Latest Event Updates

EU dataflow: the new Privacy Shield is (almost) born

Posted on Updated on

CaOXf3AWQAEatpF.jpg-large

 

On February 2, 2016 the European Commission announced in a press conference in Strasbourg to have found a political agreement with the US authorities to allow the transfer of personal data from UE to US. The agreement, named “US/UE Privacy Shields” (the hashtag is already a star in the web, and in Twitter in particular) will replace the Safe Harbor agreement invalidated by the Eu Court of Justice last October 2015.

The enthusiasm by European authorities and corporations (US in particular) following this announcement is well comprehensible. In fact, after the annulation of the Safe Harbor Agreement, the entire UE/US business fall into a serious uncertainty, with the national data protection authorities being empowered to chase whoever and whatever involved in transatlantic business. The problem is dramatic because a huge amount of businesses rely on the transfer of data from UE to US: to make an example, most of European retailers use US platform to bill their clients, therefore without a clear data transfer framework most if such businesses are impaired, even if they refer to trade within the UE.

Nevertheless, it is still too early to predict whether the announced agreement will solve the pending problems. The announcement concerns just principles, while the precise details of the new framework need to be further negotiated, and then incorporated into a final European decision (a so-called “adequacy decision”). In addition, most of the commendable obligations required upon the US authorities should be confirmed in writing.  Not surprisingly, the announcement of the Commission was followed by skeptical reactions by various top characters of the #SafeHarbor novel, such as  Mr. Scherms, the Austrian guy who started there entire matter with the recourse to the European court, MEP Albrecht, the rapporteur of the new European data protection regulation, and even Mrs Reding, the former EU Commissioner who started the reform of data protection in the EU.

One could say that the main scope of this announcement to gain some time, since the national data protection authorities granted to the Commission a 3-months period (expiring at the end of January 2016) before the national data protection authorities start to investigate (and eventually impose sanctions) into the EU-US data flow business. If it is, we could say that the escamotage worked, since the Article 29 Working Group (basically the bodies representing the data protection authorities) has welcomed the political agreement and encouraged the Commission to go ahead (although no evaluation on the merits has been given, since precise details are not fixed yet). However, the chief of the French data protection authority has been much more clear, by stating that “we can’t just accept words on privacy shield”.

Thus, it is still unclear whether this agreement will solve the crisis or will just open a new round trip to the European Court of justice. Some parts of the announcement seem to disclose important progress from the uS side, such as:

For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms“.

Mass surveillance and unlimited access to personal data are a crucial matter between UE and US: it is a delicate legal issue – being the main ground referred by the European court to invalidate the Safe Harbor agreement – but also a matter for political discussion, following the Snowden/NSA scandal.

The further steps will not be easy at all: Vice-President Ansip and Commissioner Jourová will prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of the European Commission after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. department will make the necessary preparations to put in place the new framework with the obligations of their side.

***

As regard the main part of the agreement, here an extract from the PR of the Commission:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

 

How the European copyright rules help the US entertaining industry to make more money in the EU rather than in US

Posted on Updated on

12363236_913687508725571_8791187732396125000_o

Tomorrow December 9th the European Commission will publish a copyright package consisting of a communication on the copyright reform plus 2 legislative proposals (about content portability and contractual conditions respectively).

On the basis of leaks circulated in the last weeks, I would tend to say that the European Commission is slowing down with the copyright reform, and that the copyright package will be much less ambitious than expected, at least if we compare it with the declarations made when the Digital Single Market (“DSM”) strategy was announced and launched in May last. For instance, targeting geoblocking and improving of cross-borders availability of online content was one of the karmas marketed by Junker and Ansip to explain the need for a Digital Single Market. By contrast, if you look at what is going to be really proposed tomorrow, you will find out that:

– reference to geoblocking has mostly disappeared;

– in order to target cross-border issues, just a content portability proposal is made. This proposal is good and welcomed but, depending on the actual duration & conditions of the portability*, the benefits for the consumers may be very limited (in other words, citizens may encounter the same disappointment already with roaming, when it was announced that roaming surcharges will disappear in 2017 and then found legal details whereby roaming surcharges to continue to exist much beyond that time);

– with regard to important technical and legal subjects to be clarified or harmonized (private copy, exceptions, act of communication to the public ecc) the Commission’s position consists in considering possible actions in the future;

– in general, the Commission is proposing a “gradual approach” that, in political terms, means, I fear, “wait and see” with regard the most important problems.

