
21.06.2021 Bart Van den Brande

New SCC's are available: adjust your data export agreements

Since last summer’s Schrems II judgment, about which we have repeatedly reported on our blog, exporting personal data outside the EU has become quite cumbersome. In particular, the disappearance of the “Privacy Shield” between the EU and the US is causing a lot of complications and forces European companies to conclude Data Export Agreements on a large scale with non-European (usually American) partners containing so-called “Standard Contract Clauses”.  These SCC’s are model documents that are made available by the European Commission to be copy/pasted into Data Export Agreements and thus guarantee safe export at a contractual level.  

However, one of the major problems until now when concluding Data Export Agreements was that the European Commission’s SCC’s or Standard Contract Clauses were outdated. They dated from before the entry into force of the GDPR and were not adapted to that GDPR, nor to the current technological and economic reality.  

Those old SCC’s have now finally been replaced by new, fully up-to-date versions since June 6, 2021, and European entrepreneurs can now get started to conclude legally conclusive and secure Data Export Agreements with their partners outside the EU. We provide a summary below of what you need to know about these new SCC’s. On our download page you will also find a downloadable copy of the new SCC’s, along with our Vendor Assessment Form that you can use to determine whether or not your foreign partners receive personal data from you and whether they handle it correctly and in accordance with GDPR. This way you can work quickly, clearly and with a minimum of effort on GDPR compliance within your company.

 

 

Data Export?

Data export is any exchange of data with a partner outside the EU. It could be a hosting provider from whom you rent server space, an offshore call center or customer service, a developer or online marketing agency outside of Europe, a cloud storage service, an email service provider or just about any online service or tool you can imagine. 

GDPR only allows data export to countries outside the EU if the recipient outside the EU can guarantee an appropriate level of protection.  

A handful of countries are automatically considered to offer an appropriate level of protection, but for most other countries data export since the end of the EU-US Privacy Shield requires a Data Export Agreement, in which written data protection guarantees are made.

 

“Appropriate additional guarantees”

Since the Schrems II judgment, we know that simply signing (the old version of) the SCC’s is not sufficient in itself to ensure safe data export. As a European entrepreneur, you have the obligation to carry out a documented assessment of the risks involved for every data export and to request, if necessary, “appropriate additional guarantees” from the recipient. We have already listed these several times for you, in this article about Mailchimp and in this webinar on our Youtube page.

 

New SCC’s are “Schrems proof”

The new standard contractual clauses are not only fully adapted to the text and content of the GDPR, they have also been made “Schrems proof”. That is to say, they contain many clauses that meet the requirements of the European Court of Justice, as set out in the Schrems II judgment, to make a prior risk assessment and to demand additional guarantees where necessary.

Please note that this does not mean that a separate risk assessment and additional separate guarantees are no longer necessary. As an entrepreneur, you still have to carry out the necessary preliminary investigations before exporting personal data outside the EU, but the new SCC’s at least already provide for this obligation in terms of content, which was not the case with the old ones.

 

“Modular” approach

In the past, a number of “versions” of the SCC’s coexisted. Depending on the situation, you could choose one of those versions and incorporate it into an agreement, for example for data export between a European controller and a non-European processor.

That system is now replaced by one global set of SCC’s, which you can adapt to your personal situation by copying/pasting or omitting individual clauses (modules). According to the European Commission, this should lead to more ease of use, but personally, we fear that it threatens to do exactly the opposite and seriously impede the use of these model documents by non-lawyers. 

That one global version of the SCC’s now also provides for two previously missing situations for the first time: the transfer by a processor in the EU to a controller outside the EU and the transfer from a processor in the EU to another processor outside the EU. 

 

Replace your existing SCC’s in time, with our help at Sirius Legal!

The existing SCC’s are still valid for three months for new data exports. A grace period of 15 months applies for existing data exports, but after that all existing Standard Contract Clauses must also be replaced by the new versions.

Since the content of the new SCC’s has changed considerably (there are, for instance, a lot of new additional guarantees and obligations), this means that as a company you will have to renegotiate a lot of those existing model contracts, or that you will at least have to carefully review the new versions before signing.

Sirius Legal helps you with that. You can visit our website for our “Data Export Compliance” service, with which we help your company through the maze of old and new SCC’s and “additional appropriate measures”.

In any case, make sure you have a good overview of all your data exports in a spreadsheet, check with whom you do or do not have a current Data Export Agreement, and ensure that you invite your partners in time either to adjust an agreement that was concluded in the past or to conclude a new Data Export Agreement if none existed before.

Do not forget to carry out an individual impact assessment and to properly document this. If one day there is a cyber attack or hacking at one of your suppliers and it turns out that you did not follow the rules before entrusting your data to him or her, you quickly risk being liable for the consequences of such a data breach… 

Be aware that data export is a point of attention for many governments, including our Belgian Data Protection Authority. The German authorities, for example, announced this week that they will carry out extensive checks on data exports by German companies. Those checks will primarily focus on the use of email service providers, hosting companies, tracking via cookies, application management and the exchange of customer data within groups of companies, for example based on Customer Data Platforms.

 

Questions about data export or GDPR in general?

We are happy to make time for you. Feel free to call or email Bart Van den Brande at bart@siriuslegal.be or +32 492 249 516 or book a free online introductory meeting with Bart via Google Meet or Zoom.


06.05.2021 Bart Van den Brande

EU takes the lead in regulating AI

Alexa, Siri and the Google Assistant, self-driving cars, speech tech and facial recognition, image or text analysis software, … Artificial Intelligence has been booming in recent years and each and every one of our lives is, consciously or unconsciously, affected by AI on a daily basis, from the advertisement we see, to the control of the traffic lights where we are waiting while we swipe away that advertisement on our smartphone. 

Artificial intelligence is therefore rightly regarded by the EU as one of the essential building blocks for the digital society of the future and given the speed with which computing power is evolving, that future does not start tomorrow or today, but it did so yesterday already.

However, this lightning-fast evolution has also raised awareness in recent years that there is an urgent need for a regulatory framework. At best, AI makes our lives more pleasant, but that same technology in the wrong hands could have potentially dire consequences, for example for your and my privacy.  

Precisely for this reason, behind the scenes within the EU, a regulatory framework has been underway for 2 years to ensure the safe and ethically responsible use of AI within the EU. The first draft of the “AI Regulation” that should result from this, was made public on April 21, after being unintentionally leaked a few days earlier, as usual.

Let’s have a look at that draft together, shall we…?

 

First attempt in the world to regulate AI

The proposal for a regulation that the European Commission made public on April 21, 2021 is no less than the very first regulatory framework for AI in the world. The rules are part of the European Commission’s strategy to make the EU a global hub for new technology and digitization. To achieve this goal, the EU wants to provide legal safeguards for the privacy and fundamental rights of European citizens, while strengthening support for AI, investment and innovation across the EU. 

(Cynics are already wondering whether the design that is before us today, because it is so strict, is not likely to have the exact opposite effect, but more on that later).  

 

Risk-based approach that is reminiscent of GDPR

A first reading of the new rules immediately reminds one of the GDPR, which has over recent years shaped the way we look at data protection in the EU and far beyond its borders. In a similar way, the EU now wants to regulate the way in which companies throughout the EU, or even from outside the EU, can use data (whether or not personal data) within AI algorithms.

One of those striking points of contact with the approach under GDPR is the so-called “risk-based approach”: AI development will require a risk analysis and AI systems that pose a clear threat to the safety and rights of European citizens will be banned. These are AI applications that manipulate human behavior in order to circumvent the free will of users. The European Commission itself gives as an example “smart” toys with speech technology that can encourage children to engage in dangerous behavior. The Commission makes a distinction between such “high risk” AI, “limited risk” AI and “minimal risk” AI. 

High risk AI systems are those used for public infrastructure (e.g. traffic), in medical environments, in the context of vocational training or access to education (e.g. grading exams), employment, personnel policy (e.g. screening during job applications), essential services such as banking and credit services (creditworthiness checks), use by police services, customs services, courts and other authorities (including, for example, all possible biometric systems of facial recognition, voice recognition, fingerprint recognition, etc.).

These applications will be subject to strict obligations before they can be placed on the market:

  • Strict risk assessment and risk mitigation obligations
  • High quality of the datasets that feed the system, in order to exclude risks and discriminatory results as much as possible
  • Registration(!)
  • Detailed documentation and transparency towards governments about the operation of the algorithms
  • Transparent information for users
  • Obligation to ensure appropriate human supervision of the operation
  • (Cyber) security, robustness and accuracy

All systems for remote biometric identification in particular are considered high risk and must meet strict requirements. In public places, the direct use of those systems for law enforcement purposes is in principle prohibited. Limited exceptions are strictly defined and regulated (e.g. to find a missing child, avert a specific and imminent terrorist threat, or track, identify or prosecute a perpetrator or suspect of a serious criminal offense). Prior authorization must be given by a judicial or other independent authority, which is only valid for a limited period and environment and for specific databases.

By AI applications with limited risk, the Regulation means amongst others chatbot applications. In particular, the requirement will be that the user is informed transparently and correctly about the use of AI, so that he or she can decide for themselves whether or not to engage with a software application.

The latter category is by far the largest. These are thousands of AI applications for daily use, which involve only “minimal risk”. Examples are: “smart” spam filters, self-learning video games, predictive marketing tools, smart kitchen appliances, … The draft regulation leaves those systems untouched, as the risk to the rights or safety of citizens is minimal or nonexistent (which does not mean that other rules, such as the GDPR, might not apply to these applications, of course!).

Some AI applications will by nature be prohibited. This is the case, for example, for the use of real-time automated facial recognition systems by government agencies in publicly accessible places, or for AI applications that “use subliminal techniques that go beyond a person’s consciousness”, or that attempt to exploit the vulnerabilities of people due to age or physical or mental disability, in both cases to disrupt their behavior in a way that could cause physical harm or psychological damage.

 

Overreaching limitations?

Incidentally, there is also a lot of criticism, rightly or wrongly, of the draft regulation. Early opponents point out that the European Union is in danger of shooting itself in the foot. After all, it is the first political bloc in the world to impose a legislative framework around AI that also entails far-reaching restrictions and it immediately imposes the same rules – just as with GDPR – on non-European companies that want to offer their software in the EU. In particular, the prohibition to use AI for credit scoring, for example, or even the far-reaching restrictions in the use of biometric data, critics say, threaten to impose serious restrictions on competition on European players and thus threaten to move innovation from the EU to other parts of the world.

It seems, however, that the EC has given more than sufficient thought to the innovation aspect. This is witnessed by the fact that the draft contains measures to support innovation. For example, there is a sandboxing scheme in the field of AI, there are measures to exempt SMEs and start-ups from too much regulatory pressure, and there is the creation of digital hubs and facilities for testing and experiments.

 

Fines and penalties

The draft provides, moreover, a strong sanction mechanism, and the proposed fines again are reminiscent of what we already know under GDPR, with administrative fines of up to 20 million euros or 4% of the total global annual revenue. As under the GDPR, the national supervisory authorities are empowered to enforce the rules, and a “European Artificial Intelligence Board” (EAIB) is being established, analogous to the EDPB under GDPR, for uniform application throughout the EU.

 

Additional “Machine Regulation” to follow soon

In addition to the future AI regulation, the EU is also working on a “Machine Regulation”, which should replace the current Machine Directive in due course. While the new AI regulation will address the safety risks of AI systems, the Machine Regulation aims to guarantee the safe integration of AI ​​systems in the machine as a whole. The current Machine Directive, which will be replaced by the new Machinery Regulation, already sets health and safety requirements for machines today. These rules will therefore be updated in the foreseeable future. This concerns the safety of a wide range of products for consumers and professionals, from robots to lawn mowers, 3D printers, construction machines and industrial production lines. 

 

Next steps?

Today only a draft from the European Commission has been submitted. That draft must now be discussed and amended by both the European Council (the heads of government) and the European Parliament before a final proposal can be expected. The analogy with GDPR teaches us again that this is an exercise that requires 24 months at best. The final version will therefore take a while, but it is clear that the EU is serious about regulating AI. We at Sirius Legal will be following every evolution and will certainly report on this in time on our office blog.

 

Questions about AI or the legal aspects of new technology in general?

We are happy to make time for you. Feel free to call or email Bart Van den Brande at bart@siriuslegal.be or +32 492 249 516 or book a no-obligation online introductory meeting with Bart via Google Meet or Zoom.

08.04.2021 Bart Van den Brande

How The Bavarian Mailchimp decision makes the impact of the Schrems II judgment on data export painfully clear

A recent decision by the Bavarian data protection authority raises serious doubts about whether the popular email marketing platform MailChimp can be used legally under the GDPR.  

By extension, the same problem arises for almost all US software applications that process personal data of EU citizens. After all, data export to the US has been a serious legal issue ever since the European Court of Justice annulled the Privacy Shield last summer and at the same time pointed out that the use of Standard Contract Clauses as an alternative is rather difficult because it requires a case-by-case examination of the need to implement additional security measures to ensure data privacy.  

It is precisely that issue of additional measures that is now highlighted by the Bavarian Mailchimp decision.

 

Data export?

The Schrems II ruling of the European Court of Justice last summer has had an increasing impact in Europe over the past few months. Many companies have hesitated about how to react to the ECJ’s decision to overturn the EU-US Privacy Shield. After all, almost all software tools that European companies use today are American, and since most of them are now cloud services or online tools, there is by definition data export to the US…

The problem only got worse by the fact that in the same effort, the ECJ also added that in the event of any data export outside the EU (also to destinations other than the US), the exporting company must also immediately take into account the fact that the Standard Contract Clauses that the European Commission itself provides to guarantee secure data export between companies and organizations within and outside the EU are not sufficient.

The Schrems II judgment requires that transfers of personal data to cloud service providers in the United States be assessed on a case-by-case basis and if there is a risk to the integrity of the data in question, additional security safeguards must be provided. These additional safeguards are almost automatically imposed on exports to the US, given the very far-reaching investigative powers of the US intelligence agencies, for example under section 702 (50 USC § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).

 

Using Mailchimp not OK?

It sounds almost absurd, but the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht) earlier this month banned a European online magazine from using Mailchimp any longer to send its newsletters.

The reason? Well, by using Mailchimp to send newsletters, companies are sending personal data (e.g. email addresses and recipient names) to Mailchimp’s servers in the United States and that is potentially not OK.

The Bavarian Data Protection Authority justified its decision by noting that the company had not previously investigated whether additional safeguards were needed for the transfer of personal data to Mailchimp, in particular because Mailchimp may be subject to the Cloud Services Act. 

Note in this context the important nuance that the Bavarian Data Protection Authority did not rule that MailChimp is per se illegal. Instead, it ruled that in this particular case, the company’s use of MailChimp was illegal because the company had not previously assessed whether adequate additional measures had been taken to ensure that its personal data was protected from access by U.S. regulatory agencies. 

 

Additional guarantees?

Following the already mentioned Schrems II judgment, European companies should indeed have started a broad data export audit or “vendor assessment” within their company in order to determine if:

  • there is data exchange outside the EU / EEA
  • there is an appropriate legal basis in accordance with Chapter V GDPR (standard contract clauses, binding corporate rules or one of the other less common and obvious legal grounds)
  • the data concerned is in any way particularly sensitive and whether the data export as such can be justified
  • additional safeguards may or may not be required on the receiving end of the data flow
  • more generally, whether the receiving party can guarantee all-round GDPR compliance

This exercise should obviously, based on the accountability principle under GDPR, be documented in detail, and that is precisely why we at Sirius Legal have been offering a free Data Export Impact Assessment form on our website since last September. That form has now been downloaded hundreds of times by companies all over Europe, by the way.

Incidentally, the EDPB already listed a number of additional measures to be taken some time ago, in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of 10 November 2020. In this document, various data export scenarios are proposed and for each an indication is given, case by case, of how to ensure a secure exchange of personal data or which method is certainly not sufficiently secure.

The recurring message in that document is the need to encrypt personal data before exporting it and to make use of proprietary (preferably European) encryption techniques prior to export and separate from the platforms’ own encryption technology.  

The use of Mailchimp also falls within this context. After all, personal data is exported to the US, where Mailchimp is considered a telecom provider under FISA legislation, which means that it potentially has to provide access to its customer data to the US government. Therefore encryption is necessary. Only… the use of Mailchimp does not technically allow such encryption, and as a consequence it is hard to imagine how a European company can use Mailchimp in a legally compliant manner…

 

Mailchimp as a wake-up call?

Until now, it seemed that the European data protection authorities had turned a blind eye for the time being and had given some kind of unofficial grace period for European companies and organizations to adapt to the changed legal situation after the Schrems II judgment. This certainly also had to do with the fact that the aforementioned Standard Contract Clauses are being reviewed and updated by the European Commission at this very moment.

However, the actions of the Bavarian Data Protection Authority show that things are now getting serious and that companies will eventually have to ensure a secure exchange of personal data with their non-European partners. In a press release accompanying the Mailchimp decision, the Bavarian authority noted that in its view this case is an example of how the Schrems II judgment will be enforced in practice in the future.

 

Is your software “data export compliant”?

The painfully problematic conclusion is that no American software application currently works completely “GDPR compliant”…

We ourselves at Sirius Legal have conducted a benchmark test in recent months on 10 of the most well-known marketing tools, including Mailchimp, Sharpspring, Hubspot, Active Campaign, Salesforce and a few others. The conclusion is that most of these – all American – providers have adapted in recent months in the sense that they no longer invoke the Privacy Shield as a legal basis, but now refer to Standard Contract Clauses, but that they also all still show several essential shortcomings in the area of data export compliance:

  • in some cases, the Standard Contract Clauses are unavailable or in any event nowhere to be found on the website
  • most vendors provide either no or only very general and vague “additional safeguards”
  • most, if not all, providers rely on sub-processors, of which neither the identity nor the location is sufficiently clear, and for which there is little or no guarantee of GDPR and data-export compliance on the part of the sub-processor concerned.

The same applies by extension to other non-European cloud services or online applications. Almost by definition, they are not (completely) GDPR compliant, and any use thereof requires a prior audit and possibly the provision of additional technical or organizational guarantees.

 

Can European companies no longer use American or other non-European services at all?  

Fortunately, things are not as problematic as they might seem at first sight. Jumping to the conclusion that all non-EU software should be banned would be absurd in the globalized society and economy we know today.

In the Mailchimp case, the problem was evidently clear, as the company in question apparently had not made any prior risk assessment at all to document whether additional safeguards were needed. That in itself was enough to provoke this decision.  

Future matters will probably lead to a less obvious sanction, at least if the EU companies concerned have made a well-balanced and documented prior risk analysis or even implemented additional safeguards. Which measures will be “sufficient” in which context will only become clear when there is sufficient case law available, but it is evident that the “sensitivity” of the data and the risk of access requests from abroad play a role. In that context, a mailing list for a legal weekly appears much less problematic than the membership list of a political party and in the former case a well-founded preliminary estimate may (?) be sufficient … 

However, this decision should without a doubt be seen as a warning to all companies and organizations in Europe on the importance of due diligence when transferring personal data outside the EU. As a company, it is best to get started as soon as possible with a strict and thorough internal audit exercise on the basis of which you can demonstrate that you have assessed whether or not your data can come into the hands of third parties and especially foreign governments if you use non-European applications.

If necessary, feel free to use our free Data Export Impact Assessment form to collect the necessary information from your non-European partners. 

Also bear in mind that if a supplier cannot or will not provide the information you need to assess the potential risks, you will have to consider whether you can continue working together, and that in the worst case you will indeed have to look for an alternative (preferably European) partner.

 

Would you like to know more about the practical impact of Schrems II?

Those who want to know more can contact bart@siriuslegal.be or book an online meeting directly via Google Meet.

Or better yet, register for the Schrems II webinar of our international contact network Consulegis, “The Practical Impact of Schrems II on International Data Flows”, on April 14th. Speakers from the EU (including Bart Van den Brande for Sirius Legal), the UK, the US and India will discuss all legal and practical sensitivities of international data flows and make time for all your questions and concerns.

22.03.2021 Bart Van den Brande

Why Clubhouse is yet another example of companies that do not take your and my privacy seriously

Every so often yet another new social media platform pops up that, according to insiders and early adopters, is going to change the internet.

The success of the Snapchats and TikToks of this world has two things in common: on the one hand, their success often fades just as quickly as the hype started, and on the other hand (and this is something the privacy advocate in me finds continuously disturbing) the companies behind those apps never seem to pay any real attention to your and my privacy. In some cases the main reason seems to be a rather disturbing lack of knowledge and understanding of (European or other) data protection law, but just as often the impression remains that the entire business model of social media companies is built on unbridled data collection with the aim of building user profiles and selling those as ad profiles to advertisers around the globe.

 

School book marketing strategies

The latest rising star in the social media firmament is Clubhouse, a live audio chat app that you can only access and use after an invitation from one of your friends.

In other words, it seems that the authors behind Clubhouse have used a few marketing classics to make their new product a success: creating artificial scarcity by limiting access to your product and counting on the ego of the fortunate few to fuel the hype and to have the masses eagerly await the moment when they too will be included in the inner circle. This technique has proven its success on school playgrounds around the world many years ago, as children fiercely searched for that one rare Pikachu card and even today we all fall for the same strategies…

 

A word about privacy and GDPR …

But Clubhouse appears to carry the same flaws as so many other success stories in the app store of your choice. The marketing strategy is well thought through, but no one seems to have really thought about respect for your and my privacy along the way.

It is not surprising that Clubhouse is now subject of investigations by various European privacy authorities. Both the French CNIL and the state DPA in Hamburg, the HmbBfDI, are currently investigating the way in which Alpha Exploration Co., the American company behind Clubhouse, handles personal data of its current and future users.  

In France, the investigation is the result of a petition against Clubhouse, which has now collected more than 10,000 signatures, and anyone who remembers the multi-million-euro fines imposed on Google and Amazon in France last December knows that the CNIL is not afraid to strike hard against American tech companies.

 

Your contact details processed without you knowing … 

One of the biggest issues with Clubhouse is that the whole story is based on a member-get-member system, where existing members upload their digital phone book and open it up to Clubhouse. Based on that phone book Clubhouse invites new users or has them invited by its users.  

In other words, even if you have not yet received an invitation today, Clubhouse has probably already processed your personal data without your permission via one of your friends or acquaintances and that in itself is very problematic.  

Just a few months ago, the Belgian GBA imposed a hefty fine on dating website Twoo in very similar circumstances, arguing that no valid legal basis under GDPR can be found for the processing of friend data. After all, your friends have not given permission to – in this case – Clubhouse to process their data, nor to you to process and share their data with Clubhouse for that purpose. Nor can Clubhouse and its users rely on a legitimate interest in this context and the processing of contact details of non-users therefore lacks a valid legal basis.  

Incidentally, the need to demonstrate sufficient legal grounds is not an administrative formality. The obligation to have a valid legal basis for any processing of personal data is one of the cornerstones of GDPR and of your and my privacy protection …

Clubhouse goes one step further when it comes to the processing of its users’ phone book data. Contact data of current users are not only used to invite new members, but also to compile a database of user statistics or profiles about existing and future users. The first information from the CNIL seems to indicate that Clubhouse is selling, or may potentially sell, that data to third parties (advertisers). Although Clubhouse itself writes in its privacy policy that it “does not sell your personal information”, it does mention a large number of cases in which it can potentially “share” your information with third parties, including for “advertising and marketing services”.

 

Conversations recorded without knowing it…

By the way, did you know that Clubhouse is also recording your conversations? That doesn’t have to be a problem, at least as long as Clubhouse only uses those recordings to evaluate any complaints and then permanently removes recordings from its servers. We do not know whether Clubhouse actually does that, but the previous paragraphs in this article give very little confidence.

 

No transparency…

The Hamburg DPA in particular also objects to the fact that Clubhouse is not transparent at all towards users. The correct contact details of the company behind Clubhouse (the “Impressum” required under German law) are nowhere to be found, and the privacy policy is only available in English, whereas GDPR requires it to be written in a language the average user can understand. By comparison, WhatsApp already received a hefty fine in Germany in 2016 because its terms of use were not available in German. Moreover, the privacy policy lacks a lot of mandatory information, for example the retention periods of your personal data and the names of the parties with whom that data is shared.

Another point on which Clubhouse fails to offer transparency is the data collection by means of cookies and other trackers. Clubhouse itself indicates that it collects data in this way and that it shares this data with advertisers via advertising networks. However, as far as we could determine, Clubhouse does not provide a clear overview of which cookies and trackers are used, which data is collected and with whom exactly that data is shared. Moreover, again as far as we could determine, no free and informed opt-in is obtained for the use of those cookies and trackers …

 

Data export outside the EU

Exporting personal data outside the EU (for example by storing it on servers in the US) is only allowed under strict conditions and requires contractual and technical safeguards. Clubhouse, however, limits its privacy policy on this point to the short statement that “By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service”.

 

Is it best to stay away from Clubhouse, then?

Time will tell whether Clubhouse is just another hype or a stayer in the social media landscape. The above comments do not necessarily mean that you should not work with Clubhouse. Follow the hype if you feel called to do so, there is nothing wrong with that.

But as a consumer and citizen you better be aware of what big tech companies do with your data, so that you can make conscious choices.  

In other words: be careful, inform yourself, and read the terms of use and privacy policy of Clubhouse, or of any other social media app you use, carefully.

 

Want to know more about GDPR, data protection or social media?

Do not hesitate to contact us via bart@siriuslegal.be or book a no-obligation video call with Bart via this link: https://koalendar.com/events/Meet-with-Bart-Van-den-Brande 

19.02.2021 Matthias Vandamme

How to avoid copyright infringements when providing content to your website?

Images and other content that are publicly available on the Internet are also protected by copyright. All too often we are contacted by people who have received a hefty invoice from an angry (rightly or wrongly) photographer because they copied his image onto their website without permission. The photographer works hard to make a good picture and often makes considerable investments to do so, and he therefore wants to oppose any unlawful use. However, the photographer is not always right. Sometimes the photos are not protected by copyright and, under certain conditions, you can use them on your website without having to ask permission. We summarise the rules for you here.

 

Ask permission as a rule of thumb

In order to enjoy copyright, a work does not have to comply with any formality. Nor does it have to be in a particular form or even be considered to be “beautiful”. There are three conditions for a work to be protected by copyright:

  • It must be a creative activity. This may be interpreted very broadly. Every creation of the human mind can be protected. Whether it is a vlog, a song, a blog or a photograph, it does not matter. However, a photograph taken by an animal is not protected. This was shown in a discussion about this selfie of a crested macaque. A gemstone that you might find in nature will also not be protected. A photograph or drawing of that same gemstone might be protected if it meets the following two conditions.
  • Ideas, concepts and methods are not protected by copyright. The work must be expressed in a concrete form. This does not necessarily have to be in a tangible format such as a book or a painting. It can also be a blog that only exists on the Internet or even an improvised street concert that ends when the last note is played.
  • Finally, the work must be original. Much has been said and written about this subject, but it ultimately boils down to the fact that you must be able to see the author’s own contribution in the work. If someone else had taken the picture, for example, it would not have looked the same. The author’s contribution can be seen in the choice of lighting, the framing of the shot, the colours used, the settings on the camera, and so on.

When we talk about photos on the Internet, there is often discussion about this last point. Practice shows that courts are reasonably quick to accept that a work is original. For example, a photograph of a natural landscape or even a gemstone may be protected by copyright. In that case, you may not just cut and paste the photo on your website.

The rule of thumb with copyright protected works is that you always need permission from the author before you can copy the work. Sometimes, however, the author stipulates in his general terms and conditions that you may use the work under certain conditions. For example, only in a non-commercial context. There are exceptions to this principle, which are discussed further below.

 

Sharing is not multiplying

But there are exceptions: hyperlinking, embedding and similar practices. If you use these correctly, you can place protected content of others on your website without permission or compensation. This exception has been confirmed many times by the courts.

The hyperlink is well-known to everyone. You simply share the location of a piece of content on the Internet with a link. Your website visitors can click on the link and are then transported to the referenced website. For example, above we referred to the selfie of the crested macaque via a hyperlink. 

Embedding also means that you refer to a piece of content on another website, but that content is directly visible on your website. Many online platforms even facilitate this, for example YouTube, Instagram and Twitter. However, it is not a requirement that this is facilitated. Someone with a minimum amount of technical know-how can embed almost any piece of content on a website, unless the website owner makes it impossible.  

With both hyperlinking and embedding, the content remains on the original server. A consequence of this is that when the photo is removed from the original server, it is also removed on all websites that have embedded the photo. 

You can check whether a photo is embedded by right-clicking it and choosing ‘Open image in new tab’. The address bar should then show the location on the original website. If the image is served from your own domain, it was downloaded and uploaded: that is not embedding but simply copying, and the exception does not apply. Be careful here, because some CMS tools automatically copy content to their own server when you add it to your website. In that case, too, a copy is made and you cannot rely on the exception.
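For a site with many pages, the manual right-click check is tedious. The following Python script, an added example that is not part of the original article, performs the same check over a page’s HTML: every image whose source resolves to your own host (or to a host you list as yours, such as your CDN) is a copy on your server; anything loaded from another host is embedded. The page URL, hostnames and HTML below are constructed for the illustration.

```python
"""Tell embedded (hotlinked) images from copies served off your own site.

Added example, not part of the original article. The page URL, hostnames and
HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ImgCollector(HTMLParser):
    """Collect the src (or lazy-loading data-src) of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        attr = dict(attrs)
        src = attr.get("src") or attr.get("data-src")
        if src:
            self.sources.append(src)


def classify_images(page_url, html, own_hosts=()):
    """Return [(absolute_src, kind), ...] in document order.

    kind is "copied" when the image is served from the page's own host or one
    of own_hosts (e.g. your CDN): the file sits on your server, so the
    hyperlink/embed exception does not apply. kind is "embedded" when it is
    loaded from another host: the file stays on the original server.
    Relative and protocol-relative sources are resolved against page_url."""
    collector = _ImgCollector()
    collector.feed(html)
    mine = {urlsplit(page_url).hostname.lower()}
    mine.update(h.lower() for h in own_hosts)
    result = []
    for src in collector.sources:
        if src.startswith("data:"):
            # inline base64 image: the bytes are part of your page, i.e. a copy
            result.append((src.split(",", 1)[0] + ",...", "copied"))
            continue
        absolute = urljoin(page_url, src)
        host = (urlsplit(absolute).hostname or "").lower()
        kind = "copied" if host in mine else "embedded"
        result.append((absolute, kind))
    return result


# Constructed sample input: one page with a local upload, a CDN asset, two
# images on other people's servers and one inline image.
SAMPLE_PAGE_URL = "https://www.example-blog.test/post/1"
SAMPLE_HTML = """
<html><body>
<img src="/wp-content/uploads/2021/01/macaque.jpg">
<img src="https://cdn.example-blog.test/assets/logo.png">
<img src="https://images.photographer.test/landscape.jpg">
<img data-src="//other.test/a.png" class="lazy">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""

if __name__ == "__main__":
    for src, kind in classify_images(SAMPLE_PAGE_URL, SAMPLE_HTML,
                                     own_hosts=("cdn.example-blog.test",)):
        print(f"{kind:9} {src}")
```

Note that a CDN you pay for is still your copy, which is why it has to be listed in own_hosts; without that list the logo on cdn.example-blog.test would be reported as embedded. The script looks at the HTML only: it does not tell you whether the CMS silently downloaded a file at upload time, which is exactly the case the paragraph above warns about, so an image that your own server serves is a copy no matter how it got there.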

 

Limitations

Embedding and hyperlinking are not a licence to do whatever you want without restraint. There are a number of restrictions that have been developed over the years in case law:

  • You are not allowed to share illegal content. In principle, you cannot share a photo that has been placed on the Internet without the permission of the rights holder. So you are not allowed to embed a video that has been placed online through piracy. The courts are stricter in this assessment if it is abundantly clear that the content was placed online without the permission of the rights holder. This is likely to be the case with a piracy website. In addition, there is a presumption that someone with a for-profit motive would be more likely to be aware of the lack of permission than an ordinary private individual.
  • You may not link to content that sits behind a paywall or other barrier. This condition speaks for itself, of course: the copyright holders take active steps to prevent the content from being shared. Think of paid articles on the website of a magazine or paid photographs from image banks such as Shutterstock, Getty Images, etc.
  • You are not allowed to edit the content. This condition is also obvious, but in practice it can sometimes cause problems. Many artists have no problem with their works being linked to or embedded. This way, they get more visibility on the net. However, this increased visibility is cancelled out as soon as their picture is edited. Many artists therefore take technical measures to prevent this. For example, they place a watermark on the photo or stick an informative bar with their details to it. If someone then wants to embed the photo on their website, this information is available anyway. Some website owners try to get around this by editing the photo in such a way that this information is not visible. In that case, the exception does not apply.

 

Checklist for correct use of content

You are providing your website with entertaining content, what should you pay attention to? In the checklist below, we list the focus points and the consequences of each point:

  • Copyrighted content. Whether content is protected is rarely a settled question. Prevention is better than cure, so assume that it is and ask permission from the rights holder. By asking the author explicitly for permission, you avoid 99% of all problems, even if you only use hyperlinks and embedded content.
  • Illegal content. If you have a website with a for-profit motive (very broad criterion, you don’t necessarily have to sell something), then you have to investigate this thoroughly. If the content is illegal or you have doubts, do not use it. If you are sure that the content was put online with the required permission, then you can probably use it.
  • Terms of use. For example, conditions in the general terms and conditions or a Creative Commons licence. If there are terms of use, you must take them into account when using the content. For example, the author may prohibit you from using his content for commercial purposes.
  • Restrictions. If the rights holder has built in certain (technical) barriers, such as a paywall, you cannot share the content. When an explicit embed code is provided, as with YouTube, sharing is facilitated.
  • No editing. In principle, this is impossible when embedding or linking to content. If this is somehow possible, the exception does not apply and you may not share the content.
  • Sharing is not multiplying. You may not copy-paste the content, download and upload it, take a screenshot and post it on your website, etc. The content must remain in its original place and you may not make a copy of it.

 

Do you still have questions about Internet law, copyright or intellectual property law in general? Please do not hesitate to contact us via bart@siriuslegal.be, matthias@siriuslegal.be or +32 2 721 13 00. 

02.02.2021 Bart Van den Brande

First major geoblocking fine goes to Steam gaming platform

The European Commission has imposed a 7.8 million euro fine on Valve, owner of the online PC gaming platform “Steam”, and five video game distributors for violating European geoblocking rules. Valve and the distributors concerned restricted cross-border sales of certain video games based on the geographic location of consumers, which is exactly what the geoblocking regulation prohibits.

 

What is geoblocking?

As part of its Digital Single Market package, the so-called geoblocking Regulation has been in force in the EU since 2019.  With this Geoblocking Regulation, the EU wants to put an end to any discrimination based on consumers’ place of residence or location. Research by the EU over the past years had shown that very often residents of a certain country could not enjoy certain offers online because they were denied access to a website based on their location or IP address or because they were automatically redirected to another country version of that website. 

The classic example is when an airline passenger wants to book an airplane ticket on a flight from, for example, Berlin to Brussels. Anyone who tries to access the website of the relevant airline from Germany will find an offer, let us say, 59 euros. However, anyone who tries to book the same ticket from Belgium is automatically diverted to a Belgian website, where the same ticket is considerably more expensive, or simply cannot access the German website. That is exactly what the EU wants to prevent with the Geoblocking Regulation. 

The regulation contains a set of rules that restricts both the technical limitation of access for foreign buyers to a website and the practical impediment or disabling of purchases on a website by foreigners.

 

What is no longer allowed since the beginning of 2019?

  • Making access to websites technically impossible from another country (pure geoblocking) 
  • Making access to websites, or to the products offered on them, more difficult or impossible “in any other way” (for example, when a buyer cannot complete the order because the format of the input fields does not allow it; postal code fields are a frequent problem because they enforce a pre-formatted local format)
  • Redirection of website visitors to a local version of the website without prior consent
  • Use of price differences based on the buyer’s origin (unless there is an objective justification for this)
  • Use of different sales conditions depending on the buyer’s place of residence or establishment (unless there is an objective justification for this).
  • Refusal to sell based on place of residence or establishment (what is still allowed is limiting delivery to certain areas, but a buyer who is willing to accept the limited delivery options must always be able to purchase)
  • Discrimination against buyers on the basis of the means of payment offered (this is in this case the systematic refusal of, for example, credit cards issued in another country)

 

What was Valve doing wrong?

Commissioner Margrethe Vestager, responsible for competition policy, said: “More than 50% of all Europeans play video games. The video game industry in Europe is thriving and is now worth more than € 17 billion. Today’s sanctions against the “geoblocking” practices of Valve and five PC video game publishers are a reminder that EU competition law prohibits companies from contractually restricting cross-border sales. Such practices deprive European consumers of the benefits of the EU Digital Single Market and the ability to search for the most suitable offer in the EU”.

Steam is one of the world’s largest online games platforms, where users can stream or download games. Games purchased outside Steam (e.g. in physical stores or via downloads from third-party websites) can also be activated and played on Steam. Valve also offers game distributors a territory control function, which makes it possible to set geographic restrictions on the activation of games. Precisely these restrictions result in the active geoblocking of games based on the geographic location of the user. The main purpose was to divide the territory between the distributors involved. As a result, users outside a designated member state were unable to activate certain games with their Steam activation keys.

The Commission found that Valve is thereby de facto splitting up the market in a manner contrary to European competition law and in particular that Valve and the relevant distributors were guilty of the following geoblocking practices:

  • Bilateral agreements and/or concerted practices between Valve and each of the five distributors, implemented through geo-blocked Steam activation keys that prevented the activation of certain of these publishers’ video games outside the Czech Republic, Poland, Hungary, Romania, Slovakia, Estonia, Latvia and Lithuania, in response to unsolicited consumer requests (so-called “passive sales”). These lasted between one and five years and were implemented between September 2010 and October 2015, depending on the case.
  • geoblocking practices in the form of licensing and distribution agreements concluded bilaterally between four of the five distributors involved (Bandai, Focus Home, Koch Media and ZeniMax) and some of their respective distributors in the EU, which contained clauses restricting the cross-border (passive) sales of the concerned games within the EU. These generally lasted longer, ie between three and eleven years, and were implemented between March 2007 and November 2018, depending on each bilateral relationship.

 

Avoid geoblocking issues on your own website

Not only International distributors of online games should be careful with geoblocking. The rules apply to every website and webshop in Europe.

Therefore, check your website at least on the following points:

  • Is your website freely accessible from the entire EU?
  • If you use a redirect, does the visitor have the choice to stay on the chosen country version (and to order there at the price offered there)?
  • Do your terms and conditions of sale contain no differing conditions depending on the buyer’s place of residence or establishment (price, guarantee, dispute settlement, cooling-off period, …)?
  • Are you sure that your payment solutions do not discriminate on the basis of the country of issue of payment cards and/or the residence or establishment of the buyer?
  • Are you sure that your order forms are location-neutral and accommodate foreign address formats, in particular in the postal code and address fields?
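The redirect point and the address-form point from the list of prohibited practices above, and from the checklist above, can be modelled in code. The following Python snippet is an added example, not taken from the original article or from any real webshop: it shows a silent GeoIP redirect (the prohibited practice) next to a version that always serves the requested country version and only offers a switch, applying it automatically only once the visitor has explicitly chosen; and a Belgian-only postal code field next to a location-neutral validator that knows a few national formats and falls back to a permissive check for every other country. The country codes, postal code patterns and the meaning of the consent cookie are assumptions.

```python
"""Locale handling and address validation that do not geoblock.

Added example, not taken from the original article or from any real webshop.
The country codes, postcode patterns and the meaning of the consent cookie are
assumptions made for this illustration.
"""
import re


def geoip_redirect_without_consent(requested_country, geoip_country):
    """The prohibited practice: silently send the visitor to the country
    version that matches their IP address, whatever they asked for.
    Shown only for contrast with choose_site_version below."""
    return (geoip_country or requested_country).upper()


def choose_site_version(requested_country, geoip_country, consent_cookie=None):
    """Return (country_version_to_serve, country_to_offer).

    requested_country: the version the visitor navigated to (e.g. "DE").
    geoip_country:     the country guessed from the IP address, or None.
    consent_cookie:    the version the visitor explicitly chose earlier, or None.

    The requested version is always served; a different local version is at
    most *offered* (e.g. in a banner). Only an earlier explicit choice, stored
    in the cookie, is applied automatically."""
    requested = requested_country.upper()
    detected = geoip_country.upper() if geoip_country else None
    if consent_cookie:
        # the visitor already chose a version: honour it, no banner needed
        return consent_cookie.upper(), None
    if detected and detected != requested:
        # serve what was asked for, offer the switch instead of forcing it
        return requested, detected
    return requested, None


# Postcode formats we know (assumed patterns); everything else gets the
# permissive fallback so a buyer from any EU country can complete the field.
_POSTCODE_PATTERNS = {
    "BE": r"\d{4}",
    "NL": r"\d{4} ?[A-Z]{2}",
    "DE": r"\d{5}",
    "FR": r"\d{5}",
    "PL": r"\d{2}-\d{3}",
    "PT": r"\d{4}-\d{3}",
    "IE": r"[A-Z][A-Z0-9]{2} ?[A-Z0-9]{4}",  # Eircode, e.g. D02 X285
}
_GENERIC_POSTCODE = r"[A-Z0-9][A-Z0-9 \-]{1,9}"


def belgian_only_postcode(value):
    """A pre-formatted Belgian field (the problem described in the list):
    accepts 4 digits only, so a Dutch or Polish buyer cannot finish the order."""
    return re.fullmatch(r"\d{4}", value.strip()) is not None


def validate_postcode(country, value):
    """Location-neutral check: use the national pattern when we know it,
    otherwise accept any plausible postcode rather than blocking the sale."""
    normalised = " ".join(value.strip().upper().split())
    pattern = _POSTCODE_PATTERNS.get(country.upper(), _GENERIC_POSTCODE)
    return re.fullmatch(pattern, normalised) is not None


if __name__ == "__main__":
    print(choose_site_version("DE", "BE"))        # ('DE', 'BE'): stay on DE, offer BE
    print(choose_site_version("DE", "BE", "BE"))  # ('BE', None): chosen earlier
    print(validate_postcode("PL", "00-950"), validate_postcode("MT", "VLT 1117"))
```

The design point is in choose_site_version: the GeoIP lookup only ever produces an offer, and the cookie that later triggers an automatic switch is written when the visitor accepts that offer, not when the site guesses. For the address form, the generic fallback deliberately errs on the side of accepting input; a postal code you cannot validate is a reason to check the delivery address, not to refuse the sale.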

 

Questions about geoblocking or e-commerce?

Our team gladly makes time to discuss with you. Feel free to book an introduction directly in Bart’s agenda or contact us by email at bart@siriuslegal.be or by phone at +32 492 249 516.

01.02.2021 Matthias Vandamme

Who is the competent Data Protection Authority to take you to court?

An upcoming judgment of the Court of Justice may have interesting consequences for companies operating in a cross-border context. In a recent opinion on the case of the Belgian Data Protection Authority (DPA) against Facebook, the Advocate General of the Court of Justice wrote that ‘the DPA of the country in which the registered office of a company is located has a general power to initiate legal proceedings against that company. The other DPAs also have this power, but only in a limited number of cases.’

 

Local and leading authorities

A DPA is an independent government body that, among other things, watches over our right to privacy. Each European country has at least one such authority that exercises its powers within its territory. Sometimes several DPAs can be competent, because data processing problems occur increasingly cross-borders. In that case, there is a leading DPA. This is the DPA of the country in which the registered office of the processor or controller committing the infringement is located. 

 

Belgium vs. Facebook

The case started about five years ago when the predecessor of the Belgian DPA took Facebook to court. The reason for this was, among other things, the use of tracking cookies. These are cookies used to follow Internet users across different websites. The court initially ruled in favor of the predecessor of the Belgian DPA, but Facebook appealed the decision. Facebook claims that the Belgian DPA does not have the authority to commence legal proceedings against it. It is of the opinion that only the DPA of the place of its registered office is competent to start legal proceedings. In this case, that would be the DPA of Ireland. 

Subsequently, the Brussels Court of Appeal asked the Court of Justice in Luxembourg who is competent to bring legal proceedings against a company in the event of cross-border infringements. Is it only the leading DPA or can any national DPA do so?

 

One DPA to rule them all

We are still waiting for a judgment from the Court of Justice, but Advocate General Michal Bobek has already shared his opinion. These opinions are almost always followed by the Court of Justice. In his opinion, he clarifies that DPAs do indeed have the power to take infringers to court, but in the case of cross-border disputes, this power is limited. In that case, only the leading DPA may initiate proceedings in consultation with the other competent authorities. 

This is called the one-stop shop mechanism. This means that a company can only be sued in the first instance by the DPA of its registered office. In the Facebook case, this means that the Irish DPA has the authority to initiate proceedings in the first instance. However, it should always do this in close cooperation with the other DPAs. Mind you, the victims of infringement can still start proceedings in their own country against companies with a registered office in another country. 

The Advocate General emphasises that in five cases the national DPAs can initiate legal proceedings when they are not the leading DPA:

  • For breaches outside the framework of the GDPR. For example, the French DPA (CNIL) has already imposed fines in this context for breaches of the cookie rules in the ePrivacy Directive.
  • In the case of cross-border processing operations carried out by public authorities in the public interest or in the exercise of their official powers or by controllers not established in the European Economic Area.
  • When the controller has no establishment in the European Economic Area.
  • For urgent measures.
  • After the leading DPA has decided not to hear a case.

It will now be several months before the Court of Justice gives its final ruling on the case. After that, the Brussels Court of Appeal will rule on the case, taking into account the Court of Justice’s replies. 

 

Effects 

A possible consequence of this situation is that some companies will move their headquarters to the country with the least stringent DPA. Indeed, some DPAs are more lenient on certain issues than other DPAs. 

Would you like to know more about which DPAs are competent for your processing activities or privacy and GDPR in general? You can always contact us at bart@siriuslegal.be and matthias@siriuslegal.be

15.01.2021 An Haenen

Belgium’s digital industry unites to discuss the use of analytics cookies without prior opt-in with the Belgian Data Protection Authority (GBA)

Last week Sirius Legal met with the Belgian Data Protection Authority, as the legal representative of the united Belgian digital industry, about the use of analytics cookies.

On 7 January the sector organizations ACC, BAM, Cube, Feweb, SafeShops.be, UBA and UMA (representing agencies, advertisers, web builders and webshops) met with Belgium’s DPA to convey their concerns about the way in which prior explicit consent must currently be requested for the use of analytics cookies in online environments. The sector organizations, which together represent the broad spectrum of the Belgian online world, did so on the basis of an extensively substantiated position paper written by Sirius Legal.

 

Concern about explicit consent for analytics cookies

Major concern in the entire sector is the fact that the obligation to request the consent of website visitors by means of a cookie banner causes very great economic damage to the sector. A lot of website visitors, some statistics speak of more than 80%, simply click away the often annoying cookie pop-ups or do not opt-in.  As a consequence, webshops and online marketers miss out on essential statistical data about website visits and visitor behaviour on their website, that is crucially needed to optimize their web content. This creates a great deal of frustration because in neighbouring countries the use of such analytics cookies is possible without prior consent from the website visitor, which creates a serious competitive disadvantage for Belgian online entrepreneurs.  

The entire industry is very committed to online privacy and welcomes the transparency that mandatory cookie opt-ins bring when it comes to data collection for marketing purposes. However, the industry insisted on the great urgency for the DPA to take action when it comes to (anonymous) analytics data. The same message will be presented to the competent minister, in order to provide for a similar exception for Belgium as those which already exist in France, the Netherlands or Germany for strictly analytical purposes. High-performance websites, adapted to the expectations and needs of the consumer, are in the first place also to the advantage of precisely that consumer. After all, good analytics data makes it possible to offer better services and products, under better conditions and at better prices, to precisely that consumer.

 

Position paper and relevant articles

The full position of the sector has been elaborated in a position paper that provides a clear outline of the current issue and reflects the point of view of the entire digital sector.

Over the past few months, we have written a number of articles about this issue at Sirius Legal and are particularly pleased that our position paper is so enthusiastically endorsed throughout the digital sector. Sirius Legal, together with BAM, the Belgian Association for Marketing, and the other associations, will take the necessary steps to arrive at a proposal for text and negotiations with the cabinet of the Minister Mathieu Michel. We will certainly keep you informed!

Sirius Legal is and has been the legal partner of several of the signing parties to this position paper, including BAM, UBA, SafeShops and Feweb. These partnerships place us in the center of the Belgian online industry and allow us to offer high-quality legal services to the entire industry.

 

Questions about cookies or the position paper?

Feel free to contact Bart Van den Brande at bart@siriuslegal.be or book a short meeting in his agenda using this link.

12.01.2021 Matthias Vandamme

UK companies and residents lose .eu domain names

At the beginning of this year, EURid (the organisation in charge of managing .eu domain names) announced that 81,000 .eu domain names would be suspended as a result of Brexit. Those domain name holders now have three months to prove that they are entitled to their .eu domain name. This event is a perfect moment to recall the importance of a good domain name policy.

 

European domain names

.eu domain names are domain names under the .eu top-level domain (TLD), which is managed by EURid (European Registry for Internet Domains). These domain names are reserved for:

  • Citizens of the EEA (EU + Norway, Iceland and Liechtenstein), even if they no longer live in the EEA.
  • Residents of the EEA, irrespective of their nationality.
  • Companies established in the EEA.
  • Organisations established in the EEA.

Individuals and companies that do not belong to one of these categories cannot apply for or hold a .eu domain name. As a result of Brexit, 81,000 .eu domain names were suspended at the beginning of this year. In practical terms, this means that these .eu websites and email addresses are no longer accessible since the beginning of 2021.

The domain name holders in the UK now have another three months to update their data. They can, for example, establish their registered office within the EEA or prove that they have the nationality of an EEA member state in order to keep their domain name. The well-known pro-Brexit website and campaign Leave.EU has moved its registered office to Waterford in Ireland to be able to keep its domain name. If a domain name holder cannot prove the above, their .eu domain names will be officially cancelled and consequently released to the public from January 2022.

 

Checks for registration

This incident is the perfect moment to recall the importance of a good domain name policy. We recently wrote an article about the steps you can take to prevent and fight cybersquatting. In that article, we emphasise the importance of registering the various extensions (.com, .net, .shop, .be, .eu), because otherwise you run the risk that someone else will profit from your carefully built reputation or even damage it.

Make sure that you don’t thoughtlessly search all databases for available domain names. That is how you awaken the cybersquatters: individuals who want to get hold of your domain name in order to sell it to you at a higher price, to place harmful content on it in order to give you a bad name, to profit from your good reputation, etc. You can easily prevent this by registering the relevant and crucial domain names in good time:

  • Make a list of all possible names and possible spelling mistakes. Perhaps also think about the domain name of your own name!
  • Think carefully about which extensions you want to register.
  • Register all names and extensions as soon as possible.

In itself this all seems obvious, but you would be surprised how often it goes wrong in practice. Often, certain extensions are not registered in order to reduce costs, but it has already happened more than once that a competitor or an unknown third party registers the other domain names to make a profit. Then, of course, there are legal steps you can take. For example, there are a number of alternative dispute resolution procedures at the domain name registrars. In many cases, however, you will need a registered trademark to have a realistic chance of success. By the time you have gone through such a procedure, the damage may already be irreparable or your costs may have risen considerably.
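The checklist above (list the names and likely misspellings, pick the extensions, then register) lends itself to a small script that prepares the list offline, so that you decide what to register before querying any availability database. The following is an added example, not code from the original post or from Sirius Legal: it enumerates typo variants of a brand label and combines them with the extensions the post names. The brand name used is a constructed placeholder, and the set of substitutions is an assumption about which misspellings are common.

```python
# Added example: enumerate candidate domain names to register defensively.
# Runs fully offline; it never looks up availability, so it does not
# reveal your interest in a name to anyone watching WHOIS/registrar queries.

# Constructed placeholder brand label (not a claim about any real domain).
BRAND = "siriuslegal"
# The extensions mentioned in the post.
EXTENSIONS = ("com", "net", "shop", "be", "eu")

# Assumed set of visually or keyboard-similar replacements (not from the post).
SUBSTITUTIONS = {"i": "1l", "l": "1i", "o": "0", "s": "5", "a": "4", "e": "3"}


def typo_variants(name):
    """Return the set of plausible misspellings of a single label:
    adjacent-character swaps, single-character omissions, doubled
    characters, and the substitutions listed above."""
    variants = set()
    # Transposed neighbours: "siriuslegal" -> "isriuslegal"
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):
        # Dropped character: "siriuslegal" -> "siriuslega"
        variants.add(name[:i] + name[i + 1:])
        # Doubled character: "siriuslegal" -> "ssiriuslegal"
        variants.add(name[:i] + name[i] + name[i:])
        # Look-alike replacement: "siriuslegal" -> "s1riuslegal"
        for repl in SUBSTITUTIONS.get(name[i], ""):
            variants.add(name[:i] + repl + name[i + 1:])
    variants.discard(name)  # the genuine spelling is handled separately
    return variants


def candidate_domains(name, extensions=EXTENSIONS, include_typos=True):
    """Combine the genuine label (and optionally its typo variants) with
    every extension, returning a sorted list ready for a registration plan."""
    labels = {name}
    if include_typos:
        labels |= typo_variants(name)
    return sorted(f"{label}.{ext}" for label in labels for ext in extensions)


if __name__ == "__main__":
    plan = candidate_domains(BRAND)
    print(f"{len(plan)} candidate names for '{BRAND}':")
    for domain in plan:
        print("  ", domain)
```

The output is a starting point for the "register as soon as possible" step: review the list, drop variants that are clearly not worth the fee, and register the rest in one go rather than looking them up one by one.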

 

Preventing is better than curing

Our team will be happy to help you with any questions concerning domain names, trademarks or intellectual property and the Internet in general. Feel free to contact us at bart@siriuslegal.be and matthias@siriuslegal.be.
