c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 0 1 – 1 0 5

ava i lab le at www.sc ienced i rec t . com

www.compseconl i ne .com/ publ i ca t ions /prodc law.h tm

European national news

The regular article tracking developments at the national levelin key European countries in the area of IT andcommunications – Co-ordinated by Herbert Smith LLPand contributed to by firms across Europe

Mark Turner

Herbert Smith LLP, London, United Kingdom

Keywords:

Internet

ISP/Internet Service provider

Software

Data Protection

IT/Information Technology

Communications and European

law/Europe

0267-3649/$ – see front matter ª 2009 Herbedoi:10.1016/j.clsr.2008.12.004

a b s t r a c t

This column provides a concise alerting service of important national developments in key

European countries. Part of its purpose is to compliment the Journal’s feature articles and

Briefing Notes by keeping readers abreast of what is currently happening ‘‘on the ground’’

at a national level in implementing EU level legislation and international conventions and

treaties. Where an item of European National News is of particular significance, CLSR may

also cover it in more detail in the current or a subsequent edition.

ª 2009 Herbert Smith LLP. Published by Elsevier Ltd. All rights reserved.

1. Belgium music of the Sabam repertoire. Furthermore, the Court

1.1. Brussels Courts maintains order for payment ofpenalties by an ISP despite a demonstration that filters arecurrently technically unable to stop illegal music file sharingover its P2P networks

In 2004, the Belgian Society of Authors, Composers and

Publishers (Sabam) filed a lawsuit before the Brussels Court of

First Instance against the Internet Service Provider Scarlet,

claiming that its members’ copyright was being infringed by

illegally sharing music files over the ISP’s peer-to-peer

networks. Sabam obtained an intermediary decision in which

the Court acknowledged that copyright infringements were

being committed by Scarlet’s customers and held the ISP

‘‘responsible’’ for its customers’ illegally sharing of files on its

P2P networks.

In its judgment of 29 June 2007, the Court ordered Scarlet to

prevent its customers from illegally downloading copyrighted

rt Smith LLP. Published b

ordered Scarlet to implement technical measures, recom-

mended by a judicial expert, to put an end to the infringe-

ments, within a period of six months (with a penalty of up to

EUR 2500 per day of delay).

Scarlet entered an appeal against this judgment. A final

decision in this case is not expected before October 2009.

However, in the interim, Scarlet has been ordered to pay

penalties as Sabam continued to detect illegal downloads over

Scarlet’s networks.

Pursuant to a judgment of 22 October 2008, the Court sus-

pended these penalties. Scarlet demonstrated to the Court

that even the use of a filtering system, as suggested by Sabam,

is technically unworkable. On that basis the Court set aside

the order against Scarlet to pay any penalties. However, the

Court ruled that Scarlet has to find other technical solutions to

comply with the judgment of 29 June 2007, as Scarlet has not

sufficiently explored these options. As a consequence, from

1 November 2008 onwards, Scarlet is again facing a penalty of

y Elsevier Ltd. All rights reserved.

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 0 1 – 1 0 5102

EUR 2500 per day in case of non-compliance until it comes up

with a viable solution.

Erik Valgaeren, Partner, erik.valgaeren@stibbe.com and Nicolas

Roland, Associate nicolas.roland@stibbe.com from the Brussels

office of Stibbe, Belgium (Tel.: þ32 2 533 53 51).

2. Denmark

2.1. New guide about government authorities’acquisition and use of Open Source Software

The National IT and Telecom Agency has published the new

‘‘Guide on Government Authorities’ Acquisition and Use of Open

Source Software – Legal Issues’’ (the ‘‘Guide’’). The Guide deals

with a number of the legal issues that arise in connection with

acquisition and use of Open Source Software.

The Guide provides an introduction to the legal issues

concerning Open Source Software based on government

authorities’ (the ‘‘Authorities’’) acquisition and the use of

Open Source Software. The Guide contains a general

description of Open Source Software licensing and the copy-

right protection that forms the basis of Open Source licensing

as well as traditional proprietary licensing, and a thorough

legal analysis of different Open Source Software licenses with

special emphasis on the GNU General Public License. The

Guide also considers the European Union Public License pub-

lished by the European Commission in 2007.

