Wednesday, 9 October 2019

The CJEU rules on consent to cookies under data protection law




Lorna Woods, Professor of Internet Law, University of Essex

Last week’s CJEU ruling in Planet49 is an important Grand Chamber decision concerning the use of cookies and the meaning of consent under the e-Privacy Directive in the light of the Data Protection Directive but also the General Data Protection Regulation (Regulation 2016/679)(GDPR). The judgment is therefore relevant for understanding the cookie obligations in the new regime as well as the old.

Judgment

The case concerned an online lottery. To participate, users had to enter their name and address and were shown two checkboxes in relation to consent for data processing before they could participate in the lottery. The first consent pertained to users being contacted by third parties for promotional offers. The second consent pertained to cookies being dropped on users’ browsers in connection with participation in the online lottery. While Planet49 sought consent for the third-party promotional offers through the use of an unticked box, the box for the use of cookies was pre-ticked. Two questions were referred: whether the use of pre-ticked boxes gave consent; and what information needed to be supplied to provide clear and comprehensive information to the user.

The e-Privacy Directive provides that users must consent to the use of cookies, and consent has the same meaning as in the Data Protection Directive (Recital 17 and Article 2f e-Privacy Directive) and now the GDPR. The Data Protection Directive required an ‘indication’ of the user’s consent which, as the Advocate General pointed out ([AG60], cited by the Court [para 52]), requires the user to do something active to signal consent rather than remain passive. Further, only active behaviour can satisfy the requirement that consent must be unambiguous [para 54].

The Court also referred to the ‘legislative origins’ of the cookie provision (Article 5(3) e-Privacy Directive), noting that before the provision’s amendment in 2009, the provision gave the user the right to refuse cookies [para 56]. The Court concluded that consent was not valid if pre-ticked boxes were used.  If that was the case under the Data Protection Directive, it remained so under the GDPR, given that its definition of consent is more stringent than that under the Data Protection Directive.  The Court noted that:

according to recital 32 [GDPR], giving consent could include ticking a box when visiting an internet website. On the other hand, that recital expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent [para 62].

The Court noted that the referring court did not ask the question as to whether making consent to such processing a precondition for participation in the lottery satisfied the requirement for consent to be ‘freely given’ and therefore the ECJ did not answer that question.

Given that the e-Privacy Directive is not just about personal data, the referring court asked if the meaning of consent was the same should data other than personal data be in issue. While it was accepted that the data in issue constituted personal data, in line with the approach of the Advocate General and relying on Recital 24 of the e-Privacy Directive, the Court commented:

that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data [para 68].

In response to the questions of the referring court as to the nature of the information the user must be given as to the duration of the use of cookies and whether or not third parties may have access to those cookies, the Court referred to the general obligation that the user be given ‘clear and comprehensive information’ [para 73]. The Data Protection Directive and now the GDPR list certain information that must be given; this does not include duration. The Court noted that these lists were not exhaustive and that a long duration of operation for cookies would mean that a lot of data would be collected. In support of the argument that information on duration should be given, the Court noted that the GDPR requires the controller to provide information about how long personal data will be stored.

Comment

The ruling will have significant implications for those who obtain data relying on cookies, as the Court has confirmed that ‘active consent’ is required. While this is clear on the face of the GDPR it was less so under the Data Protection Directive. Given that the Data Protection Directive has already been repealed and the GDPR is now in force the consequences – save for those already legally embroiled on this point – might be thought to be limited.  Nonetheless, this is a clear affirmation of the fact that the GDPR definition of consent applies in the e-Privacy Directive.

Given that the Court interpreted the meaning of consent through the lens of the GDPR as well as the Data Protection Directive, it is also the first ruling on consent under the GDPR. Further, the ruling might be seen as part of a more general push-back against ‘surveillance capitalism’ techniques, constituted by a number of investigations currently ongoing in various Member States (and note the recent guidance from the ICO on use of cookies).

