GDPR
Krakow Intellectual Property
Summer School
Giovanni Maria Riccio
Professor of Law
gmriccio@unisa.it
The History of the General Data
Protection Regulation
• In 1995, the European Data protection Directive (Directive 95/46
CE) on the protection of individuals with regard to the processing
of personal data and on the free movement of these data was
adopted.
• For the first time, a definition of «personal data» was provided:
«any information relating to an identified or identifiable natural
person; an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity»
• The Directive specified the meaning of processing data, with a
broad definition: «any operation or set of operations which is
performed upon personal data, whether or not by automatic
means, such as collection, recording, organization, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction»
The History of the General
Data Protection Regulation
• In 2011, the European Data Protection Supervisor published
an Opinion on the European Commission Communication,
entitled «a comprehensive approach on the personal data
protection in EU»
• In 2012, the European Commission proposed a
comprehensive reform of the Directive 95/46 to strengthen
online privacy rights and the European Data Protection
Supervisor adopted an opinion on the Commission’s data
protection reform package.
• In 2014, the European Parliament supported the new
regulation on data protection and in 2015 an agreement was
reached by the European Parliament, the Council and the
Commission.
• In 2016, the Regulation (EU) 2016/679 (GDPR) on the
protection of natural persons with regard to the processing
of personal data and on the free movement of such data was
published and entered into force on 24th May 2016.
• From 25th May 2018, the GDPR started to be applied.
General
Data
Protection
Regulation
The General Data Protection Regulation (EU) 2016/679
The same law and the same text for all the member States
Approved in May 2016 – Came into force in May 2018
It is applicable also to non European entities where they
offer products or services or when they monitor European
citizens (eg Google Maps, Facebook, Instagram, etc.)
GDPR - a common framework
• The difference between the Directive and the GDPR is that the GDPR does not require the
implementation into the national legal framework by the Member States. In fact, the
Directive sought to harmonise the protection of fundamental rights and freedoms of natural
persons.
• So, the GDPR is a common framework in all the Member States, without any differences.
• The most important aims of GDPR are:
- to promote the protection of personal data of natural persons both in the Community and
in the external context
- to update the legislation on data protection in Europe, with a common framework that is
better suited to being adapted to the technological and sociological scenario.
• «In order to prevent creating a serious risk of circumvention, the protection of
natural persons should be technologically neutral and should not depend on the
techniques used». (Whereas 15).
GDPR - a common framework
• The Whereas specified the most relevant purposes of the GDPR.
The protection of natural persons in relation to the processing of personal data is a fundamental right.
• Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the
European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
Article 8:
«1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid
down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.»
Article 16:
«1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the
protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States
when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these
rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.»
The scope of GDPR
• The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing
other than by automated means of personal data which form part of a filing system or are intended to form part
of a filing system.
• Only to the processing of personal data of natural persons.
• To the processing of personal data in the context of the activities of an establishment of a Controller or a
Processor in the Union, regardless of whether the processing takes place in the Union or not.
• To the processing of personal data of data subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are related to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such
data subjects in the Union;
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
The scope of
GDPR
The processing of personal data should be designed to serve mankind.
But the right to the protection of personal data is not an absolute
right: it must be balanced against other fundamental rights, in
accordance with the principle of proportionality.
The GDPR respects all fundamental rights and observes the freedoms
and principles, specifically:
- the respect for private and family life, home and communications;
- the freedom of expression and information;
- freedom to conduct a business;
- the right to an effective remedy and to a fair trial, and cultural,
religious and linguistic diversity.
The GDPR does not apply to issues of protection of fundamental rights
and freedoms or the free flow of personal data related to activities
which fall outside the scope of Union law, such as activities concerning
national security.
Member States may, as far as necessary for coherence and for making
the national provisions comprehensible to the persons to whom they
apply, incorporate elements of the Regulation 679/2016 into their
national law.
Definitions
Article 4 of the GDPR provides the most important definitions:
• Personal data: any information relating to an identified or identifiable natural person (“the data subject”); for instance, a
name, an identification number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity.
• Data Subject: the identified or identifiable natural person, that can be identified directly or indirectly, whose personal data is
being collected, held or processed.
• Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or
not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
• Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data.
• Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the
Controller.
