c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 9 4 – 1 9 8

ava i lab le a t www.sc iencedi rec t .com

www.compsecon l ine .com/publ i ca t i ons /prodc law.h tm

European national news

Mark Turner

Herbert Smith LLP, London, United Kingdom

Keywords:

Internet

ISP/Internet Service provider

Software

Data Protection

IT/Information Technology

Communications

European law/Europe

0267-3649/$ – see front matter ª 2009 Herbedoi:10.1016/j.clsr.2009.02.011

a b s t r a c t

The regular article tracking developments at the national level in key European countries in

the area of IT and communications – co-ordinated by Herbert Smith LLP and contributed to

by firms across Europe. This column provides a concise alerting service of important national

developments in key European countries. Part of its purpose is to compliment the Journal’s

feature articles and Briefing Notes by keeping readers abreast of what is currently happening

‘‘on the ground’’ at a national level in implementing EU level legislation and international

conventions and treaties. Where an item of European National News is of particular

significance, CLSR may also cover it in more detail in the current or a subsequent edition.

ª 2009 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved.

1. Belgium violated their fundamental rights. The President found it

1.1. Belgium court of commerce restrains viralmarketing on the internet

On 24 June 2008, the President of the Court of Commerce of

Huy found certain forms of viral marketing on the internet

unlawful. Viral marketing is a form of direct marketing

whereby publicity is directly addressed to people who did not

give their prior consent thereto, but whose e-mail addresses

were passed on by acquaintances.

In the present case, Dialo BVBA, the manager of the dating

website www.toietmoi.be, claimed that the competing web-

site www.nicepeople.be owed its success to sending unsolic-

ited publicity using two illegal techniques: (i) offering people

the possibility to provide their e-mail address and the pass-

word of their mailbox during the membership registration

process and (ii) asking members to provide the e-mail

addresses of their acquaintances. Members who did so were

rewarded by an increase of their popularity. People whose e-

mail addresses were obtained in either of these two ways

received unsolicited publicity via e-mail.

In its judgment, the President ruled that the privacy

interest of the addressees prevails over the commercial

interests of those resorting to techniques of viral marketing.

The collection of e-mail addresses of acquaintances by

members to subsequently send them unsolicited publicity

rt Smith LLP. Published b

unacceptable that (i) Nicepeople’s members were rewarded

for providing the e-mail addresses, (ii) they were not informed

about what Nicepeople would do with these e-mail addresses,

and (iii) people received unsolicited publicity about a website

to which they did not want to be linked.

Following Article 14 of the Electronic Commerce Act, the

use of e-mail for publicity is prohibited without the addres-

see’s prior consent (‘opt-in’). According to the President, this

Article does not only prohibit the direct use of e-mail for

publicity purposes but also the indirect use, in this case via the

members that acted on the viral marketing.

The case can be found at: http://www.juriscom.net

Erik Valgaeren, Partner erik.valgaeren@stibbe.com and Sofie Cos-

termans, Associate sofie.costermans@stibbe.com from the Brussels

office of Stibbe (Tel.: þ32 2 533 53 51).

2. Denmark

2.1. Difo likely to be appointed administratorof .dk domain

The Danish top-level domain .dk is administered in accor-

dance with the Danish Act on Internet Domains Specifically

y Elsevier Ltd. All rights reserved.

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 9 4 – 1 9 8 195

Allocated to Denmark (the ‘‘Act’’). Pursuant to the Act the

Minister for Science, Technology and Innovation may decide

that the National IT and Telecom Agency should issue a public

invitation to tender for the administration of the .dk domain.

The National IT and Telecom Agency published the tender

documents in December 2007. Two tenders were submitted –

one by Afilias, an Irish entity, on behalf of dotDK and one by DIFO

(Dansk Internet Forum, a Danish entity) which has administered

the .dk domain since 1999. In June 2008 the National IT and

Telecom Agency appointed Afilias as the winner.

In the Act it is laid down, however, that the administrator

shall have a broad representation of participants from the

Danish internet community, including private users, profes-

sional users and the internet industry (service providers). In

the tender documents the requirement was stated as

a condition that the appointed tenderer submitted letters of

support from organisations that back up the tender within 60

days from the appointment. The appointed tenderer should

submit letters of support from minimum four important

organisations that altogether represented private users,

professional users and the internet industry.

In November 2008 the National IT and Telecom Agency

disqualified Afilias as the letters of support submitted by Afi-

lias did not fulfil the requirements. DIFO now has the oppor-

tunity to show that it has sufficient support in the Danish

internet community to be approved.