As an aside, it is also worth noting the broader scope of the e-Privacy Directive: it is not limited to personal data but the ‘private sphere of individuals’, that private sphere encompassing users’ ‘terminal equipment’. This means that national rules should not be less strict if no personal data is in issue. The Court reminds us also that the protection in the e-Privacy Directive is not limited to cookies but to ‘hidden identifiers and other similar devices’ [para 70]. Presumably then these techniques also require active consent. Of course, this ruling relates to the e-Privacy Directive; it remains to be seen what the position will be should the proposed ePrivacy Regulation ever be agreed.

The final point to note is the issue surrounding ‘freely given’. The German court did not raise the question of whether requiring consent as a pre-condition for accessing the service would be permissible and the Court did not answer it of its own volition. This presumably will come before the Court another day.

Photo credit: pcmag

Monday, 7 October 2019

Facebook’s liability for defamatory posts: the CJEU interprets the e-commerce Directive




Lorna Woods, Professor of Internet Law, University of Essex

The last couple of weeks have seen a number of judgments relating to the control of information on the internet by the subject of the information. The cases of GC et al (Case C-136/17) and Google v CNIL (Case C-507/17) concern the interpretation of the General Data Protection Regulation (GDPR), looking at the obligations of search engines. The most recent case, Glawischnig-Piesczek v Facebook (Case C-18/18) concerned the impact of the e-Commerce Directive (Directive 2000/31/EC), specifically the prohibition on general monitoring found in Article 15 of that Directive, on ‘stay down’ notices. The focus of this post is on Glawischnig-Piesczek, but there is a question that reaches beyond the impact of that case on the e-Commerce Directive: to what extent is there a coherent approach to issues arising from the Internet across the various legal measures that intersect with it? This may go beyond the e-Commerce Directive and the GDPR to include measures related to intellectual property (notably the recent controversial Directive on Copyright in the Digital Single Market (Directive 2019/790/EU) and the Enforcement Directive (Directive 2004/48/EC)) and the combating of child exploitation (Directive on combatting the sexual abuse and sexual exploitation of children and child pornography (Directive 2011/93/EU)) and terrorism (Terrorism Directive (Directive 2017/541/EU)).

The Judgment

The facts giving rise to this reference are simple.  Glawischnig-Piesczek complained to Facebook about some defamatory posts. Facebook did not remove the posts so Glawischnig-Piesczek obtained a court order requiring Facebook to stop publishing the impugned content. The precise scope of the order gave rise to further litigation and the Austrian Supreme Court referred a number of questions to the CJEU, asking:

- Are “stay down” notices in relation to identically worded content compatible with Article 15 of the e-commerce Directive?
- Are there geographic limitations to the obligation?
- Are such notices acceptable in relation to content equivalent to that which has been found unacceptable, which does not use the same words but conveys the same meaning?
- In relation to posts with equivalent meaning, does the obligation accrue when the intermediary becomes aware of the content?

The Court started its analysis by making clear that the immunity from suit granted by Article 14 of the Directive is not a general immunity from every legal obligation. Specifically the national authorities remain competent to require a host to terminate access to or remove illegal information. The Court also noted that Article 18 of the e-Commerce Directive requires Member States to have in place appropriate court actions to deal with illegal content. It states:

Member States shall ensure that court actions available under national law concerning information society services’ activities allow for the rapid adoption of measures, including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.

The Court held that no limitation on the scope of such national measures can be inferred from the text of the e-Commerce Directive [para 30]. 

It then turned to the impact of Article 15. It highlighted the fact that while Article 15 prohibited general monitoring, as recital 47 in the preamble of the Directive makes clear, monitoring ‘in a specific case’ does not fall within that prohibition. It then held that

[s]uch a specific case may, in particular, be found, as in the main proceedings, in a particular piece of information stored by the host provider concerned at the request of a certain user of its social network ….. [35].