Definitions
• There are special categories of personal data, including the
personal data that reveal:
1. racial or ethnic origin;
2. political opinions;
3. religious or philosophical beliefs;
4. trade union membership;
Or:
1. genetic data, biometric data;
2. concerning health or a natural person's sex life or sexual
orientation.
3. data relating to criminal convictions and offences.
Another category consists of anonymous information:
anonymous information is information that does not relate to an
identified or identifiable person, or personal data rendered
anonymous in such a manner that the data subject is not or no
longer identifiable. The GDPR does not concern the
processing of anonymous information, including for statistical or
research purposes.
Principles relating to processing of personal data
• Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a
transparent manner in relation to the data subject.
The data subject must be informed about the processing of these
data and the purposes.
Processing shall be lawful only if and to the extent that at
least one of the conditions provided by Article 6 of the GDPR applies.
• Purpose limitation: personal data shall be collected for specified, explicit and
legitimate purposes and not further processed in a manner that is
incompatible with those purposes.
• Data minimisation: personal data shall be adequate, relevant and limited to what is
necessary in relation to the purposes for which they are processed.
Principles relating to processing of personal data
• Accuracy: personal data shall be accurate and, where necessary, kept up to
date.
• Storage limitation: personal data shall be kept in a form which permits identification
of data subjects for no longer than is necessary for the purposes
for which the personal data are processed.
• Integrity and confidentiality: personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate
technical or organisational measures.
The principle of accountability
The GDPR introduced a new
principle to data protection, that
of accountability.
Controllers and processors have to
take responsibility for their
processing activities and for how
they comply with data protection
principles and they must be able
to demonstrate compliance.
Being responsible for compliance
means being proactive and
organised about data protection,
while demonstrating compliance
is the ability to present evidence
of the steps taken to comply.
Consent
• Processing of personal data is lawful only under one of the six legal bases provided by
Article 6 of the GDPR.
• The first condition is CONSENT. The data subject has to give his or her consent to the
processing of personal data for one or more specific purposes.
What does consent mean? And what are the GDPR requirements?
Consent of the data subject means “any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or her”.
So, the consent must:
1. be freely given;
2. be specific;
3. be informed;
4. be unambiguous.
The controller shall be able to demonstrate that the data
subject has consented to processing of his or her personal
data.
The data subject shall have the right to withdraw his or her
consent at any time. The withdrawal of consent shall not
affect the lawfulness of processing based on consent
before its withdrawal.
Other legal
bases
• Contractual performance: the processing is necessary for
the performance of a contract to which the data subject is
party or in order to take steps at the request of the data
subject prior to entering into a contract.
• Legal obligation: the processing is necessary for
compliance with a legal obligation to which the controller
is subject.
• Vital interest: the processing is necessary in order to
protect the vital interests of the data subject or of another
natural person.
• Public interest or acting under official public authority:
the processing is necessary for the performance of a task
carried out in the public interest or in the exercise of
official authority vested in the controller.
• Legitimate interest: processing is necessary for the
purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of
personal data, in particular where the data subject is a
child.
What are the rights of the data subject?
• the right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not
personal data concerning him or her are being processed
• the right to rectification: the data subject shall have the right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her.
• the right to erasure: the data subject shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay.
• the right to restrict processing: the data subject shall have the right to obtain from the controller restriction of processing,
in case of lack of accuracy, when the processing is unlawful, and when the controller no longer needs the personal data for
the purposes of the processing.
• the right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which
he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to
transmit those data to another controller without hindrance from the controller to which the personal data have been
provided.
• the right to object to processing: the data subject shall have the right to object, on grounds relating to his or her particular
situation, at any time to processing of personal data
• the rights in relation to automated decision making and profiling: the data subject shall have the right not to be subject to a
decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her.
The right to be
informed
There is a need for transparency regarding the gathering and use of
data in order to allow EU citizens to exercise their right to the
protection of personal data.
The GDPR grants individuals the right to be informed about
the collection and use of their personal data, which leads to a variety
of information obligations for the controller.
There are two cases:
1. Where data is obtained directly, the data subject must be
immediately informed, at the time the data is obtained. In
terms of content, the Controller’s obligation to inform includes
his or her identity, the contact data of the Data Protection
Processor (if available), the processing purposes and the legal
basis, any legitimate interests pursued, the recipients when
transmitting personal data, and any intention to transfer
personal data to third countries.