The tender has been subject to much press coverage and

especially, the condition about broad representation in the

Danish internet community has been debated. On the onehand

the support is important to ensure trust in the administrator

and thatboth private and professional interests are considered.

On the other hand the requirement creates a barrier for foreign

administrators that wish to submit a tender.

2.2. High court of eastern Denmark confirmspirate bay ruling

In Computer Law and Security Review volume 24 issue 3 we

reported that a Danish enforcement court issued an injunc-

tion against the Danish internet service provider Tele 2 A/S,

which was ordered to block access to the website

thepiratebay.org, notwithstanding that thepiratebay.org did

not host copyrighted materials on its server. Tele 2 A/S

appealed the ruling and on 26 November 2008 the High Court

of Eastern Denmark upheld the ruling.

Tele 2 A/S will petition the Appeals Permission Board in

order to have the case tried before the Supreme Court.

Carsten Raasteen, Partner, cr@kromannreumert.com and Thomas

Nikolaj Ingerslev, Assistant Attorney, tin@kromannreumert.com

from Kromann Reumert, Copenhagen office, Denmark (Tel.: þ45 70

12 12 11).

3. Germany

3.1. Enforcement-directive (2004/48/EC)

The ‘‘Enforcement-Directive’’ (2004/48/EC) was not imple-

mented in Germany until September 2008. One of the most

important new provisions pertains to the right to demand

disclosure of information not only from the infringer, but also

from third parties, such as Internet service providers. This right

is of great practical significance for copyright infringements in

the Internet. In accordance with Article 8 (1) Directive 2004/48/

EC, the German law (sec. 101 German Copyright Act) provides

that this claim for disclosure exists only if an infringement ‘‘on

a commercial scale’’ was committed. However, in Germany,

there is much debate on the interpretation of this term. There

have already been several court decisions on this subject. But

since the range of the possible requirements is extremely

broad, doubts have already been raised as to the con-

stitutionality of the provision. Several courts have already

found it sufficient if one music album is published before or

shortly after it has appeared on a P2P platform. Other courts, on

the other hand – invoking directives of the public prosecutor’s

office – demand that 3,000 music files or 100–200 films be

offered for sale. This could make prosecutions in Germany

much more difficult, also in view of the fact that the relevant

transaction data are only stored for a brief period of time (seven

days) or with flat rates, in some cases not at all. It is to be

expected that the German Federal Court of Justice will soon be

determining when a ‘‘commercial scale’’ is present.

Dr. Stefan Weidert, LL.M, Partner, Stefan.Weidert@gleisslutz.com

from the Berlin office of Gleiss Lutz, Germany (Tel.:þ49 308009790).

4. Italy

4.1. Four Google managers committed to trial inconnection with illicit video uploading

On December 12, 2008, four managers of Google Italia were

committed to trial for having allegedly co-operated in the

offence of defamation and unlawful data processing. The trial

is due to start in February 2009.

The facts of the case are as follows: On November 20, 2006

four teenagers bullied a classmate affected by Down’s

syndrome. The four also shot the bullying with a cellular

phone and then up-loaded the video onto Google Video. As

soon as the news of the event spread over the Italian internet

community – and was massively reported by traditional

Italian mass media – the video was removed and official action

was taken against the teenagers. After conviction of the

youngsters, the Office of the Public Prosecutor of Milan started

investigations against the Google managers, and requested

committal to trial for four of them, alleging that, on account of

their positions inside the company, they had not prevented

the abusive upload of the video and acted in breach of Law

196/2003 (the ‘‘Italian Privacy Law’’). In particular, the public

prosecutors of the Milan Tribunal have apparently charged

the Google managers for having failed to display on the web-

site video.google.it a comprehensive information as to the

privacy policy in accordance with the Italian Privacy Law and

for having breached the provisions of the Italian Privacy law as

to the processing of medical/health data relevant to the

bullied boy (including the provisions which require the

consent in writing by the data subject and the authorisation

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 9 4 – 1 9 8196

by the Italian Privacy Authority). Moreover, on the basis that

Google accrues economic benefits by renting advertising

spaces on the pages of the website, some of the managers

have been also charged with the crime punished under

section 167 of the Italian Privacy Law, according to which

whoever for personal gain or for the gain of an another person

processes data in breach of certain provisions of the Italian

Privacy Law is punished with the imprisonment of up to 3

years, if the conduct causes a damage.

http://www.ilsole24ore.com/art/SoleOnLine4/Norme%20e%

20Tributi/2008/12/google-rinviata-giudizio-bullismo-youtube.

shtml?uuid¼476397ce-c847-11dd-baf9-fbc7a4fc4e23&DocRules

View¼Libero&fromSearch

Salvatore Orlando, Partner, s.orlando@macchi-gangemi.com and

Stefano Bartoli, Associate, s.bartoli@macchi-gangemi.com From the

Rome office of Macchi di Cellere Gangemi (Tel.: þ39 06 362141).