Fact is, this disappointing scenario may be due to the fact that there internal disagreement within the European Commission as to how much to tackle the fragmentation of the European content market: VP Ansip, VP for the DSM, seems to be much more liberal than Oettinger, Commissioner for the digital sector. In addition, the Commission’s offices may fear that a too strong proposal would be later destroyed by Member States and EP, which are mostly under the pressure of the “content industry”: broadcasters, distributors, producers. In fact, the content industry is really strong in defending its prerogatives (i.e. the territorial segmentation of their business, in order to increase profits) on the excuse that this status quo is necessary to protect the production of European movies and the European culture in general. But then they do not explain why they are advocating geobklockinbg also for US movies, i.e. the big part of content watched by European users. In other words, the current fragmented system helps the US industry to make more money in Europe to the detriment of European consumers, while the same industry would not dare to impose to US citizens a fragmented movies offer through 50 american States.

Unfortunately, European Members States and European Parliament are caught by the content industry arguments, because the influence of such industry in each Member State is massive. Each government and each politician, with few exemptions, wants to protect the national industry, even when the final winner is the US content making more money in the EU than US. As a consequence of this status quo, European citizens willing to pay for legal content, but not finding what they want and buy, will be forced to go into piracy or use VPNs. Make the example of a Belgian citizens living in Italy and willing to buy Netflix Belgium, because of some features of that offer with respect to the offer of Netflix Italy. He/she would be blocked in Italy and, as an alternative, he/she should go to the pirate market to find the wanted content, or use the VPN tools. And we are talking about people willing to pay for legal content! 

As always, the potential way-outs may come just from external, unexpected actions: for instance the DG COMP directorate of the Commission, headed by Mrs. Vestager , which has independent powers and does not need Member States or EP to agree on what she does, could take a decision on a competition case (like the pending one on broadcasting) stating that territorial restriction (and related geoblocking measures) are anticompetitive; or, the legal case could be solved by the European Court of Justice. Do not forget that in the ‘70/’80 the European Court was decisive in liberalizing the European cross-border trade by declaring that distribution agreements of goods (cars, food, pharmaceutic ecc) could not prevent a consumers to buy something offered by a seller established in another member states (passive sale). A kind of intervention would be needed also for the digital single market, if politicians cannot afford it.

* The actual conditions whereby users may be accessing subscribed content on their device when traveling abroad are not clear yet. The proposal of the Commission is intentionally vague because this item will problem a battle field when discussing with Council and European Parliament. If no clear conditions are stated, the commercial practice amy be restrictive.

Italian web-blocking goes into a mess

Posted on Updated on

keyboard-279664_640

With a landmark decision today the Italian Constitutional Court threw into confusion the Italian Internet market. The highest Italian court had been asked to verify the consistency with the Italian Fundamental Chart (Costituzione) of AGCOM regulation 680/2013/CONS, i.e. the regulation empowering the telecom regulator to repress copyright infringements in the Internet via content removal or web blocking orders. The constitutionality question had been referred by the Tar Latium, an administrative court in front of which the validity of various legal provisions on copyright enforcement had been disputed by some parties resisting against an order of AGCOM.

The copyright enforcement regime carried out by AGCOM had been loudly contested by a big part of the Italian Internet community, while rights-holders have been supporting it.

The Constitutional Court rejected the constitutionality request on the grounds that the Tar Latium referral was contradictory and wrongly formulated, thus without examining the merits of the questions. However, the same court expressed doubts whether regulation 680/2013/CONS has a proper legal in the Italian legal environment. This evaluation was expressed in an obiter dictum, i.e. a part of the reasoning which is not part of the deciding conclusions.