Given the nature of information flows there is a risk that any such information may be re-posted, so

‘.. in order to ensure that the host provider at issue prevents any further impairment of the interests involved, it is legitimate for the court having jurisdiction to be able to require that host provider to block access to the information stored, the content of which is identical to the content previously declared to be illegal, or to remove that information, irrespective of who requested the storage of that information. In particular, in view of the identical content of the information concerned, the injunction granted for that purpose cannot be regarded as imposing on the host provider an obligation to monitor generally the information which it stores, or a general obligation actively to seek facts or circumstances indicating illegal activity, as provided for in Article 15(1) of Directive 2000/31 [37].

The Court determined “equivalent meaning” to be about the message the information posted conveys and which was “essentially unchanged”. Given the focus on meaning not form, the Court held that an injunction could extend to non-identical posts as otherwise the effects of an injunction could easily be circumvented.  The Court then considered the balance between the competing interests. The Court commented that the “equivalent information” identified by court order should contain specific elements to identify the offending content and in particular must not require the host to carry out its own independent assessment. In terms of assessing the burden on the host, the court noted that the host would have recourse to “automated search tools and technologies” [para 46].

The court concluded that the injunctions would not constitute a general obligation to monitor all content and specifically no obligation to seek facts or circumstances indicating illegal activity.

The Court also noted that Article 18 of the Directive makes no provision for territorial limitations on what measures Member States may make available. In principle, world-wide effects would be permissible [para 50], but this is subject to the proviso that EU rules must be consistent with the international law framework.

The Court, without elaborating further, felt it unnecessary to respond to the third question.

Comment

There are a number of comments that could be made about this judgment. This post comments on three: the approach of the Court to general monitoring; non-identical content; and the issue of territorial scope. It also discusses freedom of expression issues.

General Monitoring

In this judgment there is a clear confirmation that searching for specific pieces of information/types of content does not constitute general monitoring. The Court makes it clear, at para 35, that the searching for individual pieces of content constitutes a ‘specific case’ within recital 47. The Court gives the searching for specific information as an example of a ‘specific case’; presumably the searching of a targeted user’s stored data could be another such. This is the first time the approach has been adopted in regard to defamation. Perhaps the fact that the case concerns defamation rather than, for example, intellectual property explains the dearth of previous case law cited in the court’s judgment.

The statement of the Court that searching for an individual item of content does not constitute general monitoring does not address the fact that such a search would presumably involve searching all content held. Yet in McFadden (Case C-484/14), the Court described the scope of Article 15 thus:

As regards, first, monitoring all of the information transmitted, such a measure must be excluded from the outset as contrary to Article 15(1) of Directive 2000/31, which excludes the imposition of a general obligation on, inter alia, communication network access providers to monitor the information that they transmit. [McFadden, 87]

This is broadly similar to the approach in the early case of L’Oreal (Case C-324/09) which referred to Article 15 precluding ‘an active monitoring of all the data of each of its customers in order to prevent any future infringement ...’ [para 139]. The prevention of future infringements in the context of L’Oreal could, however, be achieved – in the view of the Court – by the suspension of the perpetrator. Yet monitoring of the data of all customers seems to be what would be required to find the specific case of content. The matter remains unacknowledged in the Court’s analysis in Glawischnig-Piesczek. Perhaps the assumption is (a) that the concern underpinning the prohibition in Article 15 derives from privacy; and (b) that when we look for one thing we do not really see the other things that we look at during our search – and that this might particularly be so when the searching is automated. Of course, arguments that automated review of communications data does not constitute an invasion of privacy have not been accepted by the Court (e.g. Watson/Tele2). In any event, further support for the distinction between searching for an identified piece of content and searching in a less targeted fashion is found in the context of the fight against child sexual abuse and exploitation and in the context of enforcement of intellectual property.