5. The Netherlands

5.1. A Dutch ‘notice-and-take-down’ code of conduct

On 9 October 2008 the Dutch Minister for Foreign Trade (Frank

Heemskerk) presented the ‘Notice-and-Take-Down’ Code of

Conduct (hereafter: ‘‘the Code’’). The Code is based on good

practices from businesses, governments and other parties

willing to act against cybercrime. The Code has been initiated by

market parties including KPN, XS4ALL, ISPConnect, Dutch

Hosting Provider Association, NLKabel, Ziggo, UPC, and SIDN and

is drawn up under the flag of the National Infrastructure Cyber-

crime (Ministry of Economic Affairs). Ministries, the police and

investigation services as well as organisations such as Markt-

plaats, eBay and Google collaborated in setting up the Code.1

The above mentioned parties took this initiative because

those responsible for placing unlawful content on the Internet

are difficult to trace and in the past reports about (possible)

unlawful content were rarely acted upon. The Code sets out

the specific roles of the Internet user and the intermediary in

dealing with unlawful content.

In principle, everybody can report any (possible) unlawful

content they come across while using the Internet to the

relevant content provider. If the notifier and the content

provider fail to reach an agreement the notifier may contact

the relevant intermediary and issue a report containing at

least: (i) contact details of the notifier, (ii) the URL, (iii)

a description detailing why the content is unlawful and (iv)

a statement why the notifier believes the intermediary is the

most appropriate party to contact. On receipt the interme-

diary will evaluate the report according to its own procedure.

In the event the intermediary determines that the content is

not unequivocally unlawful it will inform the notifier accord-

ingly. In the event the intermediary determines that the

content is unequivocally unlawful, it will ensure its removal.

In case of uncertainties with respect to (un)lawfulness of

content the intermediary will request the content provider to

1 See, http://www.samentegencybercrime.nl/NTD/Initiatiefnemers_en_partners?p¼content, in Dutch only.

remove the relevant content or to contact the notifier. Should

the notifier and the content provider fail to reach an agree-

ment (as stated above); the notifier may contact the police.

The Code is available in English, see: http://www.

samentegencybercrime.nl/UserFiles/File/NTD_Gedragscode_

Opmaak_Engels.pdf

Reinout Rinzema, Partner, Reinout.Rinzema@stibbe.com and Rem-

brandt Brouwer, Associate, Rembrandt.Brouwer@Stibbe.com from

the Amsterdam Office of Stibbe, The Netherlands (Tel.: þ31 20 546

01 12).

6. Norway

6.1. New report on the use of CCTV surveillance cameras

The Norwegian Data Inspectorate recently published a report

on the use of CCTV surveillance. The report is based on unan-

nounced inspections of 82 shops within different business

areas, all of which are locatedwithin a narrowgeographicalarea

in the centre of a medium sized Norwegian city. The objective

was primarily to check whether shop owners comply with the

obligation to inform customers of the operation of CCTV

cameras in an adequate manner and the obligation to notify the

Data Inspectorate of such security surveillance.

The results were depressing. Among the shops that had

CCTV cameras installed, all but one were found to violate at

least one of the said requirements. The lack of basic knowledge

about such simple and straight forward rules gives reason to

believe that more complex and discretionary rules are also

neglected. It is, for instance, a condition for CCTV surveillance

that the controller’s legitimate interest in the processing of

personal data overrides the interests of the data subject.

Nevertheless, CCTV cameras were more often found in regular

newsstands selling chocolate and magazines than in jewellery

shops, where one would reasonably expect the value of the

goods to require comprehensive surveillance. The Data

Inspectorate also reported another alarming trend, namely an

increase in CCTV cameras operating in cafes and restaurants,

where people stay for longer periods of time and expect

a greater degree of discretion. Coupled with little or no infor-

mation to customers, this development is cause for concern.

Although the number of inspections is insufficient to draw

statistically reliable conclusions, the results were in line with

a previous, corresponding report from another Norwegian city.

Hence, theresultscouldserveasanindicatorof thegeneral levelof

compliance with privacy law with respect to CCTV surveillance.

