Legal & Government Affairs Update July 2021
General Counsel at FAST
Covered in this update
In this newsletter we explore some of the most prevalent stories in recent months, including the European Commissions’ new Standard Contractual Clauses, and the CJEU’s joint judgement in C-682/18 YouTube & C-683/18 Cyando. The remaining articles focus on the European Commissions’ guidance on the Digital Copyright Directive as well as the settlement of the largest personal data group action claim in UK legal history. As ever, dear reader, if there is anything you would like me to focus on in the coming months please let me know. Otherwise I hope you have a well deserved rest over the summer and look forward to updating you in the Autumn.
The new Standard Contractual Clauses for Controllers and Processors in the EU/EEA
The 1998 European Data Protection Directive (DPD), and later the General Data Protection Regulation (GDPR), allow Standard Contractual Clauses (SCCs) which contain adequate data protection safeguards to be used as grounds for international data transfers from the EU to other third countries. The (DPD) originally laid out three sets of SCCs which were approved for this purpose, however, since the DPD has been repealed and replaced with the GDPR, these SCCs have now been deemed obsolete and require updating.
After publishing a ‘Consultation Draft’ of new SCCs in November 2020, the European Commission published its long awaited ‘Implementing Decision’ on adopting modernised SCCs in the Official Journal of the EU on June 4 2021. Following a 20 days period of publication within the journal, the SCCs became effective on 27 June 2021.
The previous SCCs will remain valid until they are repealed on 27 September 2021, after which they will not be able to be relied upon in new commercial agreements. Previous arrangements based on the existing SCCs will benefit from an 18 month grace period to transition onto the new EU SCCs, lasting until 27 December 2022.
Why have new SCCs been implemented?
- The old SCCs were inflexible in nature
The three sets of SCCs originally laid out within the DPD have an inherent lack of flexibility, given that different SCCs ‘sets’ had to be implemented within a single contract for each different processing relationship the data importer and exporter would have. For example, two sets of SCCs would be required if the contracting parties were to have both C to C, and a C to P relationships.
A ‘Modular’ approach has been incorporated into the new SCCs to provide coverage for an array of different data transfers. They contain four different Modules which will apply for different processing scenarios:
Controller to controller (C to C)
Controller to processor (C to P)
Processor to processor (P to P)
Processor to controller (P to C)
These Modules reflect the various methods of international data transfers that are commonly undertaken by contracting parties and bake in the additional obligations that have been imposed on parties by GDPR. They have been built to operate on a multi-party basis, so a single set of SCCs can cover transfer of personal data between multiple parties and across different data roles (such as C to C and C to P).
The new SCCs have also introduced a new optional docking clause, which enables third parties to join the commercial agreement between the importer and exporter at any time. This creates an additional degree of flexibility for parties, as, for example, a new intra-group subsidiary could join the data transfer arrangement of its parent company.
- The old SCCs were outdated
The old SCCs were outdated and did not reflect the modern data security requirements that have come to fruition due to the GDPR. The new provisions within the SCCs have been drafted with this in mind in an attempt to rectify this. For example, the contractual obligations on data processors laid out in Article 28 of the GDPR have been incorporated, as well as the obligation to notify data subjects of a personal data breach laid out in Article 34 GDPR. There is also an added obligation to implement technical and organisational safeguards as per Article 32 GDPR.
- The impact of the Schrems II Judgement
In Schrems II, Max Schrems, a privacy activist, complained to the Irish Data Protection Commissioner regarding Facebook’s reliance on SCCs for data transfers to the US. Facebook were able to do this as EU data exporters, when transferring data to the US, were able to rely on the EU-US privacy shield arrangement. However, as a result of this challenge, the CJEU held that the privacy shield was invalid as, even with privacy shield, US laws continued to grant data access rights to US public authorities (without an assessment of sufficient safeguards). This judgement lead to further scrutiny on the safeguarding capabilities of international data transfer mechanisms, third country laws and the need for improvement.
As a result Schrems II has heavily influenced the forging of the new SCCs. For example, the SCCs now have further actions imposed on data importers in relation to requests received from governments on accessing personal data, and have introduced requirements to carry out a data transfer impact assessment on the circumstances of the transfer and the third country’s laws, to determine whether additional safeguards will be required.
What steps must I take?