Non-identical content

The clarification that an injunction may also extend to non-identical content raises a number of issues.  While the Court states that a host should not be required to make its own judgment on these matters it is not clear how similar the content needs to be.  It is also unclear whether the Court is concerned here with the wording or the message conveyed. At [40] it refers to the ‘message conveyed’, which could refer to the idea in issue rather than its precise expression. The Court then referred to ‘information, the content of which, whilst essentially conveying the same message, is worded slightly differently …’ [41]. An approach based on wording (or presumably identifiable items of content such as images) has the benefit of being more easily described by order. It is probably easier to circumvent.  There seems to be an assumption in the judgment that technological means are available to implement this sort of requirement, though whether that is the case is another question.

Territorial Scope

The territorial scope of the order is also worth mentioning. Like its Advocate General, Szpunar, the Court does not envisage any territorial limitation of the removal/blocking as a result of EU law. It is important to note that the Court does not say that injunctions must have such extraterritorial effect. Rather the question is about the interplay between each national legal system’s own way of dealing with these issues (an area the Court noted gave Member States wide discretion) and the fact that Article 18 is silent as to any limitations. The silence of EU law allows Member States freedom to take action. A further issue is that the Court noted the impact of international law without however elaborating what it meant – are we talking fundamental human rights (this seems unlikely given the existence of the EU Charter) or international comity, for example?

This is one of a number of cases in which the Court has had to consider the territorial scope of EU law in the context of the Internet – the most recent being the Right to be Forgotten case: Google v CNIL (Case C-507/17). There the Court held that

Where a search engine operator grants a request for de-referencing …, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the version of that search engine corresponding to all the Member States. [73]

It seems then that the opposite conclusion has been reached. This is overstating the point. While EU law does not require extraterritoriality, the GDPR’s silence on the point gives space to a national court to make an order with extra-territorial effect, a point the Court makes express in para 72. A national court could then, within the constraints of its own national rules, make such an order. In such a situation the position would seem similar to that under Article 18 e-Commerce Directive as understood in Glawischnig-Piesczek. A contrast to the silence of the EU legislature on extraterritoriality of blocking/de-listing can be seen in the Terrorism Directive. There Article 21 imposes an obligation on Member States to obtain the removal of terrorist content hosted outside their territory, but it also recognises that that may not be possible.

In Google v CNIL, while the Court recognised the possibility for national courts to make orders for de-referencing with extra-territorial effect, it expressly noted that in doing so they must weigh up the competing interests of the data subjects and the right of others to freedom of information [para 72]. It is noticeable that in Glawischnig-Piesczek the balancing is different. The Court notes the interest of the subject of the information and also the need not to impose an excessive burden on the host provider [para 45, para 46]. Other rights – the right of the host to carry on a business and the rights of those posting the material and those wishing to receive it, both aspects of freedom of expression – are not expressly mentioned. To some extent the issue of rights will be covered through the national courts, which will be the bodies to carry out that balancing within their own national frameworks and within the limits of EU law. By contrast to Google v CNIL, however, there is no instruction from the Court that these are matters to be considered, nor any express recognition that the balance between the right to private life (including the protection of reputation) and freedom of expression differs between territories. What might be seen as the legitimate protection of private life in one place is an infringement of speech in another. So, while the matter was not directly the Court’s concern in this case, it is somewhat surprising that the issues were not directly considered.

Barnard & Peers: chapter 9
Photo credit: Department of Defense, via Wikicommons

Tuesday, 1 October 2019

Accessing the EU’s Financial Services Market in the Event of a No-deal Brexit





Bartlomiej Kulpa, LLM (Twitter: @KulpaBart)

Introduction

Since Boris Johnson took the helm as British Prime Minister, a no-deal Brexit has become the most likely scenario. The UK-based financial services firms are waiting to hear if they will be able to serve clients in the EU 27, and if so, on what basis. Currently, the UK-based financial services firms rely on the so-called passporting rights. According to The Economist, 5,476 financial services firms based in Britain used 336,421 European passports to sell their products in the EU in 2016. By comparison, approximately 8,000 financial services firms based in the EEA used 23,535 European passports to sell their products in the UK. This proves that the removal of passporting rights as well as uncertainty over what will replace them amount to an existential threat.