Haakon Opperud, Partner, hop@thommessen.no and Stein-Erik

Jahr Dahl, Associate, sjd@thommessen.no, Thommessen Krefting

Greve Lund AS, Norway (Tel.: þ47 23 11 14 94).

7. Spain

7.1. NGA regulation in Spain

Following the debacle over its proposals for the regulation of

Telefonica’s Wholesale Broadband Access service, the

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 9 4 – 1 9 8 197

Spanish National Regulatory Authority for Telecommunica-

tions (the CMT) has recently encountered further resistance

from the European Commission concerning its proposals for

regulation of the roll-out of high-speed next generation access

networks (NGA), this time in connection with measures

relating to in-building wiring (the installation of optical fibre

all the way to the home, FTTH).

The draft measures propose to require all telecommuni-

cations operators, whether or not they hold significant market

power, to provide access to their in-building NGA wiring.

Specifically, the CMT proposes to require the first operator

deploying fibre in a building to: (i) meet reasonable requests

for access to its network elements (and sign agreements

within four months); (ii) offer reasonable prices; and (iii)

comply with transparency obligations permitting third parties

to plan their access requests.

The imposition of symmetrical obligations in this way is an

exceptional remedy under the regulatory framework. Since

2003, telecoms rules have been based on the principle of

imposing ex ante obligations only on dominant operators in

a number of specific markets.2 Nevertheless, the framework

does, exceptionally, foresee mechanisms for broader regula-

tory intervention, for instance to ensure interoperability and

access to end users or encourage infrastructure sharing where

planning or environmental constraints make alternative

infrastructures unviable. The latter (Article 12 of the Frame-

work Directive) is the legal base invoked by the CMT in this

case.

On 1 December 2008, the European Commission issued

its comments on the draft measure criticising the CMT for

not properly justifying the measure under the criteria set

down by Article 12 of the Framework Directive. In particular,

the Commission considers that the CMT refers only to

technical, practical, legal and economic difficulties of access

when the application of Article 12.2 is limited to cases

justified by public policy considerations of an environmental

or planning nature. The Commission has asked the CMT to

accredit to what extent undertakings would, in fact, be

deprived of access to reasonable alternatives for these

reasons.

The Commission has also suggested the CMT consider

imposing additional obligations with regard to in-building

wiring on the operator designated as having SMP on Market 4

(local loop).

The CMT is required to take into consideration the Com-

mission’s comments before it adopts its final measure, but

these comments are not binding. In the context of the devel-

opment of the Commission’s guidelines on NGA regulation3

and the recent adoption by France of legislation on this

matter, the outcome of this case, which is vital to FTTH roll-

out, is one to watch.

Paul Hitchings, associate paul.hitchings@cuatrecasas.com from

the Barcelona Office of Cuatrecasas, Spain (Tel.: þ34 93 290 55 00).

2 In November 2007, the Commission adopted its new list ofrelevant markets, now reduced to only seven.

3 Draft Recommendation published in September 2008.

8. Sweden

8.1. Proposed new gambling legislation in Sweden

Pursuant to an investigatory governmental committee report

issued on 15 December 2008 (‘‘the Report’’), commercial

operators shall be entitled to provide gambling services in

Sweden under a national licensing system. A licence to

provide gambling would include betting (odds and pools), with

the exception of betting on horse races, both via the Internet

and at betting agencies.

In order for a national licensing system to be effective, the

Report proposes that licensees should be afforded protection

within the Swedish system. Protective measures should,

according to the Report, include the blocking of IP addresses

and domain names for websites providing gambling which are

not organised in accordance with the proposed new legisla-

tion. In addition, the mediation of stakes in unlawful lotteries

shall be blocked. The proposed legislation would result in

a ban on all gambling websites without a Swedish licence.

The Report has been referred for consideration to the

relevant bodies and the new legislation is proposed to enter

into force on 1 January 2011. A link to the Report including

a summary in English can be found at: http://www.regeringen.

se/sb/d/10283/a/117594

8.2. Amendments to the Swedish Signal Surveillance Act

On 1 January 2009 the new Signal Surveillance Act (‘‘the Act’’)

entered into force. The Act entitles the National Defense Radio

Establishment (‘‘FRA’’) to collect electronic signals trans-

mitted over air or by wire for defense intelligence purposes.

Following major discussion and critique of the Act, the

Government has proposed amendments to the new Act, in

order to increase privacy protection. The proposal has been

referred for consideration to the relevant bodies and

comments on the proposal shall be submitted at the latest on

27 February 2009.

A link to the proposal in Swedish can be found at: http://

www.regeringen.se/content/1/c6/11/80/70/6821847c.pdf

Bjorn Gustavsson, Partner, Bjorn.Gustavsson@vinge.se, and Daniel

Jarmen, Associate, Daniel.Jarmen@vinge.se from Advokatfirman

Vinge KB, Sweden (Tel.: þ46 8 614 30 00).