If you are a data importer or a data exporter then these new SCCs will be directly applicable to you. If this is the case, we recommend ensuring you have taken these key steps:
- Familiarise yourself with the new SCCs and undertake a risk assessment for your business. You may need to assess your ongoing data transfers and consider if they are adequate, relevant and necessary.
- Track all of your relevant data transfers and ensure you are fully aware of where and how much processing is taking place. This will ensure no unexpected problems arise.
- Ensure you are aware of the roles of all parties within your current data transfer arrangements. This is especially important if you are transitioning from the old SCCs, as you will need to incorporate the correct Module depending on the arrangement.
- Keep updated on the regulatory developments and familiarise yourself with the timetable for implementation. The European Commission has given an 18 month grace period from the 27 June 2021 to ensure all contracts are replaced with the new SCCs. Whilst a seemingly generous time period, it will be a large scale project for most companies which be require lots of preparation and consideration.
Read more here
European Commission guidance on implementation of Article 17 of Digital Copyright Directive
The European Commission has released guidance for Member States on how best to implement Article 17 of Digital Copyright Directive. Having been published on 17 May 2019, the Directive was transposed into national law on 7 June 2021.
What is Article 17?
This Directive aims to give copyright holders in protected works a higher level of control over their work and where it is shared online. This has been done by shifting the legal burden from the rightsholders, to the online platform, requiring them to use their ‘best efforts’ to take down infringing material from their online platform. Furthermore, the Directive also requires online platforms to use their ‘best efforts’ to receive prior authorisation from rightsholders, before they upload protected works onto their site. These obligations are welcomed by rightsholders for many reasons, including the fact it creates additional cause of action for them against both the individual uploading the infringing material, and now also the online platform if they fail to achieve these newfound obligations.
This Directive was deemed controversial by the Member States due to these stringent rules. Google criticised this Directive by claiming it would ‘harm Europe’s creative and digital industries’ and ‘change the web as we know it’. The UK has also decided not to implement this new Directive, although they do support the overall aims and are planning on introducing their own legislation in due course.
Off the back of various consultations with key stakeholders of Member States, the European Commission has now published guidance on this Directive which aims to give practical advice on how best to implement the new provisions. Key aspects include:
- Ongoing ‘communications to the public’ available on online platforms are not affected by Article 17. This reduces the initial burden on online platforms considerably.
- Rightsholders must be given the option of refusing authorisation.
- Member States can use individual and voluntary collective licensing solutions in circumstances where each individual copyright holder in a protected works is difficult to identify and sourcing their individual consent would be disproportionately burdensome.
- Authorisation given by rightsholders to individual users to upload protected works is also sufficient authorisation for the relevant online platform. Authorisation between the two should not be separate and distinct.
- The ‘best efforts’ obligations on the online platform laid out above are to be judged by using the principle of proportionality. This means that factors such as the size of the online platforms user base, frequency of protected content appearing online and the cost and availability of the solutions used to takedown the content, should all be taken into consideration.
- Uploading of protected works should be automatically blocked and taken down by online providers, alongside appropriate takedown procedures in cases where complaints are made about uploaded content.
- The exceptions of parody and criticism within the Copyright Directive are to continue in existence.
Read more here
Case Law Updates
CJEU Clarifications during the joint Judgment in C-682/18 YouTube and C-683/18 Cyando
In C-682/18 YouTube, Frank Peterson, a musical producer, brought a claim against Youtube due to users uploading various musical recordings (that Peterson held the rights to) onto their website, without his permission. In a materially similar case, C-683/18 Cyando, Elsevier, a publisher, brought a claim against Uploaded in respect of various works that were uploaded onto their platform, that Elsevier had exclusive rights in. The key question was whether these online platforms make a ‘communication to the public’ of copyright-protected content, when users post content onto their platforms. If they are deemed to be doing so, they are liable for breach of copyright under Directive 2001/29, Directive 2000/31 and Directive 2004/48.
The outcome of these joint-cases has been hotly anticipated, as it could change the current EU law position that online platforms do not make a ‘communication to the public’ of copyrighted material, when it is illegally posted online by users of those platforms, unless those online platforms contribute, beyond merely making those platforms available, to giving such access to content to the public in breach of copyright.
Whilst making their decision on these cases, the German Federal Court of Justice referred questions to the CJEU to clarify the liability of operators of online platforms in these circumstances.
- What is deemed a ‘communication to the public’ within the meaning of Directive 2001/29.
