’s.

34 See Hodges, C. (2008). The Reform of class and representative actions in European legal systems: a new framework for collective redress in Europe. Oxford: Hart Publishing, p. 245.

35 To follow the matter step by step, see the page http://www.europe-v-facebook.org/EN/en.html

5. BIBLIOGRAPHY

Acosta Estevez, J.M. (1995). Tutela procesal de los consumidores. Barcelona: Bosch.

Bujosa Vadell, L. (2001). La protección de los consumidores y usuarios de la nueva Ley de Enjuiciamiento Civil. Revista jurídica de Catalunya, 100(4), 969-998.

Bujosa Vadell, L. (2007). La protección jurisdiccional de los intereses de grupo (colectivos y difusos): estado de la cuestión en España. In José Vicente Gimeno and María José Cabezudo (eds.), El Tribunal Supremo, su doctrina legal y el recurso de casación: estudios en homenaje al profesor Almagro Nosete (pp. 599-670). Madrid: Iustel.

Carballo Piñeiro, L. (2013). Recomendación de la Comisión Europea sobre los principios comunes aplicables a los mecanismos de recurso colectivo de cesación o de indemnización en los Estados miembros en caso de violación de los derechos reconocidos por el derecho de la Unión Europea (Estrasburgo, 11 de junio de 2013). Revista Española de Derecho Internacional, LXV(2), 395-399.

European Commission – DG SANCO (2008). Evaluation of the effectiveness and efficiency of collective redress mechanisms in the European Union – country report Spain.

European Commission – DG SANCO (2008). Evaluation of the effectiveness and efficiency of collective redress mechanisms in the European Union, Final report – Part I: Main report.

European Law Institute (ELI) (2014). Statement of the European Law Institute on Collective Redress and Competition Damages Claims. Vienna.

Hensler, D., Hodges, C., Tzankova, I. (ed.) (2016). Class Actions in context: how culture, economics and politics shape collective litigation. Cheltenham: Edward Elgar.

Hodges, C. (2008). The Reform of class and representative actions in European legal systems: a new framework for collective redress in Europe. Oxford: Hart Publishing.

Institute for Legal Reform (ILR) (2015). The EU’s Data Protection proposals open the door to abusive mass litigation.

Kuschewsky, M. and Van Bael & Bellis (eds.) (2012). Data Protection & Privacy: Jurisdictional Comparisons. London: Thomson Reuters.

Marín López, J. (2001). Las acciones de clase en el derecho español. InDret, (3).

Montesinos García, A. (2014). Últimas tendencias en la Unión Europea sobre las acciones colectivas de consumo. La posible introducción de fórmulas ADR. REDUR, (12), pp. 87-112.


Romanosky, S., Hoffman, D., Acquisti, A. (2014). Empirical Analysis of Data Breach Litigation. Journal of Empirical Legal Studies, (11), pp. 74-104.

Salgado, J.M. (2011). Tutela individual homogénea. Conflictos, derechos y pretensiones colectivas. Buenos Aires: Editorial Astrea.

Varela García, C. (2014). Hacia un nuevo proceso civil colectivo en el ejercicio de las acciones en defensa de los derechos de los consumidores y usuarios. (Paper presented at the ADICAE conference ‘Sin acción colectiva no hay justicia para los consumidores’, 2 October 2014).


COMERCIO ELECTRÓNICO Y MERCADO DIGITAL / E-COMMERCE & DIGITAL MARKET


16

THE EUROPEAN COMMISSION’S PRELIMINARY REPORT ON THE E-COMMERCE SECTOR INQUIRY: COMPETITION ENFORCEMENT IN DIGITAL CONTENT MARKETS

Konstantina Bania

European Broadcasting Union – Legal Counsel, Tilburg Law and Economics Center (Tilec) – Extramural Fellow

ABSTRACT: This paper1 discusses the European Commission’s Preliminary Report on the E-Commerce Sector Inquiry, focusing on digital content distribution. The objective is to provide a critical overview of the main findings of the Report regarding content licensing practices across the EU. To that end, the paper examines three types of practices identified by the Report as areas where competition issues may arise, namely bundling, exclusivity combined with long duration, and territorial restrictions. The Commission’s preliminary position is assessed against the outcome of competition interventions intended to alleviate similar concerns in broadcasting markets. The analysis draws on several examples that illustrate the drawbacks of antitrust policy (as designed and implemented by the Commission) and concludes that competition in digital content markets would benefit from cautious enforcement, taking due account of the specific conditions of the industry.

KEYWORDS: e-commerce, competition, digital content, exclusivity, territoriality.

1. INTRODUCTION

On 14 September, the European Commission published its preliminary report on the E-Commerce Sector Inquiry.2 Many undertakings were asked to answer questionnaires and provide contracts in the context of the inquiry, which focuses on the online sale of goods and digital services. The Commission is investigating, inter alia, whether rights holders impose terms on content providers that prevent them from offering their services cross-border. It follows on from the widely reported Karen Murphy case where the Court of Justice of the EU held that preventing a UK pub landlady from obtaining a Greek satellite decoder box was contrary to the EU rules on competition and free movement.3 The issues identified in the Report will not necessarily lead to lengthy investigations and infringement decisions. The Commission aims to consult the market and to consider whether there are any trends or patterns that need to be addressed to ensure competitive EU markets.

1 This paper builds upon the comments of the EBU on the Preliminary Report on the E-Commerce Sector Inquiry. The submissions to the public consultation are available at: http://ec.europa.eu/competition/antitrust/sector_inquiries_e_commerce.html I would like to thank all EBU Members as well as Dr. Richard Burnley, who contributed to earlier drafts with their valuable comments.

2 European Commission (2016). Staff Working Document, Preliminary Report on the E-commerce Sector Inquiry, SWD(2016) 312 final. Retrieved April 3rd 2017 from: http://ec.europa.eu/competition/antitrust/sector_inquiry_preliminary_report_en.pdf

The aim of this paper is to provide a critical overview of the main findings of the Report concerning content licensing practices. The analysis will focus on three different types of practices which are widespread across the EU and which the Commission identifies as practices that may distort competition. The practices in question relate to bundling of online content rights with rights for other transmission technologies, exclusivity combined with long duration, and licensing on a country-by-country basis. The assessment of the Commission’s findings will be made against the backdrop of older decisions that attempted to alleviate concerns arising from those same licensing practices. Taking stock of lessons learnt and paving the way forward, the piece concludes that competition in digital content markets would benefit from prudent enforcement that is driven by the specific conditions governing the industry.

2. BUNDLING OF RIGHTS

The Report notes that “a preliminary finding of the sector inquiry is that the scope of rights actually licensed to distribute digital content services tends to be broader than the minimum set of rights that would be necessary to provide online digital content services, and often encompasses other transmission and access technologies” [emphasis added].4 This statement implies that competition concerns arise in cases where rights for online content provision are licensed together with rights for other distribution technologies. In fact, the way the phrase is drafted seems to suggest that the Commission would be reluctant to exempt such licensing agreements under Article 101(3) TFEU on the grounds that they do not fulfil the “indispensability condition” laid down therein (the scope of licensed rights is “broader than the minimum set of rights that would be necessary” [emphasis added]).

Moreover, the Report notes that “public service broadcasters and commercial broadcasters tend to have a relatively high proportion of unrestricted transmission rights” [emphasis added].5 This suggests that, in a case involving a dominant firm, the Commission would adopt a restrictive approach to relevant licensing practices on the grounds that they produce exclusionary effects (acquiring rights for different transmission technologies would likely qualify as “bundling” and “exclusive dealing”,6 the effects of which are exacerbated by the wide scope of the rights involved).

3 CJEU, Joined cases C-403/08 and C-429/08, Football Association Premier League v QC Leisure and Karen Murphy v. Media Protection Services Limited [2011] ECR I-09083

4 Supra n. 2, paragraph 629

The Commission’s approach to “bundling” in this Report raises at least three issues. First, as already mentioned, the Report uses the term “bundling” to refer to licensing practices whereby rights for online transmission of content are licensed together with the rights for other transmission technologies.7 This definition of bundling is somewhat misleading in that licensing rights for different transmission technologies does not concern different content/types of services. More specifically, as the Commission Guidance on Article 102 TFEU lays down, bundling is “the offering of two distinct products sold jointly in fixed proportions”.8 The Guidance further explains that action under Article 102 TFEU would be justified if the bundled products belong to separate product markets.9

By stating that bundling rights for different transmission technologies is a practice that raises competition concerns, the Commission appears to assume that transmission via cable, satellite, online, etc. constitute distinct services, fulfilling different needs, thereby belonging to separate product markets. However, on numerous occasions, the Commission has not distinguished between terrestrial, satellite, cable and other means of transmission.10 For example, in Newscorp/BSkyB, it found that different distribution modes are part of the same product market for the retail distribution of content to consumers.11 In view of the above, it appears that the Report makes an assumption that may not reflect market reality.

5 Ibid., paragraph 656

6 See Communication from the Commission, Guidance on the Commission’s enforcement priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings [2009] OJ C 45/02, paragraphs 47 et seq. (on bundling) and 32 et seq. (on exclusive dealing)

7 Supra n. 2, paragraph 689

8 Supra n. 6, paragraph 48

9 Ibid., paragraphs 51 et seq.

10 See Commission decision of 27 May 1998 in Case IV/M.993 – Bertelsmann/Kirch/Premiere, paragraph 21; Commission decision of 2 April 2003 in Case COMP/M.2876 - Newscorp/Telepiù, paragraphs 40, 47; Commission decision of 18 July 2007 in Case COMP/M.4505 - SFR/Télé 2, paragraph 40; and Commission decision of 25 June 2008 in Case COMP/M.5121 - Newscorp/Premiere, paragraph 20

11 Commission decision of 21/12/2010 in Case No COMP/M.5932 – News Corp/BSkyB, paragraphs 103 et seq.


Second, the Report notes that “splitting up rights in order to allow a variety of digital content providers to offer their services by using different technologies may increase competition in digital content markets”.12 This implies that “unbundling” the rights would address the competition concerns that arise from licensing for several transmission technologies.

In a number of cases involving arrangements that concerned licensing of premium content, such as UEFA Champions League,13 German Football League14 and the English Football Association Premier League (FAPL),15 the Commission exempted the relevant agreements upon the condition that rights would be broken down into several packages that could only be acquired on the basis of a transparent and non-discriminatory procedure. However, intervention to unbundle rights has been far from a success story. For example, in FAPL, the football association was required to segment the rights for the 2004-2007 seasons into four packages of matches; all packages, however, were ultimately acquired by Sky.16 Similarly, in 2012, the German competition authority accepted DFL’s commitment to divide the rights into more than one package.17 Yet, this did not prevent Sky Deutschland from purchasing the exclusive rights to the Bundesliga for pay-TV, IPTV and mobile for the 2013-2017 seasons. Stricter remedies have also failed to stimulate competition. For example, because Sky acquired all of the Premier League packages for the 2004-2007 seasons during the Commission’s investigation, FAPL undertook to specify in the invitations to future tenders that no single operator would be entitled to acquire all of the live audiovisual packages (“no single buyer obligation”).18 The no single buyer obligation may have resulted in Setanta entering the market, but this was of little value. Sky won the rights to five of the six packages (the maximum available to a single bidder) whereas Setanta purchased the rights to the remaining package, “generally recognized to be the least attractive”.19 Moreover, Setanta did not manage to exert effective competitive constraints on Sky; in June 2009, it went into administration and its rights were awarded to ESPN, which concluded a wholesale deal with Sky for distribution of the package on Sky’s DSat platform.20 As a result, Setanta customers were ultimately forced to buy a Sky subscription.21 The above examples make clear that, despite what the Commission expects, unbundling rights does not “enhance the possibility for more broadcasters, including small and medium-sized companies, to obtain [premium sports] content”.22

12 See supra n. 2, paragraph 642

13 European Commission (2002, June). Commission welcomes UEFA’s new policy for selling the media rights to the Champions League, Press Release IP/02/806. Retrieved March 31st 2017 from: http://europa.eu/rapid/press-release_IP-02-806_en.htm?locale=it

14 Commission decision, Joint Selling of the Media Rights to the German Bundesliga (Case COMP/C-2/37.214) [2005] OJ L 134/46

15 Commission decision, Joint Selling of the Media Rights of the FA Premier League (Case COMP/C.2/38.173) [2006] OJ L 176/104

16 Ibid., paragraph 11

17 European Competition Network. Brief 02/2012, 6. Retrieved from: http://ec.europa.eu/competition/ecn/brief/02_2012/brief_02_2012.pdf

18 Ibid., paragraph 3.2.

Finally, it is important to note that Europeans consume content in many different ways. For example, they may watch a film on their TV sets or their tablets. As a result, “bundling” allows them to consume content using the hardware device and/or technology that best suits their needs. Without “bundling”, a consumer might be forced to pay for the same content more than once. The harm to consumer welfare that “unbundling” remedies may cause is illustrated by FAPL; following the acquisition by Setanta of one of the Premier League packages, consumers on Sky’s satellite platform had to purchase an additional subscription.23

3. EXCLUSIVITY COMBINED WITH LONG DURATION

The Commission is concerned about the fact that rights are licensed on an exclusive basis and for a long period of time. According to the Commission, such contractual relationships “are likely to make it more difficult for new players to enter the market, or for existing operators to expand their current commercial activities into e.g. other transmission means such as online, or to other geographical markets” [emphasis added].24

This is not the first time that the Commission expresses concern over the duration of exclusivity agreements for the acquisition of content rights on an exclusive basis. It is submitted, however, that there are valid arguments why the Commission should reconsider its restrictive approach to such arrangements. These arguments are put forward and explained below.

19 Ofcom (2009). Pay TV Phase Three Document: Proposed Remedies, paragraph 2.53. Retrieved April 1st 2017 from: http://stakeholders.ofcom.org.uk/binaries/consultations/third_paytv/summary/paytv_condoc.pdf

20 Ibid., paragraph 1.17, fn. 42

21 Ibid., paragraph 12.40

22 Commission decision, UEFA Champions League (Case COMP/C.2-37.398) [2003] OJ L 291/25, paragraph 171.

23 Supra n. 19, paragraph 1.86

24 See supra n. 2, paragraph 842 and p. 268

Long duration has a valid economic justification: purchasing the rights concerned requires a significant investment on behalf of the acquirer. For instance, for a high-cost drama series, the BBC pays the independent producer an average of GB £700k - £900k per hour.25 In Germany, Sky currently pays the Bundesliga a licence fee of € 485.7 million per season26 whereas in the UK, Premier League rights cost Sky GB £760m per year.27 Antitrust intervention that seeks to limit duration may reduce the incentive to effectively compete and/or innovate; this is a plausible scenario in cases where the acquirer has not managed to reap the benefits of the investment. Moreover, it arguably interferes with the involved firms’ freedom to conduct business28 (especially in this area where competition is “for the market” rather than “in the market”) in a disproportionate manner.

In taking its decisions the Commission has attempted to address concerns arising from exclusivity in three different ways: (a) by forcing the involved firms to unbundle the rights, (b) by forcing the involved firms to reduce the duration of the agreements under scrutiny, and/or (c) by imposing on the involved broadcasters the duty to sublicense. However, these three types of intervention fell short of stimulating competition.

I have already given examples that illustrate the ineffectiveness of “unbundling” remedies. I refer to Section 2 where I briefly examined the outcome of antitrust decisions that established the obligation to split rights into smaller packages. As discussed, this duty did not manage to boost competition.

25 BBC. Tariff Prices for Independents. Retrieved April 2nd 2017 from: http://www.bbc.co.uk/commissioning/tv/how-we-work/business-requirements/tariff-ranges.shtml

26 These fees cover the period from 2013 until 2016. See Briel, R. Sky Deutschland wins all live Bundesliga rights. 18 April 2012, Broadband TV News. Retrieved March 31st from: http://www.broadbandtvnews.com/2012/04/18/sky-deutschland-wins-live-bundesliga-rights/

27 As with the Bundesliga-Sky arrangements, these fees cover the period from 2013 until 2016. See Pearce, J. Premier League rights sold to BT and BSkyB for £3bn. 13 June 2012, the BBC. Retrieved March 31st from: http://www.bbc.com/news/business-18430036 Note that, compared against other costs incurred in the daily operations of a channel, including maintenance and insurance, creation or acquisition of programming is by far the broadcasters’ greatest expense. See, for instance, BBC (2003). Facts and Figures, 2. Retrieved March 31st from: http://stakeholders.ofcom.org.uk/binaries/consultations/psb/responses/mceihil_annex.pdf See also Herbert, U. Commercialising sport: Understanding the TV Rights debate. Speech delivered in Barcelona, 2 October 2003. Retrieved March 31st from: http://ec.europa.eu/competition/speeches/text/sp2003_024_en.pdf

28 Note that “freedom to conduct business” is enshrined in Article 16 of the Charter of Fundamental Rights of the EU [2000] OJ C 364/1


As regards the duty to reduce duration, it bears noting that an obligation whereby auctions for the content rights must be organized every x years is not sufficient to guarantee that the rights will be purchased by a different provider. Premium content is very expensive and antitrust intervention to limit the contract length does not necessarily mean that a smaller competitor will have the financial resources to successfully bid for the rights after the contract expires. For example, the decision dealing with the TV rights to the Premier League provides that related agreements shall be concluded for a period not exceeding three seasons.29 This, however, did not prevent Sky from successfully bidding for the rights in every single auction that was organized after the decision was adopted.30

Sublicensing remedies were poorly conceived and ineffectively implemented. This is illustrated through problems that arose as a result of vague and/or flawed definitions of what qualified as premium content. For example, in the case of Newscorp/Telepiù, the Commission did not include in the sublicensing scheme “basic packages” carrying several popular channels (e.g. MTV and Discovery) and US series (e.g. Desperate Housewives and Lost).31 Following the decision, Sky went on to sign a series of exclusive agreements with these basic package channels.32 As a result, this content, which, according to former IPTV provider Fastweb, was the main reason for becoming a pay-TV subscriber for 70% of the viewers,33 was not available to other pay-TV operators. This may go part way towards explaining why the Italian IPTV market collapsed a few years later. In the second half of 2012, Wind and Fastweb, finding themselves unable to create a sustainable customer base, closed their IPTV services.34 Other issues that have arisen in the implementation of sublicensing remedies relate to inadequate payment mechanisms that did not take account of market conditions, often leading to the rights holder charging monopoly prices.35

29 Commission decision Joint Selling of the Media Rights of the FA Premier League (FAPL), Case COMP/C.2/38.173 [2006] OJ L 176/104, paragraph 16

30 In fact, Sky Sports has been broadcasting the Premier League to UK TV viewing audiences since the launch of the league in 1992. See Harris, C. BSkyB Retains Majority of TV Rights to Premier League On UK TV For 2013-16. 13 June 2012, World Soccer Talk. Retrieved March 31st from: http://worldsoccertalk.com/2012/06/13/bskyb-retains-majority-of-tv-rights-to-premier-league-on-uk-tv-for-2013-16/ For recent developments see Williams, C. Virgin Media urges Ofcom crackdown on Premier League TV prices. 30 September 2014, The Telegraph. Retrieved March 31st from: http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/media/11131139/Virgin-Media-urges-Ofcom-crackdown-on-Premier-League-TV-prices.html

31 Ofcom (2009). Wholesale must-offer remedies: International examples, 9

32 Ibid., 14

33 Ibid.

34 Retrieved from: http://mavise.obs.coe.int/country?id=18

Finally, and perhaps more importantly, in relevant cases, the Commission attempted to justify its decision to limit exclusivity on the basis of the “refusal to supply” line of case law. However, we may raise strong doubts over whether the conditions set by that line of case law are met here. For example, as regards the requirement that the refusal to supply prevents the emergence of a “new product”,36 it bears noting that transmission of premium content and the resulting advertising revenues do not necessarily lead to the production and/or distribution of more original content. With respect to the requirement that there is no actual or potential substitute for the product,37 it would be a stretch to argue that premium content fulfils this criterion. For example, even if there is sports content with highly inelastic demand (e.g. Champions League finals), this does not mean that every popular sports event has such unique attributes that excludes other competitions as attractive alternatives. This is particularly so when there is more than one event that may achieve high viewing figures, reach an identifiable audience targeted by the same advertisers, etc.

All things considered, competition rules governing duration and exclusivity are not carved in stone. Put differently, the length of an exclusivity agreement for the acquisition of content rights must be assessed on a case-by-case basis. Factors to be taken into account in such an assessment include, for example, whether significant investment into an event or production is required on behalf of the licensee, including to raise brand awareness and build an audience over time; whether the content is a “must have” premium product; whether the contract includes all revenue models (e.g. FTA vs. pay); and (in relation to sports) how often the relevant event takes place. Depending on the assessment of such factors, a long duration of an exclusivity agreement for the purchase of content rights may be deemed “indispensable” to achieve the objectives pursued by the agreement concerned, in line with Article 101(3) TFEU.

35 For a comprehensive overview see supra n. 31

36 See, for instance, ECJ, Joined Cases C-241/91 P and C-242/91 P, Radio Telefis Eireann (RTE) and Independent Television Publications Ltd. v. Commission [1995] ECR I-743

37 ECJ, Case C-7/97, Oscar Bronner GmbH & Co. KG v Mediaprint Zeitungs- und Zeitschriftenverlag GmbH & Co. and others [1998] ECR I-7791, paragraph 41


4. TERRITORIAL RESTRICTIONS

As noted by the Report, digital content rights are normally licensed on a country-by-country basis.38 It is established case law that it is not anticompetitive to grant an exclusive territorial licence to a content provider.39 There are clear reasons for this, based on “specific market conditions” which the Commission has committed to carefully consider in its competition law assessments:40

4.1. Specific market conditions from the perspective of rights holders

As a rule, media markets have high entry barriers which are largely associated with highly uncertain consumer demand; there is little doubt that the success of a film or a series depends on viewer preferences that are not easy to predict. This is not just common sense, but an empirically verified hypothesis. For example, De Vany and Walls tested the assumption that the variance of the probability distribution of movie outcomes is infinite by developing a model that makes distribution conditional on a list of choice variables that may alter the location of the distribution’s probability mass.41 After applying their model to a sample of 2,015 movies, De Vany and Walls concluded that it is impossible to determine the parameters that make a movie successful. Factors such as release strategies, budget and aggressive marketing made no difference, since no pattern could be identified. The above characteristic renders the creation of media content a high-risk undertaking.

High entry barriers are further raised by the costs incurred in content creation; the production of attractive content requires significant investment in terms of funds, time, facilities and other resources.42 For most products it is considered that the socially optimal price equals marginal cost (this phenomenon is also known as allocative efficiency and it is believed to be one of the main benefits that competition delivers43). However, it would be difficult (if not impossible) to recoup program and film production and distribution costs on the basis of this parameter. Recovering these costs arguably stands in need of price differentiation,44 which is enabled through licensing on a country-by-country basis.45

38 Supra n. 2, paragraph 697

39 See Case 262/81, Coditel SA, Compagnie générale pour la diffusion de la télévision, and others v Ciné-Vog Films SA and others («Coditel II») EU:C:1982:334.

40 See, for instance, Commission Notice. Guidelines on Vertical Restraints. [2010] OJ C130/01, paragraph 125 and Communication from the Commission. Guidance on the Commission’s enforcement priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings [2009] OJ C 45/02, paragraph 13

41 De Vany, A. and W. David Walls (1999). Uncertainty in the Movie Industry: Does Star Power Reduce the Terror of the Box Office? Paper presented at the annual meeting of the American Economic Association, New York, January 1999. Retrieved March 30th 2017 from: http://pages.stern.nyu.edu/~wgreene/entertainmentandmedia/Devany&Walls.pdf

42 For an overview of entry barriers see Bania, K. (2015). The Role of Media Pluralism in the Enforcement of EU Competition Law, 60-62. Florence: European University Institute (monograph forthcoming 2017)

The above characteristics are arguably valid justifications for licensing on a territorial basis. Engaging in price differentiation enables producers and distributors alike to design a distribution strategy whereby financing requirements to create content are balanced with heterogeneous viewer needs and evolving audience expectations.46

4.2. Specific market conditions from the perspective of licensees

Most respondents to the Commission’s Inquiry stated that the cost involved in purchasing content for other territories is excessive. In fact, this is the most important reason why a digital content provider would decide not to make its services accessible in Member States other than those in which it currently operates.47 The cost of a pan-European or multiple territory right would be prohibitive for most content providers.

An estimation of potential audience may be made, but in general if content providers wish to offer their services in a neighbouring country, they must acquire the rights for that entire territory. In addition, the provider must pay all the other costs associated with doing business in a new territory, including libel law issues, consumer provisions, and customer service.48 It goes without saying that only a few global conglomerates have the financial resources to purchase rights for multiple territories or the whole of the EU. Put differently, any obligation on content providers to offer their content on a multiple-territory or pan-European scale would likely harm rather than benefit competition in European markets.

43 See Whish, R. and David Bailey (2012). Competition Law (7th edition), 4-5. Oxford: OUP

44 For an overview of the impact of price discrimination on consumer welfare in audiovisual markets see Langus G., Damien Neven and Sophie Poukens (2014). Economic Analysis of the Territoriality of the Making Available Right in the EU, 87-88. Retrieved March 30th from: http://ec.europa.eu/internal_market/copyright/docs/studies/1403_study1_en.pdf

45 For an illustrative overview of these issues see BBC (2016). Comments on the European Commission’s Preliminary Report on the E-Commerce Sector Inquiry, 2-4. Retrieved from: http://ec.europa.eu/competition/antitrust/e_commerce_files/bbc_en.pdf

46 See supra n. 2, paragraph 742. As the Commission outlines, an absence of vertical restraints, including exclusive distribution arrangements, “can lead to a sub-optimal level of investment and sales”. See Commission Notice, Guidelines on Vertical Restraints [2010] OJ C130/01, paragraph 107(d) and (h)

47 Supra n. 2, Table C.6.

48 Ibid.

For the above reasons, it is submitted that content providers should continue to be able to decide for themselves whether to make their services accessible on a cross-border basis.49 The Report seems to acknowledge the importance of the territorial selling of rights, emphasising in addition to some of the above concerns, cultural traditions (which render consumer preferences heterogeneous across the EU), linguistic barriers (and the costs that a digital content provider would need to incur to overcome them), and regulatory differences.50 Indeed, the Commission has long acknowledged such specificities: linguistic, regulatory and cultural differences have traditionally determined the definition of the relevant geographic market in antitrust and merger cases affecting media markets.51 It is submitted that if territorial exclusivity were lost, there would be no incentive for licensees to offer lower prices in markets of less demand, harming smaller providers (including new entrants) and reducing consumer access to content in a way that is adapted to the local audience.

5. CONCLUSIONS

This paper attempted to provide a critical overview of the main findings of the Commission’s Preliminary Report on the E-Commerce Sector Inquiry, focusing on digital content distribution. Given the actual and potential contribution of the sector to the European economy, the design of a forward-looking antitrust policy is of utmost importance; competition enforcement plays a crucial role in promoting innovation, whilst ensuring that consumers reap the benefits of the Information Society, including a wide variety of high quality content at low prices.

49 For more information on the adverse effects of breaking down the territorial exploitation of rights on competition, innovation and the European consumer see, for instance, Oxera and O&O (2016). The impact of cross-border access to audiovisual content on EU consumers. Retrieved from: http://www.oxera.com/getmedia/5c575114-e2de-4387-a2de-1ca64d793b19/Cross-border-report-(final).pdf.aspx  

50 Supra n. 2, p. 227

51 This has been established since the early years of the Commission’s decisional practice. See, for instance, Commission decision, MSG Media Service (footnote 5), paragraph 46, and Commission Decision 96/346/EC, RTL/Veronica/Endemol, OJ L 134, 5.6.1996, p. 32, paragraph 25.


Based on statements made throughout the Report, it would appear that some preliminary assumptions regarding the approach with which the Commission may address concerns arising from certain licensing practices that are prevalent across the EU are not well-grounded. I reached this conclusion by examining the Commission’s remarks against the outcome of antitrust intervention that took place in the past to resolve similar or identical issues as well as against the characteristics of the affected markets. For example, with respect to bundling, contrary to the Commission’s expectations, splitting up rights did not enhance competition; to the contrary, it led to higher prices for licensees and consumers alike. Similarly, remedies to reduce the length of licensing agreements and/or to reduce the scope of exclusivity by imposing sublicensing obligations, have not been particularly successful. Finally, with respect to territoriality, right holders and licensees alike have traditionally been allowed to exploit content on a country-by-country basis. Were the “territoriality” model to be undermined, right holders would be deprived of the ability to design optimal distribution for each territory and, by extension, to recover costs incurred in content creation. Downstream distribution markets would also arguably suffer in that only a handful of service providers would be able to acquire a pan-European right. In view of the above, competition in digital content markets would benefit from prudent enforcement, taking due account of the specific conditions of the industry.

6. BIBLIOGRAPHY

Bania, K. (2015). The Role of Media Pluralism in the Enforcement of EU Competition Law. Florence: European University Institute.

BBC (2003). Facts and Figures.

BBC (2016). Comments on the European Commission’s Preliminary Report on the E-Commerce Sector Inquiry. Retrieved from: http://ec.europa.eu/competition/antitrust/e_commerce_files/bbc_en.pdf

BBC. Tariff Prices for Independents.

Briel, R. Sky Deutschland wins all live Bundesliga rights. 18 April 2012, Broadband TV News.

Charter of Fundamental Rights of the European Union [2000] OJ C 364/1.

Commission decision, Joint Selling of the Media Rights of the FA Premier League (Case COMP/C.2/38.173) [2006] OJ L 176/104.

Commission decision, Joint Selling of the Media Rights to the German Bundesliga (Case COMP/C-2/37.214) [2005] OJ L 134/46.

Commission decision, UEFA Champions League (Case COMP/C.2-37.398) [2003] OJ L 291/25.

Commission decision 96/346/EC, RTL/Veronica/Endemol, OJ L 134, 5.6.1996.


Commission decision of 18 July 2007 in Case COMP/M.4505 - SFR/Télé 2.

Commission decision of 21/12/2010 in Case No COMP/M.5932 – News Corp/ BskyB.

Commission decision of 25 June 2008 in Case COMP/M.5121 - Newscorp/Premiere.

Commission decision of 27 May 1998 in Case IV/M.993 – Bertelsmann/Kirch/Premiere.

Commission decision of 2 April 2003 in Case COMP/M.2876 - Newscorp/Telepiù.

Commission Notice. Guidelines on Vertical Restraints. [2010] OJ C130/01.

Communication from the Commission. Guidance on the Commission’s enforcement priorities in applying Article 82 of the EC Treaty to abusive exclusionary conduct by dominant undertakings [2009] OJ C 45/02.

Court of Justice of the European Union. Joined cases C-403/08 and C-429/08, Football Association Premier League v QC Leisure and Karen Murphy v. Media Protection Services Limited [2011] ECR I-09083.

De Vany, A. and W. David Walls (1999). Uncertainty in the Movie Industry: Does Star Power Reduce the Terror of the Box Office? Paper presented at the annual meeting of the American Economic Association, New York, January 1999.

European Commission (2002, June). Commission welcomes UEFA’s new policy for selling the media rights to the Champions League, Press Release IP/02/806.

European Commission (2016). Staff Working Document, Preliminary Report on the E-commerce Sector Inquiry, SWD(2016) 312 final.

European Competition Network. Brief 02/2012. Retrieved from: http://ec.europa.eu/competition/ecn/brief/02_2012/brief_02_2012.pdf

European Court of Justice. Case 262/81, Coditel SA, Compagnie générale pour la diffusion de la télévision, and others v Ciné-Vog Films SA and others («Coditel II») EU:C:1982:334.

European Court of Justice. Case C-7/97, Oscar Bronner GmbH & Co. KG v Mediaprint Zeitungs- und Zeitschriftenverlag GmbH & Co. and others [1998] ECR I-7791.

European Court of Justice. Joined Cases C-241/91 P and C-242/91 P, Radio Telefis Eireann (RTE) and Independent Television Publications Ltd. v. Commission [1995] ECR I-743.

Harris, C. BSkyB Retains Majority of TV Rights to Premier League On UK TV For 2013-16. 13 June 2012, World Soccer Talk.


Herbert, U. Commercialising sport: Understanding the TV Rights debate. Speech delivered in Barcelona, 2 October 2003.

Langus G., Damien Neven and Sophie Poukens (2014). Economic Analysis of the Territoriality of the Making Available Right in the EU.

Ofcom (2009). Pay TV Phase Three Document: Proposed Remedies.

Ofcom (2009). Wholesale must-offer remedies: International examples.

Oxera and O&O (2016). The impact of cross-border access to audiovisual content on EU consumers.

Pearce, J. Premier League rights sold to BT and BSkyB for £3bn. 13 June 2012, the BBC.

Whish, R. and David Bailey (2012). Competition Law (7th edition). Oxford: OUP.

Williams, C. Virgin Media urges Ofcom crackdown on Premier League TV prices. 30 September 2014, The Telegraph.


17

THE IMMEDIATE SUPPLY OF INFORMATION (SUMINISTRO INMEDIATO DE INFORMACIÓN) IN VALUE ADDED TAX

Ana María Delgado García

Professor of Financial and Tax Law

Universitat Oberta de Catalunya

Rafael Oliver Cuello

Professor of Law

ESERP Business School

ABSTRACT: The Immediate Supply of Information (Suministro Inmediato de Información) is the new management system for value added tax, which represents a major advance in electronic administration in the tax field, as well as an intensification of the use of information technologies in the relationship between the tax administration and the taxpayer. This new VAT management system involves keeping the record books through the electronic office (sede electrónica) of the Agencia Estatal de Administración Tributaria, by means of the practically immediate supply of invoicing records. Taxpayers must send the details of their invoicing to the tax administration electronically, and with this information the tax record books are built up in near real time. The introduction of this new tax management system pursues two objectives. On the one hand, strengthening assistance to the taxpayer, by providing a set of tax data in a first phase and a draft tax return in a second phase. On the other hand, greater and more efficient tax control, by having quality information available within a very short time.

KEYWORDS: value added tax, Immediate Supply of Information, invoicing, tax record books, electronic administration.

1. INTRODUCTION

The Immediate Supply of Information (SII) is the new VAT management system, which represents a major advance in electronic administration in the tax field, as well as an intensification of the use of information technologies in the relationship between the tax administration and the taxpayer.

This new VAT management system involves keeping the record books through the electronic office of the AEAT, by means of the practically immediate supply of invoicing records. Taxpayers must send the details of their invoicing to the tax administration electronically, and with this information the tax record books are built up in near real time.


Taxable persons covered by the SII are obliged to keep, through the electronic office of the AEAT and by means of the electronic supply of invoicing records, the record books of invoices issued, invoices received, investment goods and certain intra-Community transactions.

This information is sent electronically, specifically through web services based on the exchange of XML messages. Each submission has a common header with the information on the holder of each record book, as well as the financial year and period in which the transactions are recorded. This header is accompanied by a block with the content of the invoices.

It is important to clarify that this new VAT management system does not establish an obligation to send invoices to the AEAT; what must be submitted are the fields of the invoicing records specified in Order HFP/417/2017 of 12 May, which regulates the regulatory and technical specifications that develop the keeping of the VAT record books through the electronic office of the AEAT.

As for the rules applicable to this new VAT management system, it must be borne in mind, first, that Law 34/2015 of 21 September, amending the Ley General Tributaria (General Tax Law), introduced changes to art. 29, on formal tax obligations, providing in its third paragraph, in relation to record books, that the obligation to keep them by electronic means could be regulated by regulation. Likewise, art. 200 was amended to classify as a tax infringement the delay in fulfilling the obligation to keep and supply the record books through the electronic office of the AEAT. According to the twelfth final provision (DF 12ª) of the LGT, both provisions entered into force on 1 January 2017.

The regulatory development of the SII is contained mainly in Royal Decree 596/2016 of 2 December, for the modernisation, improvement and promotion of the use of electronic means in the management of value added tax.

Also applicable are the Resolution of 13 March 2017 of the Directorate General of the AEAT, approving the standardised document for accrediting the representation of third parties in the procedure for the electronic supply of invoicing records through the electronic office of the AEAT, and Order HFP/417/2017 of 12 May, which regulates the regulatory and technical specifications that develop the keeping of the VAT record books through the electronic office of the AEAT.

Finally, Royal Decree 529/2017 of 26 May, amending the Value Added Tax Regulation approved by Royal Decree 1624/1992 of 29 December, must also be taken into account.


2. OBJECTIVES OF THE NEW MANAGEMENT SYSTEM

The introduction of this new tax management system pursues two objectives. On the one hand, strengthening assistance to the taxpayer, by providing a set of tax data in a first phase and a draft tax return in a second phase. On the other hand, greater and more efficient tax control, by having quality information available within a very short time.

RD 596/2016 refers to a third reason: adaptation to the development of new technologies. Thus, the preamble of that rule states that the keeping of the various record books has undergone a profound transformation from the moment the obligation was first established until today, in line with the development of new technologies, the progress in the use of electronic means by Spanish businesses and the gradual implementation of electronic invoicing. As a result, the number of businesses and professionals who do not use electronic or computerised means to keep their record books is now marginal.

In this regard, the preamble states that “it seems reasonable to think that the substantial progress made in the use of new technologies for keeping record books makes it possible to transform the system for keeping them into a more modern system that brings the moment of recording or accounting for invoices closer to the moment when the underlying economic transaction actually takes place”.

However, in our view, the main objective of the SII is tax control. It is clear that the obligation to provide immediate information to the AEAT is intended to allow the tax administration to carry out a more thorough check of the accuracy of the self-assessments filed, so as to prevent tax fraud by ensuring that the VAT accrued is actually declared in the period in which the taxable event took place.

The preamble of RD 596/2016 refers to this fundamental objective of the SII, stating that the control and prevention of tax fraud are priority objectives of the AEAT, and that to this end sufficient, quality information must be available and obtained as promptly as possible. Nevertheless, the rule states that “there must be a proper balance between obtaining the information essential for the adequate conduct of verification and investigation activities and the indirect costs that supplying it entails for taxpayers”. In this sense, this new system for keeping the record books in the electronic office “will not only facilitate the fight against tax fraud, but will also improve the quality of the data and the correct application of accounting practices, as well as bringing cost savings and greater efficiency for the benefit of all economic agents”.

In addition to this objective of tax control, the previously mentioned objective of strengthening assistance to the taxpayer should not be forgotten, by providing a set of tax data in a first phase and a draft tax return in a second phase. The preamble of the rule also refers to this objective, stating that “the information obtained through the electronic supply of invoicing records will be made available to those businesses and professionals with whom the persons and entities that keep their record books through the electronic office, either compulsorily or after exercising the option, have carried out transactions, constituting a tool to assist taxpayers in preparing their value added tax returns”.

From the taxpayer’s point of view, the SII will undoubtedly entail a considerable increase in indirect costs, especially at first, as it requires an effort to adapt to the new rules. Time will tell whether, as the preamble of RD 596/2016 proclaims, there has been a “proper balance between obtaining the information essential for the adequate conduct of verification and investigation activities and the indirect costs that supplying it entails for taxpayers”.

Apart from these drawbacks for the taxpayer, there are also some advantages, such as the aforementioned strengthening of tax assistance. This consists mainly of obtaining tax data, since the taxpayer will have available in the electronic office of the AEAT a “declared” record book and a “cross-checked” one, built from comparison information coming from third parties that belong to the group covered by this system or from the AEAT database. Taxpayers will be able to check this information before the deadline for filing their monthly VAT return. The taxpayer will also be able to correct errors made in submissions without having to be required to do so by the AEAT.

Other advantages of the SII for the taxpayer are, on the one hand, that quality information will be available within a short enough time to speed up the VAT management system and, on the other hand, fewer information requests from the AEAT, since many current requests are aimed at obtaining the record books, the invoices or the data they contain in order to verify certain transactions.

Further advantages of the new SII for taxpayers include the modernisation and standardisation of the way the traditional VAT record books are kept; the reduction of certain formal obligations, by removing the obligation to file forms 347, 340 and 390; shorter refund periods, since the AEAT has information in near real time and in greater detail on transactions; and, finally, that taxpayers included in the new system will have the deadlines for filing and paying their periodic VAT self-assessments extended by ten days.


3. PERSONAL SCOPE

Under arts. 62.6 and 71.3.5 RIVA, the SII is mandatory for businesses, professionals and other taxable persons whose settlement period coincides with the calendar month: large companies (turnover above 6,010,121.04 euros in the previous year), VAT groups and those registered in the REDEME (monthly VAT refund register).

It may also be used voluntarily by those who exercise the option through the corresponding census declaration, in which case their return period becomes monthly.

For large companies, correctly determining the volume of transactions at 31 December is of great importance. The figure should therefore be calculated properly in the first days of each year, without waiting for the filing date of the self-assessment for the last period of the previous year.¹

Regarding the personal scope of the SII, it should be noted that RD 596/2016 did not exclude from its scope taxable persons applying the simplified special VAT regime; in other words, it was understood that these taxable persons could opt into the SII. This possibility made little sense, given the particular nature of the special regime and the changes due from 2018, such as the reduction of the income and expense thresholds for falling within the objective scope of the special regime.

Accordingly, RD 529/2017 of 26 May, amending the RIVA, adds a fifth transitional provision to that regulation governing the option to keep the register books through the AEAT electronic office for taxable persons under the simplified regime for 2017. Thus, "notwithstanding articles 62.6 and 68 bis RIVA, taxable persons under the simplified regime may not opt to keep the register books through the AEAT electronic office, with effect for 2017".

Consequently, taxable persons covered exclusively by the simplified special regime in 2017 cannot opt into the SII. As currently worded, however, they will be able to do so for 2018 unless a new exception is enacted before the end of 2017.

¹ As Longás rightly points out, since the information must be submitted within four calendar days of the invoice being issued, a business or professional in doubt about the previous year's volume of transactions must calculate it in the first days of the calendar year, with respect to the invoices to be issued on those dates, because if it falls below the figure set in art. 121 LIVA it should not supply the information unless it joins the SII voluntarily. Longás Lafuente, A. (2017). Suministro Inmediato de Información en la gestión de los libros del IVA (I). Revista de Contabilidad y Tributación (408), 52.

EL SUMINISTRO INMEDIATO DE INFORMACIÓN EN EL IMPUESTO SOBRE EL VALOR... [The Immediate Supply of Information in Value Added Tax...]

A further question is what happens to taxable persons not established in the territory where the tax applies. Here it should be recalled that businesses, professionals or taxable persons not established in that territory who are obliged to file monthly self-assessments will be obliged to keep the VAT register books through the AEAT electronic office. It is not clear, however, whether this obligation covers all of the transactions of non-established businesses and professionals or only those located in the territory where the tax applies.²

It is also worth considering taxable persons under the special regime for agriculture, livestock and fisheries. Those carrying out exclusively activities under this special regime need only keep the register book corresponding to it, and no information on that book is to be supplied through the SII, since art. 62.6 RIVA refers only to the register books listed in art. 47.2 RIVA. These businesses therefore cannot join the SII, which is logical, since the aim is to simplify tax management for taxable persons applying this special regime.

Something similar happens with taxable persons under the equivalence surcharge regime, who are not obliged to keep VAT register books. A taxable person carrying out exclusively activities under the equivalence surcharge special regime therefore cannot join the SII, for the same reason as in the case of the special regime for agriculture, livestock and fisheries: simplification of tax management.

Taxable persons carrying out exclusively exempt or non-taxable activities fall outside the personal scope of the SII where no right of deduction is granted under arts. 92 and 94 LIVA, since they do not have to file VAT self-assessments. By contrast, businesses or professionals carrying out exclusively exempt activities or transactions that do give rise to a right of deduction (such as exports or intra-Community supplies of goods) are obliged to file VAT self-assessments and so fall within the personal scope of the SII: they may be obliged to supply register-book information through the AEAT electronic office (if they fall within one of the cases provided for) or may join the system voluntarily.

² In Longás's view, the question is to what extent the national legislator can impose an obligation affecting the whole of the economic activity of a non-established taxable person. The anti-fraud purpose of the SII, which would lead to a general duty to supply, here collides with territorial tax jurisdiction, which dictates that the obligation be limited to transactions located in the territory where the tax applies; the latter should be the expected conclusion, without prejudice to the cooperation procedures that may exist between EU Member States for businesses established in another Member State. Longás Lafuente, A. (2017). Suministro Inmediato de Información en la gestión de los libros del IVA (I). Revista de Contabilidad y Tributación (408), 55-56.

Finally, as regards businesses or professionals starting an economic activity subject to the tax, in the year in which the activity begins only taxable persons with a monthly settlement period will be obliged to supply register-book information through the AEAT electronic office. In the first year of activity, taxable persons who would have to apply the system solely on account of their volume of transactions are in principle excluded from the obligation, since in the first year that figure (the previous year's turnover) does not exist. Businesses or professionals joining the monthly refund scheme will apply the SII, as will those who voluntarily choose to join it by exercising the option when filing the declaration of commencement of activity; in that case the option takes effect in the current calendar year.

4. THE OPTION TO KEEP THE REGISTER BOOKS ELECTRONICALLY

Under art. 68 bis RIVA and the first transitional provision of RD 596/2016, the option to keep the register books electronically through the AEAT electronic office must be exercised during the month of November preceding the start of the calendar year in which it is to take effect, by filing the corresponding census declaration (form 036), or when filing the declaration of commencement of activity, in which case it takes effect in the current calendar year.

The option to apply the SII from 1 July 2017 must be exercised during June. The option is deemed extended for subsequent years until it is waived, and the SII obligations must be met at least for the year in which the option is exercised.

The waiver must be made by filing a census declaration (form 036) in the November preceding the start of the calendar year in which it is to take effect. Exclusion from the REDEME entails exclusion from the SII with effect from the first day of the settlement period in which the exclusion decision is notified, unless the settlement period remains monthly.

Leaving the special regime for groups of entities entails leaving the SII with effect from that moment, unless the settlement period remains monthly.


As noted, the taxable persons obliged to apply the new SII from 1 July 2017 include those (whether large companies or not) who file their VAT self-assessments monthly because they are registered in the REDEME, as well as taxable persons applying the special regime for groups of entities. Since the publication of RD 596/2016, the tax administration had been indicating that an extraordinary window would be opened for deregistering from the REDEME and for waiving the special regime for groups of entities.

Once Order HFP/417/2017 of 12 May, amending census declaration forms 036 and 037, had been published, a window had to be opened before the SII came into force in which to exercise those options (they are exercised on form 036). RD 529/2017 of 26 May, amending the RIVA, regulates both options by adding a fourth transitional provision to the RIVA, entitled "Extraordinary deregistration from the monthly refund register and extraordinary waiver of the special regime for groups of entities during 2017".

Thus taxable persons registered in the REDEME regulated in art. 30 RIVA may request voluntary deregistration from it, filing the request up to and including 15 June 2017, with effect from 1 July 2017.

Entities applying the special regime for groups of entities regulated in chapter IX of title IX of the LIVA may waive it, filing the waiver by 15 June 2017, with effect from 1 July 2017. Within the same period, entities under the special regime for groups of entities may request deregistration from the REDEME; the request is filed by the parent entity and must cover all the entities of the group that apply the special regime.

5. CONTENT OF THE INFORMATION TO BE SUPPLIED

As established in arts. 62.6, 63.3 and 64.4 RIVA, entities included in the SII must include certain additional information beyond that required for the traditional register books.

For the register book of invoices issued: the type of invoice (full or simplified, invoices issued by third parties and receipts under the special regime for agriculture, livestock and fisheries, among others); identification of register corrections; description of the transaction; corrective invoices (identification as such, reference to the invoice corrected or the details modified); replacement invoices (reference to the invoices replaced or the details replaced); invoicing by the recipient; reverse charge; special regimes (travel agencies, second-hand goods, cash basis, groups of entities, investment gold); settlement period of the transactions; indication of non-taxable or exempt transactions; AEAT invoicing agreement, where applicable; and any other information of tax relevance determined by ministerial order.


For the register book of invoices received: the receipt number is replaced by the invoice number and series; identification of register corrections; description of the transaction; invoicing by the recipient; reverse charge; intra-Community acquisition of goods; special regimes (travel agencies, second-hand goods, cash basis, groups of entities); deductible tax for the settlement period; settlement period in which the transactions are recorded; accounting date and customs document number (DUA) for imports; and any other information of tax relevance determined by ministerial order.

The electronic supply of invoicing records is made through the AEAT electronic office, either via a web service or via an electronic form, in accordance with the record fields approved in the corresponding ministerial order.

Here account must be taken of Order HFP/417/2017 of 12 May, which lays down the regulatory and technical specifications for keeping the VAT register books through the AEAT electronic office. The purpose of this ministerial order is to develop the changes needed to implement RD 596/2016 correctly. It thus develops the record fields to be reported in the VAT register books and the way in which they are to be supplied through the AEAT electronic office.

As to the content of the register books of invoices issued, the order sets out the types of invoice record: full, simplified, corrective, issued in replacement of simplified invoices, or summary entry. It also specifies which of the tax-relevant transactions previously reported on forms 347 or 340 must be identified: invoicing by travel agencies under the fourth additional provision of the Regulation on invoicing obligations, leases of business premises, collections of professional fees on behalf of third parties, amounts received on transfers of real estate subject to VAT, cash amounts received exceeding 6,000 euros per year, and transactions of insurance entities for which no invoice is issued. The last two are reported annually.

As to the content of the register books of invoices received, the order sets out the types of invoice record: full, simplified, summary entry, customs document (DUA) and accounting vouchers. Identifying a received invoice as corrective or as replacing simplified invoices is optional for the recipient. It likewise specifies which of the tax-relevant transactions previously reported on forms 347 or 340 must be identified: leases of business premises, acquisitions of goods or services by public bodies outside any business or professional activity, purchases by travel agencies invoicing under the fourth additional provision of the Regulation on invoicing obligations, and transactions of insurance entities for which no invoice is issued. The last two are reported annually.


Annex I of Order HFP/417/2017 sets out the record fields to be reported, in line with the order itself and with arts. 63 to 66 RIVA. The format and design of the electronic messages to be sent must conform to the fields in Annex I, and their format and layout are those published on the AEAT electronic office.

Finally, as to the submission procedure, Order HFP/417/2017 provides that it may be carried out via web services based on the exchange of XML messages. Each message may contain a maximum number of invoicing records per submission, as defined on the AEAT electronic office; at present the maximum is 10,000 records per submission, with no limit on the number of submissions. Submissions through this channel can only be made with an electronic certificate.

Information may also be supplied via the web form, which allows invoicing records to be submitted individually. Here submissions may be made with an electronic certificate or, where applicable, with clave PIN (for a natural person who holds the book or is an authorised representative).

It should also be noted that RD 596/2016 provides that simplified invoices, whether issued or received, may be grouped, provided they meet certain requirements, and the invoicing records of the corresponding summary entry sent instead.

Lastly, regarding the content of the information to be supplied, it should not be forgotten that the AEAT will offer cross-check data for the invoicing records submitted, making available to the taxpayer the information obtained from those customers and suppliers that apply the SII. In this way, as already noted, the system will serve as a tool to assist in preparing VAT returns.

Thus, much as currently happens with personal income tax (IRPF), the aim is to provide tax data that the taxable person can use when filing the VAT self-assessment. Taxable persons applying the SII will obtain their tax data on the AEAT electronic office and will thereby have a "declared" register book and a "contrasted" one, built from cross-check information from third parties belonging to the group covered by this system or from the AEAT database. As already noted, in our view this is the main advantage the SII offers the taxpayer.

6. DEADLINES FOR THE ELECTRONIC SUBMISSION OF ENTRIES

Art. 69 bis RIVA, the sole additional provision and the fourth transitional provision of RD 596/2016 regulate the deadlines for electronic submission in detail.


For invoices issued, the deadline is four calendar days from the issue of the invoice, or eight calendar days where the invoice is issued by the recipient or by a third party. In both cases the submission must be made before the 16th of the month following the one in which the tax became chargeable.

For invoices received, the deadline is four calendar days from the date on which the invoice is recorded in the accounts (or, for imports, the date on which the document stating the amount assessed by customs is recorded), and in any case before the 16th of the month following the settlement period in which the transactions were included.

For certain intra-Community transactions (dispatch or receipt of tangible movable goods for temporary use or for expert reports, repairs and work on them), the deadline is four calendar days from the start of the dispatch or transport or, as the case may be, from receipt of the goods.

For transactions under the cash basis special regime, the general deadlines apply, without prejudice to the data that must be supplied when full or partial collections or payments are made. Register corrections must be submitted before the 16th of the month following the end of the period covered by the return in which they must be taken into account. Finally, for the register book of capital goods, all records are submitted within the filing period for the last settlement period.

Importantly, for all entries, Saturdays, Sundays and national public holidays are excluded from the computation of the electronic submission deadlines. Moreover, during the second half of 2017 the four-day deadline is extended to eight calendar days.
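As an added illustration, not part of the original article, the following Python function computes the latest submission date for an issued invoice under the rules just described: the day count skips Saturdays, Sundays and national holidays; the base period is 4 days, 8 days when the recipient or a third party issues the invoice, and 8 days for all invoices issued in the second half of 2017; and the result is capped by the "before the 16th of the month following chargeability" rule, read here as the 15th of that month. The holiday set is a constructed sample, the function names are assumptions, and the chargeability date is assumed to equal the issue date unless one is given.

```python
from datetime import date, timedelta

# Constructed sample of Spanish national holidays (example only; a real system
# must load the official calendar). Saturdays and Sundays are handled in code.
SAMPLE_NATIONAL_HOLIDAYS = {
    date(2017, 8, 15), date(2017, 10, 12), date(2017, 11, 1),
    date(2017, 12, 6), date(2017, 12, 8), date(2017, 12, 25),
    date(2018, 1, 1),
}


def counts_toward_deadline(day, holidays):
    """A day counts unless it is a Saturday, a Sunday or a national holiday."""
    return day.weekday() < 5 and day not in holidays


def first_of_next_month(day):
    if day.month == 12:
        return date(day.year + 1, 1, 1)
    return date(day.year, day.month + 1, 1)


def allowed_days(issue_date, issued_by_third_party):
    """Base period: 4 days; 8 days if the recipient or a third party issues the
    invoice; the 4-day period is extended to 8 for invoices issued in H2 2017."""
    if issued_by_third_party:
        return 8
    if issue_date.year == 2017 and issue_date.month >= 7:
        return 8
    return 4


def submission_deadline(issue_date, accrual_date=None, issued_by_third_party=False,
                        holidays=SAMPLE_NATIONAL_HOLIDAYS):
    """Latest date on which the invoicing record may be sent to the AEAT.

    Assumption: the chargeability (accrual) date equals the issue date unless
    given. The cap "before the 16th of the month following chargeability" is
    taken to mean the 15th of that month.
    """
    accrual_date = accrual_date or issue_date
    remaining = allowed_days(issue_date, issued_by_third_party)
    day = issue_date
    while remaining > 0:
        day += timedelta(days=1)
        if counts_toward_deadline(day, holidays):
            remaining -= 1
    cap = first_of_next_month(accrual_date) + timedelta(days=14)  # the 15th
    return min(day, cap)


def deadline_iso(issue, accrual=None, third_party=False):
    """Convenience wrapper taking and returning ISO dates (YYYY-MM-DD)."""
    issue_d = date.fromisoformat(issue)
    accrual_d = date.fromisoformat(accrual) if accrual else None
    return submission_deadline(issue_d, accrual_d, third_party).isoformat()


if __name__ == "__main__":
    # An invoice issued on 14 Feb 2018 for a transaction chargeable in January
    # is cut off by the 15 Feb cap rather than by the four-day count.
    for args in (("2018-01-10",), ("2017-08-14",), ("2018-02-14", "2018-01-20")):
        print(args, "->", deadline_iso(*args))
```

The cap matters in practice for invoices issued late relative to chargeability: the four counted days would otherwise push the deadline past the 15th of the following month, which the rule does not allow.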

It should also be borne in mind that taxable persons applying the SII from 1 July 2017 are obliged to submit the invoicing records for the first half of 2017 before 1 January 2018.

Finally, a logical exception to the supply of information for the first half of 2017 has been provided for taxable persons registered in the monthly refund register (REDEME). For them, the obligation to submit the invoicing records for the first half of 2017 is deemed fulfilled, since they are obliged to file the informative return referred to in art. 36 RGGIT for the period from 1 January to 30 June 2017.

7. CHANGES TO FORMAL OBLIGATIONS

As regards the filing deadline for VAT returns, under arts. 61 ter.3 and 71.4 RIVA it is extended, for businesses using the SII, to the first thirty calendar days of the month following the monthly settlement period, or to the last day of February for the return corresponding to January.

As to the census declaration, under arts. 9.3 q and r and 10.2 h, p and q RGGIT, the option to keep the VAT register books through the SII, the option to have invoices issued by the recipient or by a third party, and the revocation of either are added to the grounds for filing form 036 (census declaration of registration, modification and deregistration in the Census of Businesses, Professionals and Withholding Agents).

Likewise, as already noted, certain formal obligations are removed. Under arts. 32.f and 36.1 RGGIT and the second transitional provision of RD 596/2016, taxable persons applying the SII are exempted from filing certain informative returns: on the one hand, the return of transactions with third parties (form 347), from the period corresponding to 2017; on the other, the informative return containing the register books (form 340) for taxable persons registered in the REDEME, the removal applying to returns covering information to be supplied from the period corresponding to July 2017. To these must be added, according to the explanatory memorandum of RD 596/2016, the annual VAT summary return (form 390).

As regards the removal of the obligation to file form 340, it should be noted that the obligation remains for taxable persons subject to the Canary Islands general indirect tax (IGIC), who are not affected by the system of keeping register books through the AEAT electronic office. Therefore only IGIC taxable persons registered in the REDEME regulated in arts. 9 and 10 of the Regulation on the management of taxes under the Canary Islands economic and fiscal regime, approved by Decree 268/2011 of 4 August, will be obliged to file an informative return with the content of the register books referred to in art. 49.1 of that Decree.

The preamble to RD 596/2016 presents this removal of certain formal obligations as a substantial reduction in administrative burdens. Specifically, it states that supplying register-book information through the AEAT electronic office "will substantially reduce the administrative burdens associated with the periodic supply of information borne by these persons and entities". In our view, however, this cannot be regarded as an advantage or compensation for those covered by the SII: it is simply a logical consequence of the new management system, which makes it unnecessary to duplicate the supply of information through those informative returns. Indeed, it is paradoxical to present the SII as a system that reduces administrative burdens when it plainly increases them, to a level that some may come to regard as disproportionate.


Another change to formal obligations introduced with the SII concerns delays not attributable to the Administration. Under art. 104.j RGGIT, failure to comply with the obligation to keep the VAT register books through the AEAT electronic office is added as a ground of delay. The delay is counted from the start of the procedure until the date of their submission or registration.

A new provision is also made for invoicing by the recipients of the transactions or by third parties. Under art. 5.1 RD 1619/2012 and the third transitional provision of RD 596/2016, persons and entities applying the SII that have opted to have invoices issued by the recipient or a third party must notify that option by census declaration (form 036), together with the date from which it is exercised and, where applicable, the waiver and its effective date. This notification may be made from June 2017.

Finally, as to the deadline for sending invoices, under art. 18 RD 1619/2012 and the second final provision of RD 596/2016, from 1 January 2017, where the recipient of the transactions is a business or professional, the invoice must be sent before the 16th of the month following the one in which the tax became chargeable.

8. PENALTY REGIME

As already noted, Law 34/2015 of 21 September, amending the General Tax Law, amended art. 200, with effect from 1 January 2017, to classify as a tax infringement the late keeping of the register books and their supply through the AEAT electronic office.

Specifically, a new letter g has been added to art. 200.1 LGT, providing that "delay in the obligation to keep the register books through the electronic office of the Agencia Estatal de Administración Tributaria by supplying the invoicing records under the terms established by regulation" constitutes a tax infringement.

A new paragraph has also been added to art. 200.3 LGT, providing that "delay in the obligation to keep the register books through the electronic office of the Agencia Estatal de Administración Tributaria by supplying the invoicing records under the terms established by regulation shall be punished with a proportional fine of 0.5 per cent of the amount of the invoice concerned, with a quarterly minimum of 300 euros and a maximum of 6,000 euros".


Some authors have rightly highlighted certain issues raised by this new infringement and its penalty.³ First, the infringement follows from the new wording of art. 29.3 LGT, which allows the obligation to keep the register books by electronic means to be regulated by secondary legislation. That provision does not, however, say that the books must be kept through the AEAT electronic office; that requirement appears only in the regulation. Legality problems may therefore arise, since the infringement is defined by reference to a regulation.

Second, art. 200.1.g LGT refers exclusively to delay in the "obligation" to keep the books electronically through the AEAT electronic office, which raises doubts as to whether the infringement can be committed by those who joined the SII voluntarily.

Third, art. 200.1.g LGT does not distinguish by length of delay, so a delay of a single day is enough for the infringement to be committed. This places a high level of demand on businesses and professionals in the SII as regards compliance with formal, not substantive, obligations, and may involve a certain disproportion.

Another controversial point is a certain mismatch between the infringement, which concerns the keeping of the register books, and the penalty, which is imposed as a fine per invoice recorded. It should not be forgotten that some register-book entries are not based on an invoice, as in the register book of capital goods or that of certain intra-Community transactions.

Finally, art. 200.3 LGT refers to a quarterly minimum, which raises doubts as to whether infringements are committed by quarterly non-compliance with the obligation. The question is which period should be used to classify the infringing conduct, especially given that businesses and professionals in the SII are obliged to file self-assessments monthly.

9. CONCLUSIONS

The SII is a major advance in electronic administration in the tax field and an intensification of the use of information technology in relations between the tax administration and the taxpayer. The new management system means keeping the register books through the AEAT electronic office by supplying the invoicing records almost immediately. Taxpayers must send the tax administration the details of their invoicing electronically, and from this information the register books of the tax are built up in near real time.

³ See the detailed comments in Longás Lafuente, A. (2017). Suministro Inmediato de Información en la gestión de los libros del IVA (II). Revista de Contabilidad y Tributación (409), 92-93.

It is important to stress that the SII system does not involve sending the invoice to the AEAT, but rather sending certain information contained in it. In this regard, it should be underlined that the SII is not configured as a new formal obligation, but as a new way of fulfilling an already existing formal obligation, namely the keeping of the VAT record books.

Although the introduction of this new tax management system is intended to strengthen assistance to the taxpayer, by providing a set of tax data in a first phase and a draft tax return in a second phase, it should not be forgotten that its main objective is tax control. It is clear that the most important purpose of the obligation to supply immediate information to the AEAT is to enable the tax administration to carry out a more exhaustive check of the accuracy of the self-assessments filed, so as to prevent or reduce tax fraud.

However, the implementation of this new tax management system entails an evident increase in the administrative burden on the businesses and professionals covered by the SII. In addition, the penalty regime established implies a high level of demand in the fulfilment of formal, rather than substantive, obligations. All of this may raise doubts as to compliance with the principle of proportionality. Likewise, this increase in the administrative burden on businesses and professionals may run counter to the necessary simplification and reduction of formal duties, which in this tax already represent a considerable economic effort and commitment of human resources for the taxable person.

10. BIBLIOGRAPHY

Casana Merino, F. (2015). Manual de Procedimientos Tributarios. Madrid: Iustel.

Gascón Orive, A. (2016). IVA Práctico. Madrid: Centro de Estudios Financieros.

Longás Lafuente, A. (2017). Suministro Inmediato de Información en la gestión de los libros del IVA (I). Revista de Contabilidad y Tributación (408), 45-92.

Longás Lafuente, A. (2017). Suministro Inmediato de Información en la gestión de los libros del IVA (II). Revista de Contabilidad y Tributación (409), 45-100.

Merino Jara, I. et al. (2014). Procedimientos Tributarios: Aspectos prácticos. Barcelona: Bosch.


18

ROLE AND LEGAL REGIME OF THE ONLINE PLATFORM IN THE DISCUSSION DRAFT OF A DIRECTIVE ON ONLINE INTERMEDIARY PLATFORMS

Adrian Di Pizzo Chiacchio
Predoctoral Researcher

Civil Law Department, Universitat de Barcelona

ABSTRACT: In recent years, in the context of the massive digitalisation of products and services, we have witnessed structural changes in consumer law arising from the transition from a "rigid market" to a "flexible market", which have given the consumer new tools that pose diverse and complex legal challenges. Digital platforms (online platforms), which are one of those tools, have grown exponentially and currently hold a market power of diffuse contours that hinders the achievement of the Digital Single Market. It is therefore increasingly pressing to regulate their activity within the information society and to determine what role they play in the triangular relationships they promote between operator, supplier and customer. However, the ambiguous concept and the broad taxonomy of the platform prevent the configuration of a regime free of problematic issues. In this regard, some communications of the European Commission and initiatives of working groups such as the Discussion Draft of a Directive on Online Intermediary Platforms have identified the need to regulate online platforms, especially as regards consumer protection, liability in the Big Data economy, and the creation and strengthening of a free and innovative digital market. This paper examines that doctrinal initiative, placing emphasis on some of the issues concerning the role assumed by platforms in the current model of the consumer economy. It concludes with the need for the European Union to regulate the digital platform market.

KEYWORDS: digital/online platforms, digital content, collaborative economy, consumer law, Digital Single Market


1. INTRODUCTION: THE NEED TO REGULATE THE ACTIVITY OF DIGITAL PLATFORMS

The European Commission captured the incipient concern surrounding the configuration of online platforms in the Communication establishing a Digital Single Market Strategy for Europe1. That document sets out a series of commitments to attract, consolidate and maximise the positive effects of the digital reality2, among which stands out the establishment of a regulatory framework for the activity carried out by online platforms, since they facilitate consumers' access to information and provide economic advantages to businesses3.

Within that strategy, the Commission carried out an exhaustive assessment of the role played by online platforms, essentially on the basis of a public consultation4. The result was set out in the Staff Working Document5 that underpins and develops the Communication on online platforms6, which recognises the capital importance that the online platform is acquiring in "innovation and growth in the Digital Single Market"7.

In turn, legal scholarship has also identified the problems arising from the emergence of platforms in the market, as well as the need to establish a legal regime capable of regulating the effects of their activity. To this end, the Research Group on the Law of Digital Services ("GIDSD")8 has drawn up the Proposal for a Directive on online platforms ("PDPL")9, published last year10, some aspects of which are analysed in this paper11.

1 European Commission (2015). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A Digital Single Market Strategy for Europe [COM(2015) 192 final], of 06-05-2015 [ES version].

2 The Digital Single Market Strategy lists the following main objectives: (a) improving access for consumers and businesses to online goods and services; (b) creating the conditions for digital services to flourish; and (c) maximising the growth potential of the digital economy in Europe.

3 European Commission (2015). Communication...: A Digital Single Market Strategy, cit., p. 12-13.

4 That public consultation ran from 24 September 2015 to 6 January 2016.

5 European Commission (2016). Commission Staff Working Document on Online Platforms Accompanying the document Communication on Online Platforms and the Digital Single Market [SWD(2016) 172] [EN version].

6 European Commission (2016). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Online Platforms and the Digital Single Market. Opportunities and Challenges for Europe [COM(2016) 288 final], of 25-05-2016 [ES version].

7 European Commission (2016). Communication...: Online platforms..., cit., p. 17.

However, there is currently no unanimous definition (neither legal nor doctrinal) of what is to be understood by "digital platform", even though we are not faced with an entirely novel phenomenon12. Thus, in the public consultation launched by the European Commission at the end of 2015, the proposed definition of digital platform was set out as follows:

«“Online platform” refers to an undertaking operating in two (or multi)-sided markets, which uses the Internet to enable interactions between two or more distinct but interdependent groups of users so as to generate value for at least one of the groups. Certain platforms also qualify as Intermediary service providers»13.

As can be seen, the digital platform constitutes a setting within the economic market in which, through the pursuit of its activity, the operator aims to promote and facilitate the creation of digital value14 between at least two groups of market actors whose interaction it facilitates within a framework of common interest: the suppliers of goods, services and digital content, and the customers, figures that do not necessarily correspond to the traditional conception of trader and consumer, as we shall see.

However, the final report on the results of that consultation rightly pointed out the generic and broad character of the definition of digital platform initially proposed15, which prevented a consensus from being reached among the participants on this point. Thus, some of them stated that, interpreted lato sensu, the definition could encompass "the whole Internet"16.

8 The Research Group on the Law of Digital Services is a European network of jurists created by a group of researchers from the University of Osnabrück (Germany) and the Jagiellonian University of Kraków (Poland).

9 Discussion Draft of a Directive on Online Intermediary Platforms.

10 See Research Group on the Law of Digital Services (2016). Discussion Draft of a Directive on Online Intermediary Platforms. Journal of European Consumer and Market Law, vol. 4, p. 164-169.

11 See infra § 3.

12 Busch, C. et al. (2016). The Rise of the Platform Economy: A New Challenge for EU Consumer Law? Journal of European Consumer and Market Law, vol. 1, p. 3. The authors rightly consider that "the business model of platforms is not entirely new", since services such as eBay, the prototype of C2C and B2C platforms par excellence, have existed for decades.

13 European Commission (2015). Public consultation on the Regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy, of 24-09-2015 [EN version], p. 5, available at URL: <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=10932>.

14 European Commission (2016). Communication...: Online platforms..., cit., p. 2.

15 European Commission (2016). Full report on the results of the public consultation on the Regulatory environment for Platforms, Online Intermediaries and the Collaborative Economy, of 25-05-2016 [EN version], available at URL: <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=15877>.

From this perspective, the taxonomy of platforms includes a wide variety of market actors, such as, by way of example, the following: (a) communication platforms and social networks (Facebook, Twitter); (b) app stores (Apple App Store, Google Play); (c) audiovisual (Netflix) and music (Spotify) platforms; (d) e-commerce platforms (Amazon, eBay); and (e) search engines (Google, Bing)17. As part of this digital landscape, platforms of the so-called collaborative economy have also stood out for their exponential growth (Airbnb, Uber, BlaBlaCar)18.

Thus, the perception that most activities and transactions carried out in the digital sphere can fit into the concept of platform hinders, a priori, any attempt at conceptualisation (one-size-fits-all definition19). Consequently, it has been suggested that it may be preferable to address the problems that the activity of platforms causes rather than trying to delimit their categories20.

2. THE ROLE PLAYED BY THE DIGITAL PLATFORM

2.1. The digital platform as an information society service

The online platform plays a central role in the digital landscape, in relation to which problems arise concerning market power, consumer protection and personal data protection21. However, the common denominator of every digital platform is precisely its multilateral activity on the Internet. And, obvious as it may be, this is a factor that must not be lost sight of when determining whether, as such, the digital platform constitutes an "information society service" ("ISS") and whether, as a consequence, Directive 2000/31/EC (the "E-Commerce Directive") applies to it22.

16 House of Lords, Select Committee on European Union (2016). 10th Report of Session 2015–16: Online Platforms and the Digital Single Market, p. 22, available at URL: <http://www.parliament.uk/online-platforms>.

17 European Commission (2015). Public consultation on the Regulatory environment for platforms..., cit., p. 5. A similar taxonomy can be found in: European Commission (2016). Commission Staff Working Document on Online Platforms..., cit., 16-44.

18 European Commission (2016). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European agenda for the collaborative economy [COM(2016) 356 final], of 2-06-2016 [ES version]. The document defines this type of economy as follows (p. 3): "business models where activities are facilitated by collaborative platforms that create an open marketplace for the temporary usage of goods or services often provided by private individuals".

19 European Commission (2016). Commission Staff Working Document on Online Platforms..., cit., p. 46.

20 Linskey, O. (2017). Regulating 'Platform Power'. Law, Society and Economy Working Papers, vol. 1, p. 6.

In defining the concept of ISS, Art. 2(a) of the E-Commerce Directive refers to Art. 1.2 of Directive 98/34/EC23, an instrument that has been repealed by Directive (EU) 2015/153524, so that this reference must now be understood as being made to Art. 1.1(b) of the latter:

"[A]ny service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services."

Therefore, insofar as the digital platform provides services (a) at a distance, (b) by electronic means, (c) at the individual request of one of the recipients of the services it facilitates, and (d) carries out an activity of an economic nature (regardless of whether or not it is remunerated25), it is clear that such activity can be subsumed under the concept of ISS.

This means that the E-Commerce Directive applies to digital platforms, from which it follows that the duties required of ISS providers must also be imposed on operators: (a) in the context of contracts concluded between the operator and the customer who comes to the platform to acquire a product or a service ("O2C"), and (b) in the context of contracts concluded between the operator and the supplier who comes to the platform to offer a product or a service ("O2P").

21 For a study of the market power of platforms, see Linskey, O. (2017). Op. Cit., p. 4-15.

22 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ L 178, 17-07-2000).

23 Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations (OJ L 204, 21-07-1998). This Directive was subsequently amended by Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998 amending Directive 98/34/EC laying down a procedure for the provision of information in the field of technical standards and regulations (OJ L 217, 05-08-1998).

24 Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241/1, 17-09-2015).

25 In this regard, see the Annex, letter a), and the Explanatory Memorandum, section II, both of Law 34/2002, of 11 July, on information society services and electronic commerce (BOE 166, 12-07-2002).

These duties consist, broadly speaking, of providing information: on its status as an ISS provider (Art. 5); on commercial communications (Art. 6); and on the conclusion of the contract, both before and after it is concluded (Arts. 10 and 11, respectively). It is less clear, however, whether the operator could be required to ensure compliance with the information duties when it is not a party to the contractual relationship, that is, in the context of a contract concluded between the supplier and the customer ("P2C"). As we shall see below, the PDPL places emphasis on this point.

2.2. From the bilateral relationship to the triangular relationship: who is what?

As we can see, unlike traditional consumer settings between two actors ("bipolar relationships"), the digital context at hand evokes a set of three-way relationships ("triangular relationships"). Thus, within the digital platform, as an intermediation service, the three bilateral contractual relationships we have pointed out arise (O2P, O2C and P2C contracts).

If we follow the definitions listed in the E-Commerce Directive, by supplying an ISS the platforms are configured as ISS providers (Art. 2(b)), while the suppliers of goods, services and digital content and the customers are configured, at a first level of relationships (O2P and O2C contracts), as recipients of the service (Art. 2(d)). However, the supplier also carries out an ISS (the online sale of products or services26), so that, at a second level of relationships (P2C contract), it assumes the role of ISS provider and, consequently, the customer assumes the role of recipient of the service. Without doubt, this last model is the one reflected in current consumer law, in the context of dual contractual relationships between ISS providers (traders) and customers (consumers), that is, consumer contracts.

However, the current tendency of contracting parties not to disclose whether they act inside or outside the scope of their trade or professional activity prevents, in principle, a determination of whether the relationship they conclude through the platform is a consumer relationship or not. This suggests that some of these relationships fall outside the scope of application of the Consumer Rights Directive27, since one of the characteristic features of contracting through platforms is the diversity of actors on the scene and the versatility of the roles they play. Thus, if the supplier is not a trader but a consumer, the contractual relationship concluded with whoever acquires the goods, services or digital content on offer will be a relationship between consumers ("C2C"), typical of the collaborative economy, and not a relationship between trader and consumer ("B2C").

26 Cf. Recital 18 of the E-Commerce Directive.

27 Cf. Art. 3 of Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22-11-2011).

Having set out the above, if we consider the multiple application of current legislation to the activity carried out by the digital platform28, one question prevails: what role does the platform assume in contracts concluded within its activity when it is not a contracting party? Essentially, the question comes down to determining whether, at the second level of relationships mentioned (that is, in P2C contracts), the platform will act as a mere facilitator or as a genuine supplier. The PDPL addresses this point, as we shall have occasion to examine.

3. THE (MIS)FIT OF THE DIGITAL PLATFORM WITHIN CURRENT CONSUMER LEGISLATION: DO WE NEED A DIRECTIVE ON ONLINE PLATFORMS?

3.1. Approach to the regulation of online platforms

While we noted earlier that the digital platform as a setting in which contracts (consumer or otherwise) are concluded is not entirely novel29, it is equally true that the quantitative and qualitative dimensions of the digital commerce it promotes have grown, and will continue to grow, exponentially. Faced with this reality, there is no doubt that the current market model will continue to evolve towards paradigms that move ever further from our traditional conception of consumption.

However, the regulation of an appropriate framework for platforms, precisely because of their ill-defined nature and the wide-ranging repercussions of their effects, should not be left to the initiative of national legal systems. This fits naturally with the Commission's aims regarding the establishment of a Digital Single Market model in Europe: the regulatory obstacles that would eventually arise from the biased and multilateral regulation of a matter that transcends national borders within the Union, and which moreover tends towards global expansion, must be avoided30.

28 The PDPL specifies some of them by establishing a complementary relationship between the present directive and the various rules potentially applicable to the same field (among them, the E-Commerce Directive and the consumer protection directives).

29 See supra § 1.

Aware of the importance of this premise, the GIDSD has contributed to clarifying certain aspects by drawing up the PDPL, which aims to bring an innovative view to the existing debate31. It rightly considers that the eventual configuration of a legal regime for digital platforms should be developed at European level32: action by the EU will be more effective than any that national legal systems could undertake (principle of subsidiarity33).

Along these lines, a different question will be the choice of one or another international instrument within the framework of the Union's legislative policy. As we know, the GIDSD has opted for the directive as the normative basis of its proposal and, according to its provisions, it is a maximum-harmonisation directive. Thus, Art. 3 of the PDPL prevents Member States from maintaining or introducing in their respective national legal systems provisions that differ from the Directive, "including more or less stringent provisions affording a different level of protection for suppliers or customers".

Therefore, if we consider that the application of the rule should foster a cohesive digital Europe, the maximum-harmonisation directive will harmonise the subject matter and will produce effects close to (though not identical to) those of a regulation, which, let us recall, tends to bring about a uniformising effect. Consequently, the GIDSD formally opts for the harmonising effect in configuring a regime for the platform, which is not unreasonable in light of the principle of proportionality34.

30 In this regard, see European Parliament (2017). Opinion of the Committee on Legal Affairs for the Committee on Industry, Research and Energy and the Committee on the Internal Market and Consumer Protection on online platforms and the digital single market [2016/2276(INI)], of 08-05-2017 [ES version], p. 5.

31 Research Group on the Law of Digital Services (2016). Op. Cit., p. 164.

32 Recently, the European Law Institute ("ELI") identified the proposal on "Draft Model Rules on Contractual Aspects of Online Intermediary Platforms" as the project through which to adopt, precisely, rules aimed at establishing a legal regime for online platforms.

33 See Art. 5 of the Treaty on European Union (OJ C 326/13, 26-10-2012) [consolidated version].

34 Ibid.


3.2. The regime for online platforms in the PDPL

3.2.1. Material scope of application and preliminary definitions

The PDPL is limited to regulating contractual relationships for the supply of goods, services and digital content35 between a supplier and a customer through the intermediation of a digital platform (Art. 1.1), and excludes from its material scope platforms operating within the framework of a public authority and platforms that intermediate in contracts for the supply of financial services between a supplier and a customer (Art. 1.2).

This first approach allows us to highlight several premises. First, with regard to the relationships falling within the scope of the rule, it should be noted that the main contract (that is, the one that gives meaning to the existence of the platform) is formed between two parties: the supplier and the customer. Under this contract, the supplier undertakes to deliver goods or to provide services or digital content to the customer (Art. 2(e)). It is striking that, unlike the Proposal for a Directive on digital content36, the PDPL does not contemplate personal data as counter-performance, although it does certainly contemplate it as an option that may, where appropriate, be included in any future regulation of the matter.

Nevertheless, as we have already pointed out, three parties intervene (the operator, the supplier and the customer) within the framework of digital platforms, forming, respectively, different synallagmatic relationships among them.

With relative accuracy, the PDPL also delimits the nature of each of these parties:

a) The platform operator is, naturally, the trader who operates the online platform (Art. 2(b)). In this regard, the text supplements the definition by establishing that a trader is any natural or legal person acting within the scope of their profession, trade, business or craft in relation to contracts falling within the scope of the PDPL (Art. 2(i))37.

35 In the same way as the Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content [COM(2015) 634 final], of 09-12-2015 [ES version], the PDPL refers to a "supply contract", without going into the specific contractual type that may, where appropriate, be attributed to the contract concluded between supplier and customer.

36 European Commission (2015). Proposal for a Directive..., cit., Art. 3 (12).

37 An interesting study of the role of the platform in the Proposal for a Directive on digital content can be found in Rochfeld, J. (2016). La réglementation des contrats de fourniture de contenus numériques: l'appréciation des aspects numériques, in Arroyo Amayuelas, E. and Serrano de Nicolás, A. (eds.). La europeización del Derecho privado: cuestiones actuales (p. 29-43). Barcelona: Marcial Pons.


b) The supplier is any person, natural or legal, who uses an online platform as an intermediation service to offer goods, services or digital content to potential customers (Art. 2(d)).

c) The customer, for its part, is any person, natural or legal, who uses an online platform as an intermediation service to acquire goods, services or digital content (Art. 2(c)). The definition refers only to the operation of "acquisition", which suggests that, at the level of relationships between the customer and the supplier, the customer is the "acquirer" of goods (the buyer, for example, if we classify as a contract of sale the contractual relationship from which the obligation to "acquire" arises). By contrast, at the level of relationships between the operator and the supplier (O2P), it is clear that the latter assumes the role of customer, since the operator provides it with the possibility of offering its products, services or digital content through the platform (which is a service in itself).

d) Finally, the consumer is any person acting outside the scope of their business, trade, profession or craft (Art. 2(h)). From a joint reading of the definitions of customer and consumer one can infer the indeterminacy of the situations in which we are faced with one role or the other. In our view, the combination of a generic concept of customer and a restricted concept of consumer causes some confusion, and the two figures are even used interchangeably throughout the text. It can therefore be argued that, to a certain extent, the role of consumer could in practice overlap with the role of customer (if the requirement of acting outside a professional or commercial capacity is met in the acquisition of goods, services and digital content) and, likewise, the role of consumer could overlap with the role of supplier (if that same requirement is met in the promotion of goods, services or digital content).

3.2.2. Feedback-based reputation systems

One of the most relevant focal points of the PDPL is the configuration of the model of feedback-based reputation tool that the platform operator may, where applicable, integrate into the intermediation system it provides, a tool of undoubted usefulness for fostering trust in the platform market, above all in the platforms of the so-called collaborative economy. In this regard, the tool would collect data on users' activity (reviews and ratings) in order subsequently to produce rankings on the basis of a standard of credibility that the platform must respect.

The regulation of this aspect, which has already begun to be addressed in the literature38, poses a genuine challenge of the digital age, since the tool must be capable of reliably measuring the network effects39 that reviews (positive or negative feedback) generate in the platform's activity. Framed in this way, the reputation system helps to shape the customer's opinion of the supplier and its products and services (it therefore generates trust or distrust) and, consequently, is a decisive factor in the formation of contractual consent, both with regard to the supplier with whom the customer ultimately concludes the contract and with regard to the supplier with whom the customer has preferred not to contract. Its significance for the development of the platform economy is therefore beyond question.

38 Busch, C. (2016). Crowdsourcing Consumer Confidence: How to Regulate Online Rating and Review Systems in the Collaborative Economy, in Alberto De Franceschi (ed.), European Contract Law and the Digital Single Market. Cambridge: Intersentia, pp. 223-243.

39 European Commission (2016). Commission Staff Working Document on Online Platforms..., cit., p. 4. With the expression «network effects», the Commission refers to the «effect that one user of a good or service has on the value of that product to other people».

For this reason, the GIDSD proposes a co-regulation model for the digital reputation system (which, therefore, will have to be developed and supplemented within the Union in the future40) based on a presumption of conformity with the standards of professional diligence (art. 8.2), an indeterminate concept that the PDPL does not delimit. Thus, after laying down a mandate that can be placed within the principle of transparency of the data processing carried out by the platform (art. 8.1)41, the text merely regulates certain conditions which, if met, allow the existence of the aforementioned professional diligence to be assumed (art. 8.3).

40 Research group on the Law of Digital Services (2016). Op. cit., p. 165.

41 Indeed, the text requires the platform operator to provide information on the methods of collection, processing and publication of ratings and reviews (moreover, arts. 5 and 6 of the PDPL refer to the same principle). In this sense, if the information collected includes personal data within the meaning of art. 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [«GDPR (EU)»], see Recital 58 of that supranational instrument.

Along these lines, the initial regulation of the feedback-based reputation system provides that the platform will comply with the standards of professional diligence if it implements, alternatively, either (a) the voluntary standards by which national legal systems have transposed the European standards on the matter (where such standards exist), or (b) the standards listed in the text itself (art. 8.4) which, where applicable, it must apply: verifying that the feedback comes from customers within the framework of a P2C contract42; indicating that the feedback has been provided in exchange for a price; communicating to the customer the reasons for rejecting a rating; presenting ratings without delay and in chronological order; specifying the reasons for rejecting ratings; specifying the total number of ratings when an overall rating is presented; and providing the customer with a free mechanism for complaining about or reporting presumably false ratings.

42 Cf. European Commission (2016). Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices [SWD(2016) 163 final], of 25-05-2016 [EN version], para. 5.2.8, pp. 139-140: «When publishing user reviews, a platform operator is required to provide truthful information on the main characteristics of its services in accordance with Articles 6(1)(b) and 7(4)(a) UCPD. In particular, the platform should not mislead its users as to the origin of the reviews: it should avoid creating the impression that reviews posted through it originate from real users, when it cannot adequately ensure this. In such case, the platform operator should clearly inform consumers about this fact».

However, such conditions, being mere circumstances (not always connected) of an activity with multiple, hardly foreseeable variables, are really secondary aspects that do not determine the achievement of a fair and reliable reputation system. Curiously, the GIDSD partly shares this same view when it doubts whether the co-regulation model, originally applied in the field of product safety, can be extrapolated to the context of contracting for goods, services and digital content through the platform43. This is so because, although it is a model that promotes flexibility and the involvement of all actors, the scenario of digital platforms likewise forms a diffuse, changing context full of variables, features that would make it difficult to conceive an appropriate feedback-based online reputation system that prevents manipulation, bias or deception in reviews and ratings.

43 Busch, C. (2016). Crowdsourcing Consumer Confidence..., cit., p. 224.

Finally, it is worth noting the right of portability that the PDPL recognises in favour of suppliers and customers with respect to reviews and ratings, which arises (and may therefore be enforced) once the respective contracts with the platform have been terminated (art. 8.5). Without any doubt, the wording of this provision is based on the regime of the right to personal data portability laid down in art. 20(1) of the GDPR (EU), soon to be applicable.

3.2.3. The platform's information duties

In addition to the platform's duty to forward without delay any communication between the supplier and the customer (art. 7), the PDPL assigns it information duties, which it systematises according to the addressee to whom the information must be provided: duties towards the customer and duties towards the supplier.

a) Duties towards the customer

The platform operator is assigned two specific duties with respect to the customer: (a) it must inform the customer, before the conclusion of the P2C contract, that the party with whom the customer will contract is the supplier (art. 11.1)44; and (b) it must ensure that the supplier informs the customer whether the supplier is acting within the scope of its professional or commercial activity (art. 11.2). In addition, as a closing clause, it is established that, in O2C contracts, the parties may not exclude or modify, to the detriment of the consumer, the effects deriving from the rules transposing the Directive (art. 12)45.

With these measures, the GIDSD has addressed one of the most complex issues in the P2C relationship intermediated by a digital platform: the customer's effective knowledge that it will acquire products, services or digital content from the supplier (and not from the operator), within the scope of the supplier's professional or commercial activity (or outside it). From this circumstance derives the role of «mere facilitator» that the operator must assume and make visible in the triangular relationship between operator, supplier and customer, for which purpose it is required to fulfil information duties towards the customer in P2C contracts, even though it is not a contracting party. On this will depend, as the PDPL indicates and as we examine below, whether or not it incurs liability.

44 More precisely, that the party from which it will acquire products, services or digital content is the supplier, given that the customer concludes separate contracts with both the operator and the supplier, but only the latter will be the one offering on the platform.

45 In this case, as we see, the PDPL refers to the «consumer» and not to the «customer», which raises doubts as to whether the mandatory nature of Chapter IV applies only in cases where the customer is also a consumer.

b) Duties towards the supplier

Before the conclusion of the O2P contract, the platform operator must inform the supplier: (a) that the contracting party to which it will provide products, services or digital content will be the customer (and not the operator); (b) the fees (and their respective calculation) that it will have to pay to the platform; (c) any means of payment that the platform provides to the supplier; (d) the methods of communication between the supplier and its customers; and (e) where applicable, whether the operator selects customers for the supplier and whether the supplier has any right to reject those it is not interested in (art. 13). Just as with respect to the customer, the operator is a mere facilitator and must act as such at all times with respect to the supplier too.

Likewise, the platform must provide the supplier with the mechanisms enabling it to fulfil the information duties assigned to it (art. 14), although, unlike the duties listed and assigned to the operator, the text does not include a list specifying the duties the supplier must assume.

Lastly, as with the closing clause laid down with respect to customers, the parties may neither exclude nor modify these provisions of the Directive to the detriment of the supplier (art. 15).

3.2.4. The platform's liability regime

Chapter V of the PDPL establishes the liability regime of the platform operator, although certain provisions are scattered throughout the text. In general, a platform that prominently presents itself as an intermediary to customers and suppliers cannot be held liable for non-performance of P2C contracts (art. 16.1). This is a logical consequence for an operator that has taken care to differentiate the roles of the parties interacting within the framework of the online platform.

However, the platform may incur liability under the contracts it concludes, on the one hand, with the supplier and, on the other, with the customer (art. 16). Thus, with respect to the customer, the platform may be liable:

a) For failing to remove misleading information provided by the supplier (art. 17). In this case, the platform will be liable only when such a circumstance has been notified to it (that is, when it has actual knowledge of it), unless it takes appropriate measures to remove or rectify that information. This is a provision which, in line with what the E-commerce Directive sets out for these purposes, respects the provisions on the liability of information society services (SSI) whose purpose is to host data46.

b) Where, in the event of non-performance of the contract by the supplier, the customer can reasonably understand that the platform has a predominant influence over the supplier (art. 18). To determine this circumstance, the text includes an open list (numerus apertus) of conditions which, in particular, must be taken into account: whether the P2C contract has been concluded exclusively through means provided by the platform; whether the platform can withhold payments made by customers under P2C contracts; whether the terms of the P2C contract, including the price, are essentially set by the platform; whether the platform presents a common image of suppliers; and whether marketing focuses on the platform rather than on the suppliers.

In these cases, the platform is entitled to claim compensation from the supplier for the supplier's conduct falling within the situations of arts. 17 and 18 (art. 22.1).

46 Cf. art. 14 of Directive 2000/31/EC, cit.

On the other hand, with respect to the customer and the supplier, the platform may be liable:

a) For failing to take appropriate measures aimed at protecting the platform's users when it detects conduct by the supplier or the customer that is criminal and is carried out to the detriment of a platform user, or is capable of causing physical harm, violation of privacy, infringement of property, deprivation of liberty or violation of any other similar right (art. 9).

b) For misleading statements made by the operator (art. 19). In this case, the statements may refer both to the products, services or digital content offered by suppliers and to the suppliers themselves (para. 1) or to the customers (para. 2).

c) For guarantees offered about suppliers or customers, or about goods, services and digital content offered by suppliers (art. 20).

In these cases, both the users affected in the situation under art. 9 and the supplier held liable under art. 19.1 are entitled to claim compensation from the platform (art. 22.2), although, surprisingly, nothing is said about this same possibility where the supplier is held liable within the situation under art. 20.

Finally, the PDPL establishes that the parties may not derogate, to the detriment of the platform, from the rights of the user (that is, the customer or the supplier, under art. 2, letter j) recognised by the national legislation transposing the Directive (art. 21). Once again, the text stresses the desired model of balance between the rights and interests of the different parties.

4. CONCLUSIONS

The current model of digital platforms raises various problems that hinder the configuration of a regulatory regime, which stems from both the functioning and the progressive expansion of this phenomenon. Thus, the lack of a uniform concept, the indeterminacy of their activities and the material vagueness of their role prevent the nature of this SSI from being delimited within the triangle of contractual relationships of which it forms part.

As we have seen, the PDPL has proposed a model for regulating some of these issues with relative success. Thus, it imposes information duties on the operator in contracts to which it is not a party (P2C) and in those to which it is (O2P and O2C), lists the requirements that reputation or feedback systems must meet, and establishes a liability regime for lack of diligent conduct in various situations and for the operator's predominant influence over the supplier.

However, as we have highlighted, the PDPL suffers from certain shortcomings. In this sense, on certain occasions it uses the concepts of «consumer», «customer» and «platform users» (which the text defines) interchangeably, it does not clearly specify that both the customer and the supplier may be configured as consumers, and it does not make explicit the role of mere facilitator that the operator must assume, although it implicitly lists conditions that would make it possible to identify when it will not act as such.

That said, the PDPL highlights the need for the European Union to regulate a balanced legal framework for digital platforms in order to establish a climate of trust among all actors in the Digital Single Market. This requires clearly establishing when the operator will act as a mere facilitator and when as a genuine supplier, what transparency conditions it must meet, and the cases of liability it will incur when it fails to do so.

In this regard, a protective approach should be adopted towards both customers and suppliers, especially when they are also consumers. To that end, special attention should be paid to the relationship between the eventual directive and the rules that currently apply or may apply to digital platforms (above all the E-commerce and Consumer Protection Directives).

5. BIBLIOGRAPHY

Busch, C. (2016). Crowdsourcing Consumer Confidence: How to Regulate Online Rating and Review Systems in the Collaborative Economy, in Alberto De Franceschi (ed.), European Contract Law and the Digital Single Market. Cambridge: Intersentia, pp. 223-243.

Busch, C. et al. (2016). The Rise of the Platform Economy: A New Challenge for EU Consumer Law? Journal of European Consumer and Market Law, vol. 1, pp. 3-10.

European Commission (2016). Full report on the results of the public consultation on the Regulatory environment for Platforms, Online Intermediaries and the Collaborative Economy, of 25-05-2016 [EN version], available at: <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=15877>.

European Commission (2016). Commission Staff Working Document on Online Platforms Accompanying the document Communication on Online Platforms and the Digital Single Market [SWD(2016) 172] [EN version].

European Commission (2016). Comunicación de la Comisión al Parlamento Europeo, al Consejo, al Comité Económico y Social Europeo y al Comité de las Regiones. Las plataformas en línea y el mercado único digital: Retos y oportunidades para Europa [COM(2016) 288 final] [ES version].

European Commission (2016). Comunicación de la Comisión al Parlamento Europeo, al Consejo, al Comité Económico y Social Europeo y al Comité de las Regiones: Una Agenda Europea para la economía colaborativa [COM(2016) 356 final], of 2-06-2016 [ES version].

European Commission (2016). Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices [SWD(2016) 163 final], of 25-05-2016 [EN version].

European Commission (2015). Comunicación de la Comisión al Parlamento Europeo, al Consejo, al Comité Económico y Social Europeo y al Comité de las Regiones: Una Estrategia para el Mercado Único Digital de Europa [COM(2015) 192 final], of 06-05-2015 [ES version].

European Commission (2015). Public consultation on the Regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy, of 24-09-2015 [EN version], available at: <http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=10932>.

House of Lords, Select Committee on European Union (2016). 10th Report of Session 2015–16: Online Platforms and the Digital Single Market, p. 22. Available at: <http://www.parliament.uk/online-platforms>.

Linskey, O. (2017). Regulating ‘Platform Power’. Law, Society and Economy Working Papers, vol. 1, pp. 1-30.

European Parliament (2017). Opinión de la Comisión de Asuntos Jurídicos para la Comisión de Industria, Investigación y Energía y la Comisión de Mercado Interior y Protección del Consumidor sobre las plataformas en línea y el Mercado Único Digital [2016/2276(INI)], of 08-05-2017 [ES version].

Research group on the Law of Digital Services (2016). Discussion Draft of a Directive on Online Intermediary Platforms. Journal of European Consumer and Market Law, vol. 4, pp. 164-169.

Rochfeld, J. (2016). La réglementation des contrats de fourniture de contenus numériques: l’appréciation des aspects numériques, in Arroyo Amayuelas, E. and Serrano de Nicolás, A. (eds.). La europeización del Derecho privado: cuestiones actuales (29-43). Barcelona: Marcial Pons.


19

LEGAL UNCERTAINTY: PROPOSED REGULATION ON ADDRESSING GEO-BLOCKING

Maria Lorena Florez Rojas

PhD candidate in Individual Person and Legal Protections

Scuola Superiore Sant'Anna, Pisa, IT

ABSTRACT: Geo-blocking techniques affect e-commerce in the European Union and at the same time reinforce discriminatory practices in the online world among European consumers. The first attempt to fight discrimination in cross-border trade was Article 20 of the Services Directive, which sets out the non-discrimination principle. However, this provision has failed in practice due to its large interpretative uncertainties and lack of enforcement. In this light, discriminatory practices have been a constant in the online market and have intensified with the use of new geolocation technologies. The new strategy to fight online discrimination in the European Union is the proposed Regulation on addressing geo-blocking released in 2016. This paper is part of ongoing research on geo-blocking in the Digital Single Market. The paper analyzes the proposed Regulation and the obstacles to cross-border trade. However, this part of the research examines only the market for goods and services that are not protected by copyright. Finally, the paper argues that geo-blocking in this subject matter is a business issue, not a legal one. For this reason, these discriminatory practices will only disappear if business models give way to global approaches that make the borderless Internet a reality.

KEYWORDS: online discrimination, geo-blocking, Services Directive, legal uncertainty, enforcement.

1. INTRODUCTION

The use of geolocation technologies by several actors on the internet has become common in commercial practices based on the consumer’s profile. Geo-blocking and other geographically-based restrictions undermine online shopping and cross-border sales by limiting the possibility for consumers and businesses to benefit from the advantages of e-commerce (EP & DGIP, 2017a, p. 20). In addition, there are situations involving differences in treatment that might amount to discriminatory practices based on nationality, place of residence or place of establishment; for instance, where customers are treated differently based on their IP address, the country in which their credit card was issued, or the delivery address.

Geo-blocking occurs when traders operating in one member state block or limit the ability of customers from another member state to order their goods or online services (EP & DGIP, 2017a, p. 18). Moreover, blocking a customer can take place automatically, when the consumer attempts to enter a certain website, or the denial can appear in the payment process or at the delivery stage, making the consumer lose significant time and effort on a website. Therefore, these practices can be divided into four main categories: denial of access to a website, automatic re-routing, refusal to sell, and changing the terms and conditions.

There might be justified reasons for traders not to sell cross-border, such as the need to register with the tax authority in the country of destination, higher shipping costs or costs arising from the application of foreign consumer law. However, discrimination among European Union (EU) customers based on the desire to segment markets along national borders, increasing profits to the detriment of foreign customers, is considered unjustified geo-blocking. For that reason, on 25th May 2016 the European Parliament released a proposal for a Regulation on addressing unjustified geo-blocking and other forms of discrimination that prevent the free movement of goods and services in a single market.

The proposed Regulation defines specific situations where there can be no justified reasons for geo-blocking or other discrimination based on nationality, residence or location. Furthermore, the proposal bans the blocking of access to websites and the use of automatic re-routing if the customer has not given prior consent. However, the proposed Regulation is based on Art. 20(2) of the Services Directive (SD) and is expected to be complementary to that provision.

Art. 20(2) of the SD introduces a general prohibition against consumer discrimination to be complied with by member states and service providers1. Each member state should implement this non-discrimination principle through national law in order to render it binding on service providers. Thus, most member states have introduced horizontal laws transposing the SD provisions, reproducing in full or in part the Directive’s provision on non-discrimination, while others have been able to rely on pre-existing legislation that achieves the same end (EC, 2016a, p. 126).

Even though the SD was adopted in 2006 and transposed by all EU countries in 2009, the Commission is not aware of a single company that has been sanctioned on the basis of Art. 20(2) (EC, 2016c, p. 127). However, between 2009 and 2015 the Commission collected over 1500 complaints from service recipients across the EU alleging discrimination. In fact, the 2015 Digital Single Market (DSM) survey of online consumers showed that 80% of respondents indicated geo-blocking as one of the main challenges they had experienced (EC, 2016c, p. 61–77).

1 Art. 20(2) of the Services Directive states that: “Member States shall ensure that the general conditions of access to a service, which are made available to the public at large by the provider, do not contain discriminatory provisions relating to the nationality or place of residence of the recipient, but without precluding the possibility of providing for differences in the conditions of access where those differences are directly justified by objective criteria”.


Consumers, businesses and national authorities agreed that Art. 20(2) of the SD only introduced a general non-discrimination principle without clear elements for its application. The main points that stakeholders highlighted to explain the ineffectiveness of the provision are the low rate of enforcement by national authorities and the unsettled legal interpretation of Art. 20(2) as to what constitutes objective criteria for businesses to discriminate based on the geolocation of the consumer (EP & DGPI, 2013, p. 10).

At first sight, the proposed Regulation seems to cover the gaps in Art. 20(2); however, the legal uncertainty of the main elements for evaluating each situation, and the lack of enforcement of the existing provision, might affect economic growth. In this regard, the paper analyzes how the proposed Regulation on addressing geo-blocking is just one piece of the puzzle in the Digital Single Market, and how this regulation could be considered an attempt heading towards regulatory failure because of the ineffectiveness of Article 20(2), which the proposal complements. The paper first describes how geo-blocking techniques are affecting e-commerce in the EU and reinforcing discriminatory practices in the online world. Second, it presents the failure to enforce Art. 20(2) of the SD due to its large interpretative uncertainties. Third, the paper explains how the core of the proposal lacks a legal and concrete basis for its application and, moreover, creates additional obstacles to cross-border trade, failing to create a clear framework for traders, consumers and authorities. Finally, it presents some conclusions and open questions for the next part of the research.

2. DISCRIMINATORY PRACTICES WITHIN THE EUROPEAN UNION

According to the E-commerce Sector Inquiry, 60% of geo-blocking is implemented through IP address verification (EC, 2016d). The most common technique used to block access and content for online consumers is TCP/IP filtering, where IP addresses become a virtual passport to be presented at the border checkpoints represented by various kinds of online geo-blocks. These technologies have the capability to restrict, deny or limit access to Internet communications. Thus, the combination of filtering and location technologies allows companies and states to limit users’ communications on the Internet while giving governments and companies control over the market and the flow of information.

The Single Market Strategy refers to the EU as one territory without any internal borders or other regulatory obstacles to the free movement of goods and services. Moreover, to improve economic growth, the DSM strategy was implemented as one of the cornerstones of the European challenges. The agenda focuses on seven priority areas of action: creating a DSM, greater interoperability, boosting internet trust and security, providing much faster internet access, encouraging investment in research and development, enhancing digital literacy skills and inclusion, and applying ICTs to address the challenges facing society (EC, 2015a). Nowadays, efforts to achieve this objective have mainly focused on ensuring that companies are free to sell goods and services cross-border without unjustified restrictions, which will allow a better allocation of resources within the Union and will increase economic growth (Eurostat, 2016)2.

Nevertheless, cross-border consumers complained that they were subject to additional conditions and guarantees when, for example, they were contracting with mobile telephony operators, were prevented from receiving pay-TV channels broadcast from other member states, and had to pay higher fees when participating in cultural or sporting events, visiting museums or tourist sites, buying ferry tickets, taking out insurance contracts, using sports facilities and hiring cars (EC, 2002, 2016f). A representative survey found that 15.2% of cross-border online shoppers had experienced restrictions at one stage or another of the purchasing process, and 24.5% of these shoppers attributed the refusal to their geographical location (EC & DGJC, 2015; Hunter & Wilson, 2015). Likewise, the e-commerce sector inquiry issued by the Commission found that geo-blocking was practised by companies of all sizes through the collection and analysis of geographical information about the user. It also showed that 36% of retailers do not sell cross-border, and around 40% of those confirm the use of geographical information specifically for geo-blocking purposes (EC, 2016b). Similarly, in 2015 a Mystery Shopping Survey (MSS) found that 32% of the websites analyzed refused to deliver cross-border, and 37% of the websites did not have any information on delivery restrictions clearly displayed on the starting page or during the ordering process (EC, 2016e).

These statistics show, on the one hand, the potential for cross-border online sales, where consumers and traders could benefit from a more competitive market (Craig & Búrca, 2015, p. 527). Nonetheless, they also illustrate that in the online world it is common practice for a trader to refuse to sell to foreigners, or to do so only under different conditions based on the consumer’s origin as determined through IP tracking. Such practices decrease the confidence and the contribution that the consumer brings to the market (EP & DGIP, 2013, p. 7). Thus, the potential for e-commerce among member states has not been fully exploited due to restrictions and barriers that may or may not be known to the consumer.

For instance, the report on the first stage of the Internal Market Strategy mentioned some practices that might prevent the emergence of a true single market for e-commerce, such as refusals to supply pay-TV channels and higher fees for participating in cultural or sporting events or visiting museums or tourist sites, among others (EC, 2002, pp. 122–123). The following are four common types of market practice that are detrimental from the consumers' perspective: (i) denial of supply or access; (ii) redirection; (iii) price discrimination; and (iv) indirect discrimination (EP & DGIP, 2013, p. 8).

2 For instance, 42% of large enterprises made e-sales, corresponding to 23% of their total turnover; 28% of medium-sized enterprises made e-sales, corresponding to 12% of the total turnover in this size class. By contrast, 18% of small enterprises engaged in e-sales, corresponding to only 6% of the turnover of such enterprises.

309 Managing Risk In the Digital Society

Denial of supply or access based on the nationality or place of residence of the consumer covers practices where consumers are asked to agree not to use, or attempt to use, the service from outside a specific location. Consumers are also confronted with clauses in the terms and conditions indicating that the service they intend to acquire is available only in a specific member state (EC, 2012a, p. 10; Karlson Jernbäcker, 2014, pp. 9, 17). For example, a Spanish consumer wishes to order a product from a German online shop. The shop requires the customer to register before placing an order, and the Spanish consumer is prevented from registering because of his place of residence; he is thus discriminated against through a refusal to sell (EP & DGIP, 2013, p. 17; Sinkovics, Yamin, & Hossinger, 2007).

Redirection occurs when a refusal to supply is used to redirect the consumer, without the consumer's consent or knowledge, to a local partner company that offers the same service on different terms, most commonly at higher prices (EP & DGIP, 2013, p. 8). The practice relies on automatic geolocation, detecting the consumer's location from the IP address, or on a notice of non-delivery to other member states accompanied by a link to a specific e-shop in another member state (EC, 2016e, p. 6). As an example, a Polish consumer wishes to order a product from a French online shop. After completing the ordering process, when he enters his Polish delivery address he is informed that he cannot order and must use the business's Polish website instead (EP & DGIP, 2013, p. 19).

Price discrimination occurs when the same service is offered by the same company but the price varies depending on the nationality or place of residence of the consumer. There are justifiable reasons for price differences, particularly supply and demand factors such as logistics, security, delivery and different tax rates, or concessions based on a consumer's student status or possession of a loyalty card (HM Government, 2016, p. 3). However, there are situations in which businesses prevent a consumer from making an online purchase because their nationality or location is being used as a proxy for their willingness to pay a higher price (EP & DGIP, 2013, p. 9).3 For instance, a consumer from Germany visits a Greek hotel-booking website. The shop scans his IP address and automatically redirects him to the German website, where the price for the hotel booking is 50% higher than on the Greek website (EP & DGIP, 2013, p. 19). Nevertheless, the concept of price discrimination should not be confused with differences in price applied in different member states. Every business has the freedom to offer its products at the price it considers appropriate; the type of price discrimination at issue occurs where the same business applies different prices in different member states on the basis of the customer's nationality or residence (EP & DGIP, 2013, p. 20).

3 This practice is known as third-degree price discrimination, which involves charging different prices to different groups of consumers. The groups can be identified by characteristics such as age, sex or location.

310 LEGAL UNCERTAINTY: PROPOSED REGULATION ON ADDRESSING GEO-BLOCKING

Finally, indirect discrimination covers restrictions that are not directly based on the nationality or residence of the consumer but on some other condition that indirectly restricts access for foreigners and non-residents (Matrix Insight, 2009, p. 75). Conditions such as the country that issued the driving licence, the country of the credit card, the lack of a local credit history or the lack of a national ID number can be used for hidden discrimination (EC, 2012a, p. 10). For example, in the case of payment options, some businesses charge an extra fee for the use of a payment method that is exclusive to one member state, artificially increasing the final price of the product (EC, 2016e, p. 45).

Therefore, despite the efforts made at Union level to facilitate cross-border trade in goods and services, consumers still often face unfavourable contract terms, such as higher prices or supply restrictions, because of their nationality, place of residence or place of establishment (EP & DGIP, 2013, p. 7). These restrictions on transactions reduce the confidence of consumers and companies in the DSM and affect the economic growth of the Union.

3. GENERAL PROHIBITION OF NON-DISCRIMINATION

The first attempt to prevent discriminatory practices against consumers was the SD, which introduces a general prohibition in Art.20(2). The obligation lies on the member states, which must implement it in national law, thereby obliging service providers to comply with it (De Waele, 2009, pp. 527–528; ECJ, 1993; Karlson Jernbäcker, 2014, p. 18). Thus, the implementation of Art.20(2) allows recipients to rely on the principle of non-discrimination vis-à-vis service providers (De Waele, 2009, p. 527; Karlson Jernbäcker, 2014, p. 45).

Art.20(2) of the SD requires member states to ensure that the general conditions of access to a service that are made available to the public do not contain discriminatory provisions based on the nationality, place of residence or establishment of recipients, unless justified by objective criteria (Dir.2006/123/EC). The aim of this provision is to enhance the rights of service recipients and strengthen their confidence in the Internal Market by ensuring that they are not subject to discriminatory practices based on geographical elements when shopping across the EU (EC, 2016c, p. 6). This provision might therefore seem a step towards solving the identified problem of consumer discrimination in online sales; however, Art.20(2) has been criticised for the ambiguous criteria and unclear scope of application on which it is based (HM Government, 2016, p. 23). The following imprecise and vague elements of the provision show that Art.20(2) is not effective in practice, owing to legal uncertainties and a lack of enforcement at national and cross-border level.

3.1. Legal Uncertainties

Firstly, the scope of Art.20(2) excludes temporary work agencies, healthcare, private security and non-economic services of general interest. However, some of these exceptions do not have a settled definition in EU law. For instance, "non-economic services of general interest" have been interpreted by the European Commission as "non-market services which the public authorities class as being of general interest and subject to specific public service obligations" (EC, 2004, p. 22). Under this vague definition, member states have discretion to decide which services are also excluded from the application of Art.20(2), which could result in further market fragmentation rather than integration (Delgado, 2008, p. 968).

Secondly, the concept of "general conditions of access" can also be misinterpreted. On the one hand, it can be understood as all the terms and conditions and all other information made available by the service provider through various means, such as information published in advertisements or documentation on websites (EC, 2012a, p. 9). On the other hand, the Commission Staff Working Document interprets the term broadly, including information sent by e-mail or letter to service recipients in response to requests for information (EC, 2012a, p. 5). This interpretation, however, conflates general conditions of access with tailor-made terms negotiated individually with a single service recipient, because it omits the provision's requirement that the information be available to the public at large rather than to a single recipient (EP & DGIP, 2013, p. 45).

Finally, one of the most important legal uncertainties concerns the justifications for differences in treatment based on the consumer's nationality, place of residence or establishment, which are not clear to every member state or retailer. In fact, differences in treatment do not always constitute discrimination, and differences in the conditions of access can be legitimate when they are justified by objective criteria (ECC-Net, 2013; EP & DGIP, 2013). Nevertheless, the SD does not explain what could be considered objective circumstances justifying differences in treatment.

Recital 95 of the SD gives a non-exhaustive list of examples of possible justifications, which makes the provision difficult to apply in practice (Dir.2006/123/EC). The recital describes "objective criteria" as reasons that can vary from country to country, such as additional costs, different market conditions, lack of the required intellectual property rights and extra risks (ECC-Net, 2013, p. 24). However, the ambiguity of the objective criteria creates uncertainty for traders, customers and national enforcement authorities, leaving Art.20(2) mainly symbolic, an expression of the values of the internal market (EP & DGIP, 2013, p. 48; HM Government, 2016, p. 22).

According to a case study by the ECC-Net on the enforcement of Art.20(2), "objective criteria" can be interpreted by any retailer so that every reason becomes justifiable, without prior information or concrete proof (ECC-Net, 2013, p. 33). Indeed, the Commission study on business practices showed that companies use a wide range of justifications for treating customers differently (Matrix Insight, 2009). Among the reasons traders gave for different treatment were the regulatory environment, corporate structure, exchange-rate fluctuations, taxation and credit card processing fees, competition, market growth, risks related to stricter consumer protection laws, seasonality and simply the fact that the cost of different services varies between member states (EC, 2016a, pp. 52–53). Thus, the list of examples that could fit the definition of objective criteria seems endless, and almost every case of discrimination will be justified, because there are always additional risks and costs associated with providing services abroad. If any economic justification is reason enough to refuse orders from another member state, the only infringements left will be those of anti-racism legislation and competition law (EP & DGIP, 2013, p. 48). The wide range of justifiable reasons available to companies under the concept of objective criteria renders Art.20(2) of the SD somewhat ineffective (HM Government, 2016, p. 2).

It has been concluded that Art.20(2) is formally addressed to the member states, but that the legislature's intention seems to have been that it should apply directly to service providers, who must justify any difference in treatment. Also, the scope of application of the provision could be interpreted differently by every member state, narrowing the situations in which Art.20(2) applies. Finally, the concept of objective criteria is interpreted so broadly that every justification for a different treatment will be found reasonable (Barnard, 2016, p. 23). For those reasons, the enactment of a new directive was proposed to overcome the ambiguity of Art.20(2). First, because the prohibition of discriminatory practices should cover not only the general conditions of access used by the service provider, but also other contractual practices that may infringe this principle. Second, because as far as discrimination based on residence is concerned, Art.20(2) intervenes too deeply in the trader's decision-making process and is not fit for purpose. Finally, it was also proposed that, in the short term, all providers of online shops be obliged to inform the consumer clearly and appropriately of any geographical restriction and of any different conditions based on geographical location (EP & DGIP, 2013, p. 87).

3.2. Lack of enforcement actions by national authorities

The second reason for the failure of Art.20(2) of the SD is its lack of enforcement by member states. Since the implementation of the SD, it has not been clear in some member states which authority is responsible for enforcement and what the mechanisms for cooperation with other member states are. Furthermore, the bodies responsible for the protection of consumer rights have reported problems with the interpretation of Art.20(2) and the list of possible justifications in Recital 95 (EC, 2016c, pp. 127–128). Thus, uncertainty regarding the interpretation of Art.20(2) and the broad scope of Recital 95 have led to confusion in the application of the provision by national authorities.

Firstly, member states should have designated responsible authorities to ensure compliance with the national provisions implementing Art.20(2) (EC, 2016c, p. 126). Most member states have attributed this task to the authorities that oversee the administrative enforcement of consumer protection rules; in some cases, competition authorities have also been entrusted with the application of this provision. However, some member states have failed to identify clear enforcement authorities and to ensure cooperation with other authorities (EC, 2012a, p. 27; 2016c, pp. 17–19).

In addition, under Art.21 of the SD, member states were also obliged to designate assistance bodies. These "Article 21 bodies" should help consumers who have experienced discrimination based on residence or nationality in violation of Art.20(2), even though they generally have no enforcement powers (EC, 2016c, p. 126). Nevertheless, these bodies have reported difficulties with the interpretation of Art.20(2) and the list of possible justifications in Recital 95, with identifying the relevant enforcement authority, and with persistent problems in getting local enforcement authorities to act (EC, 2016c, pp. 127–128).

Furthermore, the Commission issued Guidance on Art.20 with the purpose of clarifying which authority is responsible for enforcing this provision in each member state. However, in some member states4 consumers would have to go to court to pursue a case of non-compliance, and in others it is very difficult to identify the competent enforcement body (EC, 2012a). The publication of the Guidance neither resulted in an increased number of sanctions nor led member states to amend their national regulations to ensure a more effective transposition of Art.20(2) of the SD (EC, 2016c, p. 127). Hence, the Guidance did not lead to any clear improvement in the interpretation or enforcement of the provision (EC, 2016a).

Secondly, to identify whether a business measure rests on objective criteria, the competent authority should consider (1) whether the different treatment reflects objective economic or legal drivers, such as compliance costs or copyright charges, and (2) whether the responses to those drivers are proportionate (Matrix Insight, 2009, p. 82). These elements help to analyse each situation separately, because not every difference in treatment should be considered discriminatory, but every justified difference in treatment must be implemented clearly and comprehensibly for the consumer (ECC-Net, 2013, p. 19; Karlson Jernbäcker, 2014, p. 96). In this view, any assessment of differentiation in treatment based on the country of residence or nationality must review two main elements, namely objectivity and proportionality. Nonetheless, the Commission is not aware of any company that has been sanctioned for violating Art.20(2) of the SD (EC, 2016c, p. 127).

4 For instance, Cyprus, the Czech Republic, Estonia, Finland, Italy, Latvia, Poland, Romania and Slovenia have designated their national courts as the authority competent to enforce this provision against businesses.

Thirdly, the authorities of the member states have failed to coordinate cross-border enforcement across the EU, a necessary element in addressing discrimination in the online market (EP & DGIP, 2013, pp. 88–89). Ensuring that all member states have designated enforcement authorities with the resources to enforce Art.20(2) properly at national level is not sufficient; the strategy for cooperation among member states also needs to be reinforced.

In this view, Regulation (EC) No 2006/2004 on consumer protection cooperation lays down the general conditions and framework for cooperation between national enforcement authorities in the EU. It covers situations in which the collective interest of consumers is at stake and allows authorities to stop breaches of consumer rules when the trader and the consumer are established or resident in different member states. Although this cooperation applies to consumer rules in various areas, such as unfair commercial practices, distance selling and passenger rights, Art.20(2) is not among the provisions it covers. The situations covered by Art.20(2) are cross-border situations that require cooperation by member states to ensure effective enforcement. Therefore, as part of the review of the Consumer Protection Cooperation Regulation, the Commission proposed to include Art.20 in the Annex of that Regulation to improve enforcement and cooperation. However, this proposal is part of the Single Market Strategy and was only presented in May 2016, which means that there is currently no coordinated enforcement of this provision by national authorities.

In sum, national authorities have not enforced Art.20(2) appropriately, owing to the legal uncertainties surrounding the objective criteria and the scope of application. In addition, national authorities lack formal cooperation among member states, which hinders the cross-border application of Art.20.

Therefore, the non-discrimination principle established in Art.20(2) of the SD only introduced a general standard, without compliance tools to enforce it.

4. PROPOSED REGULATION ON ADDRESSING GEO-BLOCKING

Despite the legislative efforts to fight discrimination in the online market, restrictive practices still affect EU consumers, and they are increasing with the implementation of technological measures that prevent access to websites or reroute consumers to local shops offering different products, prices and terms, to the detriment of nationals of other member states (ECJ, 1999, p. 14, 2000, p. 13, 2003, pp. 13–14; EC, 2002, p. 6). In order to achieve non-discrimination against customers in the DSM, the European Commission proposed a Regulation on addressing geo-blocking to prevent the artificial segmentation of the market by traders, thus ensuring that customers are not directly or indirectly discriminated against on the basis of nationality, place of residence or place of establishment. It is important to clarify that the proposed Regulation is in the early stages of the legislative procedure and is subject to review and amendment by both the European Parliament and the Council of the European Union (EC, 2016c, p. 23).

4.1. Scope of application

The proposed Regulation is limited in scope and built on exceptions: for instance, it does not apply to non-economic services of general interest, transport, gambling, taxation, healthcare and certain social services (EC, 2016c, pp. 3–6). Within its scope, however, the proposal bans forms of discrimination based on nationality, place of residence or place of establishment in the internal market, such as refusing to deliver, refusing to accept payment from cross-border customers, or automatically applying different sales conditions. Thus, the proposal applies to the following situations, in which traders may not apply different general conditions of access to their goods or services for reasons related to nationality, residence or establishment.

First, when a customer buys a good, such as electronics, clothes, sportswear or a book, that the trader does not deliver cross-border. In this situation, the customer should be able to buy the goods under the same conditions as customers resident in the trader's member state; this provision seeks to give all consumers the choice of having the goods sent to an address in that member state or collecting them personally. Second, when a customer buys an electronically supplied service, such as cloud services, data warehousing or website hosting. Here delivery costs cannot be an argument against selling cross-border, and the taxation implications of cross-border sales have already been addressed by the VAT mini one-stop shop, in place since the beginning of 2015 (EC, 2015b). Finally, when a customer buys a service that is supplied on the trader's premises or in a physical location where the trader operates, such as a hotel room or a rental car. For example, consumers from Germany accessing the non-country-specific EU website (.com or .eu) of a car rental company were offered a higher price than consumers from Italy in 13% of cases, with no possibility of seeing the lower price available to other consumers.

Moreover, some traders operate different versions of their online interfaces, each aimed at customers from a different member state. These practices cannot be labelled illegal outright, since in some cases access to an online interface may be restricted, or rerouting may occur, in order to comply with national or EU law. The proposal states that traders may not reroute customers to the version of the online interface intended for their country of residence if it differs from the version the customer originally attempted to access. Thus, rerouting can only take place with the customer's consent, and traders must keep the version of the online interface that the customer sought to access before being rerouted easily accessible.
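The redirection practice described in section 2 and the rerouting rule above can be contrasted in code. The following is an added example, not part of this paper or of any study it cites: a minimal Python model in which a constructed IP-to-country table (using documentation address ranges rather than a real GeoIP database) and constructed storefront URLs drive two routing policies, the silent IP-based redirect the text criticises and a consent-based variant in which the requested version is always served and the local version is only offered. It also shows the caveat a practitioner would raise about the mechanism: the IP address is only a proxy for residence, and an address outside the table (a VPN exit, an unmapped range) yields no country and therefore no redirect at all.

```python
"""Added example: two geo-routing policies for an online shop.

Not code from the paper or from any cited study. The IP-to-country table
uses the RFC 5737 documentation ranges and the storefront URLs are
constructed, so nothing here maps to a real network or shop.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table; a real deployment would query a GeoIP database.
# An IP address is only a proxy for residence: a Polish resident travelling
# in Germany, or anyone behind a VPN, is mapped to the network's country,
# not to their own.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "PL"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
]

# Constructed country-specific versions of the trader's online interface.
STOREFRONTS = {
    "FR": "https://shop.example/fr/",
    "PL": "https://shop.example/pl/",
    "DE": "https://shop.example/de/",
}


def country_for_ip(ip: str) -> Optional[str]:
    """Return the country code of the most specific matching prefix, or None
    when the address is not covered (VPN exit, unmapped range, IPv6 without
    an entry). Raises ValueError for a malformed address."""
    addr = ipaddress.ip_address(ip)
    best_cc, best_len = None, -1
    for net, cc in GEO_TABLE:
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_cc, best_len = cc, net.prefixlen
    return best_cc


@dataclass(frozen=True)
class RoutingDecision:
    serve_url: str                  # interface version actually served
    suggested_url: Optional[str]    # local version offered, if any
    requires_consent: bool          # True if switching needs a customer action


def automatic_reroute(requested_url: str, client_ip: str) -> RoutingDecision:
    """The practice criticised in the text: geolocation decides silently where
    the customer lands, and the version they asked for is not served."""
    cc = country_for_ip(client_ip)
    return RoutingDecision(
        serve_url=STOREFRONTS.get(cc, requested_url),
        suggested_url=None,
        requires_consent=False,
    )


def consent_based_reroute(requested_url: str, client_ip: str) -> RoutingDecision:
    """The behaviour the proposal requires: always serve the requested version;
    the local version is only suggested, and switching needs explicit consent."""
    cc = country_for_ip(client_ip)
    local = STOREFRONTS.get(cc)
    if local is None or local == requested_url:
        return RoutingDecision(requested_url, None, False)
    return RoutingDecision(requested_url, local, True)


def accept_suggestion(decision: RoutingDecision, consented: bool) -> str:
    """Resolve a decision once the customer has answered the prompt: without
    consent the requested version stays in use."""
    if decision.requires_consent and consented and decision.suggested_url:
        return decision.suggested_url
    return decision.serve_url


if __name__ == "__main__":
    # A Polish customer (constructed IP) opening the French storefront.
    fr = STOREFRONTS["FR"]
    print(automatic_reroute(fr, "192.0.2.10"))      # silently lands on /pl/
    print(consent_based_reroute(fr, "192.0.2.10"))  # stays on /fr/, /pl/ offered
    print(consent_based_reroute(fr, "10.0.0.1"))    # unknown location: no offer
```

The consent-based variant keeps the requested URL as `serve_url` in every case, which is what makes the originally requested version "easily accessible" in the sense of the proposal; the only state that changes on consent is the result of `accept_suggestion`. The unknown-address branch is deliberate: a geolocation miss should degrade to serving what was asked for, not to a default national storefront.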

Furthermore, the proposal sets out a non-discrimination rule for payments, meaning that traders may not, without justification, treat individual customers unequally on the basis of their means of payment. The prohibition applies when three conditions are met: (i) the payment is made through an electronic transaction by credit transfer or by a card-based payment instrument of the same brand; (ii) the payee may request strong customer authentication from the payer; and (iii) the payment is in a currency the payee accepts.

However, one of the most notable absences from the proposal, as regards access to digital content, is that copyright-protected works are carved out (Jacklyn Hoffman, 2016, p. 20). This means that providers of copyrighted digital content can continue using geolocation tools to block users from other member states. Copyright law in the EU is a collection of independent national rules, which can vary substantially between member states (Jacklyn Hoffman, 2016, p. 23). Therefore, material that benefits from copyright in one member state may be completely unprotected in another. This has led rights holders to grant exclusive licences for their material on a national basis, reflecting the different national frameworks for copyright law.

In principle, the proposed geo-blocking Regulation seeks to complement Art.20(2) of the SD, which would remain applicable insofar as it is compatible with the new instrument (EC, 2016c, p. 23). In this view, the proposal aims to address the failure to enforce Art.20(2) (EP & DGIP, 2017b, p. 27). Nonetheless, this objective is not explicitly mentioned in the proposal, which instead simply establishes that the Regulation would prevail in any case of doubt or conflict with Art.20(2). Thus, both Art.20(2) and the proposal will be in force in the DSM, but the coexistence of these two legal rules might harm the market more than help it. In my view, instead of comprehensively addressing the problem of consumer expectations by making all digital content and services available across borders, the European Commission chose to address narrower concerns through three discrete regulatory initiatives: (i) geo-blocking, (ii) cross-border parcel delivery services and (iii) enforcement of consumer protection laws.

4.2. Pitfalls of the geo-blocking proposal

The proposed Regulation does not replace or amend Art.20(2), meaning that traders could claim a justifiable reason for different treatment whenever their practices fall outside the proposal's scope, for example where market fluctuations affect each member state differently, or where supply and demand lead to price discrimination (Svenskt Naringsliv, 2016, p. 4; Swedish Trade Federation, 2016, pp. 6–9). Moreover, the Regulation does not clarify the circumstances in which traders may claim objective criteria under Art.20(2), which could cover almost any commercial decision. Consequently, the proposal leaves the door open for traders to ground their discriminatory practices in the SD, and it will apply only when a case is under review by a national authority, rather than preventing these behaviours in the online market.

Furthermore, the proposed Regulation in combination with Art.20(2) could create a more complex legal regime, especially for small and medium-sized enterprises (SMEs) that cannot afford the technical requirements of compliance. Although geo-blocking is a practice that promotes the fragmentation of the market, SMEs and micro-enterprises may have well-founded reasons for avoiding or refusing cross-border online trade, or for adjusting prices and conditions to reflect differences between markets. In these cases, SMEs might face the risk of sanctions for breaching EU provisions and could feel forced to sell occasionally at a loss to customers in other member states, because of legal uncertainty over what is a justified or unjustified refusal of delivery (Competition & Markets Authority, 2016, p. 3; Swedish Trade Federation, 2016, p. 5).

In addition, recital 30 of the proposed Regulation states that, to ensure its effective enforcement, it is necessary to amend Regulation (EC) No 2006/2004 on cross-border cooperation among EU countries (EC, 2016f, p. 16). However, Regulation (EC) No 2006/2004 applies to laws that protect consumers' interests, meaning that cooperation measures among EU countries are available only when the customer is a consumer. The same amendment was also discussed above, in the analysis of Art.20(2), in connection with the revision of the consumer cooperation rules. Hence, the enforcement of the proposed Regulation depends on the revision of other legislative instruments, leaving it without effective tools for cross-border enforcement.

The current landscape comprises different national standards and different certification schemes; some websites are blocked to prevent them from selling into another country; payment regimes usually differ; language requirements may be prohibitive; market surveillance authorities sometimes impose extra requirements; and some existing EU Directives are not implemented at all. These factors undermine both market transparency and the desired level playing field. Thus, the proposed Regulation should be implemented in parallel with other measures, such as those on parcel delivery, copyright regimes and the enforcement of consumer rights. The DSM strategy is comparable to the construction of a house: if one of the elements is not properly assembled, the house itself will fall. The same will happen with the proposed Regulation on geo-blocking, because its adequate application depends on other regulatory proposals.

5. CONCLUSIONS

It has been shown that, to increase cross-border trade and create economic growth in the EU, a regulatory framework is necessary to tackle discrimination in the DSM. On the one hand, the EU legal framework has Art.20(2) of the SD; on the other, the Commission presented the proposed Regulation for specific situations of unjustified geo-blocking. However, the coexistence of both provisions reveals a clash of frames, with legal uncertainty leading to a lack of enforcement.

Likewise, the Commission has identified geo-blocking as a barrier in the DSM, but its insistence on introducing new legislation to address it may prove misguided. If the Commission decides to take a stand and introduce a blanket ban on all forms of geo-blocking, this could result in less consumer choice, as businesses, particularly SMEs, will not be able to meet the demands of providing goods and services throughout the entire EU. Thus, the proposed Regulation would most likely prove symbolic rather than functional.

Geo-blocking is a delicate issue, interlinked with copyright protection, the political objectives of market integration, and economics. In short, the fight against geo-blocking is about market integration: the freedom of European Union citizens to obtain services freely across the Union. The proposed Regulation on geo-blocking can therefore be considered a small step forward for online trading, removing obstacles to selling and buying across borders. The efficacy of the Regulation will depend on other proposals, which could obstruct appropriate enforcement. Moreover, widely divergent industrial policies and national legislation, including copyright rules and parcel delivery tariffs, make it difficult to speed up the harmonisation process.

In addition, some situations that violate neither Art. 20(2) nor the proposed Regulation can alter the market and harm consumers. Market segmentation among Member States could be explained by unilateral business decisions or by contractual arrangements preventing the sale of goods and services. In this view, artificial barriers are hampering companies, especially SMEs, from developing organically.

Vertical and horizontal agreements between traders and distributors, as well as various forms of market segmentation that are generally considered to constitute unjustified geo-blocking, must often also be seen as defensive measures against what companies consider to be arbitrary national barriers. For example, shipping costs and the cost of after-sales services may unexpectedly turn out to be higher because of national policies. Thus, a company obliged to deliver under all circumstances might find it difficult to meet its obligations against a background of unknown conditions.

These restrictions, which create barriers to cross-border e-commerce, might be analysed under competition law. For instance, Articles 101 and 102 TFEU have been applied to address a variety of forms of geo-blocking on the grounds that it can damage the integration of the internal market. From that perspective, it can be argued that, instead of creating a complex and non-functional legal framework for geo-blocking, these situations might be addressed by concentrating on alterations to the structure or damages regime of the Single Market. Investigations under competition law have effects on cross-border trade and can lead to the imposition of fines, whereas the application of consumer law relates to specific cases and might not change the behaviour of a business. In this regard, if the Commission is truly committed to tackling geo-blocking efficiently, the DSM strategy suggests cooperative measures with business and industry stakeholders, as well as better enforcement of the existing legislative framework.

On the other hand, justified geo-blocking occurs primarily as a result of the fragmentation of the EU market and of situations that lack transparency. New technologies arise every day, creating new challenges for traders, consumers and governments. For instance, customisation, personalisation and tailored sales through algorithms, techniques that shape content and features to the specific characteristics of users, raise challenges of their own.

The combination of geo-location techniques and new technologies to improve sales in the online market is becoming a trend. The main goal of personalization is to deliver content and functionality that matches specific user needs or interests, with no effort from the targeted users. The system profiles the user and adjusts the interface according to that profile. Personalization may deliver or emphasize particular information, restrict or grant access to certain tools, or simplify transactions and processes by remembering information about a user.

These new techniques might hamper the enforcement and application of legal rules on the internet. For instance, it will be a challenge for legislators and enforcement authorities to clarify whether the principle of non-discrimination applies to cases where each consumer is offered different prices, options and tools according to his profile. Due to personalisation, the regulatory efforts to fight discrimination among EU countries will enter a grey area in which a consumer might have access to prices and tools different from those accessible to his neighbour in the same country.

6. BIBLIOGRAPHY

Barnard, C. (2016). The Substantive Law of the EU: The Four Freedoms (Fifth). Oxford University Press.

Competition & Markets Authority. (2016). CMA response to the European Commission on geo-blocking and other geographically based restrictions.

Craig, P., & Búrca, G. de. (2015). EU Law: Text, Cases, and Materials (Sixth). Oxford, New York: Oxford University Press.

De Waele, H. (2009). The Transposition and Enforcement of the Services Directive: A Challenge for the European and the National Legal Orders. Eur. Pub. L., 15, 523.


Delgado, J. (2008). The Economics of the Services Directive. Contratto E Impresa / Europa. Retrieved from http://aei.pitt.edu/id/eprint/8391

Directive 2006/123/EC Services in the Internal Market, Pub. L. No. Directive 2006/123/EC (2006).

ECC-Net. (2013). Enhanced Consumer Protection – the Services Directive 2006/123/EC: Analysis of Article 20.2 and Article 21. Retrieved from http://ec.europa.eu/consumers/ecc/docs/ecc-services_directive_en.pdf

ECJ. C-271/91 Helen Marshall v Southampton and South-West Hampshire Area Health Authority, No. ECLI:EU:C:1993:335 (European Court of Justice 1993).

ECJ. C-224/97 Erich Ciola v Land Vorarlberg, No. ECR 1-2517 (European Court of Justice 1999).

ECJ. C-282/98 Roman Angonese v Cassa di Risparmio di Bolzano SpA (European Court of Justice 2000).

ECJ. C-388/01 Commission of the European Communities v Italian Republic, No. ECLI:EU:C:2003:30 (European Court of Justice 2003).

ECJ. C-190/11 Daniela Mühlleitner v Ahmad Yusufi, No. ECLI:EU:C:2012:542 (European Court of Justice 2012).

ECJ. Case C-218/12, No. ECLI:EU:C:2013:666 (European Court of Justice 2013).

European Commission. (2002). Report from the Commission to the Council and the European Parliament on the state of the internal market for services: presented under the first stage of the Internal Market Strategy for Services (No. COM 441). Brussels.

European Commission. (2004). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: White Paper on services of general interest (No. COM 374). Brussels.

European Commission. (2012a). Commission Staff Working Document with a view to establishing guidance on the application of Article 20(2) of Directive 2006/123/EC on services in the internal market (’the Services Directive’) (No. SWD 146). Brussels.

European Commission. (2012b). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: on the implementation of the Services Directive. A partnership for new growth in services 2012-2015 (No. COM 261). Brussels.

European Commission. (2015a). Commission Staff Working Document: A Digital Single Market Strategy for Europe-Analysis and Evidence (No. SWD 100). Brussels.

European Commission. (2015b). Consumer Conditions Scoreboard: Consumers at home in the Single Market. European Union.

European Commission. (2016a). Commission Staff Working Document - Impact Assessment Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on cooperation between national authorities responsible for the enforcement of consumer protection laws (No. SWD 164). Brussels.

European Commission. (2016b). Commission Staff Working Document: Geo-blocking practices in e-commerce: Issues paper presenting initial findings of the e-commerce sector inquiry. (No. SWD 70). Brussels.

European Commission. (2016c). Commission Staff Working Document: Impact assessment accompanying the document Proposal for a Regulation of the European Parliament and of the Council on addressing geo-blocking and other forms of discrimination based on place of residence or establishment or nationality within the Single Market (No. SWD 173). Brussels.

European Commission. (2016d). Commission Staff Working Document: Preliminary Report on the E-commerce Sector Inquiry (No. SWD 312). Brussels.

European Commission. (2016e). Mystery Shopping Survey on territorial restrictions and geo-blocking in the European Digital Single Market (Survey). European Commission. Retrieved from http://ec.europa.eu/consumers/consumer_evidence/market_studies/docs/geoblocking-exec-summary_en.pdf

European Commission. (2016f). Regulation of the European Parliament and the Council on addressing geo-blocking and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the internal market and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (No. COM 289). Brussels.

European Commission. (2017). Report from the Commission to the Council and the European Parliament: Final report on the E-commerce Sector Inquiry (SWD 154 final). Brussels.

European Commission, & Directorate-General for Justice and Consumers. (2015). The European Consumer Centres Network: 10 years serving Europe’s consumers: anniversary report 2005-2015. Luxembourg: Publications Office.

European Parliament, & Directorate General for Internal Policies. (2013). Discrimination of Consumers in the Digital Single Market (Economic and Scientific Policy A No. IP//imco/st/2013-03).

European Parliament, & Directorate General for Internal Policies. (2017a). Extending the scope of the Geo-blocking prohibition: an economic assessment (Economic and Scientific Policy A No. IP/A/IMCO/2016-15).

European Parliament, & Directorate General for Internal Policies. (2017b). The Geo-blocking Proposal: Internal Market, Competition Law and Regulatory Aspects (Economic and Scientific Policy A No. IP/A/IMCO/2016-14).

Eurostat. (2016). E-commerce statistics - Statistics Explained. Retrieved February 17, 2017, from http://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics


HM Government. (2016). UK Government response to EU public consultation on tackling unjustified Geoblocking. Retrieved from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/491116/bis-16-10-geoblocking-eu-consultation-response.pdf

Hoffman, J. (2016). Crossing Borders in the Digital Market: A Proposal to End Copyright Territoriality and Geo-Blocking in the European Union. 49 Geo. Wash. Int’l L. Rev.

Hunter, J., & Wilson, M. (2015). Cross-border online shopping within the EU: Learning from consumer experiences. Brussels: ANEC. Retrieved from http://www.anec.eu/attachments/ANEC-RT-2015-SERV-005.pdf

Karlson Jernbäcker, M. (2014). Article 20(2) of the Services Directive: A prohibition against consumer discrimination. Uppsala Universitet, Sweden. Retrieved from DiVA.

Matrix Insight. (2009). Study on business practices applying different condition of access based on the nationality or the place of residence of service recipients. European Commission.

Sinkovics, R. R., Yamin, M., & Hossinger, M. (2007). Cultural adaptation in cross border e-commerce: A study of German companies. Journal of Electronic Commerce Research, 8(4).

Svenskt Näringsliv. (2016, June 22). Proposal for a regulation addressing geo-blocking and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the internal market and amending Regulation (EC) No. 2006/2004 and Directive 2009/22/EC.

Swedish Trade Federation. (2016). Swedish Trade Federation’s reply to geo-blocking consultation.


20

ALLOCATING JURISDICTION AND APPLICABLE LAW AFTER GDPR¹: THE PERSPECTIVE OF OVERALL DAMAGES’² CLAIMS

Maiia Otchenash, Universitat Oberta de Catalunya, PhD Researcher

Information and Knowledge Society Doctoral Program (LLM at Maastricht University, the Netherlands)

ABSTRACT: A significant difficulty in EU data protection law is that a data subject in one Member State might be affected by processing activities taking place in another Member State. In these circumstances, the question of which courts should have authority to hear a particular claim frequently arises. According to the current provision of Art. 22 of the Data Protection Directive (the Directive)³, Member States must allow data subjects to seek judicial remedies for any infringement of the applicable data protection laws, on the basis of the national laws governing the relevant processing. The new GDPR, in Art. 79(2), offers an alternative to the traditional jurisdictional rule of the defendant’s domicile by introducing the possibility for the data subject to bring a personal data protection claim before the courts of the Member State where he or she has his or her habitual residence.⁴ Also, Art. 3 of the GDPR⁵ maintains a broader scope of territorial application of EU data protection law. In this frame, the rules of international cross-border jurisdiction will be applicable more frequently, because more overseas companies will be involved in the liability chain. Despite the fact that the new GDPR is highly criticised for the absence of consistent and comprehensive rules on jurisdiction and applicable law⁶, the present publication argues that the GDPR offers reasonably applicable guidance for allocating jurisdiction in online data protection litigation and that the data subject gains more possibilities for claiming damages. However, administrative and non-judicial procedures are outside the scope of the present publication.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (2016) OJ L 119/1.

2 The notion of “damage” is used in the meaning of loss or injury to a person or property, while “damages” are money claimed by, or ordered to be paid to, a person as compensation for loss or injury. The notion of “overall damages” will be used in the sense of compensation for all the harm caused by the online infringement beyond the territory of one country.

3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995) OJ L 281/31.

4 See Recital (145) of GDPR.

5 Art. 3 of GDPR.

6 See more in the materials of the online webinar. Retrieved April 19, 2017 from: http://www.olswang.com/articles/2016/10/gdpr-and-jurisdictional-issues/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

KEYWORDS: GDPR, personal data protection, applicable law, international jurisdiction, compensation claims, overall damages.

1. INTRODUCTION⁷

According to Art. 79(2), “Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers”⁸.

Therefore, the new GDPR offers two fora to the data subject:

• the courts of the Member State of the controller’s or processor’s establishment, AND
• the courts of the Member State of the data subject’s habitual residence, the data subject being considered the weaker party.⁹

However, a public authority acting in the exercise of its public powers can only be sued before the courts of the Member State of its establishment.

In this regard, may we consider the provision of Art. 79(2) of the GDPR a jurisdictional rule for online data protection litigation? In particular, how do the GDPR and Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (the Brussels Recast)¹⁰ interact? What is the scope of the Brussels Recast for online data protection cases? What jurisdictional rules are currently applicable to online data protection litigation in the case law of the CJEU?

If the new GDPR introduces rules on jurisdiction, what is the practical application of these rules in relation to global damages claims? In other words, may the data subject claim worldwide damages in the court of his or her residence in the same way as he or she can within the jurisdiction of the defendant’s domicile?

7 The author would like to thank Dr. Raquel Xalabarder Plantada for her helpful discussions and comments on an earlier draft of this paper. Errors and omissions remain those of the author.

8 Art. 79(2) of GDPR.

9 Brkan, M. (2015). Data Protection and European Private International Law (p. 24). Retrieved March 10, 2017 from http://cadmus.eui.eu/bitstream/handle/1814/36335/RSCAS_2015_40.pdf?sequence=1.

10 Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (2012) OJ L 351/1.

Also, the provision of Art. 79 of the GDPR extends beyond the equivalent provision in the Directive¹¹, which provides a judicial remedy only against data controllers¹², not against data processors¹³.

The current doctrine of applicable law bases its analysis solely on Article 4 of the Directive¹⁴. However, the new GDPR in Art. 3¹⁵ maintains a broader scope of territorial application of EU data protection law and “… applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

According to the art.3 (2): “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

Thus, an EU-based data controller¹⁶ or processor falls within the broadly interpreted scope of the GDPR, an interpretation already introduced in the Google Spain case¹⁷. For instance, if a subsidiary of an online company is involved in the overall business structure of its parent company, the GDPR applies irrespective of whether the actual data processing takes place in the EU or not¹⁸.

On the other hand, where no EU presence exists, the GDPR will still apply whenever: (1) the personal data of an individual in the EU is processed in connection with goods or services offered to him or her; or (2) the behaviour of individuals within the EU is “monitored”.

11 Art. 22 of the Data Protection Directive.

12 Art. 4(7): “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

13 Art. 4(8): “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

14 According to Art. 94 and Recital (171), the Directive is repealed by the GDPR.

15 Art. 3 of GDPR.

16 Art. 4(7), (8) of the GDPR.

17 EU: C-131/12 Google Spain SL, Google Inc. v Agencia de Protección de Datos (AEPD), Mario Costeja González (2014).

18 Recital (22) of GDPR.


However, in relation to the issues of applicable law after the GDPR, some significant questions also appear. For instance, what is the role of the “main establishment” and of other subsidiaries in the sense of data processing?¹⁹ Will the new GDPR influence the business structure of online businesses? What is the practical application of the concepts of “monitoring” or “offering”? To what extent will online companies continue to use monitoring and behavioural advertising after the GDPR?

Last but not least, the GDPR is supposed to unify the legal regime on the processing of data in the different Member States²⁰. At the same time, on numerous occasions the GDPR does allow Member States to legislate on data protection matters.²¹ Numerous articles also state that their provisions may be further specified or restricted by Member State law.²²

In these circumstances, will the attempt at harmonisation make the issue of applicable law less pressing?²³ Or is the problem of conflict between EU data protection law and national laws still at stake?

2. ALLOCATING JURISDICTION IN DATA PROTECTION CLAIMS AFTER GDPR

From a risk management perspective, legal certainty is necessary regarding where an online company can be sued and according to which rules. In other words, the business structure of online companies should be designed to avoid the risk of unexpected litigation in a foreign jurisdiction. On the other hand, compared to big online companies, which are “repeat players”²⁴ in court proceedings, the data subject is considered to be a “weaker party”²⁵. Thus, there is always an imbalance at stake.

National case law often finds it difficult to define the nature of data protection,²⁶ which is considered to be at the crossroads between private and public law.²⁷ As a result, the scope of the Brussels Recast for data protection litigation is still contradictory²⁸. Thus, the interaction between the new GDPR and the Brussels Recast is also unclear.

19 Recital (116) of GDPR.

20 Article 99(2) of the GDPR: “It shall apply from 25 May 2018. This Regulation shall be binding in its entirety and directly applicable in all Member States.”

21 Art. 23, 85, 88 of GDPR.

22 Art. 86 of GDPR.

23 Brkan, M., p. 20.

24 Hornle, J. (2009). Cross-border Internet dispute resolution, p. 265.

25 Recital (7) of GDPR.

26 Brkan, p. 16.

27 Brkan, p. 17.

Obviously, both instruments should be synchronised,²⁹ but how and when is left open. For instance, one way is to expand the scope of the Brussels Recast to situations where the data controller/processor is outside EU territory, in the same way as is provided for the protection of consumers or employees³⁰. In other words, the data subject might use the rules of consumer’s or employee’s jurisdiction.

Another possibility for synchronisation is to incorporate into the Brussels Recast special rules of jurisdiction for data protection cases³¹, for example the adopted provision of Art. 79(2) of the GDPR. Also, there is no room for contractual jurisdiction in the GDPR, since data protection standards cannot be freely negotiated between the parties³².

2.1. The current scope of application of the Brussels Recast for online data protection cases and its interaction with Art. 79 of the GDPR

Traditionally, the Brussels Recast applies to civil and commercial matters.³³ No specific provision has been introduced for data protection claims³⁴. Thus, currently, there are two fora for the data subject under the Brussels Recast: to lodge a claim in the courts of the country of the defendant’s domicile³⁵ or in the courts of “the place where the harmful event occurred or may occur.”³⁶

Basically, for data protection claims both administrative procedures and the civil litigation path are possible³⁷. Thus, what type of matter is data protection?

28 Belgium: Case 2015/57/C, Privacy Commission v Facebook Inc. and Others.

29 Art. 99 of GDPR.

30 According to Sections 4 and 5, the Brussels Recast extends its application to consumer contracts and employment contracts, covering overseas service companies and employers.

31 A similar solution was also introduced by M. Brkan; however, the author argues that the data subject’s domicile should be coupled with the criterion of “directing to”, see Brkan, p. 29.

32 Brkan, p. 12.

33 The boundary between civil and commercial matters and administrative matters was considered in Goldman Sachs International v Novo Banco [2015] EWHC 2371 (High Court of England and Wales).

34 Brkan, p. 16.

35 Art. 4 of the Brussels Recast and the CJEU Case C-68/93 Shevill and Others v Presse Alliance.

36 Art. 7(2) of the Brussels Recast and the CJEU Case C-509/09, eDate Advertising and Others, [2011] ECR I-10269.

37 See more at Brkan, p. 30.


It can be argued that data protection falls within the category of personality rights.³⁸ This leads to a result according to which the “place where the harmful event occurred or may occur” can mean one of three possibilities of jurisdiction: the courts of the establishment of the controller/processor; the courts of the habitual residence or of the centre of interests of the data subject; or, according to the “mosaic theory”, for damage caused in the territory of a particular Member State, the courts of each Member State in whose territory the content placed online is or has been accessible.³⁹

Regardless of the nature of the law that is enforced,⁴⁰ the court focuses only on the relationship between the parties. On that basis, the Brussels Recast has been held applicable despite the fact that one of the parties was a public authority, because it acted as a private party.⁴¹ However, the presence of a cross-border element is important. For instance, in the Google Spain case the Brussels Recast was not applicable because there was no cross-border element (the data subject and the European subsidiary of the controller were situated in the same Member State).

The lack of a consistent interpretation of the applicability of the Brussels Recast may lead to conceptual misunderstandings in choosing the jurisdictional rules in data protection litigation, as in the Facebook datr-cookie case⁴², in which the Belgian Data Protection Authority (Belgian DPA) brought a claim before the Brussels Court of First Instance against Facebook Inc. and Facebook Belgium, accusing Facebook of tracking the surfing behaviour of non-users by installing a datr cookie.⁴³ The Court of First Instance accepted jurisdiction over Facebook Inc., but the Brussels Court of Appeal denied international jurisdiction in relation to Facebook Inc. on the grounds that it was not engaged in the data processing and has its establishment in the USA.
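The tracking the Belgian DPA complained about, a cookie scoped to the social network’s own domain but set while the visitor is on an unrelated site, is the classic third-party persistent cookie pattern. The following Python audit is an added example, not part of the paper or of the court record, and it does not reproduce Facebook’s actual datr mechanism: it walks a constructed trace of one page load (the hostnames news.example, social.example and tracker.example, and all cookie values, are invented) and flags cookies that are both scoped to a different site than the page visited and persistent beyond the session, the combination that lets a third party recognise the same browser, including a non-user’s, across unrelated sites.

```python
"""Third-party cookie audit over a single page load (constructed trace).

Added example: the trace below is invented. One first-party page on
news.example embeds a social-plugin script and an ad pixel served from
unrelated sites. The audit flags cookies that are (a) scoped to a site other
than the one being visited and (b) persistent beyond the session.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample trace: (request URL, Set-Cookie header values returned).
FIRST_PARTY_URL = "https://news.example/article/123"
TRACE: List[Tuple[str, List[str]]] = [
    (FIRST_PARTY_URL, ["session=abc123; Path=/; Secure; HttpOnly"]),
    ("https://cdn.news.example/app.js", ["ab_test=B; Path=/"]),
    ("https://plugins.social.example/widget.js",
     ["trk=9f3a; Domain=.social.example; Path=/; "
      "Expires=Fri, 31 Dec 2027 23:59:59 GMT; Secure"]),
    ("https://ads.tracker.example/pixel.gif",
     ["uid=42; Domain=.tracker.example; Max-Age=63072000; Path=/"]),
]
# Fixed "now" so the lifetime arithmetic is reproducible.
NOW = datetime(2017, 4, 19, tzinfo=timezone.utc)


@dataclass
class CookieFinding:
    name: str
    domain: str                   # effective cookie domain (Domain attribute or request host)
    set_by: str                   # URL of the response that set it
    third_party: bool             # scoped to a different site than the visited page
    lifetime_days: Optional[int]  # None for a session cookie

    @property
    def tracking_candidate(self) -> bool:
        return self.third_party and self.lifetime_days is not None


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Simplification for this example: a real audit must consult the Public
    Suffix List, otherwise hosts under suffixes such as co.uk are mis-grouped.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def cookie_lifetime_seconds(morsel, now: datetime) -> Optional[int]:
    """Remaining lifetime in seconds; None means a session cookie.

    Max-Age takes precedence over Expires (RFC 6265, section 5.3, step 3).
    """
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit(trace, first_party_url: str, now: datetime) -> List[CookieFinding]:
    """Classify every cookie set during the page load."""
    first_party_site = registrable_domain(urlsplit(first_party_url).hostname)
    findings: List[CookieFinding] = []
    for url, set_cookie_headers in trace:
        request_host = urlsplit(url).hostname
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)  # one Set-Cookie header per load() call
            for name, morsel in jar.items():
                domain = (morsel["domain"] or request_host).lstrip(".").lower()
                seconds = cookie_lifetime_seconds(morsel, now)
                findings.append(CookieFinding(
                    name=name,
                    domain=domain,
                    set_by=url,
                    third_party=registrable_domain(domain) != first_party_site,
                    lifetime_days=None if seconds is None else seconds // 86400,
                ))
    return findings


def tracking_candidates(trace, first_party_url: str, now: datetime) -> List[str]:
    """Names of persistent third-party cookies, in the order they were set."""
    return [f.name for f in audit(trace, first_party_url, now) if f.tracking_candidate]


if __name__ == "__main__":
    for f in audit(TRACE, FIRST_PARTY_URL, NOW):
        tag = "TRACKING?" if f.tracking_candidate else "ok"
        life = "session" if f.lifetime_days is None else f"{f.lifetime_days} days"
        print(f"{tag:9} {f.name:8} domain={f.domain:16} {life:11} set by {f.set_by}")
```

Run stand-alone, it prints one line per cookie and marks the two persistent third-party ones. The eTLD+1 heuristic is a deliberate simplification, and a real audit would also record the SameSite attribute, since it governs whether a browser sends such a cookie on cross-site subresource requests at all.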

This case also revealed that, under current personal data protection law,⁴⁴ when the DPA fulfils the function of protecting the data subject’s rights (not as a private party in the meaning of the Brussels Recast) and claims from a single data subject are a rare occurrence⁴⁵, the application of international jurisdiction (as well as the application of the Brussels Recast) to personal data claims is problematic.

38 Brkan, p. 23.

39 Brkan, p. 24.

40 EU: C-265/02, Frahuil [2004] ECR I-1543.

41 For example, an action by a public authority to claim damages against a private person for loss caused by a tortious conspiracy to commit tax fraud, EU: Case C-49/12, Sunico and Others (2013), ECR I-0000.

42 Belgium: The Brussels Court, Privacy Commission v Facebook Inc. and Others.

43 From Social Media Service to Advertising Network. A Critical Analysis of Facebook’s Revised Policies and Terms (2015), Brussels, Katholieke Universiteit Leuven and Vrije Universiteit Brussel. Retrieved September 9, 2016 from https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf.

44 The Brussels Court, Privacy Commission v Facebook Inc. and Others.

However, the GDPR allows for the possibility of representatives (non-profit organisations)⁴⁶ seeking judicial remedies and compensation from organisations on behalf of multiple data subjects (in particular, collective claims similar to class action litigation⁴⁷). Therefore, the above-mentioned provision also brings clarity to the application of the Brussels Recast, in particular by extending the list of parties to data protection claims that are considered to be private by nature.

One may consider that the GDPR and the Brussels Recast operate in so-called parallel universes. For instance, the GDPR tends to cover data processors which do not have an establishment within EU territory,⁴⁸ while in the same situation the jurisdictional rules of the Brussels Recast would not apply.⁴⁹

In this frame, it may be argued that the new GDPR contains jurisdictional rules for online data protection claims and interacts with the Brussels Recast as lex specialis with lex generalis. In its recitals, the GDPR defines the way it coexists with the Brussels Recast: “Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of the Brussels Recast should not prejudice the application of such specific rules”⁵⁰.

Article 4(1) of the Brussels Recast lays down the general rule that persons domiciled in a Member State shall be sued in the courts of that State.⁵¹ Domicile can be defined as the place where a person lives or the place of a company’s registration⁵². In the online context, the nationality of a webpage or of a domain name has also been argued to count as domicile.⁵³

45 Due to lack of awareness of the data infringement, high litigation costs and the absence of collective claims in current EU law; see more on these issues in Powels, J. (2015). The Changing Landscape for Search Engines After Google Spain: EU Internet Regulation after Google Spain Conference, 27 March 2015.

46 Recital (142); Art. 80 GDPR.

47 Collective claims, for example, are not available in the Brussels Recast at the moment.

48 Art. 4(1)(b), (c) of the Data Protection Directive.

49 Art. 4(1) of the Brussels Recast, unless consumer’s or employee’s jurisdiction is argued.

50 Recital (147) of GDPR.

51 Article 4(1) of the Brussels Recast (formerly Article 2(1) of Regulation (EC) No 44/2001).

52 European Max-Planck Group for Conflict of Laws in Intellectual Property (CLIP), Principles Governing Jurisdiction, Choice of Laws in Intellectual Property (2007), 284, and Second Preliminary Draft (6 June 2009). IPRax, p. 284.

The Article 79 (2) of the GDPR provides an alternative regarding jurisdiction for data protection, suggesting two fora: the controller’s or processor’s domicile and the data subject’s habitual residence, considering data subject to be the weaker party.

Here Important point is that such personal jurisdiction on the ground of habitual residence may be established “alternatively,” without any linking factor to the territory of the court (such as “direct to” test or targeting that are applicable in trademark or database’s protection cases54), which makes it easier to apply. In addition, it can be sta-ted that the data protection may be categorized by analogy with the jurisdiction set for consumers and employees55.

Thus, the GDPR itself plainly states that the provision of Art. 79 is a jurisdictional rule. For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member State where the controller or processor has an establishment or where the data subject resides.56 Moreover, given the precise wording of this article, both situations must be treated equally.

However, will the scope of damages be the same for both fora? May a data subject who files the complaint in the country of his habitual residence in accordance with Art. 79(2) of the GDPR claim overall damages, as would be possible in the country of the controller’s establishment?

2.2. The situation for claiming worldwide damages in online data protection cases after GDPR

2.2.1. Jurisdictional criteria for online infringements under the Brussels Recast and in the case law of the Court of Justice of the European Union (the CJEU)

Under current doctrine, Art. 7(2) of the Brussels Recast, “the place where the harmful event occurred or may occur”,57 is based on the existence of a particularly close connecting factor between the dispute and the courts of the place where the harmful event occurred.58 In some regard Article 7(2) of the Brussels Recast is not effective due to the localization problem59 or, more precisely, due to the difficulty of claiming overall damages.60

53 Kalâtin V. (2000) Intellektual′naâ sobstvennost′ (isklûčitel′nye prava) [Intellectual Property (exclusive rights)], p. 450, 255.

54 For instance, EU: ECJ 7 December 2010, Case C-144/09 Pammer v Reederei Karl Schlüter GmbH & Co KG and Hotel Alpenhof GesmbH v Oliver Heller. See also Brkan, p. 22.

55 Sections 4 and 5 of the Brussels Recast.

56 Recital (145) of GDPR.

57 EU: Case C-509/09, eDate Advertising and Others, [2011] ECR I-10269.

According to A. Metzger,61 the place in which the alleged infringer has acted “substantially” could be helpful as a possible additional criterion to select among the many places of infringement in online cases. Also, the CLIP62 introduces “the place of activity” as a possible forum delicti.63

At the moment the jurisdictional criteria in the EU64 are: “targeted at” for trademark infringement,65 “intended target of information” as a criterion for database protection cases,66 and mere accessibility for copyright litigation.67 However, the list of jurisdictional criteria is left open and still not properly explained by the CJEU.

In trade mark cases it was ruled that, for the allocation of jurisdiction, evidence is needed of an intention to target persons in a particular country. The existence of a particularly close connecting factor between the dispute and the court of the place where the harmful event occurred68 was at issue for online trademark infringements by the use of “adwords”.69

Also, jurisdiction may be established in a Member State where the alleged unlawful act did not take place but which infringes the national law of the State of the court seized and caused or may cause damage within its jurisdiction.70

58 EU: ECJ Case C-68/93 Shevill and Others v Presse Alliance [1995] ECR I-415.

59 Slovakova Z. (2008) International Private Law Issues regarding Trademark Protection and the Internet within the EU, Journal of International Commercial Law and Technology, Vol. 3, Issue 1, p. 15.

60 Boschiero N. (2007) Infringements of IPR, IPL Journal, V 9, p. 22.

61 Metzger, Jurisdiction, IP and PIL (2009), p. 255.

62 Svantesson, PIL, the Internet, p. 335.

63 CLIP (2007), 284 and Second Preliminary Draft (6 June 2009), (Article 2:202).

64 Calster G.V. (2015), Regulating the internet. Prescriptive and Jurisdictional Boundaries to the EU’s “right to be forgotten”, p. 21. Retrieved September 9th, 2016 from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2686111

65 EU: Case C-324/09 (L’Oréal/eBay).

66 EU: Case C-173/11, Football Dataco.

67 EU: Case C-170/12 Pinckney.

68 EU: ECJ April 2012, Wintersteiger, E.C.R. 415.

69 EU: ECJ 23 March 2010 Louis Vuitton [2010] ECR I-2417.

70 EU: Case C-360/12 Coty Germany GmbH v First Note Perfumes NV; EU: Case C-523/10, Wintersteiger AG v Products 4U Sondermaschinenbau GmbH; Case C-170/12 Pinckney; Case C-387/12 Hi Hotel.

On the other hand, for online copyright infringements “mere accessibility” is considered a sufficient criterion to find jurisdiction.71 In the Pinckney case, the CJEU concluded that there is no need for the infringing activities to have been directed to the forum,72 following, however, its ruling in Shevill73 in relation to damages caused only on its territory.

Thus, when jurisdiction was based on the “mere accessibility” criterion alone, the court may only rule on the damage caused in that Member State.74 The essential problem of worldwide online damages is left uncertain in the current case law of the CJEU. Cost-efficiency, legal certainty and easy access to justice, as the basic principles of an effective jurisdiction, are still on their way to implementation.75

2.2.2. The Shevill test and jurisdictional rules in litigation concerning the protection of personal rights

In relation to damages claims in the defamation case of Shevill and Others,76 the court ruled that an action for all damages may be brought either in the place where the publisher is established or before the courts of each Contracting State where harm is suffered. However, whereas the court of the publisher’s establishment had jurisdiction for overall damages, the jurisdiction of the courts of other States was limited to the damages that occurred in their territory. This has proven to be insufficient when dealing with online infringement.77 Until now, opinions have differed about the possible impact of the Shevill78 rule in online infringement cases. For instance, consolidation of damage claims at the place where the causal act was committed was denied in a patent case79 and in copyright cases.

71 Calster, p. 25.

72 EU: Case C-5/11, Donner and Others, 2012.

73 EU: Shevill case [1995] ECR I-415.

74 EU: Case C-441/13, Pez Hejduk v EnergieAgentur.NRW GmbH.

75 See more on the principles of “a good jurisdictional model” at: Svantesson D.J.B. (2012) Private International Law and the Internet (p. 93) Alphen aan den Rijn: Wolters Kluwer Law & Business.

76 EU: Shevill case [1995] ECR I-415.

77 See more at Xalabarder, p. 174, and CJEU, the joint case C-509/09, eDate Advertising and Others, [2011] ECR I-10269.

78 EU: Shevill case [1995] ECR I-415.

79 Germany: Landgericht Düsseldorf 25 August 1998, 4 O 165/97, Schussfadengreifer, [1999] GRUR Int 455.

Then, for personal rights the approach of the eDate/Martinez joined defamation cases was taken.80 “The place of the harmful event” was considered as “a centre of interests”, which leads to granting damages for global online infringements in all territories where the harm is caused.81 Beyond the habitual residence, a person may also have the centre of his interests in another Member State with which he has a particularly close link.82 Those considerations may, as was noted by the Advocate General in his Opinion, be applied to other media and means of communication and may cover a wide range of infringements of personality rights recognized in various legal systems.83 There are also scholars who argue in favour of applying this interpretation by analogy to other rights.84 For instance, R. Xalabarder states that no discrimination should take place in relation to other personal rights, and in particular those moral rights that derive from copyright. Still, case law in copyright protection stays far away from the eDate/Martinez findings.85

As personal data protection also falls within the category of personality rights,86 the “place where the harmful event occurred or may occur” can mean the jurisdiction of the courts of the habitual residence or of the centre of interests of the data subject.

In this regard, no one will deny that the court of the country of the controller’s establishment can rule upon overall damages.87 Thus, it can be stated that both fora, the defendant’s domicile and the data subject’s habitual residence, will be treated equally,88 and with the new GDPR the courts of the habitual residence of the data subject will gain a jurisdictional power equal to that of the court of the controller’s/processor’s establishment.

Therefore, the Shevill test will not apply to online personal data protection litigation, and the data subject will gain the opportunity to receive compensation for damages suffered beyond the territory of the controller’s/processor’s establishment.

80 Xalabarder, pp. 175-176.

81 EU: Case C-509/09, eDate Advertising and Others, [2011] ECR I-10269, para 48.

82 eDate Advertising and Others, para 49.

83 eDate Advertising and Others, para 43.

84 Xalabarder, p. 175; Brkan, p. 22.

85 Xalabarder, p. 177.

86 Brkan, p. 23.

87 EU: Shevill [1995] ECR I-415.

88 Art. 79(2) of GDPR.

2.2.3. Allocation of liability for damages compensation between controllers and processors in the GDPR

According to Art. 82(1) of the GDPR: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” Paragraph 4 of this article states that: “Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.”89

Whilst the Data Protection Directive refers only to the right to compensation for “damage”,90 the GDPR makes clear that compensation may be recovered for both pecuniary and non-pecuniary losses. This clarification is, however, consistent with the current interpretation of the meaning of damage for the purpose of compensation claims.91

Therefore, some joint controllers may find themselves facing much higher liability for claims made under the GDPR.92

3. EXTENDED TERRITORIAL SCOPE OF GDPR AND APPLICABLE LAW

According to Art. 2 of the GDPR, the material scope essentially repeats the position set out in the Directive.93 However, the GDPR enlarges the territorial scope of EU data protection law.94 Where an online company has no EU presence, the GDPR will still apply.

3.1. The role of the main establishment of the data controller for the GDPR’s applicability

The CJEU interpreted current Article 4(1)(a) of the Directive95 in the Google Spain case96 and came to the conclusion that this Article refers not merely to an establishment of the data controller or processor, but applies when the latter processes the data “in the context of the activities of an establishment”.97 Also, the concept of an “establishment” was considered by the CJEU in the case of Weltimmo v NAIH, where it was stated that the presence of a single representative may be sufficient to satisfy the requirement of an establishment on EU territory.98

89 Recital (46-147); Art. 82(1)-(2), (4) of GDPR.

90 Art. 22 of the Data Protection Directive.

91 EU: Google Inc. v Vidal-Hall & Others [2015] EWCA Civ 311.

92 Although national law may apportion liability between them.

93 Art. 2.2 of GDPR.

94 Art. 3 of GDPR.

95 Art. 4 of the Data Protection Directive.

96 EU: Case C-131/12, Google Spain and Google.

Therefore, the wording of Art. 3 of the GDPR99 is already pre-empted by relevant case law insofar as the current notion of “establishment” has been interpreted broadly in order to secure the applicability of EU data protection law. With the new GDPR, by whom100 and where the actual data processing takes place is not determinative.

According to Art. 4(16) of the GDPR,101 the “main establishment” is considered to be the place of the controller’s central administration, or the place where the main processing takes place. However, the difference between the notion of “establishment” in the Directive and “main establishment” in the GDPR is not clear.

After the recent CJEU case of Amazon EU,102 the establishment that actually “targets” EU consumers is relevant for the applicability of EU data protection law when choosing between all possible establishments within the EU. The court came to the conclusion that the law of Germany will apply, where Amazon has an establishment whose website targets Austrian consumers.103 Thus, instead of choosing the law of the country of the main establishment, the court applied the “targeting” criterion in choosing the applicable law even for EU-established companies. Earlier, the Administrative Court for the German State of Schleswig-Holstein104 decided that German data protection law is not applicable to U.S.-based Facebook Inc. or its European subsidiary, Facebook Ireland Ltd., based on Facebook’s establishment in Ireland and regulation under Irish data protection law.

In this frame, the national cases mentioned above, where different establishments of online companies were involved, might have had the opposite outcome under the GDPR. Therefore, the role of the main establishment should not be overestimated.

97 Brkan, p. 8.

98 EU: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-230/14.

99 Art. 3 of GDPR.

100 The liability of processors was under question, as far as they were not always considered to be involved in the process of personal data processing.

101 Art. 4(16)(a), (b) of GDPR.

102 EU: Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl (2016).

103 EU: Weltimmo case, C-230/14, paragraph 29.

104 Germany: Case 8 B 60/12, Facebook v Independent Data Protection Authority of Schleswig-Holstein.

3.2. Non-EU “established” companies that “target” or “monitor” EU data subjects105

This provision brings under the GDPR Internet businesses that do not have an establishment within the EU but have, or would like to have, EU consumers and users.

The key factor here is the intention of the business activity or, to put it simply, the target. Basically, “targeting” as a connecting criterion for establishing EU data protection law was introduced earlier.106 However, the case law of the CJEU reveals different “degrees” of intention to target, depending on the subject of the case and other factual circumstances.107 The following are some examples of the overlapping use of the targeting test.

In fact, the Pammer/Alpenhof criteria108 serve as a starting point when deciding whether a business has directed its activities to the consumer’s state.109 The CJEU decided that the national courts have to decide whether a website is “directed” to the Member State of the consumer’s domicile, following a non-exhaustive list of factors, namely the international nature of the activity, the use of a language, a currency, or a top-level domain name other than that generally used in the Member State, while excluding the mere accessibility of the website.

The “direct to” test as an interpretation of the targeting principle was also followed by the CJEU in the L’Oréal/eBay case.110 Moreover, the amended Brussels Recast has extended its application to consumer contracts, provided the business’s activities are “directed at” the EU, in line with the Pammer/Alpenhof criteria.111 The CJEU in the Weltimmo case also used the criterion of “intention to target” in relation to the language used.

In Google Spain, AG Jääskinen employed the notions “targeted at” and “oriented at” in the sense of a business model criterion.112 It was argued113 that the “business model” or “economic” criterion of the AG’s opinion is already applicable in recent privacy protection and patent case law.114 Therefore, the key point here will be “the intention” in a complex factual situation, excluding the mere accessibility of a website.

105 Art. 3 of GDPR.

106 EU: Case C-131/12, Google Spain and Google.

107 Schultz T. (2015) Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface, The European Journal of International Law Vol. 19 no. 4, p. 82.

108 EU: ECJ 7 December 2010, Case C-144/09 Pammer v Reederei Karl Schlüter GmbH & Co KG and Hotel Alpenhof GesmbH v Oliver Heller.

109 Svantesson D.J.B. (2012) Private International Law and the Internet (p. 93) Alphen aan den Rijn: Wolters Kluwer Law & Business.

110 EU: Case C-324/09 L’Oréal, [2011] ECR I-6011.

111 Brkan, p. 33.

112 The opinion of the Advocate General in the CJEU case C-131/12 Google Spain, n. 3.

113 Calster, p. 23.

3.3. The practical application of “monitoring” after the GDPR115

The practical application of this ruling may be illustrated by the position of the DPA that considers, for example, the placing of “cookies”116 as “equipment use” in the sense of Art. 3(c) of the Directive. For example, the datr-cookie mentioned above117 was the subject of recent litigation.118

In this case, the Brussels Court of First Instance declared its jurisdiction and the applicability of Belgian law to the conflict. However, recently119 the Brussels Court of Appeal overruled that decision and dismissed the Privacy Commission’s claim, stating, basically, that the Commission was late120 in lodging the claim, as the datr-cookie had already been used by Facebook for a couple of years.

Earlier, the so-called “Safari cookie” experienced another setback in the English Court of Appeal in a claim against Google.121 The Court stated that browser-generated information (“BGI”), such as cookies, constitutes “personal data” in the sense of European data protection laws. Another method of gathering user data that was considered was the government’s registration and storage of internet protocol addresses (“IP addresses”).122

114 The case of the CJEU in Judith Vidal-Hall, Robert Hann and Marc Bradshaw v Google Inc., 2014, as argued by Calster, p. 25.

115 Art. 3 of GDPR.

116 A cookie is a text file which contains personal, sensitive data about the surfing behaviour of the user. Some of them are purely technical and vital for the effective functionality of the website.

117 From Social Media Service to Advertising Network. A Critical Analysis of Facebook’s Revised Policies and Terms (2015), Brussels, Katholieke Universiteit Leuven and the Vrije Universiteit Brussel. Retrieved September 9th, 2016 from: https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf.

118 Belgium: Case 2015/57/C Privacy Commission vis-à-vis Facebook Inc. and Others.

119 The full text of the decision of the court of appeal was not available at the time of the present publication.

120 The case analysis was retrieved November 9th, 2016 from: http://www.astrealaw.be/nl/news/updates/belgian-privacy-watchdog-vs-facebook-1-0.

121 EU: Case Google v Vidal-Hall (2015) EWCA Civ 311.

122 EU: Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland, 2016.

According to the GDPR, “tracking” and “profiling” are used to predict the personal preferences, behaviours and attitudes of data subjects.123 In this regard, the notion of “profiling” has a rather broad meaning.124

Therefore, it may be stated that after the GDPR is implemented, the element of intentional or active tracking in relation to “large-scale processing operations” is required for it to be applicable to non-EU companies.125

4. UNIVERSAL APPLICATION OF GDPR IN TERMS OF DAMAGES’ CLAIMS

According to Article 99, the new GDPR shall be binding in its entirety and directly applicable in all Member States.126 Therefore, harmonized EU data protection law will become an efficient basis for supporting overall damages claims, as the law that the court will apply will be unified and the problem of the applicability of the data protection rules of particular Member States should no longer be as crucial as it is at the moment.

Basically, the multiple bundle of national laws within the EU is considered to be one of the reasons for the sceptical treatment of damages claims by national courts. Differences in the level of protection of the right to the protection of personal data may constitute an obstacle to the pursuit of economic activities at the level of the Union.127 Thus, the primary intention of the legislator was a high level of unification of the GDPR and its universal application in all Member States.128

However, the devil is always in the details. The GDPR leaves scope for divergences between Member States in a number of areas. These include occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task or is carried out by a body with official authority. Processing of employee data is another significant area where Member States may take divergent approaches.129

123 Recital (24) of GDPR.

124 Art. 4(4) of GDPR.

125 Recital (91) of GDPR.

126 Art. 99 of GDPR.

127 Explanatory Memorandum to the Proposal of the General Data Protection Regulation, COM (2012), Art. 3.1.

128 Chapter 5 of GDPR, Recital (13) of GDPR.

129 Art. 87, 88 of GDPR.

Also, the GDPR leaves it to each Member State to determine the right balance between data protection and freedom of expression in the national context.130

At the same time, such provisions are limited in scope and are unlikely to materially affect organisations that do not regularly process personal data in the specific fields.131 Also, in its recitals132 the GDPR emphasizes that: “… Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation” in terms of “... the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data.”

In this frame, still “… the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States”.133

Therefore, it may be concluded that the scope for divergences between Member States in a number of areas is, to an extent, the inevitable consequence of the existing limits on the EU’s power to legislate over the internal affairs of Member States. However, the level of data protection should remain equivalent. Moreover, Member States providing more specific rules to ensure the protection of rights and freedoms in respect of the processing of personal data have an obligation to notify to the Commission those provisions of their law which they adopt pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

As a result, the case law of the CJEU on these matters will still play a significant role in determining the balance between national law of Member States and the new GDPR.

5. CONCLUDING REMARKS

To sum up, the level of interaction between the new GDPR and the current Brussels Recast is left open. Beyond the improvement of data subject rights, under the new provision of Art. 79(2) of the GDPR a company may be subject to legal proceedings in unfamiliar jurisdictions, outside the Member State(s) in which it is established. Yet, the new GDPR will increase companies’ costs for outsourcing services, data protection experts134 and representatives,135 and, as usual, the final price will be passed on to the users.

130 Art. 85 of GDPR.

131 Art. 86 of GDPR.

132 Recital (8) of GDPR.

133 Recital (10) of GDPR.

134 Art. 97 of GDPR.

135 Art. 4(17), Art. 27 of GDPR.

Unfortunately, the GDPR’s attempt at harmonization136 was only partly successful; thus, the above-mentioned questions of jurisdiction and applicable law still remain relevant.

Also, the extended “travelling” EU data protection legislation indirectly raises global standards of data protection, forcing overseas companies to comply with it.137 This approach has been highly criticized,138 but it reveals the tendency towards harmonization and globalization in data protection rules for transnational online players.

6. BIBLIOGRAPHY

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (2016) OJ L 119/1.

Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (2012) OJ L 351/1.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995) OJ L 281/31.

EU: Case C-131/12 Google Spain SL, Google Inc. v Agencia de Protección de Datos (AEPD), Mario Costeja González (2014).

EU: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-230/14. Retrieved from: http://curia.europa.eu/juris/documents.jsf?num=C-230/14

EU: Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl (2016).

EU: ECJ 7 December 2010, Case C-144/09 Pammer v Reederei Karl Schlüter GmbH & Co KG and Hotel Alpenhof GesmbH v Oliver Heller.

EU: Case C-509/09, eDate Advertising and Others, [2011] ECR I-10269.

EU: ECJ Case C-68/93 Shevill and Others v Presse Alliance [1995] ECR I-415.

EU: Case C-324/09 (L’Oréal/eBay).

136 Art. 99 of GDPR.

137 Art. 105-110 of GDPR; Bradford A. (2012) The Brussels Effect: The Rise of a Regulatory Superstate in Europe, the University of Chicago Law School. Retrieved 10th of December 2016 from: http://www.law.uchicago.edu/video/bradford011812

138 Schultz, p. 754.

Germany: Case 8 B 60/12, Facebook Ireland Ltd. v Independent Data Protection Authority of Schleswig-Holstein.

Belgium: 2015/57/C, Privacy Commission’s claim vis-à-vis Facebook Inc., Facebook Ireland and Facebook Belgium.

European Max-Planck Group for Conflict of Laws in Intellectual Property (CLIP), Principles Governing Jurisdiction, Choice of Laws in Intellectual Property (2007), 284 and Second Preliminary Draft (6 June 2009). IPRax, p. 284.

Brkan M. (2015) Data Protection and European Private International Law. Retrieved March 10th 2017 from http://cadmus.eui.eu/bitstream/handle/1814/36335/RSCAS_2015_40.pdf?sequence=1

Bird&Bird (2016) Guide to the GDPR. Retrieved March 1st 2017 from https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf.

Calster G.V. (2015) Regulating the internet. Prescriptive and Jurisdictional Boundaries to the EU’s “right to be forgotten”, p. 23. Retrieved September 9th, 2016 from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2686111.

Metzger A. (2009) Jurisdiction, Intellectual Property and Private International Law. Mohr, Tübingen, p. 250.

Schultz T. (2015) Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface, The European Journal of International Law Vol. 19 no. 4, 802.

Svantesson D.J.B. (2012) Private International Law and the Internet (p. 93) Alphen aan den Rijn: Wolters Kluwer Law & Business.

Xalabarder R. (2014) Jurisdiction and applicable law issues for the protection of moral rights on-line. Materials of the conference: Moral Rights in the 21st century. Brussels, pp. 175-177.

21

THE PROTECTION OF IP ADDRESSES IN PEER-TO-PEER (P2P) NETWORKS

Dr. Nafiye Yücedağ

ABSTRACT: The first question that will be examined in this paper is whether IP addresses should be considered personal data. Even if many jurisdictions accept IP addresses as personal data, some do not. Secondly, as a result of the technical process in peer-to-peer (P2P) networks, users’ IP addresses are visible to other users while downloading/uploading files. One could then be tempted to argue that internet users make this data (their IP addresses) publicly available when they access P2P networks. However, how consciously the peers reveal their IP addresses is a question that needs to be answered more categorically. Thirdly, this paper will evaluate whether copyright holders’ obvious legitimate interest in enforcing copyright claims against infringers can outweigh the privacy of the data subject. Overall, this paper will examine which criteria can be taken into account, in today’s digital age, when assessing the lawfulness of the processing of IP addresses in P2P networks. In this respect, the paper examines the 95/46/EC Directive, German Law and Swiss Law in a comparative perspective.

KEYWORDS: peer-to-peer networks, copyright infringement, IP addresses, personal data

1. INTRODUCTION

The digitalization of information has made personal data more easily accessible in cyberspace. Many internet users make their data publicly available on social media networks, and especially on peer-to-peer (P2P) networks, without even realizing it. In this field, the adaptation of the law to technological changes is neither satisfactory nor uniform. This paper aims at exploring the gap that exists between law and social reality as far as the processing of personal data in P2P networks is concerned. The focus will be on German Law, Swiss Law and European Union Law.

This gap between law and social reality is very visible in the case of P2P networks, where the IP addresses of individual users are revealed to the other users. The first question, in this regard, is whether IP addresses should be considered personal data. Even if many jurisdictions accept IP addresses as personal data, some do not. The second main question that will be addressed is how third parties can lawfully process IP addresses that have been revealed in these P2P networks. This issue arises because, in many cases, copyright holders collect the personal data of P2P network users (their IP addresses) through software, in order to protect their copyrighted works which are made available on the network. In other words, the second part of this paper will be devoted to examining the grounds of justification for the processing of personal data by copyright holders. The two main grounds of justification, namely that the personal data was made available to the public by its subject and the overriding interest of the copyright holder in conducting piracy surveillance, will be reviewed successively.

2. THE CHARACTERIZATION OF IP ADDRESSES AS PERSONAL DATA

At first glance, it might seem obvious that IP addresses should be considered personal data. This view, however, is not accepted in all jurisdictions. Swiss Law and German Law, in particular, have taken different positions in this matter (2.1). But the European Court of Justice (hereafter "ECJ"), in a recent ruling, has now offered a potentially decisive contribution to this debate (2.2).

2.1. The Differing Positions of Swiss Law and German Law

According to Article 2(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, personal data is defined as "any information relating to an identified or identifiable natural person". Similar definitions are also provided in Art. 3(a) of the Swiss Federal Act on Data Protection and § 3(1) of the German Federal Data Protection Act (hereafter "BDSG"). According to the Swiss provision, personal data refers to "all information relating to an identified or identifiable person". BDSG § 3(1), for its part, provides that "personal data means any information concerning the personal or material circumstances of an identified or identifiable individual". Even though these three definitions are broadly similar, the approaches to the classification of IP addresses as personal data differ considerably in Switzerland and Germany.

The issue of whether IP addresses are personal data has been examined in one particular case before the Swiss Federal Administrative Court. The case involved a dispute between the Swiss Federal Data Protection and Information Commissioner and the Logistep company. The Swiss Federal Data Protection and Information Commissioner had sent Logistep a recommendation to cease using software it had developed to search for illegal downloading of copyrighted works on various P2P networks. Logistep, after collecting the data including the IP addresses, would communicate it to the copyright holders. As, under Art. 43 of the Telecommunications Act of 30 April 1997, the identification of the person behind an IP address is prohibited by the secrecy of telecommunications except in the context of criminal proceedings, the copyright holder would then initiate criminal proceedings. In the course of these criminal proceedings, the internet service provider would be obliged, under Art. 14(3) of the Federal Act on the Surveillance of Postal and Telecommunications Traffic, to provide the competent authority with all the information that would enable identification of the persons involved. Once their identities were so established, the copyright holders could direct civil proceedings against these persons in order to claim damages. Logistep rejected the recommendation and the Federal Data Protection and Information Commissioner took the issue to the Federal Administrative Court.

The Swiss Federal Administrative Court first examined whether IP addresses could be regarded as personal data. Even though Switzerland is not part of the European Union, the Court stated that a comparative approach was necessary and therefore made reference to Directive 95/46/EC. The Court referred to the Article 29 Working Party opinion, which states that "Internet Access Providers and Managers of Local Area Networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically "log" in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the directive"[1]. As a result, the Court came to the conclusion that IP addresses should be considered personal data[2].

The Oberlandesgericht Hamburg, however, in a similar case also involving Logistep, came to a different conclusion. The Court stated that it was unclear whether the processing of IP addresses under German Law is unlawful, since the controller cannot determine the data subject without additional information. By coming to this conclusion, the Court sided with the majority doctrinal opinion in Germany, according to which data can only be considered personal if the identification of the data subject is possible on the sole basis of the information available to the controller[3]. It was thus as a result of not accepting IP addresses as personal data that the Court did not tackle the issue of whether the collection of IP addresses by Logistep was lawful[4].

1 Bundesverwaltungsgericht ("BVGer"), A-3144/2008, 27.5.2009, Nr. 2.2.3, and Article 29 Data Protection Working Party, "Privacy on the Internet - An integrated EU Approach to On-line Data Protection", adopted on 21 November 2000, p. 21.

2 BVGer, A-3144/2008, 27.5.2009, Nr. 2.2.4.

3 On this so-called relative criterion, see below. On this point, see also Bundesdatenschutzgesetz Kommentar, ed. Gola, Peter/Schomerus, Rudolf/Klug, Christoph/Körffer, Barbara (2015), 12., überarbeitete und ergänzte Auflage ("Gola/Schomerus/Author, BDSG"), Gola/Schomerus/Gola/Klug/Körffer, BDSG § 3 Nr. 1; Bundesdatenschutzgesetz Kommentar, ed. Simitis (2014), 8. Auflage ("Simitis/Author, BDSG"), Simitis/Dammann, BDSG § 3 Nr. 32. See also Bundesgerichtshof ("BGH"), Multimedia und Recht ("MMR"), 2015, 132.

4 Oberlandesgericht ("OLG") Hamburg, MMR, 2011, 281 (282). However, the OLG Hamburg did state that the determination of the data subject was lawfully possible only in accordance with § 161(1)(1) and § 163 of the Criminal Procedure Code (StPO) or with a court order according to § 101(9) of the Copyright Act (Urheberrechtsgesetz, "UrhG"). According to § 101(9) UrhG, internet service providers (ISPs) have to provide traffic data if a civil court order is handed down. However, this provision does not allow third parties to collect and store IP addresses, but rather provides for the identification, through a court order, of the holder of the terminal to which a specific IP address was assigned. There is therefore still a need to determine whether third-party data processing is lawful under German Law, and before such an assessment can be made, it should first be decided conclusively whether IP addresses are personal data. A closer examination can then be conducted with respect to the BDSG provisions.

But a recent decision of the ECJ, following a request for a preliminary ruling from the German Federal Court of Justice (Bundesgerichtshof), may lead to a reexamination of this position.

2.2. The input of the European Court of Justice

The Directive, the Swiss Federal Act on Data Protection and the German Federal Data Protection Act all define personal data by reference to information relating to an identifiable person, that is to say a person who can be identified directly or indirectly. In this sense, "indirectly" does not necessarily mean that the information alone should allow the data subject to be identified. And indeed Recital 26 of Directive 95/46/EC provides that in determining whether a person is identifiable, "all the means likely reasonably to be used either by the controller or by any other person to identify the said person should be taken into account". In a ruling dated 19 October 2016[5], the Court stated that, according to Recital 26, "it is not required that all the information enabling the identification of the data subject must be in the hands of one person" processing the data[6]. The additional data required to identify the user of a website may not be in the hands of the online media services provider, but in those of that user's internet service provider. Nonetheless, according to the ECJ this does not prevent the dynamic IP addresses registered by an online media services provider from constituting personal data[7]. But in order to identify the data subject, the task of combining the IP address with additional elements should remain reasonable, in the sense that the identification should not require disproportionate effort in terms of time, cost and manpower[8].

By reaching this conclusion that dynamic IP addresses are personal data, the ECJ has followed what is known as an objective criterion approach to determining the identity of the data subject. However, until the decision of the ECJ at least, the dominant view within German doctrine rested on a so-called relative criterion: according to this view, only the knowledge, resources and possibilities of the controller should be taken into account; conversely, the knowledge and skills of third parties should not be examined[9]. Dammann writes that "all the means likely reasonably to be used either by the controller or by any other person" should be understood as all means likely reasonably to be used to identify the data subject by the data controller or by a third person in the same circumstances, but not by any person whatsoever[10]. This approach, however, has not been adopted by the ECJ. Since the ambiguity surrounding whether IP addresses constitute personal data has now been lifted by the ECJ, the data protection rules of German Law should be taken into account in determining whether there are any justification grounds for companies such as Logistep to collect IP addresses in P2P networks[11]. It nonetheless remains to be seen whether the approach favoured by German courts and commentators will in fact change following the ECJ's ruling.

5 Breyer v. Federal Republic of Germany, ECJ ruling of 19 October 2016, Case C-582/14.

6 Breyer v. Federal Republic of Germany, ECJ ruling of 19 October 2016, Case C-582/14, Nr. 43.

7 Breyer v. Federal Republic of Germany, ECJ ruling of 19 October 2016, Case C-582/14, Nr. 44.

8 Breyer v. Federal Republic of Germany, ECJ ruling of 19 October 2016, Case C-582/14, Nr. 46.

In summary, dynamic IP addresses will be considered information relating to an identifiable person if identifying that person through a combination of the IP address with additional elements does not entail a disproportionate effort. In assessing whether the effort is disproportionate, the state of the art must also be considered. The identification of the data subject may not be technically possible, or may require high expenditure, today, but technological change could make it possible or considerably easier in the future[12]. Such a turn of events would, in all likelihood, lead to the information in question being newly characterized as personal data.
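The reasoning in Breyer can be made concrete with a small worked example. The following Python is added here as an illustration and is not code from the paper, the courts or Logistep: an observer (a website, or a P2P monitor) only ever records an IP address and a time; the internet service provider holds the assignment log; only the join of the two identifies a subscriber. The log format, the subscriber identifiers, the addresses and the times are all constructed for the example, and the clock-skew parameter is an assumption about how a careful controller would guard against misattribution near a lease boundary.

```python
"""Linking a dynamic IP observation to a subscriber: a constructed
illustration of the "additional data in the hands of the ISP" point.

Example code added for this edit; not from the paper, the courts or Logistep.
The log format, subscriber identifiers, addresses and times are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Optional

# Constructed ISP lease log: when a dynamic address was assigned to, and
# released by, a subscriber. 203.0.113.45 changes hands during the day.
ISP_ASSIGNMENT_LOG = """\
2016-10-19T08:00:00Z lease 203.0.113.45 start subscriber=SUB-1001
2016-10-19T11:30:00Z lease 203.0.113.45 end   subscriber=SUB-1001
2016-10-19T11:31:00Z lease 203.0.113.45 start subscriber=SUB-2042
2016-10-19T23:59:00Z lease 203.0.113.45 end   subscriber=SUB-2042
2016-10-19T09:15:00Z lease 203.0.113.46 start subscriber=SUB-3310
"""


def ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2016-10-19T10:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass(frozen=True)
class Lease:
    ip: str
    start: datetime
    end: Optional[datetime]  # None: still assigned when the log was taken
    subscriber: str


def parse_assignment_log(text: str) -> list[Lease]:
    """Fold start/end events into one Lease interval per assignment."""
    open_leases: dict[tuple[str, str], datetime] = {}
    leases: list[Lease] = []
    for line in text.splitlines():
        when, _kind, ip, event, sub_field = line.split()
        subscriber = sub_field.split("=", 1)[1]
        key = (ip, subscriber)
        if event == "start":
            open_leases[key] = ts(when)
        elif event == "end":
            leases.append(Lease(ip, open_leases.pop(key), ts(when), subscriber))
        else:
            raise ValueError(f"unknown lease event: {line!r}")
    for (ip, subscriber), start in open_leases.items():
        leases.append(Lease(ip, start, None, subscriber))
    return leases


LEASES = parse_assignment_log(ISP_ASSIGNMENT_LOG)


def candidates_without_timestamp(observed_ip: str, leases: list[Lease]) -> set[str]:
    """What the address alone tells you: every subscriber who ever held it."""
    return {lease.subscriber for lease in leases if lease.ip == observed_ip}


def identify(observed_ip: str, observed_at: str, leases: list[Lease],
             clock_skew_seconds: int = 0) -> Optional[str]:
    """Return the subscriber holding observed_ip at observed_at, or None.

    The observer has only (ip, time). The join with the ISP log is the
    "reasonable means" that makes the person identifiable. clock_skew_seconds
    models a practical failure mode (assumed here, not from the paper): if the
    observer's clock may be off by that much, an observation too close to a
    lease boundary is refused as ambiguous instead of being attributed to the
    wrong subscriber.
    """
    ip_address(observed_ip)  # raises ValueError on malformed input
    at = ts(observed_at)
    skew = timedelta(seconds=clock_skew_seconds)
    hits = [
        lease for lease in leases
        if lease.ip == observed_ip
        and lease.start <= at - skew
        and (lease.end is None or at + skew < lease.end)
    ]
    return hits[0].subscriber if len(hits) == 1 else None


if __name__ == "__main__":
    print(candidates_without_timestamp("203.0.113.45", LEASES))
    print(identify("203.0.113.45", "2016-10-19T10:00:00Z", LEASES))
    print(identify("203.0.113.45", "2016-10-19T11:29:50Z", LEASES, clock_skew_seconds=30))
```

Two points the paper makes fall out of running this. Without a timestamp the address alone names two candidate subscribers, which is why the observer's record is useless to anyone who cannot reach the ISP's log; with the timestamp and the log, a single subscriber is returned with no effort worth calling disproportionate. The skew check shows why a controller should refuse, rather than guess, when the observation sits within the possible clock error of a lease change.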

Once IP addresses are accepted as personal data, their protection in the context of P2P networks can be better framed and understood. One of the main issues, in this respect, is the processing of IP addresses by copyright holders, to which the second part of this paper is dedicated.

9 See Gola/Schomerus/Gola/Klug/Körffer/Schomerus, BDSG, § 3 Nr. 10; Simitis/Dammann, BDSG § 3 Nr. 32; see also BGH, MMR, 2015, 132.

10 Simitis/Dammann, BDSG § 3 Nr. 25.

11 Which is precisely what the OLG Hamburg omitted in the 2011 case; see above.

12 See Auer-Reinsdorff, Astrid/Conrad, Isabell (2016), Handbuch IT- und Datenschutzrecht, 2. Auflage, Nr. 70.


3. THE LAWFUL PROCESSING OF IP ADDRESSES BY COPYRIGHT HOLDERS

Copyright holders trying to fight copyright infringement on P2P networks have to process IP addresses. Whether they do so lawfully depends in no small part on whether they can avail themselves of one or both of two interrelated justification grounds. The first consists in establishing that the data being processed has been made available to the public (3.1). This ground should be tackled first, because it plays a pivotal role: the fact that the data has been made available to the public can per se provide justification enough for the processing. In other cases, it will at least diminish the protection afforded to the personality rights of the subject. So even if this first point is resolved in the affirmative, in other words even if it is accepted that in P2P networks the IP addresses can be regarded as personal data made available to the public, the second ground must be considered. This is the overriding interest of the copyright holder in conducting piracy surveillance (3.2). Copyright holders obviously have a legitimate interest in enforcing copyright claims against infringers; however, the bar that must be cleared is higher: this interest should outweigh the right to privacy of the data subjects. For both justification grounds, a description in general terms will be made first, before further analysis is conducted in relation to the particular issue of the processing of IP addresses in P2P networks.

3.1. The Lawful Processing of Data Made Available to the Public

3.1.1. General Overview: A Two-Fold Test?

German Law, Swiss Law and the Directive apply different approaches and systematisations in relation to the "data made available to the public by its subject" justification ground. Under German Law, in line with the Directive, it only applies to sensitive data. Under Swiss Law, however, the justification is more general in scope and is not particular to sensitive data.

In the Directive, the justification ground specific to sensitive data made available to the public by its subject is found in Art. 8(2)(e). If the data made available to the public is non-sensitive, its processing is not addressed by any specific provision, so that the balancing test of Art. 7(f) is the sole justification ground[13].

13 See below.


In the German BDSG, § 28(6)(2) and § 13(2)(4)[14] permit the processing of sensitive data which the data subject has evidently made public. The Act, however, provides for another, related justification ground, which must also be taken into account and applies to non-sensitive data which is generally accessible. According to § 14(2)(5) of the BDSG, "the data that are generally accessible can be processed unless the data subject clearly has an overweighting legitimate interest in excluding the change of purpose of processing". The concepts of "data that are generally accessible" under BDSG § 14(2)(5) and "data which the data subject has evidently made public" under § 13(2)(4) or § 28(6)(2) appear broadly similar. "Evidently" suggests that the data subject has willingly made the data public[15]. Meeting the condition that the data in question is generally accessible on the internet would require it to have been provided by the will of the data subject or by third parties who have lawfully processed the data[16]. Under both rules, if the data is provided by the data subject in person, their intention will always have been at play. The two concepts, nonetheless, are not strictly equivalent and may naturally cover different situations. More specifically, the conditions which underlie the "data which the data subject has evidently made public" category are stricter than those which apply to the "data that is generally accessible" category and will be harder to meet[17].

According to Art. 12(3) of the Swiss Federal Act on Data Protection, lastly, "As a rule there is no breach of personality rights if the data subject has made the data generally accessible and has not expressly prohibited its processing". Under Swiss Law, then, processing data which has been made generally accessible by the data subject is, in principle, not considered to breach the personality rights of the data subject, in particular their privacy. In other words, the legislator has, by using "as a rule" ("in der Regel"), created a legal presumption which can be rebutted[18]. The first condition set by Art. 12(3) is that the data should have been made generally accessible, which means that an indeterminate number of persons have access to it without having to overcome any significant obstacle[19]. Naturally, the data subject should have made the data available to the public willingly and knowingly. Moreover, they should not have expressly prohibited its processing, a prohibition which would however only apply to its particular addressee. If these conditions are met, the presumption of Art. 12(3) comes into play and it is presumed that there is no breach of the data subject's personality rights.

14 § 13 BDSG regulates "the processing of personal data by public bodies when they do not participate in competition as public-law enterprises". On the other hand, § 28 BDSG regulates "the collection and storage of data for own commercial purposes by private bodies and public bodies of the Federation in so far as they participate in competition as public-law enterprises". The translations of the BDSG provisions have been obtained from https://www.gesetze-im-internet.de/englisch_bdsg/index.html

15 Simitis/Sokol, BDSG § 13 Nr. 38.

16 Gola/Schomerus/Gola/Klug/Körffer, BDSG § 28, Nr. 33a.

17 See Beck'scher Onlinekommentar Datenschutzrecht, ed. Wolff, Heinrich Amadeus/Brink, Stefan (2017), 19. Edition ("Wolff/Brink/Author"), Wolff/Brink/Wolff, BDSG § 28, Nr. 253.

18 Rosenthal/Jöhri, Art. 12, Nr. 50; but see Wullschleger, Marc (2015), Die Durchsetzung des Urheberrechts im Internet, SMI – Schriften zum Medien- und Immaterialgüterrecht, Band/Nr. 101, Stämpfli Verlag AG, Nr. 82. Wullschleger denies that there is a rebuttable legal presumption and only applies the balancing test.

The presumption, nonetheless, can be rebutted even when the data subject has made the data generally available to the public and has not prohibited its processing. In this context, an objective assessment can be conducted by taking into account the understanding of a reasonable data controller. What should be evaluated is whether the data controller has processed the data in the same way and with the same aim as the data subject in the concrete circumstances of the case[20]. If the processing of the data runs against the presumed will of the data subject, then the processing will not be considered lawful under Art. 12(3). For instance, if an employee of the human resources department of a company searched for a candidate on webpages which are not related to the candidate's past or future professional activities, such processing would be viewed as running against the presumed will of the data subject[21]. Leaving aside cases where the privacy of the data subject is at stake, there might be other configurations in which other personality rights, such as the dignity or honour of a person, could be breached. In such cases, even the circumstance that the data has been made available to the public by the data subject herself or himself could not possibly justify the breach of these rights. Consequently, there is no need to apply the presumed-will test[22].

It should be kept in mind that even if the presumption of Art. 12(3) is rebutted, the data controller may still rely on the justification grounds of Art. 13. According to this provision, a breach of personality rights is unlawful unless it is justified by an overriding private or public interest, or by law. Art. 13(2) lists various such overriding interests, and the list is not exhaustive. When balancing the interest of the data subject against the conflicting private or public interest put forward by the data controller, the circumstance that the data has voluntarily been made available to the public by the data subject can be taken into account. When a person makes data publicly available, he or she could indeed be expected to foresee that there is a probability that this data might be used in an unlawful manner. It might be said that if the data has never been made available to the public, the threshold for the characterization of a breach of personality rights would be higher. There is thus a reduction of the protection afforded to the personality rights of the data subject when they have made the data available to the public[23].

19 David Rosenthal/Yvonne Jöhri (2008), Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Schulthess Juristische Medien AG, Art. 12, Nr. 54; Wullschleger, Nr. 84.

20 See Rosenthal/Jöhri, Art. 12, Nr. 75.

21 Rosenthal/Jöhri, Art. 12, Nr. 77.

22 Rosenthal/Jöhri, Art. 12, Nr. 76.

3.1.2. Are IP Addresses Made Available to the Public in P2P Networks?

As explained just above, the circumstance that data has been made available to the public can per se constitute a justification ground for its processing, or at least diminish the protection afforded to the personality rights of the data subject. Consequently, deciding whether downloading or uploading a copyrighted work in a P2P network can be construed as making the user's IP address available to the public is an issue of paramount importance.

In the Logistep case, the Swiss Federal Administrative Court stated that there is currently no specific legal basis which allows or prohibits the systematic collection of personal data in P2P networks by private individuals. Therefore, the lawfulness of the data processing had to be assessed under the Swiss Federal Act on Data Protection. During the case, the defendant referred to P2P networks as well as the internet as a public domain, and relied on Art. 12(3) of the Swiss Federal Act on Data Protection. The Court, however, stated that even if the internet could be characterized to some extent as a public space, the use of the internet did not entail that the data was being made available to the public, since the IP addresses are not willingly made available, especially not for the purpose of processing by third parties. According to the Court, not every internet user can be aware that his or her IP address is recognizable by third parties, since the disclosure of IP addresses is only a technical process. Even if one could argue that the users of a P2P network are aware that their IP addresses are visible to other users, it would still be difficult to conclude that their processing would be in line with the presumed will of the data subject[24]. And since the Court did not find that the data had been made available to the public, it applied the balancing test, as will be explained below.

23 Rosenthal/Jöhri, Art. 12, Nr. 80.

24 According to another view, however, the presumed-will test cannot be supported by the wording of Art. 12(3) (Wullschleger, Nr. 82), and social communication would be significantly restricted if the purpose of the public disclosure had to be determined before processing data made available to the public (Wullschleger, Nr. 85 and Nr. 87). Wullschleger points out that the way in which data is communicated should be taken into account in assessing whether it is made available to the public. In cases of individual communication, such as sending an e-mail to a particular e-mail address, the data is only made available to the owner of that e-mail address. Conversely, in cases of mass communication, for instance in P2P networks, the data should be considered made available to the public (Wullschleger, Nr. 88). According to Wullschleger, a data subject who is downloading a copyrighted work must expect that the IP address assigned to them will be disclosed during the data exchange (Wullschleger, Nr. 89).

Under German Law, § 28(1)(1)(3) BDSG can be taken into account in order to assess whether the collection of IP addresses in P2P networks is legitimate. According to this provision, the collection, storage, modification or transfer of personal data, or their use as a means of fulfilling one's own business purposes, will be lawful "if the data are generally accessible or the controller of the filing system would be entitled to publish them, unless the data subject's legitimate interest in his data being excluded from processing or use clearly outweighs the justified interest of the controller of the filing system". The internet, in this sense, is a generally accessible source, where anyone can reach data, for instance thanks to search engines. The data, however, should have been published on the internet either willingly by the data subject or by third parties who have lawfully processed the data[25]. It seems difficult to consider that, in P2P networks, IP addresses are revealed by the will of the data subject, since this disclosure is a technical process[26], as the Swiss Federal Administrative Court also pointed out[27]. Since IP address visibility is part of the file-sharing process, there is in all likelihood neither intention on the part of the data subject to make the data available to the public, nor any knowledge that it is happening.

If such a disclosure is nonetheless accepted as making the data available to the public, then according to § 28(1)(1)(3) BDSG the processing of the data will be deemed lawful unless the "legitimate interest of the data subject in his data being excluded from processing or use clearly outweighs the justified interest of the controller". This is again a "balancing test" similar to the ones provided under Art. 7(f) of the Directive and § 28(1)(1)(2) BDSG. However, the threshold set by § 28(1)(1)(3) BDSG is higher than that of the other provisions, since, unlike under § 28(1)(1)(2) BDSG, the legitimate interest of the data subject must not merely override but clearly outweigh the interest of the controller. Therefore, under § 28(1)(1)(3) BDSG the interest of the data subject should be significantly higher than the controller's and easily recognizable[28]. Accepting that IP addresses are generally accessible will naturally result in reduced protection for personal data under German Law. If, however, IP addresses are not accepted as generally accessible data in P2P networks, then a true balancing test will apply according to § 28(1)(1)(2) BDSG.
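Both the Swiss Federal Administrative Court and the German discussion above rest on the same technical observation: a peer's IP address is handed out by the network itself, not published by any act of the user. The following Python, added here as an illustration and not taken from the paper, the courts or Logistep, makes that concrete for one P2P protocol. It assumes BitTorrent (the paper speaks of P2P networks generally) and decodes a tracker reply in both of its forms: the "compact" form of BEP 23, where every peer in the swarm is 4 bytes of IPv4 address plus 2 bytes of port, and the older list-of-dictionaries form. The sample replies, the addresses and the info-hash are constructed; the `monitor_records` function is an assumption about the minimal record a monitoring party could keep, not a description of Logistep's software.

```python
"""What a P2P monitor receives from a BitTorrent tracker without any peer
"publishing" anything: constructed tracker replies, decoded.

Example code added for this edit; not from the paper or from Logistep.
BitTorrent is assumed as one concrete P2P protocol. Sample data is made up.
"""
import struct
from ipaddress import IPv4Address


def bdecode(data: bytes):
    """Minimal bencode decoder: integers, byte strings, lists, dictionaries."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                        # i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                # l...e  /  d<key><value>...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                value, i = parse(i)
                items.append(value)
            if c == b"l":
                return items, i + 1
            return dict(zip(items[0::2], items[1::2])), i + 1
        if c.isdigit():                      # <length>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            return data[colon + 1:colon + 1 + length], colon + 1 + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def compact_peers(blob: bytes) -> list[tuple[str, int]]:
    """Split a BEP 23 compact peer string into (ip, port) pairs."""
    if len(blob) % 6:
        raise ValueError("compact peer list must be a multiple of 6 bytes")
    return [
        (str(IPv4Address(blob[i:i + 4])), struct.unpack("!H", blob[i + 4:i + 6])[0])
        for i in range(0, len(blob), 6)
    ]


def peers_from_tracker_reply(reply: bytes) -> list[tuple[str, int]]:
    """Extract every peer's (ip, port) from a tracker reply, either format.

    The requester did nothing but announce itself for the same info-hash;
    the tracker returns the whole swarm. That is the "technical process" by
    which addresses become visible to other users, including monitors.
    """
    decoded = bdecode(reply)
    if not isinstance(decoded, dict):
        raise ValueError("tracker reply is not a dictionary")
    if b"failure reason" in decoded:
        raise ValueError(decoded[b"failure reason"].decode(errors="replace"))
    peers = decoded.get(b"peers", b"")
    if isinstance(peers, bytes):             # compact form (BEP 23)
        return compact_peers(peers)
    return [(p[b"ip"].decode(), int(p[b"port"])) for p in peers]


def build_compact_reply(peers: list[tuple[str, int]], interval: int = 1800) -> bytes:
    """Bencode a compact reply; used only to construct the sample below."""
    blob = b"".join(IPv4Address(ip).packed + struct.pack("!H", port) for ip, port in peers)
    return b"d8:intervali%de5:peers%d:%se" % (interval, len(blob), blob)


def monitor_records(reply: bytes, info_hash_hex: str, seen_at: str) -> list[dict]:
    """Assumed minimal record a monitor could keep per peer: only what the
    tracker reply and the announce context (which torrent, when) contain."""
    return [{"ip": ip, "port": port, "info_hash": info_hash_hex, "seen_at": seen_at}
            for ip, port in peers_from_tracker_reply(reply)]


# Constructed swarm of three peers (documentation-range addresses).
SAMPLE_SWARM = [("203.0.113.45", 51413), ("198.51.100.7", 6881), ("192.0.2.200", 40000)]
SAMPLE_COMPACT_REPLY = build_compact_reply(SAMPLE_SWARM)
# Two of the same peers in the non-compact, list-of-dictionaries form.
SAMPLE_LIST_REPLY = b"d5:peersld2:ip12:203.0.113.454:porti51413eed2:ip12:198.51.100.74:porti6881eeee"

if __name__ == "__main__":
    for ip, port in peers_from_tracker_reply(SAMPLE_COMPACT_REPLY):
        print(f"peer {ip}:{port}")
    print(monitor_records(SAMPLE_LIST_REPLY, "0" * 40, "2016-10-19T10:00:00Z"))
```

The decoded list is the raw material of the cases discussed: the (ip, seen_at) pair in each record is exactly what a monitoring party holds on its own, and what only an ISP's assignment log can turn into a person. Nothing in the exchange involves a choice by the listed peers, which is the point both courts took from the technical process.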

25 Gola/Schomerus/Gola/Klug/Körffer/Schomerus, § 28, Nr. 33a.

26 See also Lutz, Stephan (2012), Identifizierung von Urheberrechtsverletzern: Zulässigkeit der Ermittlung von IP-Adressen durch Anti-Piracy Firmen, Datenschutz und Datensicherheit (DuD), Vol. 36(8), p. 588.

27 BVGer, A-3144/2008, 27.5.2009, Nr. 9.3.5.

28 Wolff/Brink/Wolff, BDSG § 28, Nr. 88 and 89.


3.2. The Overriding Interest of the Controller

3.2.1. The Balancing Test

Under Art. 7(f) of the Directive, personal data may be processed if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)"[29]. In this regard, the fundamental rights and freedoms as well as the interests of the data subject should be taken into account[30]. The interest pursued by the controller will be taken into account as long as it is not illegitimate, regardless of whether it is non-material or economic, insignificant or highly significant[31].

The same test would apply under German Law, since according to § 28(1)(1)(2) BDSG the collection, storage, modification or transfer of personal data, or their use as a means of fulfilling one's own business purposes, shall be admissible "in so far as this is necessary to safeguard justified interests of the controller of the filing system and there is no reason to assume that the data subject has an overriding legitimate interest in his data being excluded from processing or use". The "legitimate" interest of the data subject, on the one hand, and the "justified" interest of the controller, on the other hand, will be weighed. The processing should be necessary to safeguard the justified interest of the controller; in this context, "justified interest" refers to any interest approved by the law[32]. The phrase "legitimate interests" encompasses all interests of the data subject which are covered under § 1(1) BDSG, namely the interests attached to the protection of an individual's right to privacy[33].

29 Art. 1(1) of the Directive states that “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.

30 The "interests for fundamental rights and freedoms of the data subject" should be understood as the "interests or fundamental rights and freedoms of the data subject", since various language versions of the Directive use "or" rather than "and". For instance, the French version of the Directive uses "l'intérêt ou les droits et libertés fondamentaux de la personne concernée", and the German version "das Interesse oder die Grundrechte und Grundfreiheiten der betroffenen Person". That the English version uses "and" instead of "or" can thus be regarded as a drafting error in this version (Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC ("Legitimate Interest Opinion"), p. 29).

31 Legitimate Interest Opinion, p. 24.

32 Gola/Schomerus/Gola/Klug/Körffer, § 28, Nr. 24; Wolff/Brink/Wolff, § 28, Nr. 59.

33 Wolff/Brink/Wolff, § 28, Nr. 65. Even if the terms are not identical to those of the Directive, the scope of the interests would not differ.


The same test is provided under Art. 13 of the Swiss Federal Act on Data Protection. According to this provision, "a breach of personality rights is unlawful unless it is justified by an overriding private or public interest or by law"[34]. In the Logistep case, the Swiss Federal Administrative Court, after concluding that the data had not been made available to the public by the data subject, went on to consider whether Logistep had an overriding interest in processing the data under Art. 13(1). The Court applied the balancing test of Art. 13, since there was no legal basis specifically allowing the processing of personal data in cases of copyright infringement in P2P networks. The Court decided that although the processing constituted a breach of personality rights, it was justified by private and even public interests, since the enforcement of both copyright law and criminal law is in the public interest. According to the Court's assessment, without the collection of technical data such as IP addresses, it would not be possible for the copyright owners to identify infringers[35]. The Court therefore rejected the Federal Data Protection and Information Commissioner's application. However, the Federal Supreme Court came to a different conclusion as to the outcome of the balancing test. The Federal Supreme Court found that Logistep's methods led to uncertainty regarding the type and scope of the collected data and their processing, and concluded that there was no overriding interest of the copyright holders[36].

The balancing test is a justification ground common to all three regulations surveyed. The test requires first the determination of the justified interest of the controller and of the legitimate interest of the data subject; these interests must then be compared37. The balancing test however does not simply require a “quantifiable and easily comparable” weighting of interests; on the contrary, several factors should be taken into account38. Safeguarding the interests of the data subject requires weighting his or her personality rights as well as the importance of the processing of the data for them, compared to the interests of the controller linked to the purpose of processing39. When applying the balancing test, four elements can be considered: “assessing the controller’s legitimate interest”, “the impact on the data subjects”, “the provisional balance” and “additional safeguards applied by the controller to prevent any undue impact on the data subjects”40. In order to assess the impact of the processing on the data subjects, the nature of the data, the method of processing, the reasonable expectations of the data subjects and the status of the controller and data subject41 can be taken into account.

34 Logistep, as a legal entity collecting the data on behalf of copyright holders, is considered a third party assigned by the copyright holders according to Swiss Federal Act on Data Protection Art. 10a. Logistep can therefore claim the same justification grounds as the copyright holders [Swiss Federal Act on Data Protection Art. 10a(3)]. The main interests of Logistep, as well as the copyright holder’s, should be taken into account in this respect [BVGer, A-3144/2008, 27.5.2009, Nr. 12.3.1].

35 BVGer, A-3144/2008, 27.5.2009.

36 Bundesgerichtsentscheid (“BGE”) 136 II 508 Nr. 6.3.3. However, Wullschleger is of the opinion that the Federal Supreme Court did not evaluate the overriding integrity interest of the data subject. The Court, for instance, could have taken into account the sensitivity of the processed personal data, the potential for data violations, and the severity of the breach of personality rights. According to Wullschleger, even if the Court had considered these points, it would be difficult to justify an overweighting interest of the data subject over the copyright holder’s (Wullschleger, Nr. 100).

37 Wolff/Brink/Wolff, § 28, Nr. 66.

38 Legitimate Interest Opinion, p. 23.

3.2.2. The Balancing Test Applied to the Interest of the Copyright Holder

Copyright holders obviously have a justified interest in enforcing copyright claims against infringers. Likewise, the agents acting on their behalf have a justified economic interest in processing the IP addresses in P2P networks. In this sense, Logistep’s interest in collecting the data through software is an economic one42. Therefore, the processing of IP addresses in P2P networks for these purposes fulfills the requirement that justified/legitimate interests be at stake. Nevertheless, the characterization of a legitimate interest on the part of the controller and copyright holder is insufficient to justify the processing. This interest should also overweigh the data subject’s.

In P2P networks, the availability of the IP address to the other peers might affect the protection of the data subject’s personal data. In cases where the data is generally available to the public, the breach of the data subject’s fundamental rights resulting from the processing will be deemed less severe, and this will in turn affect the protection granted to the data subject43. If data is not generally available to the public, the breach will in all likelihood be considered more severe44. However, such a reduction of the protection does not automatically result in an overweighting interest of the data controller. Several other factors must still be taken into account in order to properly assess the seriousness of the breach.

39 BGH, decision dated 17/12/1985, Neue Juristische Wochenschrift (“NJW”) 1986, 2505.

40 Legitimate Interest Opinion, p. 33.

41 Legitimate Interest Opinion, p. 36.

42 Lutz, p. 588.

43 See Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA ‘Rīgas satiksme’, ECJ ruling dated 4 May 2017, numbered C-13/16, Nr. 32.

44 See Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF), Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado, ECJ ruling dated 24 November 2011, numbered C-468/10 and C-469/10, Nr. 45.


When assessing the impact of processing on the data subjects, the nature of the data is the primary consideration. Even if IP addresses, being traffic data45, are not sensitive data, they require special protection46. This obligation to afford strict protection falls mainly on the ISPs while they are processing IP addresses47. Yet even if copyright owners and third parties acting on their behalf are not the addressees of these rules, the special protection required by IP addresses by virtue of their nature should be taken into account while assessing the impact of processing.

Secondly, the method of data collection is of paramount importance in the evaluation of the impact of processing on the data subject. In this regard, the severity of the breach of personality rights as a result of the processing and the potential risk of data violations should be given special consideration. At the moment when their IP address is processed, it is not yet certain whether the data subject is infringing copyright. Furthermore, the software is not identifying a person but rather a machine. The assumption is that the copyright infringer is the person that operates the machine; however, this will not be borne out in the case of open wireless networks and internet cafes48. In such situations, the IP address holders would face unjustified civil claims. The mere possibility that data collection is necessary to enforce copyright claims cannot justify a private party’s interference in the right to privacy of the data subject49. Such a method of processing could lead to the privacy of a large number of people being breached; consequently, the potential for data violations when such software is used might be deemed high. Furthermore, since the method and scope of data collection with software remain imprecise, the generalized and automatic character of this approach to monitoring might breach the privacy of users acting in a lawful manner50.

In addition, a user capable of downloading or uploading a copyrighted work in a P2P network would reasonably expect that his or her IP address would, in this process, be revealed to other peers. It is however not certain that he or she can reasonably expect

45 According to Art. 2(b) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), IP addresses are considered traffic data.

46 Legitimate Interest Opinion, p. 38.

47 See Directive 2002/58/EC Art. 6.

48 Frosio, Giancarlo F. (2011), “Urban Guerrilla & Piracy Surveillance: Accidental Casualties in Fighting Piracy in P2P Networks in Europe”, Rutgers University Computer & Technology Law Journal, Volume 37, p. 9.

49 Maaßen, Stefan (2009), “Urheberrechtlicher Auskunftsanspruch und Vorratsdatenspeicherung”, MMR, 511 (513); Lutz, p.588.

50 Lutz, p. 588.


another peer, disguised as an ordinary user of the P2P network, to collect his or her IP address to fight illegal downloading/uploading of copyrighted work.

Finally, the controller should take measures to comply with the general principles of data processing, especially the proportionality and transparency principles51. Even if such measures were taken, this would not automatically result in meeting the requirements set out by Art. 7(f) of the Directive, though it would suggest that data subjects’ interests or fundamental rights or freedoms are less likely to prevail52. Conversely, clandestine processing of IP addresses in P2P networks can hardly be expected to meet the requirement of proportionality, considering the potential for data violations and the uncertainty surrounding, in some cases, the identity of the holder of an IP address. It is also impossible to consider, in such a situation, that copyright owners have taken any additional measures to reduce the impact of the processing on the data subjects.

4. CONCLUSION

In line with the ECJ ruling, dynamic IP addresses will be considered information relating to an identifiable person, and consequently treated as personal data, if identifying that person through a combination of the IP address and additional elements does not entail disproportionate effort. The additional information does not have to be solely in the hands of the data controller. If IP addresses are accepted as personal data, their protection in the context of P2P networks will be subject to data protection regulations.

It seems difficult to consider that, in P2P networks, IP addresses are revealed with the will of the data subject, since this disclosure is a technical process. Therefore Art. 12(3) of the Swiss Federal Act on Data Protection cannot apply as a justification ground. § 28(6)(2) BDSG, for its part, regulates the processing of sensitive data which the data subject has evidently made public; therefore this provision is not applicable to IP addresses. § 14(2)(5) BDSG, however, can be seen as a relevant justification ground. Nonetheless, fulfilling the condition that the data be generally accessible on the internet would require it to have been provided by the will of the data subject. Once again, the same argument that a technical process is involved leads to refusing to consider that the data has been made generally accessible by the will of the data subject.

In this author’s opinion, the only applicable justification ground would derive from the balancing test under § 28(1)(1)(2) BDSG and Art. 13 of the Swiss Federal Act on Data Protection. However, the copyright holders’ obvious justified interest in enforcing

51 Legitimate Interest Opinion, p. 41.

52 Legitimate Interest Opinion, p. 41.


copyright claims against infringers can hardly be expected to overweight the interests of the data subject, since the impact of processing on the data subject is substantial. Taking into account the nature of the data, the unknown method and scope of the data collection, and the potential for data violations, only reinforces that conclusion.

5. BIBLIOGRAPHY

Article 29 Data Protection Working Party Privacy on the Internet-An integrated EU Approach to On-line Data Protection, Adopted on 21st November 2000.

Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.

Auer-Reinsdorff, Astrid/Conrad, Isabell (2016), Handbuch IT- und Datenschutzrecht, 2. Auflage.

Dammann Ulrich (2014), Bundesdatenschutzgesetz Kommentar, ed. Simitis, Spiros, 8. Auflage.

David Rosenthal/Yvonne Jöhri (2008), Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Schulthess Juristische Medien AG.

Frosio, Giancarlo F. (2011), “Urban Guerrilla & Piracy Surveillance: Accidental Casualties in Fighting Piracy in P2P Networks in Europe”, Rutgers University Computer & Technology Law Journal, Volume 37.

Gola/Klug/Körffer (2015), Bundesdatenschutzgesetz Kommentar, ed. Gola, Peter /Schomerus, Rudolf/Klug, Christoph /Körffer, Barbara, 12., überarbeitete und ergänzte Auflage.

Lutz, Stephan (2012), Identifizierung von Urheberrechtsverletzern: Zulässigkeit der Ermittlung von IP-Adressen durch Anti-Piracy Firmen, Datenschutz und Datensicherheit (DuD), Vol. 36(8), 584-590.

Maassen, Stefan (2009), “Urheberrechtlicher Auskunftsanspruch und Vorratsdatenspeicherung”, MMR, 511-515.

Sokol, Bettina, (2014), Bundesdatenschutzgesetz Kommentar, ed. Simitis, Spiros, 8. Auflage.

Wolff, Heinrich Amadeus (2017), Beck’scher Onlinekommentar Datenschutzrecht ed. Wolff, Heinrich Amadeus/Brink, Stefan, 19. Edition.

Wullschleger, Marc (2015), Die Durchsetzung des Urheberrechts im Internet, SMI - Schriften zum Medien- und Immaterialgüterrecht, Band/Nr. 101, Stämpfli Verlag AG.


INTERNET, POLÍTICA Y SOCIEDAD / INTERNET, POLITICS & SOCIETY


22

TOWARDS A MAP-BASED ACCOUNTABILITY FOR ENVIRONMENTAL HEALTH RISK? THE CASE OF THE EQUATORIAL ASIAN HAZE

Anna Berti Suman Tilburg Institute for Law, Technology and Society (TILT), Tilburg Law School, Tilburg University, PhD Candidate.

ABSTRACT: Southeast Asia is experiencing toxic haze waves due to illegal forest fires. The haze represents a pressing public health concern for the region. Public authorities and NGOs have launched initiatives aimed at tackling the issue and condemning those responsible. However, these efforts have been hindered by a lack of reliable evidence on the fires’ exact location and on land ownership. The scarcity of evidence has been worsened by the uncooperative attitude of governments and companies, which have shown resistance to disclosing information. This paper investigates a possible solution the digital world provides to the issue, focusing in particular on the potential of non-state mapping platforms and on how these initiatives affect the treatment of the haze risk. My first research question asks whether such tools could provide authoritative evidence that may allow civil society to hold the public and private actors accountable. Secondly, I investigate the chance that these platforms could foster a transparent governance of the haze. In my conclusions, I argue that a map-based ‘digital accountability’ demonstrates the extent to which ICT challenges the informational and operational monopoly of the traditional political actors, and gives new roles to the citizens. However, governments’ and companies’ reluctance to cooperate with civil society by disclosing concession and fire spot maps represents the main barrier to the realization of the empowering potential of ICT. I formulate recommendations underlining the need to overcome the fragmentation in the allocation of information between lay people, companies and governments, and to establish mechanisms to give legal, social and political recognition to the bottom-up mapping efforts.

KEYWORDS: monitoring technologies, digital maps, accountability, environmental health risk.

1. THE HAZE CHALLENGE IN EQUATORIAL ASIA

In this paper I will investigate the phenomenon of the Asian haze through a socio-legal analysis and I will focus on the response of lay people to the public health risk represented by the haze. Specifically, I will consider the reaction manifested in the form of a considerable effort to map the threat through digital tools, and the implications this mapping has as a legal source of evidence and as a source of accountability. I will start by contextualizing the phenomenon and illustrating its causes and effects. Subsequently, I will present the response to the risk by the international institutions and by the local community. I will then zoom in on the question of whether the bottom-up


mapping of the phenomenon can serve as a source of legal evidence and as an incentive to improve the management of a public health risk like the haze.

1.1. The regional scenario

People in Southeast Asia are being confronted with massive air pollution due to tremendous waves of toxic haze originating from the illegal burning of forests and peatlands in Indonesia. These man-made fires are aimed at preparing land for agricultural use, at burning agricultural residue, and at clearing forest for land acquisition. Fires can also be the result of vandalism or accidental ignition, or a mechanism to force inhabitants off the land (Simorangkir, 2007)1.

Land conversion by fire is prohibited in accordance with Indonesian Law No. 32/20092, which foresees penalties including fines and prison. Nevertheless, burning is the most common option because it is cheaper than the alternatives (mechanical clearing with heavy equipment)3. The lack of State control over the burning activities and the weak law enforcement process against those responsible have caused the issue to expand across the region. In addition, recurring droughts, unregulated agricultural expansion, rampant deforestation and land conflict further worsen the scenario4.

In September and October 2015 the advent of El Niño and of the positive Indian Ocean Dipole (IOD)5 tremendously intensified the threat deriving from the haze across much of the equatorial parts of Southeast Asia, in particular Indonesia (mostly the islands of Sumatra and Kalimantan), East Malaysia and Singapore6.

1 Simorangkir, D. (2007). Fire use: Is it really the cheaper land preparation method for large-scale plantations?. Mitigation and Adaptation Strategies for Global Change, no. 12, pp. 147-164.

2 In particular, forest clearing by fire is prohibited under Law No. 32/2009 on the Protection and Management of Environment and Government Regulation No. 4/2001 on Management of Environmental Degradation and/or Pollution linked to Forest or Land Fires.

3 See footnote 1 above.

4 The World Bank (2015). The cost of fire. Indonesia Sustainable Landscapes Knowledge, note no. 1. Washington, D.C.: World Bank Group. Retrieved March 12th, 2017 from http://documents.worldbank.org/curated/en/776101467990969768/The-cost-of-fire-an-economic-analysis-of-Indonesia-s-2015-fire-crisis.

5 The Indian Ocean Dipole (IOD), also known as the Indian Niño, is an irregular oscillation of sea-surface temperatures that produces an increase and decrease in the temperature of the western part of the Indian Ocean, with respect to the eastern part.

6 These two territories are particularly vulnerable because they host the country’s fragile peatlands (lahan gambut).


1.2. Where the danger comes from

The noxiousness of the fires derives from the material of the peatland burned. Indeed, during combustion, the organic material contained in the peat releases great amounts of fine particulate matter (PM2.5), which represents the main cause of pollution. The World Health Organization (2009) has identified that this particulate matter is potentially fatal when inhaled. This contaminant is even more dangerous because it does not stay over the lands where it is produced, but is transported by winds, often to densely populated areas. For example, in 2015 the haze was pushed towards Singapore and Kuala Lumpur, populous territories that are also totally extraneous to these practices of forest burning7.

The illegal burning of peatland is aimed at replacing the pristine forest with commercial species, such as the fast-growing Acacia tree. This practice is mostly linked to palm oil production, pulpwood and timber plantations, and brings about the enrichment of a few thousand farmers and, above all, powerful multinational corporations like the well-known Asian Pulp and Paper (APP). This profit cannot compensate for the loss of native vegetation and the huge socio-economic costs that the haze causes to the region. Indeed, the noxious air pollution severely affects public health, transport, trade and tourism, even forcing school closures. The World Bank (2016)8 estimated that, in 2015 alone, the fires cost Indonesia alone around USD 16.1 billion (IDR 221 trillion). Moreover, this figure does not reflect the additional costs suffered regionally (e.g. in Singapore) and globally. With regard to the global impact, for example, fires also substantially increase the release of greenhouse gas emissions9.

1.3. Impacts of the haze on public health

In this section I will consider the effects of the haze both on public health in its strict sense, and more broadly on public behaviors. This double approach may help illustrate the magnitude of the real risk and of the perceived risk. The verification of behavioral changes due to the perceived menace is considered in this paper as important as the health impacts, and it is an indispensable element for understanding the scenario.

7 Koplitz, S.N. et al. (2016). Public health impacts of the severe haze in Southeast Asia in September–October 2015: demonstration of a new framework for informing fire management strategies to reduce downwind smoke exposure. Environmental Research Letters, No. 11, IOP Publishing.

8 See footnote 4 above.

9 See footnote 4 above.


With regard to health stricto sensu, a study by Koplitz, S.N. et al. from Harvard and Columbia Universities (2016)10 estimated the impact of the haze on public health, focusing on two pollution events of 2006 and 2015 in Indonesia, Malaysia, and Singapore. Using a chemical transport model (called “GEOS-Chem”), they hypothesized smoke transport pathways, and thus calculated the impacts of fire emissions and the resulting smoke exposure on the inhabitants. The study links near real-time assessment of pollution exposure to morbidity and premature mortality, demonstrating the potential lethality of the haze. Specifically, they estimated that the 2015 haze provoked 100,300 excess deaths across Southeast Asia, double that of the 2006 event. This shows that the menace represented by the haze is growing, although it must be considered that the 2015 haze episode was aggravated by El Niño.

The issue is particularly urgent in Singapore. Indeed, in 2015, Singapore was hit by one of the most prolonged haze episodes ever recorded. Over a span of 46 days air quality worsened into Unhealthy, Very Unhealthy and Hazardous, according to the Pollutant Standards Index (PSI). During that year, more than 2,200 people died directly from the haze, while around 500 suffered serious health consequences11. A study by Crippa et al. from Leeds and Newcastle Universities (2016)12 specifically analysed the levels of particulate matter in the air (PM2.5) over the fire period. According to the WHO, the experts stress, the amount of PM2.5 should stay within a maximum of 25 μg/m³ over a 24-hour period. Instead, in autumn 2015 in Singapore the PM2.5 level was on average 70 μg/m³, with peaks of up to 300 μg/m³. In most European countries, a severe episode of air pollution would already be declared when PM2.5 surpasses the 30 μg/m³ threshold. The Singaporean haze was 10 times higher than the European alarm level. The issue, however, was not new to the island13. Indeed, already in 2013 the PSI rose to noxious levels, causing ailments and deaths among the population. As documented by Kunii et al. (2002)14, also in 1997 a

10 See footnote 7 above.

11 Salvo, A. and Tan, D. (2014). Multilateral approach to abating regional haze pollution. Straits Times, no. 1, 6/5/2014.

12 Crippa, P. et al. (2016). Population exposure to hazardous air quality due to the 2015 fires in Southeast Asia. Scientific Reports 2016; 6: 37074. Retrieved March 12th, 2017 from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5111049/. doi: 10.1038/srep37074.

13 For a history of the haze in Equatorial Asia see: Aditama, T.Y. (2000). Impact of haze from for-est fire to respiratory health: Indonesian experience. Respirology 5:169–174. Retrieved March, 12th, 2017 from https://www.ncbi.nlm.nih.gov/pubmed/10894107. PMID: 10894107.

14 Kunii, O. et al. (2002). The 1997 haze disaster in Indonesia: its air quality and health effects. Archives of Environmental Health 57(1):16–22. Retrieved March, 12th, 2017 from https://www.researchgate.net/publication/11304100_The_1997_Haze_Disaster_in_Indonesia_Its_Air_Quality_and_Health_Effects. doi: 10.1080/00039890209602912.


strong haze event struck Indonesia and the surrounding countries. Nonetheless, neither Indonesia nor Singapore at the time of the third episode had implemented sufficient preventive measures.

Exposure to the haze creates immediate health consequences for the current generations, ranging from respiratory to heart and eye-related illnesses (Stephen and Low, 2002)15. However, these illnesses represent only a part of the haze’s impacts. Indeed, it also affects future generations16. A study by Balasubramanian et al. from the National University of Singapore (2013)17 indeed demonstrates that long-term exposure to haze-related air pollution has the potential to harm the health of the population over time. The study shows a direct relation between urban exposure to PM2.5 pollution and the probability for a Singaporean to develop cancer in his/her life (Radojevic, 2003)18.

Moving to the behavioral aspect, it must be stressed that during both episodes, the change in people’s behaviors was substantial. Salvo’s research (2014)19, based on interviews conducted on a sample of 421 Singaporean households in relation to the haze in 2013, demonstrated this change. Indeed, four out of five respondents to the interviews showed serious worries about the haze. Indoors, they adopted mitigating behaviours, for example trying to spend more time indoors, keeping the windows closed, and increasing the usage of air conditioning. Outdoors, they started wearing masks and were five times less prone to stay in parks and engage in outdoor recreation.

With regard to hospital expenses, a Haze Subsidy Scheme was launched in 2013 by the government of Singapore. Data from the Singaporean Health Minister (2015)20 states that, in 2015, more than USD 3.3 million was spent to cover the cost of over 77,000 patients coming to polyclinics and clinics for haze-related diseases.

15 Stephen, A., and Low, L. G. (2002). Impact of haze on health, mortality and mitigation programme. In “World Conference on Land and Forest Fire Hazards 2002”, pp. 319-323, Kuala Lumpur.

16 For the health cost of the haze over time see Quah, E., and Johnston, D. (2001). Forest fires and environmental haze in Southeast Asia: using the “stakeholder” approach to assign costs and responsibilities. Journal of Environmental Management, no. 63, pp. 181–191. Retrieved March 12th, 2017 from https://www.ncbi.nlm.nih.gov/pubmed/11721597.

17 Balasubramanian, R. et al. (2013). Chemical speciation of trace metals emitted from Indonesian peat fires for health risk assessment. Atmospheric Research, no. 122, pp. 571–578.

18 Radojevic, M. (2003). Haze Research in Brunei Darussalam During the 1998 Episode. Pure and applied geophysics, no. 160: 251. Retrieved March, 12th, 2017 from https://link.springer.com/article/10.1007/s00024-003-8776-5. doi:10.1007/s00024-003-8776-5.

19 See footnote 11 above.

20 For more information see http://www.channelnewsasia.com/news/singapore/more-than-s-3-3m/2470654.html.


1.4. Methodology

For the sake of brevity, in this section I will not dive extensively into the methodological aspects of this research. Nonetheless, it seems worth presenting the basics of the method that has informed this study. The main components of this research can be listed as follows:

• A doctrinal review focused on:
1) Legal texts relevant for the haze litigation;
2) Health reports on haze impacts on public health;
3) Environmental studies on the effects of the haze on the environment;
4) The theory on the use of satellite evidence in environmental law proceedings;
5) The theory on accountability in the digital society.

• A qualitative research based on:
1) The action research approach, performed at the headquarters of the Legal Unit of Greenpeace International, Amsterdam;
2) Face to face interviews and meetings realized both at the office of Greenpeace and via skype;
3) Email exchanges with stakeholders and organizations on the ground (Southeast Asia) and from various parts of the world, involved in the haze issue;
4) Targeted communication with public officers in Singapore in ministries and positions relevant for the haze.

This paper has been informed by the fundamental principles pervading the debate on Business and Human Rights. In particular, I highlight the appropriateness of the Corporate Crimes Principles21 to this topic. The principles were released in October 2016 by a group of legal experts, with the support of Amnesty International and the International Corporate Accountability Roundtable (ICAR). I highlighted in italics those parts that I deem particularly relevant for the haze debate. The aim of the principles is to improve the investigation and prosecution of human rights cases, while tackling the impunity gap often reserved to powerful transnational corporations.

Specifically, it is worth mentioning principle 2 - Fight impunity for cross-border corporate crimes by choosing to assert jurisdiction; principle 3 - Guarantee accountability and transparency in the justice process when pursuing corporate crimes; principle 4 - Identify the legal standards and secure the evidence needed to establish liability for

21 See http://www.commercecrimehumanrights.org/wp-content/uploads/2016/10/CCHR-0929-Final.pdf.


corporate crimes in your jurisdiction; and principle 8 - Use all available legal tools to collect evidence, build cases and obtain the cooperation of critical witnesses in corporate crimes cases.

2. THE RESPONSE OF THE INTERNATIONAL COMMUNITY

2.1. The letter from UN special rapporteurs on HRs

In this section I illustrate the awareness that is dominant worldwide on the seriousness of the haze issue. I take as proof of this awareness a recent meeting on the topic that occurred at the United Nations level. In a connected world, news spreads rapidly and the international community is tracking the haze threat and its management.

On 9 November 2016, a group of UN special rapporteurs wrote to the Indonesian government to raise the issue of haze and claim justice22. They met in Geneva at the High Commissioner for Human Rights to call the attention of the Indonesian Government to the “negative health impacts of persistent hazardous levels of smoke pollution across much of Equatorial Asia due to forest fires in Indonesia and especially increased effects after the extreme haze event of 2015”. This action was encouraged and supported by the advocacy of numerous NGOs and grassroots organizations.

2.2. The claims against the Indonesian Government

The UN spokespeople addressed to the Government a demand for prompt intervention, asking for legislation against the haze and for the enforcement of corporate accountability against those stakeholders responsible for the haze. They proclaimed the urgency of granting people in the affected areas their rights to life and health in environments free from contamination.

At p. 3 of the letter, the UN experts cited specific figures for the deaths attributed to the haze in 2015: “according to information received, haze from Indonesia’s forest fires are estimated to have caused around 100,300 premature deaths in 2015 spanning three countries: Indonesia, Malaysia, and Singapore. In 2015, 91,600 people were killed prematurely in Indonesia, 6,500 in Malaysia and 2,200 in Singapore”.

22 Text of the letter available at https://spcommreports.ohchr.org/TMResultsBase/DownLoadPublicCommunicationFile?gId=22840. Retrieved 12 March 2017.


2.3. Human Rights breaches according to the special rapporteurs

The rapporteurs went on to underline their severe concerns regarding the breach of human rights guarantees, in particular the rights to life, health and physical integrity. With the powers that their Human Rights Council mandates grant them, they asked the Indonesian Government to consider its possible non-compliance with the ASEAN Agreement on Transboundary Haze Pollution (signed in 2002 and ratified by Indonesia in 2014). Most importantly, they asked “what judicial, administrative, legislative or other steps the Government of Indonesia has taken to ensure that victims of the haze have access to effective remedies” (p. 5).

Apart from the possible violation of the ASEAN Agreement on Transboundary Haze Pollution, the UN rapporteurs stressed the likely breach of every individual’s rights to life and physical integrity, as guaranteed by article 3 of the Universal Declaration of Human Rights (UDHR) and article 6 of the International Covenant on Civil and Political Rights (ICCPR). In addition, they identified a possible violation of article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR), which recognizes the right of everyone to the enjoyment of the highest attainable standard of physical and mental health.

The State’s obligation to intervene in case of such breaches is also supported by the UN Guiding Principles on Business and Human Rights (2011). Interestingly, the rapporteurs quoted Guiding Principle 25, affirming the State’s duty to “take appropriate steps to ensure” that, in case of business-related human rights violations, “those affected have access to effective remedy”. Also worth mentioning is Guiding Principle 29, which calls on business enterprises to “provide a channel for those directly impacted by the enterprise’s operations to raise concerns when they believe they are being or will be adversely impacted”.

The Indonesian State had 60 days from the release of the letter to address these claims. To date there is no information available on measures undertaken by Indonesia to comply with the UN’s request. Further research is needed to assess the Government’s response to this letter and its probable failure to justify its conduct before the UN rapporteurs.

3. THE MAPS, A DIGITAL SOLUTION

3.1. Mapping tools as a response to the haze

Alongside the international condemnation of the haze, many actors on the ground, such as NGOs and civil society organizations, proved willing and ready to take action against the haze by creating sophisticated online maps. However, the potential of these platforms has been hindered by a lack of reliable evidence on the exact location of the fires and on the stakeholders responsible. Without speculating on the right of the affected stakeholders to access environmental information23, I will focus on the likelihood that bottom-up tracking tools could complement, or even somehow substitute for, the information that governments and corporations were reluctant to share.

In the following sections I present the potential of these mapping initiatives for achieving both political and socio-legal accountability of the stakeholders responsible for the haze. The illustration of existing maps and their use in court aims to answer whether monitoring systems launched by organized civil society can (1) provide authoritative evidence, valid before courts, for enforcement against those responsible for the haze; and (2) push policymakers to take action against the businesses menacing public health.

3.2. Institutional initiatives

The Singaporean government, Singapore being one of the areas most affected by the fires, showed commitment to supporting Indonesia (the “haze-producing” country) with fire detection and other related issues. The anti-haze cooperation between the two countries, institutionalized by the Jambi Memorandum of Understanding, led for example to the installation of a Geographical Information System (GIS) in the Indonesian province of Jambi, one of those most affected by illegal fires. In addition, Jambi officials have been trained by Singaporean experts in interpreting satellite imagery to detect fire hotspots.

At a higher political level, Singapore supported the ASEAN Agreement on Transboundary Haze Pollution, signed by all ten Association of Southeast Asian Nations (ASEAN) Member States in June 2002. On the technical side, the Singaporean government facilitated the creation of the ASEAN Sub-Regional Haze Monitoring System (AHMS)24.

Among the ASEAN members there is acknowledgment of the importance of information transparency and data sharing in tackling the haze threat. This is demonstrated, for example, by the ASEAN authorities’ exploration of a binding system for the sharing of digital geo-referenced concession maps. ASEAN members have affirmed the need for widespread access to satellite and mapping technologies in order to foster hotspot monitoring. However, despite these efforts, most land-use and concession maps are not yet digitised and government-to-government cooperation is still weak25.

23 This right is aimed at protecting those seeking access to environmental information from public authorities.

24 For access to the platform, see http://haze.asean.org/. Retrieved 14 March 2017.

25 Shah, V. (2016). New map launched on company concessions in Indonesia. Eco-Business, 22 March 2016. Retrieved 15 March 2017 from http://www.eco-business.com/news/new-map-launched-on-company-concessions-in-indonesia/.


Nevertheless, an attempt in this direction has been made with the “One Map” initiative, launched by the Indonesian government. The project was created in collaboration with the National Geospatial Agency (“Badan Informasi Geospasial”, BIG) and received the support of the United States Agency for International Development (USAID) and the US Forest Service International Programs26. It aimed to create a single database of land use, land tenure and other spatial data for the Indonesian territory, integrating the different levels of government (national, provincial and district) and harmonizing conflicting or misaligned data. The platform was designed to be user-friendly, enabling any user to download maps and to contribute their own data where relevant to the mapping; after verification by BIG, such user-entered data could be incorporated into the official database. However, this remarkable project is still incomplete and has not delivered the improvement in transparency promised by the government27.

3.3. Non-institutional initiatives

Grassroots organizations across the affected countries have developed creative solutions for facing the haze. Among the Indonesian civil society organizations strongly fighting the haze it is worth naming “Walhi” (the Indonesian Forum for the Environment), “Jatam” (the Mining Advocacy Network), “Jakarta Legal Aid” and the Indonesian Centre for Environmental Law.

At an inter-regional level, the work of the World Resources Institute is noteworthy: together with partners such as DigitalGlobe, a commercial satellite imagery provider, it launched in 2014 “Global Forest Watch Fires”28, a bottom-up online platform for monitoring and responding to illegal fires. The platform is based on high-resolution satellite information documenting individual fires and gathering high-quality evidence of possible wrongdoing, potentially linkable to culpable individuals and companies.

Greenpeace Indonesia joined these mapping efforts, adding the “Kepo Hutan”29 interactive map to Global Forest Watch Fires. Kepo Hutan focuses specifically on mapping the ownership of concession areas at risk of fires. It allows the public to see detailed information about the companies holding the land, the characteristics of specific concessions (e.g. whether peatland, whether orangutan or tiger habitat) and their borders. In addition, the platform lets the user view these concession maps in relation to fire hotspots and deforestation alerts. The interactive map was developed using the open source technology of the above-mentioned Global Forest Watch Fires. Greenpeace’s work involved digitizing paper maps and PDFs into scalable maps for use in GIS, in shapefile format. This format is suitable for combined data analysis, here combining the official maps with more recent satellite images or other digital information. In addition, the platform allows the download of these shapefiles, giving lay people and experts alike the chance to analyse the data themselves.

26 See footnote 24 above.

27 See footnote 24 above.

28 For GFW maps, see http://fires.globalforestwatch.org/home/ and http://www.wri-indonesia.org/en/resources/maps. Retrieved 15 March 2017.

29 For Kepo Hutan maps, see http://www.greenpeace.org/seasia/id/Global/seasia/Indonesia/Code/Forest-Map/index.html (only in Indonesian). Retrieved 15 March 2017.

With regard to the accountability question, it is worth pointing out that Greenpeace launched this map platform as an instrument to enhance transparency in the management of the haze. The organization claims that public information on who controls the concessions is scarce, and that the Indonesian government has resisted complying with the NGO’s formal request to publish official, up-to-date concession maps in shapefile format. Greenpeace plans to appeal to the Indonesian Central Information Commission, under the Public Information Disclosure Act (2008), against this negligence by the State30.

An interesting statement was made by Bambang Widjojanto31, former deputy chief of Indonesia’s Corruption Eradication Commission (KPK), in his speech at the Kepo Hutan launch event: “The public has the right to comprehensive geospatial information in the most useful format –shapefiles– to allow continuous analysis and monitoring. No-one should have to jump through legal hoops and wait months or years to gain access to scraps of vital data. The government standard should be: all of the data, all of the time, available to all”.

The result of this joint action by several organizations is an integrated multi-layered platform, based on a combination of services (e.g. satellite images, fire alerts from NASA and maps from Google Earth Engine) and on a network of infrared sensors capturing ground features, which can be activated by lay people. The success factor of this mapping tool lies in the combination of NASA satellite data (a source independent of the Indonesian administration) with administrative and concession maps from the Ministry of Forestry (the official source). In addition, crucial elements seem to be the 30-centimetre resolution of the images registered by the satellites, an accuracy level of around 90-100%, and the dense network of infrared sensors capturing ground features.

30 Greenpeace International. (2016). Greenpeace launches maps tracking “near real-time” Indonesian deforestation and fires. Press release of 15 March 2016. Retrieved 15 March 2017 from http://www.greenpeace.org/international/en/press/releases/2016/Greenpeace-launches-maps-tracking-near-real-time-Indonesian-deforestation-and-fires/.

31 See footnote 29 above.


A further element of interest is the platform’s capability to send information in real time to on-the-ground actors. In particular, NASA’s Fire Information for Resource Management System (FIRMS) distributes Near Real-Time (NRT) active fire data within 3 hours of satellite overpass, from two instruments (MODIS and VIIRS)32. This allows inhabitants to react to the threat, and policymakers to take action for the sake of public health. A correct reading of the fire data may indeed allow the direction of the haze to be discerned, and therefore the potential smoke exposure downwind to be assessed. Informed strategies to prevent or minimize the risk can be planned and implemented on the basis of this satellite information.

4. DISCUSSION: THE DIGITAL MAPS AS COURT EVIDENCE AND A WARNING FOR THE GOVERNMENT

In this section I discuss whether monitoring systems launched by organized civil society can be used to record evidence admissible in court against those responsible for the haze. In addition, I examine whether these tools can push policymakers to take action against the businesses responsible for it.

4.1. Maps as authoritative evidence

4.1.1. The provisions of local legislation for maps against the haze

The focus in this section is on a legal instrument recently adopted within the Singaporean legal system, whose aim is to prevent and punish the causing of transboundary haze pollution. I focus on Singaporean law for several reasons. First, legal claims against those responsible for the haze are more likely to be brought, and to succeed, in Singapore, since it is not the country hosting the businesses causing the haze. Second, the act directly mentions the use of digital maps to enforce justice against the haze’s producers. Third, the comprehensiveness and efficiency of its provisions are remarkable, even though in practice they have not yet been applied to their full potential. Lastly, the act is particularly effective for condemning both those directly responsible for the haze and those indirectly responsible (for failing to prevent it).

32 For additional information visit https://earthdata.nasa.gov/earth-observation-data/near-real-time/firms. Retrieved 15 March 2017.


The law at issue is the Transboundary Haze Pollution Act (THPA) of 201433. It applies to any conduct involving smoke from any land or forest fire wholly outside Singapore which causes or contributes to any haze pollution in Singapore, whence the name “transboundary”. Such conduct is actionable in Singapore whether or not it is also actionable in the foreign jurisdiction where it occurred. Anyone can sue where there is actionable conduct: the Singapore authorities (e.g. the National Environment Agency) but also the affected people, as separate plaintiffs or in a “representative action”. Those who can be held accountable are (1) local and foreign companies involved in illegal forest burning causing haze in Singapore; (2) financial institutions that financially supported haze producers; and (3) company executives who take decisions linkable to the haze.

I will not analyse the act further; here I focus only on those provisions that may be relevant to legitimizing the evidential weight of digital maps and other tracking tools. In Part I (Preliminary), the definition of “document” is worth noting, since it expressly includes (a) any map (..). Another relevant part is Part II (Liability for Transboundary Haze Pollution), section 8 (Presumptions). The presumptions apply upon proof of the facts that (a) there is haze pollution in Singapore; (b) at or about the time of the haze pollution in Singapore, there is a land or forest fire on any land situated outside Singapore; and (c) based on satellite information (..), it appears that the smoke resulting from that fire is moving in the direction of Singapore. If these three conditions are satisfied, it shall be presumed, until the contrary is proved, that there is haze pollution in Singapore involving smoke resulting from that land (s 8(1)). Furthermore, s 8(2) states that when there is any haze pollution in Singapore resulting from any fire on land outside Singapore, it shall be presumed, until the contrary is proved, that the entity which is the owner or occupier of the land is responsible for the conduct (..). Under s 8(4), ownership or occupation of the land is presumed on the basis of maps showing the land as owned or occupied by that entity. Such maps may be furnished by, or obtained from, governmental sources but also from any prescribed person through any prescribed means, a very open clause as regards the sources of maps.
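The overlay described in section 3.3 (satellite hotspots combined with concession maps) and the three-limb test of s 8(1), followed by the owner/occupier presumption of s 8(2) and (4), can be expressed as a small procedure. The following is an added example, not code from this paper, from Global Forest Watch, from Greenpeace or from any Singaporean authority: it reads FIRMS-style hotspot records (constructed sample rows with a simplified column set), attributes each hotspot to a concession polygon by a point-in-polygon test, and applies the presumption chain. The concession polygons, entity names, the ownership lookup standing in for a s 8(4) map, the confidence threshold and the plume bearing (assumed to come from a separate smoke or wind product) are all assumptions for illustration; nothing here addresses the rebuttal stage.

```python
"""Hotspot-to-concession attribution and the THPA s 8 presumption chain.

Added example for illustration; not code from the paper, Global Forest Watch,
Greenpeace or the NEA. Hotspot rows mimic the FIRMS CSV layout with a reduced
column set; concessions, entity names and coordinates are constructed.
"""
import csv
import io
import math

# Constructed hotspot rows (FIRMS-style columns, simplified).
HOTSPOTS_CSV = """latitude,longitude,acq_date,confidence
-1.5500,103.6100,2015-09-21,92
-1.5700,103.6300,2015-09-21,45
-0.9000,100.3500,2015-09-21,88
-1.5600,103.6200,2015-09-22,97
"""

# Constructed concession polygons, vertices as (lon, lat).
CONCESSIONS = {
    "CONC-A": [(103.60, -1.60), (103.65, -1.60), (103.65, -1.54), (103.60, -1.54)],
    "CONC-B": [(100.30, -0.95), (100.40, -0.95), (100.40, -0.85), (100.30, -0.85)],
}
# Stand-in for a s 8(4) map: which entity the map shows as owner or occupier.
MAP_OWNERSHIP = {"CONC-A": "Entity Alpha", "CONC-B": "Entity Beta"}

SINGAPORE = (103.82, 1.35)  # approximate (lon, lat) of Singapore


def point_in_polygon(lon, lat, poly):
    """Even-odd ray casting test; poly is a list of (lon, lat) vertices."""
    inside = False
    n = len(poly)
    for i in range(n):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % n]
        if (y1 > lat) != (y2 > lat):  # edge straddles the point's latitude
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside


def bearing_deg(lon1, lat1, lon2, lat2):
    """Initial great-circle bearing from point 1 to point 2, in [0, 360)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    y = math.sin(dlon) * math.cos(phi2)
    x = math.cos(phi1) * math.sin(phi2) - math.sin(phi1) * math.cos(phi2) * math.cos(dlon)
    return (math.degrees(math.atan2(y, x)) + 360.0) % 360.0


def smoke_toward_singapore(lon, lat, plume_bearing, tolerance_deg=30.0):
    """Limb (c): the observed plume direction (assumed to come from a separate
    smoke or wind product) points at Singapore within a tolerance (an assumption)."""
    target = bearing_deg(lon, lat, *SINGAPORE)
    diff = abs((plume_bearing - target + 180.0) % 360.0 - 180.0)
    return diff <= tolerance_deg


def concession_for(lon, lat):
    """Return the concession id whose polygon contains the point, or None."""
    for cid, poly in CONCESSIONS.items():
        if point_in_polygon(lon, lat, poly):
            return cid
    return None


def attribute_hotspots(csv_text, min_confidence=80):
    """Overlay hotspots on concession polygons.
    Returns [(acq_date, concession_id, mapped_entity)] for hotspots at or above
    the confidence threshold that fall inside a mapped concession."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["confidence"]) < min_confidence:
            continue  # low-confidence detections are dropped, real fires included
        lat, lon = float(row["latitude"]), float(row["longitude"])
        cid = concession_for(lon, lat)
        if cid is not None:
            hits.append((row["acq_date"], cid, MAP_OWNERSHIP.get(cid)))
    return hits


def s8_presumed_entity(haze_in_singapore, hotspot, plume_bearing):
    """Apply s 8(1)(a)-(c) to one hotspot (lon, lat) outside Singapore observed
    at or about the time of the haze, then s 8(2)/(4) to name the owner or
    occupier shown on the map. Returns None if any limb fails or the land is
    unmapped. The result is rebuttable: 'presumed until the contrary is proved'."""
    if not haze_in_singapore:                                # limb (a)
        return None
    lon, lat = hotspot                                       # limb (b): the fire itself
    if not smoke_toward_singapore(lon, lat, plume_bearing):  # limb (c)
        return None
    cid = concession_for(lon, lat)
    return MAP_OWNERSHIP.get(cid) if cid else None


if __name__ == "__main__":
    for date, cid, entity in attribute_hotspots(HOTSPOTS_CSV):
        print(date, cid, entity)
    print(s8_presumed_entity(True, (103.61, -1.55), plume_bearing=10.0))
```

Two caveats a practitioner would keep in mind: the confidence filter discards genuine fires along with false alarms, so the threshold is a policy choice rather than a fact about the data; and because the presumption is rebuttable, the output is a list of entities to be put to proof, not a finding. The bearing test goes slightly beyond the text, which says only “moving in the direction of Singapore”; the 30-degree tolerance is an assumption.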

The elements of interest for my conclusions are, first, the centrality of satellite information in proving the causal link between the illegal fire and the haze episode: reliance on digital mapping evidence therefore seems justified by the THPA. Second, the role reserved to mapping tools for proving ownership or occupation of the land, and consequently the relation of responsibility, is worth highlighting. I also find central the openness of the clause defining the sources of maps in very broad terms, which leaves space for lay people’s production of evidence. Lastly, one can reflect on the power granted to public authorities to require information, and on the faculty individuals have to demand disclosure of information, even when the DGA is reluctant to cooperate. On the basis of the act analysed, I can conclude that grassroots efforts in monitoring the haze create evidence usable in court.

33 Transboundary Haze Pollution Act No. 24 of 2014, published in the Government Gazette, Electronic Edition, on 25 September 2014. The Bill in English can be found at http://statutes.agc.gov.sg/aol/search/display/view.w3p;page=0;query=CompId%3A113ccc86-73fd-48c9-8570-650a8d1b7288;rec=0. Retrieved 19 March 2017.

4.1.2. A doctrinal opinion on digital (maps) evidence in Singapore

This section focuses on developments regarding the legal weight of electronic evidence, with specific reference to Singapore. On this point, an interesting commentary by Low (2012)34 presents thoroughly the increasing trend towards accepting digital evidence in Singaporean courts. The author reflects on the resistance registered in past court decisions in which admissibility issues of digital evidence were raised, and presents the different procedural thresholds for admitting it as evidence.

More interestingly, however, she presents a new development in the scenario. The author refers to section 116A, introduced by the Evidence (Amendment) Bill 201235 (enacted as the Evidence (Amendment) Act 2012), which repealed sections 35 and 36 of the Evidence Act and introduced three new presumptions relating to electronic evidence: the first concerns accuracy and reliability; the second and third concern authenticity. These three presumptions create a favourable environment in Singapore for bringing claims based on digital evidence related to the haze.

A further provision worth mentioning is section 116A(6), under which the Minister for Law may make regulations defining an “approved process” for generating electronic records, e.g. from tracking tools. Under this provision it may be worth exploring ways to have bottom-up produced maps recognized as the output of an approved process: in that case the court shall presume that the electronic record accurately reproduces what it records, unless evidence to the contrary is adduced. The amendment also makes clear that the electronic “document” to which it refers can be not only a document in writing but also any map, plan, graph or drawing, any photograph, etc.

34 Low, W. (2012). A Commentary on the Amendments to the Electronic Evidence Provisions in the Singapore Evidence Act. Singapore Law Gazette, No.191, 11-23.

35 The Evidence (Amendment) Bill 2012, No. 4 of 2012, published in the Government Gazette, Electronic Edition, on 16 April 2012, available at https://www.mlaw.gov.sg/content/dam/minlaw/corp/assets/documents/linkclick1513.pdf. Retrieved 17 March 2017.


Lastly, Low adds that the admission of electronic evidence should also be considered by reference to the technology involved36. Consequently, records generated automatically by software, or protected by encryption, are more likely to be considered accurate than data or records generated by human intervention through computer programs or devices. This obviously complicates the scenario, because most of the tracking instruments analysed in this article produce exactly human-generated evidence, often created by non-experts. Here, therefore, the democratic and inclusive potential of these bottom-up initiatives conflicts with the chances of admissibility before courts of the information they generate.
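Low’s point about technology-dependent admissibility, and the accuracy and authenticity presumptions of s 116A, raise a practical question for bottom-up mapping: how to show later that a shapefile set produced or downloaded by volunteers consists of the same bytes that were captured. The following is an added example, not the paper’s, Greenpeace’s or the Ministry of Law’s procedure, and not an “approved process” under s 116A(6): it hashes every component of a shapefile set together with capture metadata into a manifest at capture time, and later verifies the set against that manifest. File names, metadata values and file contents are constructed placeholders, not a real shapefile.

```python
"""Integrity manifest for a shapefile set used as map evidence.

Added example for illustration; it is not the paper's, Greenpeace's or the
Singapore Ministry of Law's procedure and is not an "approved process" under
s 116A(6). Component names follow the shapefile convention (.shp, .shx, .dbf,
.prj); all file contents and metadata below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile

COMPONENTS = (".shp", ".shx", ".dbf", ".prj")


def sha256_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large .shp files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(metadata, files):
    # Sorted keys and no whitespace: the digest must not depend on dict order.
    return json.dumps({"metadata": metadata, "files": files},
                      sort_keys=True, separators=(",", ":")).encode()


def build_manifest(directory, basename, metadata):
    """Hash every component of <basename> plus capture metadata into one manifest.

    metadata: dict such as source URL, retrieval time (UTC) and tool version.
    A missing component raises, so a partial download cannot yield a manifest.
    """
    files = {}
    for ext in COMPONENTS:
        path = os.path.join(directory, basename + ext)
        if not os.path.exists(path):
            raise FileNotFoundError(f"missing shapefile component: {path}")
        files[basename + ext] = sha256_file(path)
    manifest = {"metadata": metadata, "files": files}
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(metadata, files)).hexdigest()
    return manifest


def verify_manifest(directory, manifest):
    """Return a list of problems; an empty list means the set matches the manifest."""
    problems = []
    digest = hashlib.sha256(_canonical(manifest["metadata"], manifest["files"])).hexdigest()
    if digest != manifest.get("manifest_sha256"):
        problems.append("manifest digest mismatch (manifest edited)")
    for name, expected in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing")
        elif sha256_file(path) != expected:
            problems.append(f"{name}: content changed")
    return problems


def demo():
    """Build a constructed shapefile set, manifest it, then show that editing the
    manifest and editing the .dbf (the attribute table holding e.g. concession
    holder names) are both detected. Returns the three verification results."""
    with tempfile.TemporaryDirectory() as d:
        for ext in COMPONENTS:
            with open(os.path.join(d, "concessions" + ext), "wb") as f:
                f.write(b"placeholder bytes for " + ext.encode())  # constructed
        meta = {"source": "https://example.invalid/concessions.zip",  # constructed
                "retrieved_utc": "2017-03-15T10:00:00Z",
                "tool": "demo-capture/0.1"}
        manifest = build_manifest(d, "concessions", meta)
        clean = verify_manifest(d, manifest)

        edited = json.loads(json.dumps(manifest))
        edited["metadata"]["retrieved_utc"] = "2016-01-01T00:00:00Z"
        manifest_tampered = verify_manifest(d, edited)

        with open(os.path.join(d, "concessions.dbf"), "ab") as f:
            f.write(b"Entity Gamma")  # silently alter an attribute record
        file_tampered = verify_manifest(d, manifest)
    return clean, manifest_tampered, file_tampered


if __name__ == "__main__":
    print(demo())
```

The manifest proves integrity from the moment it was written, not who produced the data: for origin one would still need a signature over the manifest by the capturing organization and, ideally, an independent timestamp. Hashing also says nothing about whether digitized boundaries were traced accurately from the paper maps, which is the accuracy limb the text discusses.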

4.1.3. Case law on digital maps used as evidence of the haze

In this context, case law on enforcement against corporations and individuals responsible for illegal forest burning is scarce. Indeed, despite the availability of effective instruments such as the THPA and the commitment of civil society, few cases have been successfully brought against the entities responsible for the haze.

In Indonesia, a case37 was successfully concluded in August 2015 before Indonesia’s Supreme Court. The Court rejected an appeal by the palm oil company Kallista Alam, which had been fined USD 26 million for illegal deforestation and fires in the Tripa peat swamp region. This civil lawsuit was initiated by the Indonesian Environment Ministry. In addition, criminal charges were brought and succeeded, with two managers of the company sentenced to prison. The ruling set a historic precedent against the causation of the haze; however, it has not been followed by the expected stream of further successful cases38.

More recent cases in Indonesia seem less promising. For example, in February 2017 the Jakarta State Administrative Court (PTUN) ruled in favour of the Environment and Forestry Ministry, judging lawful the government’s decision not to disclose the forest cover maps requested by Greenpeace Indonesia. This ruling signifies a defeat for civil society’s attempts to participate in haze prevention and a halt in the process of fostering transparent and accountable governance of the haze39. Greenpeace Indonesia will likely appeal further, up to the Supreme Court.

36 Seng, D., & Chakravarthi, S. (2003). Computer Output as Evidence: Final Report. Technology Law Development Group, Singapore Academy of Law.

37 These rulings are in Indonesian and held in Indonesian indexed databases, which is why the author was unable to access and quote them. The information given here on these cases is drawn from other authors’ commentaries (e.g. Satriastanti) on the judgments.

38 Satriastanti, F.E. (2014). Sustainability: Aceh peatland ruling only first step in restoring corporate damage. Thomson Reuters. Retrieved 10 February 2017 from http://sustainability.thomsonreuters.com/2014/01/23/aceh-peatland-ruling-first-step-restoring-corporate-damage/.

Across the border in Singapore, in September 2015 the National Environment Agency (NEA) served the Indonesian multinational Asia Pulp & Paper Company Ltd (APP) a notice under section 10 THPA with regard to the fires registered in its concessions. The NEA is currently reviewing the information received from the company40. APP argued that its operations were not the cause of the fires, which should instead be attributed to existing occupants and to illegal logging. The emerging issue here is how to track unlawful land occupation so that it does not become an “excuse” for the companies41.

4.2. A recent development in the Haze Litigation

In March 2017, the District Court of Palangkaraya, the capital of the Indonesian province of Central Kalimantan, ruled in favour of the plaintiffs in a citizen lawsuit over the 2015 forest and peatland fires in Indonesia. The panel of judges held the President, four ministries (namely the Ministry of Environment and Forestry, the Ministry of Health, the Ministry of Agrarian Affairs and Spatial Planning and the Ministry of Agriculture), the Governor of Central Kalimantan and the provincial parliament liable for negligence in the management of the 2015 haze crisis. The ruling set an important precedent for the battle against the haze and for the defence of the human rights of the people affected by it. The lawsuit was initiated by Wahana Lingkungan Hidup Indonesia (Walhi)42 Central Kalimantan, the Indonesian member of Friends of the Earth International.

The plaintiffs’ claims were grounded in eight regulations and policies concerning the rights of the affected people to responsible land management, to the prevention of forest and peatland fires, to the development of hospitals able to cope with the health impacts of the haze, and to a public apology from the government for its mismanagement of the haze risk. All objections raised by the defendants were rejected, along with their request for an immediate decision.

39 Jong, H.N. (2017). Forest cover maps to remain confidential: Court. The Jakarta Post, 16 February 2017. Retrieved 19 March 2017 from http://www.thejakartapost.com/news/2017/02/16/forest-cover-maps-to-remain-confidential-court.html.

40 Information received from the Singaporean Ministry of the Environment and Water Resources in an email exchange dated 22 February 2017.

41 Lim, K. (2015). Asia Pulp & Paper says comprehensive solution involving all stakeholders needed to solve crisis. The New Paper. Retrieved 10 February 2017 from http://www.tnp.sg/news/singapore/asia-pulp-paper-says-comprehensive-solution-involving-all-stakeholders-needed-solve.

42 See http://www.foei.org/member-groups/asia-pacific/indonesia.

The lawsuit, launched in 2016, is particularly relevant for the debate on the use of digital evidence in court because it was initiated by civil society organizations, namely the Anti-Haze Movement of Central Kalimantan (GAAs), comprising Walhi Central Kalimantan, Save Our Borneo, JARI and Fire Watch Central Kalimantan, and is based in part on evidence mentioned in this paper (e.g. the health studies from Columbia and Harvard Universities and GFW Fires satellite information). In particular, part of the evidence presented at trial comes from the detailed study by Friends of the Earth Europe titled “Up in Smoke”43.

This report presents several interesting points for reflection. Those most relevant to my conclusions are:

• At p. 4 of the report, it is stated that allegations concerning the haze need not establish who exactly started the fires, because it suffices to recognize that accountability and legal liability rest ultimately with the concession owners. Consequently, a company’s claim that external actors are responsible for fires in its concessions lacks credibility if no proof of that claim is provided.

• A detailed field study of the actual conduct of five palm oil plantations in Central Kalimantan owned by the palm oil companies Wilmar International and Bumitama Agri Ltd, both based in Singapore. The report shows how the companies’ “No Deforestation, No Peat, No Exploitation” policy is contradicted by the two firms’ actual practices.

The judgement also represents an important step towards greater transparency in the management of concessions. The plaintiffs demanded stricter control over, and a review of, the licences of companies owning plantations where illegal burning occurred. Up to the ruling, the Central Kalimantan police had been negligent in investigating companies suspected of contributing to the haze crisis; such investigations were often halted for lack of evidence. The ruling brings new impetus to investigation practices, because it obliges the Minister of Environment and Forestry to announce to the public all companies whose land was burned and to review their licences accordingly. The organizations that initiated the claim will monitor the execution of the decision and are ready to push the Indonesian government to implement the ruling.

43 See http://webiva-downton.s3.amazonaws.com/877/87/4/6987/Up_in_Smoke_hr.pdf.


5. CONCLUSION

Throughout this paper I have described the impacts of the haze on the region, in particular on public health, and stressed the awareness of the international community of the urgency of the haze issue. I identify a potential solution in grassroots-driven initiatives aimed at complementing, and often substituting for, state intervention.

I identify two main weaknesses in these initiatives. First, they are undermined by governments’ and companies’ reluctance to cooperate with civil society by disclosing concession and fire hotspot maps. Secondly, their bottom-up nature often makes them inhomogeneous. A challenge would therefore be to collect all the bottom-up generated evidence and systematize it in a single participatory repository. The World Resources Institute, as explained above, has responded to this demand by creating an integrated mapping platform. Nevertheless, much remains to be done to coordinate, and make wise combined use of, all the tracking efforts performed in the past and currently ongoing in the region.

At the legal level, I have presented the progress made towards courts’ acceptance of digital map evidence, in particular against the haze perpetrators. I focus on the Singaporean scenario to underline how both section 116A of the Evidence Act, as amended in 2012, and the THPA 2014 open the way to relying on such evidence. However, I recognize the need to establish processes for certifying that grassroots-generated evidence is accurate, reliable and neutral. Despite the positive legal scenario, a parallel progression in regional case law on haze justice enforcement has not occurred. Indeed, excluding isolated cases such as Kallista Alam or the recently decided Walhi case, the majority of the cases brought against entities culpable of the haze have failed.

Lastly, I can affirm that the maps achieved a remarkable goal, regardless of their successful use in courts. They made it possible to visualize an ‘invisible’ risk such as the concentration of noxious particulate matter in the air, thus fostering a map-based ‘digital accountability’. The awareness generated for each citizen visualizing those maps can already be considered a success. People, making use of ICT tools, challenged the informational and operational monopoly of the political actors controlling the debate, and had the chance to add their voice to the State’s voice, which gives new roles to the citizens.

However, the empowering potential of this large scale data visualization has been undermined by the fragmentation in the allocation of the information, which works to the advantage of those companies conducting their businesses in the grey areas where neither the state’s nor civil society’s eyes arrive. Government’s incapacity (or unwillingness) to obtain the information, and people’s denied access to information, have created a free zone where illegal fires can be perpetrated. Integrated, real time, and on the ground mapping and tracking tools, controlled by the inhabitants but acknowledged and supported by the state, appear a recommendable solution to tackle the haze challenge.


6. RECOMMENDATIONS: THE MULTILATERAL AND GRASSROOTS APPROACH

The analysis of the haze case and of the mapping initiatives raised a series of considerations that could orient future bottom-up tracking ventures and people’s action relying on them. They can be listed as follows:

• There is the need to identify a wider case law of non-state and civil society organizations succeeding in bringing claims against entities culpable of environmental crimes on the basis of evidence from satellite maps.

• It is crucial to analyse and learn from the success factors of the case initiated by Walhi in the State Court of Palangkaraya (case presented at 4.2.).

• There is the need to investigate the conditions for both the admissibility of grassroots’ digital maps as court evidence and their credibility. It is necessary to gain an understanding of the process of legitimization of unofficial maps. It may indeed be argued that the digitizing process changes the map from its original source, or that the process of producing the map was not the official one authorized by the State.

• Non-institutional maps should be presented (1) as created from the beginning with the intention to make them a potential instrument for bringing evidence to court; (2) as developed through the involvement of legal experts; (3) most importantly, as neutral and non-edited, given that any work of human intervention on these maps may be considered an alteration of evidence.

• Bottom-up initiatives such as those presented should take advantage of the fact that they are built on several layers of satellite images, compared over time. The multi-layered, multi-source nature of the information can strengthen its probative value.

In this paper I intended to demonstrate that a society suffering from an urgent threat like the haze may find in the digital world a way to stand up for itself. I presented some recommendations aimed at strengthening the probative value of the maps. However, the civil society-initiated mapping tools need to be supported by a multi-stakeholder intervention, ranging from the engagement of the international community to a stronger commitment of local authorities.

23

TWITTER ACTIVISM IN THE FACE OF NATIONALIST MOBILIZATION: THE CASE OF THE 2016 CATALAN DIADA

Toni Rodon, London School of Economics

Francesc Martori, IQS - Universitat Ramon Llull

Jordi Cuadros, IQS - Universitat Ramon Llull

ABSTRACT: This article examines the use of Twitter surrounding the 2016 Catalan Diada (Catalan National Day). We aim at analyzing the characteristics of the users that employed certain hashtags. To what extent are there significant differences across users employing different hashtags in the face of a highly nationalist event? Drawing on theories of national identity, we also look at the content of the tweets sent during the Diada. We examine how users clustered around different hashtags used Twitter, what they transmitted, and the language they employed to write the tweet. We make use of a Twitter corpus collected around the Diada, which allows us to analyze the users, the content they sent, and the language in which they did it. Our findings show that users clustered around different hashtags and that language strongly shaped the content of the tweet. In addition, content analysis of the messages sent within each of the clusters shows distinguishable political views.

KEYWORDS: Twitter, Catalonia, nationalism, mobilization.

Paper selected to be published in issue number 26/2018 of the e-journal IDP - Internet, Law and Politics. Available at: http://idp.uoc.edu/.