As a consequence, regulation 680/2013/CONS is still valid (because the lack of validity was not formally declared by the Court), however the entire system is now at risk because any interested party, facing a proceeding in which regulation 680/2013/CONS is involved, could claim, on the basis of the Constitutional Court’s comments, that such regulation is lacking a legal basis and therefore is invalid. Thus, it would be to the judge at stake to make a new evaluation and decide to reject the claim, desist applying the regulation or referring again the matter to the Constitutional Court for a more clear ruling.

The legal situation is more than complex now and, with no surprise, the Italian regulator AGCOM had not officially commented yet the ruling of the Constitutional Court.

Zero-rating: the European Parliament washing hands like Pontius Pilate

Posted on Updated on

ponzio-pilato

As well all know, on Tuesday October 27 the European Parliament, meeting in plenary session, will likely approve the new net neutrality provisions which are part of the Single Telecom Market (“STM”) regulation. Civil society and industry are however protesting because the reform, despite some commendable principles, will de facto legitimate zero-rating practices, i.e. a commercial behaviors allowing telcos to discriminate Internet services and so affecting the free choice of users. Even Tim Berners-Lee launched an alert about the dangers of the proposed reform, while an accurate critical analysis have been dome by Barbara Van Schewick.

Because of the above, a Save-the-Internet campaign has been launched in order to support amendments to block that part of the reform. It is to be expected that some groups in the EP will support the amendments, especially the Greens, GUE, as well as some MEPs of the EFDD and the ENF groups. Several Dutch MEPs should also support the amendments (the Netherlands, notably, was the sole country together Slovenia to prohibit zero-rating practices). It seems that approximately half of the ALDE group is likely support them. The “Save-the-internet” campaign asking MEPs to support the amendments seems to be particularly strong in Germany, Belgium and Austria. However, I understood that the EPP, ECR and a huge majority of the S&D group will vote against and support the net neutrality provision including the zero-rating issue.

Because of the noise created by this debate, the press office of European Parliament issued a misleading communication pretending that it is not the Parliament, rather the national regulators, who will take a decision on zero-rating:

Zero rating is a commercial practice of some internet access providers, especially mobile operators, to not measure the data volume of particular applications or services when calculating their customers’ data usage. This means that these websites or services are effectively provided for free to customers, to the detriment of all other websites or services. Parliament intends to allow national regulators, overseeing the implementation of the draft regulation, to decide whether zero rating will be applied in their country or not.

This is completely false and misleading! So far national regulators had various instruments to block zero-rating practices, including antitrust, fair trade and consumers protection rules. In Slovenia and Netherlands they even had a net neutrality legislation ad hoc. By contrast, after the approval of the STM regulation, that power of national regulators will be materially weakened because of the ambiguous wording of article 3 of the European regulation vis-à-vis zero-rating practices:

  1. Users shall have the right to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the enduser’s or provider’s location or the location, origin or destination of the information, content, application or service, via their internet access service.This paragraph is without prejudice to Union law, or national law that complies with Union law, related to the lawfulness of the content, applications or services.
  2. Agreements between providers of internet access services and end users on commercial and technical conditions and the characteristics of internet access services such as price, data volumes or speed, and any commercial practices conducted by providers of internet access services, shall not limit the exercise of the rights of end users laid down in paragraph 1“.

The above provisions must be read together with recital 7 (a recital, not a binding provision!) of the same regulation:

In order to exercise their rights to access and distribute information and content and to use and provide applications and services of their choice, endusers should be free to agree with providers of internet access services on tariffs for specific data volumes and speeds of the internet access service. Such agreements, as well as any commercial practices of providers of internet access services, should not limit the exercise of those rights and thus circumvent provisions of this Regulation safeguarding open internet access.

National regulatory and other competent authorities should be empowered to intervene against agreements or commercial practices which, by reason of their scale, lead to situations where endusers’ choice is materially reduced in practice. To this end, the assessment of agreements and commercial practices should inter alia take into account the respective market positions of those providers of internet access services, and of the providers of content, applications and services, that are involved. National regulatory and other competent authorities should be required, as part of their monitoring and enforcement function, to intervene when agreements or commercial practices would result in the undermining of the essence of the end users’ rights”.