9. UK

9.1. ECHR rules that UK DNA database infringesprivacy rights

Case: S. and Marper v UK 30562/04 and 30566/04 ECHR

On 4 December 2008, the ECHR ruled unanimously that the

UK’s powers of retention of the fingerprints and DNA data of

persons suspected or charged with a crime, but not actually

convicted, violated the right to respect for private and family

life under Article 8(1) of the European Convention on Human

Rights.

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 9 4 – 1 9 8198

The applicants had both been arrested and charged with an

offence. Subsequently, S was acquitted and the case against

Marper was discontinued. The applicants made a request that

the fingerprints and DNA samples taken by the police on their

arrest be destroyed, which was refused. The applicants failed

to achieve judicial review of the authority’s decision in the UK

courts and applied to the ECHR alleging a violation of Article 8

of the Convention by the UK authorities.

The court concluded that the retention of DNA and

fingerprint data constituted an interference with private life

within the meaning of Article 8, since they contained unique

information about the individual concerned. The court ruled

that retention of such data failed to strike a fair balance

between the competing public and private interests, and

constituted a disproportionate interference with the right to

respect for private life which could not be regarded as

necessary in a democratic society.

This land mark decision will have major implications for

the UK government, which will need to review the powers

given to authorities under a number of criminal justice stat-

utes. Police in England, Wales and Northern Ireland currently

have powers under the Police and Criminal Evidence Act 1984

to take DNA and fingerprints from everyone they arrest, and

there are currently around 570,000 DNA profiles in the

National DNA Database belonging to innocent individuals will

have to be deleted.

For further information, please see: http://www.bailii.org/

cgi-bin/markup.cgi?doc¼/eu/cases/ECHR/2008/1581.tml&query¼titleþ(þMarperþ)þandþtitleþ(þunitedþ)þandþtitleþ(þkingdomþ)

&method¼boolean

9.2. UK Government will pass a law to force ISP’s to acton unlawful file sharing

On 29 January, the UK government published an interim

report on its Digital Britain action plan, which considers the

future of the digital and communications industries. The

government confirmed its intention to legislate on peer-to-

peer file sharing, and will hold a consultation on the new

legislation in spring 2009. The new law will require ISP’s to

gather information on customers engaged in illegal file

sharing, notify alleged infringers of rights (subject to reason-

able levels of proof from rights-holders), and contact repeat

offenders and provide warnings that their conduct is unlaw-

ful. The anonymised information collected by ISP’s would be

made available to rights-holders, together with personal

details, on receipt of a court order.

The proposed legislation will not force ISPs to directly

disconnect suspected file-sharers.

In order to regulate the new measures, the law will create

a code on unlawful file sharing which ISPs will have to sign,

and whose enforcement would be carried out by the UK’s

communications regulator, OfCom.

9.3. UK Computer Misuse Act amended to includeoffences of denial of service and the supply of hacking tools

The amended Computer Misuse Act 1990 (CMA) came in to

force in October 2008. The amendments were made following

deficiencies in the original CMA to deal adequately with

technological advances, in particular the web. The effect of

the amendments is to make denial-of-service attacks and the

supply of hacking tools criminal offences. It is now an offence

under the CMA (new section 3A) for a person to make, adapt,

supply or offer to supply any article intending it to be used to

commit, or assisting with the commission of, an offence

under section 1 or section 3 of the CMA. There are two addi-

tional related offences: (i) supplying or offering to supply any

article believing that it is likely to be used to commit, or to

assist in the commission of, an offence under section 1 or 3

(section 3A(2)) and (ii) obtaining any such article with a view to

its being supplied for use to commit, or to assist in the

commission of, an offence under section 1 or 3 (section 3A(3)).

The amendments also increase penalties for section 1

unauthorised computer access offence (hacking) from 6

months to 2 years, making it the crime eligible for extradition

from foreign countries. The statutory limitation on Section 1 is

abolished (formerly a charge had to be brought no later than 6

months from an arrest, and nothing older than 3 years ago

could be considered).

For further information, please see: http://www.opsi.gov.

uk/si/si2008/uksi_20082503_en_1

Mark Turner, CLSR Professional Board, Partner, mark.turner@

herbertsmith.com from the London Office of Herbert Smith LLP

(Tel.: þ44 20 7374 8000).