2. If personal data is not obtained from the data subject, he or she
must be provided the information within a reasonable period of
time, but at latest after a month. In cases where the gathered
information is used to directly contact the data subject, he or
she has the right to be informed immediately upon being
approached. As far as content is concerned, the controller has
to provide the same specific information as if the personal data
would have been directly obtained from the data subject.
The obligations of Controller
The data Controller determines the purposes for which and the means by which personal data is processed. The Controller also
determines the nature and the storage of the processing, and the data categories.
The Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that
processing is performed in accordance with this Regulation.
Indeed, taking into account the nature, scope, context and purposes of processing, the Controller shall implement appropriate
technical and organisational measures, such as pseudonymization and data minimization.
The data pseudonymization consists in substituting the identity of the data subject in such a way that additional information is
required to re-identify the data subject. It is different from anonymization, that actually consists in irreversibly destroying any way of
identifying the data subject.
The Controller shall maintain a record of processing activities under its responsibility, for instance: the purposes of the processing; a
description of the categories of data subjects and of the categories of personal data; where applicable, transfers of personal data to a
third country or an international organisation, including the identification of that third country or international organization etc.
The role of the Data Processor
The data processor processes
personal data only on behalf of the
controller.
Where processing is to be carried out on
behalf of a Controller, the Controller shall
use only Processors providing sufficient
guarantees to implement appropriate
technical and organisational measures in
such a manner that processing will meet
the requirements of this Regulation and
ensure the protection of the rights of the
data subject.
Processing by a Processor shall be
governed by a contract or other legal act
under Union or Member State law, that is
binding on the processor with regard to the
Controller and that sets out the subject-
matter and duration of the processing, the
nature and purpose of the processing, the
type of personal data and categories of
data subjects and the obligations and rights
of the controller.
The Processor and any person acting under
the authority of the controller or of the
processor, who has access to personal data,
shall not process those data except on
instructions from the Controller.
What does DATA
BREACH mean?
Personal data breach means a breach of security leading to the accidental
or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise processed.
In case of a data breach, the controller should communicate the breach to the data
subject, without undue delay, where that personal data breach is likely to
result in a high risk to the rights and freedoms of the natural person, in
order to allow him or her to take the necessary precautions.
The communication should describe the nature of the personal data
breach as well as recommendations for the natural person concerned to
mitigate potential adverse effects. Such communications to data subjects
should be made as soon as reasonably feasible and in close cooperation
with the supervisory authority, respecting guidance provided by it or by
other relevant authorities such as law-enforcement authorities.
Indeed, the Controller shall notify the personal data breach to the
supervisory authority not later than 72 hours (unless the personal data
breach is unlikely to result in a risk to the rights and freedoms of natural
persons).
The role of DPO
• The controller and the processor shall designate a data protection officer in
any case where:
1. The processing is carried out by a public authority or body;
2. When the processing operations require regular and systematic
monitoring of data subjects on a large scale;
3. When the processing on large scale involves special categories of data.
The data protection officer shall have these tasks:
1. to inform and advise the Controller or the Processor and the employees
who carry out processing of their obligations pursuant to this
Regulation and to other Union or Member State data protection
provisions;
2. to monitor compliance with this Regulation, with other Union or
Member State data protection provisions and with the policies of the
controller or processor in relation to the protection of personal data;
3. to provide advice where requested;
4. to cooperate with the supervisory authority
The role of the
Data Protection Authority
Each Member State shall provide for one or more independent public
authorities to be responsible for monitoring the application of GDPR, in order to
protect the fundamental rights and freedoms of natural persons in relation to
processing and to facilitate the free flow of personal data within the Union.
• Each supervisory authority shall act with complete independence in
performing its tasks and exercising its powers.
• Member States shall provide for each member of their supervisory authorities
to be appointed by means of a transparent procedure by:
- their Parliament;
- their Government;
- their head of State; or
- an independent body entrusted with the appointment under Member State
law
Each member shall have the qualifications, experience and skills, in particular in
the area of the protection of personal data, required to perform its duties and
exercise its powers.
Cooperation, mutual
assistance and consistency
Each supervisory authority shall contribute to the consistent application of this
Regulation throughout the Union. For that purpose, the supervisory authorities shall
cooperate with each other and the Commission.
• Supervisory authorities shall provide each other with relevant information and
mutual assistance in order to implement and apply this Regulation in a consistent
manner, and shall put in place measures for effective cooperation with one
another.