In other words, while it is clear that agreements about data and speed are legitimate and may be used for zero-rating practices and other discriminations based on the price of Internet connectivity, it is absolutely unclear if and to what extent national regulators can intervene in order to prohibit such discriminations. The Dutsch and Slovenian legislations were quite clear to this respect, since they prohibit ISPs, sic et simpliciter, to differentiate the price of the Internet connectivity on the basis of the Internet services running over it. However, such legislations will need to be repealed (as it was declared by respective governments when voting against the STM).

Studies say that (actual) broadband download speeds in Europe are considerably higher than in US

Posted on Updated on

slow-internet

The European Commission published 3 studies in the area of broadband performance revealing very interesting data about how different degrees of competition may influence this market. The data comparison between EU and US is remarkable.

The study concerned Broadband SpeedsBroadband Prices and Broadband Coverage. A comprehensive analysis can be found in the press release of the European Commission.

I took the liberty to extract some selected conclusion concerning the comparison between the EU and US market, as well the performance of new entrants vs incumbent operators:

Speeds
The actual download speeds attained in Europe for any given technology (in particular cable) were considerably higher than those measured in the USA:
– xDSL services averaged 8.27Mbps in Europe and 7.67Mbps in the US
– Cable services averaged 66.57Mbps in Europe and 25.48Mbps in the US
– FTTx services averaged 53.09Mbps in Europe and 41.35Mbps in the US

Prices
The least expensive offers per country (in the EU) are, in around 80% of cases, provided by new entrants which, however, are generally not available to all customers, because they have lower coverage than the incumbents.
When taking a closer look at the countries (in the EU) where a new entrant offer is the least expensive one, the incumbent’s offer with the lowest price is on average between around 20% and 35% more expensive than the least expensive offer overall, and the relative difference is the highest for Standalone offer.
The EU28 is less expensive than the US for broadband above 12Mbps. For 30-100 and 100+ Mbps, trends are very similar for all types of offers – the EU28 average of least expensive offers is in all cases substantially lower than the least expensive offer prices in Canada and the USA:
– For the 30-100 Mbps range, prices in the EU28 are between 4 and 14% higher than in Japan and between 25 and 54% more expensive compared to South Korea. They are however between 36 and 51% cheaper than in Canada and between 21 and 38% cheaper than in the USA.
– For 100+ Mbps, the difference with Japan and South Korea is larger (minimally 33% and up to 74%). On the contrary, EU28 prices are between 23 and 43% cheaper than in Canada and between 13 and 34% cheaper than in the USA.

The end of the Safe Harbor regime: time for structural separation of personal data?

Posted on Updated on

german-demonstrator.-berlin-july-2013

The Court of Justice of the European Union (CJEU) declared invalid the so-called Safe Harbor decision of April 26, 2000 of the European Commission which allowed US platforms and OTTs such as Facebook, Amazon, Google and others to transfer and gather in the United States personal data of European citizens (Case C-362/14 Maximillian Schrems vs Data Protection Commissioner). The text of the judgment can be found here.

The judgment of the EU Court will have various fundamental consequences on the business of the US OTTs in Europe. In particular, the transfer and treatment of personal data of European citizens into US risk to become permanently uncertain and unfit for a proper online business based on profiling and online ads. My first thoughts on this:

  • a new Safe Harbor decision will not solve the problems. The CJEU confirmed that national supervisory authorities remain competent to examine whether the transfer of individuals data to third countries complies with the requirements requested by the directive on data protection (Directive 95/46). This will make it for a very different business environment for US based platforms and OTTs in the EU; as a matter of fact, such companies from now on will be running the risk of having individuals challenging the way their data are processed in the US. Additionally, since most of US OTTs are based in Ireland, the Irish data protection authority will have to manage an enormous, unexpected, and maybe uncalled for, power over the entire US online business;
  • in any case, it would be difficult to reach and enforce a new Safe Harbor decision. The CJEU clearly stated that the current way the US process personal data is not acceptable, because there are no guarantees as, nor limitations, to the potential interference by US investigation authorities, in particular as to security and anti-terrorism reasons. However, in a joint declaration, Vice-President Timmermans and Commissioner Jourová optimistically declared that “we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic“;
  • therefore, it seems that the only solution will be for US OTTs to store data in the EU, rather than in the US, if they want to continue to carry out business in the EU. This means they will have to create new and separate data processing centers in the US and the EU respectively. It will be a kind of structural separation for personal data;
  • for some OTTs this forced structural separation of personal data will be a disaster, since their business, based of profiling for advertising and marketing, will become much less interesting if data could not be compared and profiled all together.
  • to overcome this issue, an enormous political effort should be done between US and EU. In particular the US should accept to discuss, and comply with, the data protection standards as indicated by the European Court. However, this is very unlikely to happen in the short term.

In the short term, US OTTs will continue to carry on their business, since the transfer of data to third countries may happen (art. 26 of the Data Protection Directive) also via other alternative means, such as with the consent of interested parties, the application of the so-called Binding Corporate Rules or the use of standard contractual clauses. However, such instruments do not constitute a viable, long-term solution in the present circumstances, since the judgement clearly applies, as far as mass surveillance is concerned, to any alternative transfer methods. In other words, the CJEU has not argued only under the Safe Harbor decision, but has based the judgement on fundamental rights that apply no matter which transfer methods are used.

Zero-rating practices to become norm in Europe, according to (quasi-final) net neutrality regulation

Posted on Updated on

Today the Council formally approved the Roaming and Net Neutrality provisions of the TSM (Telecom Single Market) Regulation under the new name “Regulation laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union”.

The text agreed by the Council needs now to be ratified by the European Parliament: on 12 October the ITRE (Industry) Committee will vote recommending the European parliament plenary (scheduled for 27-28 October) to approve the Council position. Unless extraordinary circumstances occur, the new regulation should enter into force in late November 2015.

It is remarkable that the Council’s position at first reading was adopted without discussion at a meeting of the Competitiveness Council. However, there were rumours that Netherlands and Slovenia, the only EU countries which already have a national NN legislation in force, may be voting against. At the end, they were not able to oppose the deal, instead they made statements expressing concerns for the impact of the new rules on their NN national legislations. Netherlandas believes that they will be forced to repeal their net-neutrality rules banning zero-rating practices, i.e. price discrimination.

Zero-rating practices are in fact allowed by the new European regulation. As a consequence of that, an ISP could charge customers with different connectivity prices depending on the Internet services (website, music, video) which are accessed to, thus materially influencing the free choice of the users. The new European regulation empowers the national authority to surveil about anticompetitive practices, however such rules are too vague to be a deterrent, and this is the reason why the Dutch are so worried.

The position of the European Parliament has been ambiguous on this point. The assembly has been doing a big battle about net neutrality but, in my opinion, they understood too late the zero-rating dilemma, because at beginning it was considered too technical (despite the fact that various people, including the undersigned, have been flagging the danger since the beginning). The Parliament became fully aware of the problem after the first reading in April 2014, but it was too late then. This delay in fully understanding such an important issue may have a serious weight for the future of the European Internet industry.

However, some members of the European assembly could still rise the issue at the plenary session, asking this problem to be amended accordingly. They would need a strong support for that. It already happened in 2009, when the European Parliament refused to ratify the reform of the 2009 Electronic Framework Package because it was missing a clear provision about Internet as a fundamental right. In that case, as it would be now, the Council was very angry with the Parliament which was accused not to be able to respect inter-institutional deals.

It is till too early to assess how European telcos will react to this unexpected freedom to discriminate Internet prices. In markets where competition is vigorous, they will be probably hesitate, because users may migrate to more friendly ISPs. But in markets tending towards narrow oligopolies (mobile and ultrabroadband markets in particular), the problem may rise soon.