The CJEU laid out two main criteria required in order to be considered a ‘communication to the public’, Firstly, there had to be an ‘indispensable role played by the platform operator’ and secondly, a ‘deliberate nature” to its intervention’. Given the role that Youtube and Elsevier play in the uploading of copyrighted content, the first criteria will nearly always be satisfied. The CJEU clarified that the second criteria would depend on whether the online platform intervenes ‘in full knowledge of the consequences of its action, to give customers access to a protected work’. In other words, the CJEU maintained the status quo here and held that an online platform would not be making a ‘communication to the public’ unless they contribute beyond merely making that content available.
- The question surrounding the Article 14 exemption.
The next question for the CJEU was whether Youtube or similar online platforms could benefit from the exemption from liability laid out in Article 14 of the E-Commerce Directive. The key consideration in relation to this was whether the operator’s role in the upload was ‘neutral’ or ‘active’ i.e. whether or not the operator had knowledge or control over the content the content uploaded to its platform. The CJEU found that online platforms could benefit from this exemption provided their role was ‘neutral’ and they could therefore show that they did not have knowledge or control over what content was uploaded to their platform.
This was a welcomed judgement for Youtube, Elsevier and all other operators of online platforms, who will not be deemed liable as long as their role remains ‘neutral’ instead of an ‘active’ in relation to content uploaded to their platform. In these circumstances, they are able to rely on the ‘safe harbour’ provisions of Article 14 of the E-Commerce directive. This position was the status quo in EU law and the CJEU decided it would not change its interpretation at this time.
Read more here
British Airways settles biggest ever data group claim
The largest personal data group action claim ever brought in UK legal history has been settled. More than 16,000 people joined the group action brought against British Airways, following a colossal breach of their internal systems in 2018, leading to over 420,000 customers having their names, addresses, email addressed and credit card details leaked.
Group litigation firm PGMBM has confirmed that all ‘qualifying claimants’ involved in the group action claim would receive a confidential settlement figure. Their Chairman stated: “This represents an extremely positive and timely solution for those affected by the data incident. The Information Commissioner’s Office laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.’ said that the ICO fine was not nearly adequate”.
Read more here.
European Commission seeks views on data sharing for new Data Act
The European Commission is planning to publish a new Data Act in late 2021, which is seeking to encourage the sharing of data and realise the full potential of the EU’s data economy. It has the intention of addressing multiple issues within the business-to-business data economy, such as the lack of trust between businesses and their contractual terms, the fear of third parties and the lack clarity around the roles within data sharing.
Margrethe Vestager, Executive Vice-President for a Europe fit for the Digital Age, said:
“The Data Act is a new major step in building a fair and human-centred approach to digitalisation. It will clarify the rights and obligations of parties in data transactions and ensure fairness in the allocation of data value among the actors of the data economy.”
In an attempt to aid the development of the Data Act, the European Commission has launched a public consultation, requesting public authorities, academics, research institutions, businesses, consumers, NGO’s (et al.) to provide important feedback into what they believe would create a fair data economy.
The consultation aims to gather information on:
- Business-to-government data sharing for the public interest.
- Business-to-business data sharing.
- Tools for data sharing: Smart Contracts.
- Clarifying rights on non-personal Internet of Things data stemming from professional use.
- Improving portability for business users of cloud services.
- Complementing the portability right under Article 20 GDPR.
- Intellectual Property Rights – Protection of Databases.
- Safeguards for non-personal data in international context.
If you would like to respond to the questionnaire yourself, please follow this link. The deadline is 3 September 2021.
(Re)structuring Copyright, A Comprehensive Path to International Copyright Reform
Technology is developing at such a fast pace, it is seemingly impossible for humans and legal systems to keep up. Daniel J. Gervais explores this notion with regards to our copyright laws, and has authored a brave and thoughtful analysis identifying the issues and how they can be resolved moving forward.
Daniel J. Gervais’ diagnosis is divided into two distinct sections. Part I explores the intricacies of our copyright system and explores the inadequacies and inherent deficiencies within the status quo, allowing the reader to understand why it is arguably flawed, outdated and out of touch. Part II then offers a solution to the issues identified within Part I, with ambitious and interesting concepts such as the ‘Quadrants of Authorship’ discussed in great detail.
This book provides a finely balanced argument and a clear voice of reason within a field that is diluted with a plethora of opinions. A must read for all current and aspiring copyright scholars.