• Mutual assistance shall cover, in particular, information requests and supervisory
measures, such as requests to carry out prior authorizations and consultations,
inspections and investigations.
The supervisory authorities shall cooperate with each other and, where relevant, with
the Commission, through the consistency mechanism.
This mechanism should in particular apply where a supervisory authority intends to
adopt a measure intended to produce legal effects as regards processing operations
which substantially affect a significant number of data subjects in several Member
States. It should also apply where any supervisory authority concerned or the
Commission requests that such matter should be handled in the consistency
mechanism. The mechanism should be without prejudice to any measures that the
Commission may take in the exercise of its powers under the Treaties
The role of
the EDPB
The European Data Protection
Board is established as a body
of the Union, shall have legal
personality and shall act
independently when
performing its tasks.
The Board shall ensure the consistent
application of GDPR. Some of the
relevant tasks of the Board are:
• advise the Commission on any issue
related to the protection of personal
data in the Union, including on any
proposed amendment of the
Regulation;
• advise the Commission on the format
and procedures for the exchange of
information between controllers,
processors and supervisory authorities
for binding corporate rules;
• issue guidelines, recommendations, and
best practices on procedures for erasing
links, copies or replications of personal
data from publicly available
communication services;
• examine, on its own initiative, on
request of one of its members or on
request of the Commission, any
question covering the application of the
Regulation and issue guidelines,
recommendations and best practices in
order to encourage consistent
application of the Regulation
Data protection and
copyright
How can data protection be balanced against the right to
information, in order to ensure the protection of copyright?
The problem of the legitimate restriction of the right to the protection of personal data for
the protection of intellectual property rights arises with particular reference to the disclosure
mechanism by which certain intermediaries disclose the personal data of third parties,
previously collected by them for the provision of their services, to copyright holders, to
allow them to identify the violations against them.
Examples of violations are:
1. File-sharing networks
2. Peer-to-peer
In order to be able to fully exercise their right of defense, the holders of intellectual
property rights need to be provided with contact information relating to offenders; this information
is held by the providers of the connectivity services and/or the hosting providers.
Data protection and copyright
The main issue is whether the transfer of this category of data to the copyright holders
is lawful without the express consent of the data subjects.
Could the transfer be regarded only as an unauthorized and unlawful processing of
personal data?
On one hand, disclosure of data for the identification of infringers could be considered
as a transfer to third parties without a legal basis; on the other hand, in the absence of
such information, the other subjects may remain unprotected, without the possibility
to end the violations and obtain compensation for the economic damages suffered.
Is there a right to information that is superior to personal data protection?
Data
protection
and copyright
• The Article 6 of the Directive 2004/48/EC on the enforcement of intellectual
property rights, provides:
1. Member States shall ensure that, on application by a party which has presented
reasonably available evidence sufficient to support its claims, and has, in
substantiating those claims, specified evidence which lies in the control of the
opposing party, the competent judicial authorities may order that such evidence be
presented by the opposing party, subject to the protection of confidential
information. For the purposes of this paragraph, Member States may provide that a
reasonable sample of a substantial number of copies of a work or any other
protected object be considered by the competent judicial authorities to constitute
reasonable evidence.
2. Under the same conditions, in the case of an infringement committed on a
commercial scale Member States shall take such measures as are necessary to enable
the competent judicial authorities to order, where appropriate, on application by a
party, the communication of banking, financial or commercial documents under the
control of the opposing party, subject to the protection of confidential information.
Data protection and copyright
The Article 8 of the Directive 2004/48/EC on the enforcement of intellectual property rights,
entitled «Right to information» states:
1. Member States shall ensure that, in the context of proceedings concerning an
infringement of an intellectual property right and in response to a justified and proportionate
request of the claimant, the competent judicial authorities may order that information on
the origin and distribution networks of the goods or services which infringe an intellectual
property right be provided by the infringer and/or any other person who:
(a) was found in possession of the infringing goods on a commercial scale;
(b) was found to be using the infringing services on a commercial scale;
(c) was found to be providing on a commercial scale services used in infringing activities;
or (d) was indicated by the person referred to in point (a), (b) or (c) as being involved in
the production, manufacture or distribution of the goods or the provision of the
services.