The Concept of a European Passport             

A European passport is a right granted under the Single Financial Market Directives, such as MiFID II (The Markets in Financial Instruments Directive 2014/65/EU), to an EEA institution licensed in an EEA Member State. The European passport enables financial services firms to act on a cross-border basis within the EEA. If Britain leaves the EU without a Brexit deal, the UK-based financial services firms will lose the passporting rights and consequently full access to the single market. In other words, they will be treated as third country financial services firms.
   
Articles 34 and 35 of MiFID II form the legal basis for the passporting rights. Article 34 provides for freedom to provide investment services and activities in another Member State if such investment services and activities are authorised by the competent authorities of a home Member State. As regards Article 35, that allows financial services firms to provide services in another Member State through the right of establishment of a branch provided that such services are authorised by the competent authorities of the home Member State. Pursuant to Articles 34 and 35, a financial services firm must notify the competent authorities of the home Member State of its intention to provide services in another Member State. In other words, the financial services firm must apply for a licence. Subsequently, the competent authorities of the home Member State inform the competent authorities of a host Member State of the financial services firm’s intention to serve clients in the latter.    
  
There is no doubt that the advantages of the concept of a European passport easily outweigh the disadvantages. Firstly, one licence enables financial services firms to obtain access to 31 countries which have a population of over 500 million consumers (this will be reduced after a Brexit). From a legal point of view, this means that a financial services firm that has been granted a European passport is not required to obtain a domestic licence in every Member State. Secondly, the concept of a European passport helps to keep business costs down. Thirdly, the concept of a European passport is free from political influence. Fourthly, the range of clients and investors is not limited in scope. In other words, the concept of a European passport does not only apply to professional investors but also to retail investors. Lastly, a home Member State regulator cannot revoke the European passport and the European passport is granted for a period of time with no fixed limit.

Further, it should be noted that the concept of a European passport does not have the qualities to be described as a single European passport. If it qualified as the single European passport, then financial services firms would be allowed to undertake cross-border activities throughout the EEA without taking any further actions. A good example of a single administrative act with EEA-wide effect is a European trademark granted by the European Union Intellectual Property Office (EUIPO).

The Equivalence Regimes       

The EU has operated the equivalence regimes (also known as the third country regime or TCR) in relation to financial services firms based outside of the single market under the relevant Single Financial Market Directives and Regulations, the USA being the prime example, for some years. In accordance with Articles 46-49 of MiFIR (The Markets in Financial Instruments Regulation (EU) No 600/2014), the equivalence regime is based on an equivalence decision made by the European Commission (EC) and the register of third country financial services firms kept by the European Securities and Markets Authority (ESMA). As regards the former, the EC’s equivalence decision states whether, firstly, the prudential and business conduct requirements that are legally binding in a third country have equivalent effect under EU law and whether, secondly, the legal and supervisory arrangements of the third country ensure that financial services firms authorised by the competent authorities of that third country comply with the legally binding prudential and business conduct requirements. Once the EC has made the equivalence decision in favour of a particular third country, financial services firms based in that third country need to register, within a transitional period of three years under Article 54 of MiFIR, with the ESMA. As a result, third country financial services firms are able to operate as a European hub. It should be noted that Member States shall not impose any additional requirements on such firms and shall not treat them more favourably than firms based in the EU.       

Moreover, it should be emphasised that the equivalence regime enables third country financial services firms to provide investment services and activities only to eligible counterparties and professional clients. This means that, unlike the concept of a European passport, the equivalence regime does not apply to retail clients. What is more, the EC can revoke an equivalence decision at any time if divergences between a regulatory framework of a third country and the regulatory framework of the EU appear.

