Monday, 18 December 2017

Internet legal developments to look out for in 2018

A preview of some of the UK internet legal developments that we can expect in 2018. Any future EU legislation will be subject to Brexit considerations and may or may not apply in the UK.

EU copyright reform In 2016 the European Commission published
proposals for

-         a Directive on Copyright in the Digital Single Market. As it navigates the EU legislative process the proposal continues to excite controversy, mainly over the proposed publishers’ ancillary right and the clash between Article 13 and the ECommerce Directive's intermediary liability provisions.  

-         a Regulation extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to broadcasters' ancillary online transmissions. Most of the Commission’s proposal was recently rejected by the European Parliament.

-         legislation to mandate a degree of online content portability within the EU. The Regulation on cross-border portability of online content services in the internal market was adopted on 14 June 2017 and will apply from 20 March 1 April 2018.
EU online business As part of its Digital Single Market proposals the European Commission published a proposal for a Regulation on "Geo-blocking and other forms of discrimination". It aims to prevent online retailers from discriminating, technically or commercially, on the basis of nationality, residence or location of a customer. Political agreement was reached in November 2017 [and the Regulation was adopted on 28 February 2018. The Regulation will apply from 3 December 2018]

Telecoms privacy The proposed EU ePrivacy Regulation continues to make a choppy voyage through the EU legislative process.

Intermediary liability On 28 September 2017 the European Commission
published a Communication on Tackling Illegal Content Online.  This is a set of nominally voluntary guidelines under which online platforms would adopt institutionalised notice and takedown/staydown procedures and proactive content filtering processes, based in part on a system of 'trusted flaggers'. The scheme would cover every kind of illegality from terrorist content, through copyright to defamation. The Commission aims to determine by May 2018 whether additional legislative measures are needed. [The Commission followed up on 1 March 2018 with a Recommendation on Measures to Effectively Tackle Illegal Content Online and with a public consultation open until 25 June 208.]
Politicians have increasingly questioned the continued appropriateness of intermediary liability protections under the Electronic Commerce Directive. The UK Committee on Standards in Public Life has suggested that Brexit presents an opportunity to depart from the Directive. The government has published its Internet Safety Strategy Green Paper. More to come in 2018. [The House of Lord Communications Committee is conducting an inquiry on internet regulation, including intermediary liability.] The hearing of the appeal to the UK Supreme Court in Cartier on who should bear the cost of complying with site blocking injunctions [was] heard [at the end of February] 2018.

TV-like regulation of the internet The review of the EU Audio Visual Media Services Directive continues. The Commission proposal adopted on 25 May 2016 would further extend the Directive's applicability to on-demand providers and internet platforms. [The European Parliament, Council and Commission have reached a preliminary political agreement on the main elements of revised rules.]

Pending CJEU copyright cases More copyright references are pending in the EU Court of Justice. Issues under consideration include whether the EU Charter of Fundamental Rights can be relied upon to justify exceptions or limitations beyond those in the Copyright Directive; and whether a link to a PDF amounts to publication for the purposes of the quotation exception (Spiegel Online GmbH v Volker Beck, C-516/17). Another case on the making available right (Renckhoff, C-161/17) is pending [Advocate General Opinion published 25 April 2018]. It is also reported that the Dutch Tom Kabinet case on secondhand e-book trading has been referred to the CJEU.


ECommerce Directive Two cases involving Uber are before the CJEU, addressing in different contexts whether Uber’s service is an information society service within the Electronic Commerce Directive. Advocate General Szpunar gave an Opinion in Asociación Profesional Élite Taxi v Uber Systems Spain, C-434/15 on 11 May 2017 and in Uber France SAS, Case C320/16 on 4 July 2017. [The CJEU gave judgment in Uber Spain on 20 December 2017, holding that the service was a transport service and not an information society service. It followed up with a similar judgment in Uber France on 10 April 2018.][The Austrian Supreme Court has referred to the CJEU questions on whether a hosting intermediary can be required to prevent access to similar content and on extraterritoriality (C-18/18 - Glawischnig-Piesczek).]

Online pornography The Digital Economy Act 2017 grants powers to a regulator (recently formally proposed to be the British Board of Film Classification) to determine age control mechanisms for internet sites that make ‘R18’ pornography available; and to direct ISPs to block such sites that either do not comply with age verification or contain material that would not be granted an R18 certificate. The DCMS has published documents including draft guidance to the Age Verification Regulator.