Data protection and copyright
Type of information:
(a) the names and addresses of the producers,
manufacturers, distributors, suppliers and other
previous holders of the goods or services, as well as
the intended wholesalers and retailers;
(b) information on the quantities produced,
manufactured, delivered, received or ordered, as well
as the price obtained for the goods or services in
question.
But this provision shall apply without prejudice to other
provisions, such as:
“govern the protection of confidentiality of information
sources or the processing of personal data”.
Data protection and copyright
• On the other hand, Article 23 of the GDPR, entitled «Restrictions», provides
that Union or Member State law may restrict the data subject rights
when such a restriction respects the essence of the fundamental rights and
freedoms and is a necessary and proportionate measure in a democratic
society to safeguard:
(d) the prevention, investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, including the safeguarding against and the
prevention of threats to public security;
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims
Data protection and copyright
Peppermint case law- 2003
In 2006, the German record label
Peppermint Jam Records Gmbh
sent out 3,636 notices of
copyright infringements to alleged
Italian file-sharers informing them
that they have been found guilty
of uploading copyrighted songs.
Peppermint had watched over
consumers in their personal use of
the Internet, with the help of their
providers, and managed to get
users’ data, monitoring their
movements.
Peppermint in these notices
invited the users to pay a
compensation for the damage for
copyright infringement.
The Italian consumer association
consulted the Supervisory
Authority, condemning the
procedures through which
Peppermint had collected users’
data (IP addresses), i.e. without
any consent of the users.
The final judgement stated that
the data collected, and the way in
which they were obtained, are
unlawful.
Data
protection
and
copyright
• Stichting Brein vs Ziggo BV, XS4ALL Internet BV case-law 2017
• Stichting Brein is a foundation governed by Netherlands Law,
whose main purpose is to combat the illegal exploitation of subject
matter protected by copyright and related rights, and to protect in
that area the interests of the holders of those rights.
• Ziggo BV and XS4ALL Internet BV (‘XS4ALL’), are companies
governed by Netherlands law whose activity consists, inter alia, in
providing consumers with an internet service.
• Stichting Brein asked that access by recipients of the Ziggo and
XS4ALL Internet BV services to the internet addresses
of the website of TPB, an engine for peer-to-peer file-sharing, be blocked. The
application is based on the fact that the recipients, using those
services, commit large-scale copyright infringements, by sharing
files containing protected subject matter (mainly music and films)
without the authorization of the copyright holders.
• The Supreme Court of the Netherlands noted, however, that the
Court’s case-law did not make it possible to reply with any certainty to the
question as to whether the online sharing platform TPB consisted in
a communication to the public within the meaning of Article 3(1) of
Directive 2001/29, in particular:
– by creating and maintaining a system in which internet
users connect with each other in order to be able to share, in
segments, works present on their own computers;
– by operating a website from which users can download
torrent files which refer to segments of those works; and
– by indexing the torrent files placed online on this website
and by categorising them in such a way that the segments of those
underlying works can be located and the users can download
those works (as a whole) onto their computers.
• The CJEU answered the request of the Court of the Netherlands,
clarifying that the peer-to-peer tools used by the website of TPB
fall under the concept of communication to the public.
• By peer-to-peer tools is meant a sharing platform which, by
means of indexation of metadata relating to protected works and
the provision of a search engine, allows users to locate those
works and to share them.
• Article 3
• 1. Member States shall provide authors with the
exclusive right to authorise or prohibit any
communication to the public of their works, by wire
or wireless means, including the making available to
the public of their works in such a way that members
of the public may access them from a place and at a
time individually chosen by them.
• 2. Member States shall provide for the exclusive
right to authorise or prohibit the making available to
the public, by wire or wireless means, in such a way
that members of the public may access them from a
place and at a time individually chosen by them:
• (a) for performers, of fixations of their
performances;
• (b) for phonogram producers, of their
phonograms;
• (c) for the producers of the first fixations of
films, of the original and copies of their films;
• (d) for broadcasting organisations, of fixations of
their broadcasts, whether these broadcasts are
transmitted by wire or over the air, including by
cable or satellite.