One could argue that in the event of a no-deal Brexit the equivalence regime would be more attractive for smaller financial services firms. As practice proves, multinational financial services behemoths, which have used Britain as the gateway to the single market, have already relocated to the EU 27 or are in the process of setting up offices there as part of their Brexit strategy.

As far as the resolution of disputes is concerned, third country financial services firms shall, before providing any services or activities to the EU-based clients, offer to submit any disputes relating to the aforementioned services or activities to the jurisdiction of a court or arbitral tribunal in one of the Member States (Article 46(6) of MiFIR). In other words, such firms shall offer a forum in the EU where their right to conduct litigation could be exercised. If Britain were to access the single market via the equivalence regime in the event of a no-deal Brexit, then the English courts would not have any jurisdiction over disputes relating to such services or activities. In practice, this would result in London facing a struggle to retain its position as a global centre for securities litigation.         

Although the equivalence regime would allow the UK-based financial services firms to access, in the event of a no-deal Brexit, the single market, the equivalence regime suffers from a few drawbacks. Firstly, the equivalence regime is a unilateral mechanism. To put it simply, it only depends on the EU whether it recognises as equivalent the regulatory standards of a third country. Secondly, since an equivalence decision is made by a political body, namely the EC, various political factors can impact the equivalence assessment. Thirdly, the EC’s equivalence decision cannot be reviewed by a court.
        
The European Passport Light

The next issue that merits attention is the so-called ‘European passport light’ as set out in Article 47(3) of MiFIR. A third country financial services firm can rely on the European passport light if the following conditions have been met: (i) the EC has made an equivalence decision in favour of a particular third country; and (ii) the third country financial services firm has been granted the authorisation to establish a branch in one of the Member States pursuant to Article 39 of MiFID II. As a result, the third country financial services firm will be able to provide services and activities to eligible counterparties and professional clients in other Member States without the requirement to establish a new branch for each additional Member State. In the same way as the equivalence regime, the European passport light does not apply to retail clients. However, unlike the equivalence regime, the European passport light is not based on the requirement to register with the ESMA.         
  
The MiFID II Own Initiative Principle


Article 42 of MiFID II creates an exception to a Member State’s imposition of an authorisation requirement, which is enshrined in Article 39 of MiFID II, for a third country financial services firm where that firm provides investment services or activities at the exclusive initiative of a retail or professional client. The MiFID II Own Initiative Principle is coterminous with the reverse solicitation test. Compared to the equivalence regime, the MiFID II Own Initiative Principle applies to retail as well as professional clients. However, from a practical point of view, the MiFID II Own Initiative Principle does not seem to be useful for big financial services firms that intend to actively gain a market share. Furthermore, any marketing to EU-based clients triggers the EU rules for providing financial services and consequently the need for obtaining an EU licence.    
  
Conclusion

It seems that the equivalence regime is the only workable arrangement that could replace the concept of a European passport in the event of a no-deal Brexit. Unless the UK government creates ‘Singapore upon Thames’, the process of making a decision whether post-Brexit Britain’s regulatory regime is deemed to be equivalent should be relatively straightforward. However, one should remember that the equivalence regime does not apply to retail clients and the EC can revoke an equivalence decision at any time. Therefore, the equivalence regime would not fill the gaps created after the cessation of the application of a European passport to the UK-based financial services firms.

Further reading:

M Lehmann and D A Zetzsche, Brexit and the Consequences for Commercial and Financial Relations between the EU and the UK, 20 September 2016. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2841333;
H Nemeczek and S Pitz, The Impact of Brexit on Cross-Border Business of UK Credit Institutions and Investment Firms with German Clients, 1 February 2017. Available at: https://ssrn.com/abstract=2948944;
The Economist, London’s reign as the world’s capital of capital is at risk, 29 June 2019. Available at: https://www.economist.com/finance-and-economics/2019/06/29/londons-reign-as-the-worlds-capital-of-capital-is-at-risk.              

Barnard & Peers: chapter 14, chapter 27
Photo credit: via Wikicommons, photo taken by Andy F