Cross-border liability and jurisdiction
Ilsjan (Case C-194/16) is another CJEU reference on the Article 7(2) (ex-Art 5(3)) tort jurisdiction provisions of the EU Jurisdiction Regulation. The case concerns a claim [by a legal person] for correction and removal of harmful comments. It asks questions around mere accessibility as a threshold for jurisdiction (as found in Pez Hejduk) and the eDate/Martinez ‘centre of interests’ criterion for recovery in respect of the entire harm suffered throughout the EU. The AG Opinion in Ilsjan was delivered on 13 July 2017. [The CJEU gave judgment on 17 October 2017. It held that a claim in relation to rectification, removal and the whole of the damage could be brought in the Member State in which the legal person had its centre of interests. Since an action for rectification and removal is indivisible it cannot be brought in each Member State in which the information is or was accessible.]

The French CNIL/Google case on search engine de-indexing has raised significant issues on extraterritoriality, including whether Google can be required to de-index on a global basis. The Conseil d'Etat has referred various questions about this to the CJEU. [See also C-18/18 Glawischnig-Piesczek. A Swedish court has declined to make a global de-indexing order against Google in a right to be forgotten case, restricting the order to searches from Sweden.]

Online state surveillance The UK’s
Investigatory Powers Act 2016 (IP Act), partially implemented in 2016 and 2017, is expected to come fully in force in 2018. However the government has acknowledged that the mandatory communications data retention provisions of the Act are unlawful in the light of the Watson/Tele2 decision of the CJEU. It has launched a consultation on proposed amendments to the Act, including a new Office for Communications Data Authorisation to approve requests for communications data . Meanwhile a reference to the CJEU from the Investigatory Powers Tribunal questions whether the Watson decision applies to national security, and if so how.


The IP Act (in particular the bulk powers provisions) may also be indirectly affected by cases in the CJEU (challenges to the EU-US Privacy Shield), in the European Court of Human Rights (various NGOs challenging the existing RIPA bulk interception regime) and by a judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers. However in that case the Court of Appeal has held that the Tribunal decision is not susceptible of judicial review.  [A further appeal will be heard by the Supreme Court, following grant of permission to appeal on 22 March 2018.] One of the CJEU challenges to the EU-US Privacy Shield was held by the General Court on 22 November 2017 to be inadmissible for lack of standing.

Liberty's challenge by way of judicial review to the IP Act bulk powers and data retention powers is pending. [A judgment in relation to data retention powers was issued on 27 April 2018, giving the government until 1 November 2018 to amend the IP Act to reflect two conceded grounds of incompatibility with EU law.]
Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

[Here is an updated mindmap of challenges to the UK surveillance regime.]





[Update 18 Dec. Replaced 'EU law' in last para with 'EU Charter fundamental rights'.] [Updated 5 March 2018, including addition of mindmap; and 6 March 2018 to add CJEU referral in C-18/18 Glawischnig-Piesczek.]
[Updated 28 March 2018 to correct starting date of Portability Regulation to reflect corrigendum to the Regulation.][Updated 27 April 2018 with updated mindmap. Further updated 13 and 17 May 2018.]

Wednesday, 13 December 2017

Cyberleagle Christmas Quiz

[Updated with answers, 1 January 2018]

15 questions to illuminate the festive season. Answers in the New Year. (Remember that this is an English law blog). 

Tech teasers 

1. How many data definitions does the Investigatory Powers Act 2016 (IP Act) contain?

Twenty-one: Communications data, Relevant communications data, Entity data, Events data, Internet connection record, Postal data, Private information, Secondary data, Systems data, Related systems data, Equipment data, Overseas-related equipment data, Identifying data, Target data, Authorisation data, Protected data, Personal data, Sensitive personal data, Targeted data, Content, and Data. 

2. A technical capability notice (TCN) under the IP Act could prevent a message service from providing end to end encryption to its users. True, False or Maybe?

Maybe. A TCN could require the provider to have a capability to remove electronic protection applied by it if, among other things, that is technically feasible. The most significant question is whether the message service provider is regarded as itself applying the E2E encryption. If so, then a TCN could possibly be used to require such a provider to adopt a different model. If the user is regarded as applying the encryption then a TCN could not be used. 

3. Under the IP Act a TCN requiring installation of a permanent equipment interference capability could be served on a telecommunications operator but not a device manufacturer. True, False or Maybe?