GDPR and Copyright Law

  • 1. GDPR Krakow Intellectual Property Summer School Giovanni Maria Riccio Professor of Law gmriccio@unisa.it
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7. The History of the General Data protection Regulation • In 1995, the European Data protection Directive (Directive 95/46 CE) on the protection of individuals with regard to the processing of personal data and on the free movement of these data was adopted. • For the first time, a definition of «personal data» was provided: «any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity» • The Directive specified the meaning of processing data, with a broad definition: «any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction»
  • 8. The History of the General Data protection Regulation • In 2011, the European Data Protection Supervisor published an Opinion on the European Commission Communication, entitled «a comprehensive approach on the personal data protection in EU» • In 2012, the European Commission proposed a comprehensive reform of the Directive 95/46 to streghten online privacy rights and the European Data Protection Supervisor adopted an opinion on the Commission’s data protection reform package. • In 2014, the European Parliament supported the new regulation on data protection and in 2015 an agreement was reached by the European Parliament, the Council and the Commission. • In 2016, the Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was published and entered into force from 24th May 2016. • From 25th May 2018, the GDPR started to be applied
  • 9. General Data Protection Regulation The General Data Protection Regulation (EU) 2016/679 The same law and the same text for all the member States Approved on May 2016 – Came into force on May 2018 It is applicable also to non European entities where they offer products or services or when they monitor European citizens (eg Google Maps, Facebook, Instagram, etc.)
  • 10. GDPR - a common framework • The difference between the Directive and the GDPR is that the GDPR does not require the implementation into the national legal framework by the Member States. In fact, the Directive soght to harmonise the protection of fundamental rights and freedoms of natural persons • So, the GDPR is a common framework in all the Member States, without any differences. • The most important aims of GDPR are: - to promote the protection of personal data of natural persons both in the Community and in the external context - to update the legislation on data protection in Europe, with a common framework, that is more adequate to be modified in order to the technological and sociological scenario. • «In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used ». (Whereas 15).
  • 11. GDPR - a common framework • The Whereas specified the most relevant purposes of the GDPR. The protection of natural persons in relation to the processing of personal data is a fundamental right. • Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. Article 8: «1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.» Article 16: «1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.»
  • 12. The scope of GDPR • The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. • Only to the processing of personal data of natural persons. • To the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not. • To the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; 2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • 13. The scope of GDPR The processing of personal data should be designed to serve mankind. But the right to the protection of personal data is not an absolute right: it must be balanced against other fundamental rights, in accordance with the principle of proportionality. The GDPR respects all fundamental rights and observes the freedoms and principles, specifically: -the respect for private and family life, home and communications; -the freedom of expression and information; - freedom to conduct a business; -the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity. The GDPR does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of the Regulation 679/2016 into their national law.
  • 14. Definitions The Article 4 of GDPR provides the most important definitions: Personal data Processing Controller Processor Data Subject any information relating to an identified or identifiable natural person (“the data subject”); for instance, a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity the identified or identifiable natural person, that can be identified directly or indirectly, whose personal data is being collected, held or processed. any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
  • 15. Definitions • There are special categories of personal data, including the personal data that reveal: 1. racial or ethnic origin; 2. political opinions; 3. religious or philosophical beliefs; 4. trade union membership; Or: 1. genetic data, biometric data; 2. concerning health or a natural person's sex life or sexual orientation. 3. data relating to criminal convictions and offences. Another category consists in anonymous information: the anonymous information is the one that does not relate to an identified or identifiable person or to personal data rendered anonymous in a such manner that the data subject is not or no longer identifiable. But the GDPR does not concern the processing of anonymous information, including for statistical or research purposes.
  • 16. Principles relating to processing of personal data • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data subject must be informed about the processing of these data and the purposes. The Processing shall be lawful only if and to the extent that at least one of the conditions, provided by the Article 6 of GDPR. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • 17. Principles relating to processing of personal data • Accuracy • Storage limitation • Integrity and confidentiality Personal data shall be accurate and, where necessary, kept up to date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measure.
  • 18. The principle of accountability The GDPR introduced a new principles to data protection, that of accountability. Controllers and processors have to take responsibility for their processing activities and for how they comply with data protection principles and they must be able to demonstrate compliance. Being responsible for compliance means being proactive and organised about data protection, while demonstrating compliance is the ability to present evidence of the steps taken to comply.
