Legal & Government Affairs Update Nov16
Draft Report on the Digital Content Directive
The draft Report on the Digital Content Directive (the Directive), prepared by co-Rapporteurs from the Internal Market and Consumer Protection (IMCO) and Legal Affairs (JURI) Committees, largely endorses the approach adopted by the European Commission. The draft Report will be discussed at a joint meeting of the Committees on 29 November 2016. Any amendments to the Directive will then need to be made by 11 January 2017. In light of what the Directive says, I would suggest that all members of FAST read the draft Report and seriously consider tabling amendments to the Directive via IMCO or JURI. The draft Report confirms that the Directive will only apply to business-to-consumer contracts. You may wish to consider some of the following points in the draft Report.
(1) Relationship to the Consumer Rights Directive (CRD)
The draft Report argues for the extension of the Directive to cover digital services including file hosting, social media, instant messaging, cloud storage, video or audio sharing websites or platforms, rather than just applying to digital content defined in the CRD as data "supplied in digital form". What impact would this Directive then have on your business if it was adhered to after Brexit?
Not only will the Directive apply to digital content as defined above but, unlike the law in the UK, it will also apply to digital content embedded in goods, where the digital content operates as an integral part of the goods and cannot easily be de-installed. Given that software is now used in virtually all household appliances, consumer goods and vehicles, and is usually integral to the performance of those goods, this represents a major step, and one that members of FAST should consider in relation to their own business customers who may embed software into consumer goods.
(3) Data Protection and Counter Performance
The draft Report supports the notion of "counter-performance" which, simply put, says that the Directive shall apply where software is provided free of charge if the supply was in exchange for data other than personal data. The Directive will not apply where digital content is provided in exchange for personal data exclusively used by the supplier for the provision of the digital content or digital service in order to comply with statutory obligations.
(4) Modification of the digital content
The draft Report suggests that the supplier should not alter the main features of the digital content or digital service if those alterations adversely affect access to or use of the digital service by the consumer, although there are some exceptions to this. But in practice, will companies be able to comply with this?
ICO recommends Personal liability for Directors
It appears to have been a busy month for the Information Commissioner, Elizabeth Denham, who also attended a Parliamentary meeting on the recent Digital Economy Bill. The Information Commissioner recommended to the committee that directors should be held personally liable and accountable for data breaches by their companies.
This represents a change to current legal orthodoxy, whereby directors generally have no personal liability or accountability for breaches of data protection law committed by their companies. The ICO issued a total of £4 million in fines last year, but Elizabeth Denham suggested only a small percentage of this was actually recovered. One reason given was that many companies shut down following the fines, only to quickly re-open as a new legal entity under the same management team.
The largest fine for a breach of data protection law issued by the ICO to date is £400,000, which was imposed on TalkTalk. However, as outlined above, when the GDPR comes into force companies could be held liable for up to £20 million or 4% of global turnover for the most severe data breaches.
The Information Commissioner appears concerned as to whether the increased fines will truly have the intended deterrent effect. Most large companies rely on the goodwill and reputation of their brand and cannot simply start a new legal entity. It should also be noted that consumers are becoming more aware of data protection law: TalkTalk lost a reported 95,000 customers in three months following its data breach. This prospect of long-lasting commercial damage arising from a data breach is, in the longer term, more likely to drive compliant behaviour than the risk of any fines from the ICO.
The Information Commissioner also made the following recommendations in respect of the Digital Economy Bill:
- The bill should be reviewed against the GDPR to ensure there is consistency;
- The ICO's Data Sharing Code of Practice and Direct Marketing Code of Practice should be given a statutory footing, as opposed to being just guidance in their current form;
- The sharing of data, whilst beneficial for public interest reasons, should always be proportionate and undertaken in accordance with the Data Protection Act 1998.
Case Law Updates
Groups challenge Privacy Shield
A digital rights lobbying group in Ireland and two French internet rights associations have all separately challenged the adequacy of the EU-US Privacy Shield. The main accusation appears to be that the Privacy Shield does not contain adequate privacy protections. It is unlikely that these matters will be heard until sometime in 2017.
The Privacy Shield was implemented in July 2016 as a replacement for the previous Safe Harbour method. It remains to be seen what method will be adopted by the UK post-Brexit, but the European Commission is unlikely to accept any method of protection which is not as strong as that afforded by the EU.