True. Device manufacturers are outside the scope of TCNs. If a device manufacturer provides a telecommunications service (for instance where a phone manufacturer also provides its own messaging service) then it could be within scope, but only for its telecommunications service activities. 

4. Who made a hash of a hashtag?

In an interview in March 2017 Home Secretary Amber Rudd famously referred to the need for assistance from those who ‘understand the necessary hashtags’.  A week later a Home Office Minister explained that she had intended to refer to image hashing, not hashtags. So strictly speaking she made a hashtag of a hash.

Brave new world


5. Who marked the new era of post-Snowden transparency by holding a private stakeholder-only consultation on a potentially contentious IP Act draft Statutory Instrument?

As required by the IP Act the Home Secretary consulted various specified stakeholders on draft technical capability regulations (see 2 and 3 above) prior to laying them before Parliament for approval. The consultation was conducted privately, excluding the general public and civil society groups. However the Open Rights Group obtained and published a copy of the draft regulations.

6. Who received an early lesson in the independence of the new Investigatory Powers Commissioner?


GCHQ. Its November 2017 approach to the Investigatory Powers Commissioner to discuss the possibility of a protocol for reducing evidential issues in Investigatory Powers Tribunal or other cases was politely but firmly rebuffed. 

The penumbra of ECJ jurisdiction
  
7. The EU Court of Justice (CJEU) judgment in Watson/Tele2 was issued 22 days after the IP Act received Royal Assent. How long elapsed before the Home Office published proposals to amend the Act to take account of the decision?

344 days. The Consultation was published on 30 November 2017.

8. The Investigatory Powers Tribunal has recently made a referral to the CJEU. What is the main question that the CJEU will have to answer about the scope of its Watson decision?  

Paraphrased, the main question is whether national security is excluded from the Watson decision as being outside the scope of EU law.

9. What change was made in the IP Act’s bulk powers, compared with S.8(4) RIPA, that would render the CJEU’s Q.8 answer especially significant?

In the IP Act the purposes for which the bulk powers may be exercised are all framed by reference to national security. In RIPA (as amended by DRIPA 2014) the serious crime purpose does not have to be related to national security. 

10. After Brexit we won't need to worry about CJEU surveillance judgments, even if we exit the EU with no deal. True, False or Maybe? 

False, at least if the UK wishes to have a data protection adequacy determination that would enable EU countries to transfer personal data to the UK. As the USA discovered in Schrems, a third country’s surveillance regime can be a significant factor in an adequacy determination.

Copyright offline and online

11. Tweeting a link to infringing material is itself an infringement of copyright. True, False or Maybe?  

Maybe, depending on whether (a) you know that the material is infringing; or (b) you are linking for financial gain, in which case you would be rebuttably presumed to know. This is the result of the CJEU’s decision in GS Media.

12. Reading an infringing copy of a paper book is not copyright infringement. Viewing an infringing copy online is. True, False or Maybe?

True, at least if what you do online is sufficiently deliberate and knowing.  EU copyright law treats screen and buffer copies as engaging the reproduction right. The CJEU in Filmspeler held that the user of a multimedia player add-on containing links to infringing movies infringed the reproduction right by viewing an infringing copy accessed via the link.  This was because, as a rule, the purchaser of such a player deliberately and in full knowledge of the circumstances accessed a free and unauthorised offer of protected works. This took the activity outside the Copyright Directive’s exception for transient and temporary copies. The same reasoning can be applied to an online book.

13. Whereas selling a set-top box equipped with PVR facilities is legal, providing a cloud-based remote PVR service infringes copyright. True, False or Maybe?

True. Established by the CJEU in VCAST, 29 November 2017.

14. Format-shifting infringes copyright. True, False or Maybe?

True.  Seven years after the Hargreaves Review identified this as an aspect of copyright that puts the law into confusion and disrepute, format shifting remains an infringement.

15. Illegal downloading is a crime. True, False or Maybe?

False. A user who downloads without the permission of the copyright owner commits a civil infringement of copyright, but without more that is not a crime.  In 2014 PIPCU (the Police Intellectual Property Crime Unit) deployed replacement website ads proclaiming that ‘Illegal downloading is a crime’. PIPCU later explained this on the basis that “Downloading falls within s.45 of the Serious Crime Act 2007 if it encourages s.107 CDPA 1988 offences”.