  • 19. Consent • Processing of personal data is lawful only under one of the six legal basis, provided by the Article 6 of GDPR. • The first condition is CONSENT. The data subject has to give his or her consent to the processing of personal data for one or more specific purposes. What does consent mean? And what are the GDPR requirements ? Consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. So, the consent must: 1. be freely given; 2. be specific; 3. be informed; 4. be unambiguous. The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • 20. Other legal basis • Contractual perfomance: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. • Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject. • Vital interest: the processing is necessary in order to protect the vital interests of the data subject or of another natural person. • Public interest or acting under official public authority: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. • Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • 21. What are the rights of the data subject? • the right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed • the right to rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. • the right to erasure: the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. • the right to restrict processing: the data subject shall have the right to obtain from the controller restriction of processing, in case of lack of accuracy, when the processing is unlawful, and when the controller no longer needs the personal data for the purposes of the processing. • the right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. • the right to object to processing: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data • the rights in relation to automated decision making and profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • 22. The right to be informed There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. The GDPR grants individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations for the controller. There are two cases: 1. Where data is obtained directly, the data subject must be immediately informed, at the time the data is obtained. In terms of content, the Controller’s obligation to inform includes his or her identity, the contact data of the Data Protection Processor (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. 2. If personal data is not obtained from the data subject, he or she must be provided with the information within a reasonable period of time, but at the latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data had been obtained directly from the data subject.
  • 23. The obligations of the Controller The data Controller determines the purposes for which, and the means by which, personal data is processed. The Controller also determines the nature and the storage of the processing, and the data categories. The Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Indeed, taking into account the nature, scope, context and purposes of processing, the Controller shall implement appropriate technical and organisational measures, such as pseudonymization and data minimization. Data pseudonymization consists in substituting the identity of the data subject in such a way that additional information is required to re-identify the data subject. It is different from anonymization, which consists in irreversibly destroying any way of identifying the data subject. The Controller shall maintain a record of processing activities under its responsibility, for instance: the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation, etc.
  • 24. The role of the Data Processor The data processor processes personal data only on behalf of the controller. Where processing is to be carried out on behalf of a Controller, the Controller shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a Processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the Controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The Processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the Controller.
  • 25. What does DATA BREACH mean? Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of a data breach, the controller should communicate the breach to the data subject, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. Indeed, the Controller shall notify the personal data breach to the supervisory authority not later than 72 hours (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons).
  • 26. The role of the DPO The controller and the processor shall designate a data protection officer in any case where: 1. The processing is carried out by a public authority or body; 2. The processing operations require regular and systematic monitoring of data subjects on a large scale; 3. The processing on a large scale involves special categories of data. The data protection officer shall have these tasks: 1. to inform and advise the Controller or the Processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; 2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data; 3. to provide advice where requested; 4. to cooperate with the supervisory authority.
  • 27. The role of the Data Protection Authority Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. • Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. • Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: - their Parliament; - their Government; - their head of State; or - an independent body entrusted with the appointment under Member State law. • Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
  • 28. Cooperation, mutual assistance and consistency Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission. • Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. • Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations. The supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism. This mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. The mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties
  • 29. The role of the EDPB The European Data Protection Board is established as a body of the Union, shall have legal personality and shall act independently when performing its tasks. The Board shall ensure the consistent application of GDPR. Some of the relevant tasks of the Board are: • advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of the Regulation; • advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules; • issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services; • examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of the Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of the Regulation
  • 30. Data protection and copyright How can a balance be struck between data protection and the right to information, so as to ensure the protection of copyright? The problem of the legitimate restriction of the right to the protection of personal data for the protection of intellectual property rights arises with particular reference to the disclosure mechanism by which certain intermediaries disclose the personal data of third parties, previously collected by them for the provision of their services, to copyright holders, to allow them to see the violations against them. Examples of violations are: 1. File-sharing networks 2. Peer-to-peer. In order to be able to fully exercise their right of defense, the holders of intellectual property rights need to provide contact information relating to offenders, information that is held by the providers of the connectivity services and/or the hosting providers.
  • 31. Data protection and copyright The main issue is whether the transfer of this category of data to the copyright holders is lawful without the express consent of the data subjects. Could the transfer appear only as an unauthorized and unlawful processing of personal data? On one hand, disclosure of data for the identification of infringers could be considered as a transfer to third parties without a legal basis; on the other hand, in the absence of such information, the other subjects may remain unprotected, without the possibility of ending the violations and obtaining compensation for the economic damages suffered. Is there a right to information that is superior to personal data protection?
  • 32. Data protection and copyright • Article 6 of Directive 2004/48/EC on the enforcement of intellectual property rights provides: 1. Member States shall ensure that, on application by a party which has presented reasonably available evidence sufficient to support its claims, and has, in substantiating those claims, specified evidence which lies in the control of the opposing party, the competent judicial authorities may order that such evidence be presented by the opposing party, subject to the protection of confidential information. For the purposes of this paragraph, Member States may provide that a reasonable sample of a substantial number of copies of a work or any other protected object be considered by the competent judicial authorities to constitute reasonable evidence. 2. Under the same conditions, in the case of an infringement committed on a commercial scale Member States shall take such measures as are necessary to enable the competent judicial authorities to order, where appropriate, on application by a party, the communication of banking, financial or commercial documents under the control of the opposing party, subject to the protection of confidential information.
  • 33. Data protection and copyright Article 8 of Directive 2004/48/EC on the enforcement of intellectual property rights, entitled «Right to information», states: 1. Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who: (a) was found in possession of the infringing goods on a commercial scale; (b) was found to be using the infringing services on a commercial scale; (c) was found to be providing on a commercial scale services used in infringing activities; or (d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
  • 34. Data protection and copyright Type of information: (a) the names and addresses of the producers, manufacturers, distributors, suppliers and other previous holders of the goods or services, as well as the intended wholesalers and retailers; (b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question. But this provision shall apply without prejudice to other provisions, such as those which “govern the protection of confidentiality of information sources or the processing of personal data”.
  • 35. Data protection and copyright • On the other hand, Article 23 of the GDPR, entitled «Restrictions», provides that Union or Member State law may restrict the data subject rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims.
  • 36. Data protection and copyright Peppermint case law - 2003 In 2006, the German record label Peppermint Jam Records GmbH sent out 3,636 notices of copyright infringement to alleged Italian file-sharers, informing them that they had been found guilty of uploading copyrighted songs. Peppermint had watched over consumers in their personal use of the Internet, with the help of their providers, and managed to get users’ data, monitoring their movements. In these notices Peppermint invited the users to pay compensation for the damage caused by the copyright infringement. The Italian consumer association consulted the Supervisory Authority, condemning the procedures through which Peppermint had collected users’ data (IP addresses), i.e. without any consent of the users. The final judgement stated that the data collected, and the way in which they were obtained, were unlawful.
  • 37. Data protection and copyright • Stichting Brein vs Ziggo BV, XS4ALL Internet BV case-law 2017 • Stichting Brein is a foundation governed by Netherlands law, whose main purpose is to combat the illegal exploitation of subject matter protected by copyright and related rights, and to protect in that area the interests of the holders of those rights. • Ziggo BV and XS4ALL Internet BV (‘XS4ALL’) are companies governed by Netherlands law whose activity consists, inter alia, in providing consumers with an internet service. • Stichting Brein asked to block the access by recipients of the Ziggo and XS4ALL Internet BV services to the internet addresses of the website of TPB, an engine for peer-to-peer file-sharing. The application is based on the fact that the recipients, using those services, commit large-scale copyright infringements, by sharing files containing protected subject matter (mainly music and films) without the authorization of the copyright holders. • The Supreme Court of the Netherlands noted, however, that the Court’s case-law did not make it possible to reply with any certainty to the question as to whether the online sharing platform TPB carried out a communication to the public within the meaning of Article 3(1) of Directive 2001/29, in particular: • – by creating and maintaining a system in which internet users connect with each other in order to be able to share, in segments, works present on their own computers; • – by operating a website from which users can download torrent files which refer to segments of those works; and • – by indexing the torrent files placed online on this website and by categorising them in such a way that the segments of those underlying works can be located and the users can download those works (as a whole) onto their computers. • The CJEU answered the request of the Court of the Netherlands, clarifying that the peer-to-peer tools used by the website of TPB fall under the concept of communication to the public.
• By peer-to-peer tools is meant a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users to locate those works and to share them. • Article 3 • 1. Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them. • 2. Member States shall provide for the exclusive right to authorise or prohibit the making available to the public, by wire or wireless means, in such a way that members of the public may access them from a place and at a time individually chosen by them: • (a) for performers, of fixations of their performances; • (b) for phonogram producers, of their phonograms; • (c) for the producers of the first fixations of films, of the original and copies of their films; • (d) for broadcasting organisations, of fixations of their broadcasts, whether these broadcasts are transmitted by wire or over the air, including by cable or satellite.