Further, the Guide deals with the practical use of Open

Source Software by the Authorities and contractual issues

concerning Open Source Software. The Guide does not

consider whether the Authorities should adopt a general

policy for the use of Open Source Software, or how an

Authority may implement a compliance programme in order

to secure compliance with a particular software policy.

One of the challenges concerning Open Source Software is

that, although IT departments are familiar with using Open

Source Software in the development of software, many in-

house lawyers and attorneys are not fully capable of handling

the legal issues associated with the use of Open Source

Software.

The Guide is so far the most comprehensive legal presen-

tation of Open Source Software in Danish. It is likely that the

Danish courts will look to the Guide when interpreting Open

Source Software licenses under Danish law.

The Guide is available at the website of the National IT and

Telecom Agency www.itst.dk.

Carsten Raasteen, Partner, cr@kromannreumert.com and Thomas

Nikolaj Ingerslev, Assistant Attorney, tin@kromannreumert.com

from the Copenhagen office of Kromann Reumert, Denmark (Tel.:

þ45 70 12 12 11).

3. Germany

3.1. Sale of used software in Germany

The issue of dealing in ‘‘used’’ software is a subject of

controversy in Germany. The Higher Regional Court of Munich

(OLG Munchen) has now found (Case no. 6 U 2759/07) that

such transactions against the will of the manufacturer of the

software are prohibited. The Court ruled in favour of

a complaint brought by Oracle against Usedsoft, which had

purchased Oracle licenses from customers and resold them to

third parties. The software itself was not provided by the

defendant, but could be downloaded from Oracle’s website.

The Higher Regional Court of Munich found that this consti-

tuted an infringement of Oracle’s copyrights and that the

exhaustion of rights principle does not apply in this case.

In its general terms and conditions, Oracle prohibits its

customers from transferring use rights to third parties.

According to the Court, this represented a permissible

restriction of use that also effectively applied to third parties.

Even if the clause were invalid, no further reaching rights

would be transferred to the acquirers as a result of that

invalidity.

The Court further reviewed the applicability of the

exhaustion of rights principle pursuant to section 69c no. 3 of

the German Copyright Act (UrhG), i.e. that once a software

unit has been brought into circulation by sale, the copyright

holder can generally no longer control the distribution of that

unit. An application of the exhaustion of rights principle in

this case would have meant that the customers of Oracle

could resell the licenses. However, the Court found that this

principle does not apply. For one thing, the defendant was not

distributing the work itself, but merely the right to use it. An

analogous application was not possible since the loophole in

the statute was intentional given the Recital 29 of Directive

2001/29/EG. Finally, the Court pointed out that the use of

computer programs necessarily involved a reproduction of the

programme, if only temporarily, since it at least has to be

loaded into the RAM. Pursuant to section 69c Copyright Act,

this could require the consent of the right holder, which was

not granted.

Whether this argument is actually convincing appears to

be highly doubtful, since that would mean that the exhaustion

of rights principle would virtually never be applicable to

software. It is further unclear whether this would also apply if

only one copy of a program were physically handed over. It is

therefore not surprising that this ruling has created quite

a sensation. The question of whether used software can be

distributed in Germany therefore has yet to be definitively

resolved by the Federal Supreme Court. Currently, it is still

unclear under what conditions used software can be sold in

Germany.

Dr. Stefan Weidert, LL.M, Partner, Stefan.Weidert@gleisslutz.com

from the Berlin office of Gleiss Lutz, Germany (Tel.:þ49 30 800979 0).

4. Italy

4.1. Privacy protection in social network services

On 17 October 2008, the 30th International Conference of Data

Protection and Privacy Commissioners, attended by 78 Data

Protection Authorities and Privacy Commissioners from every

continent, adopted, inter alia, a resolution on ‘‘Privacy

Protection in Social Network Services’’ (‘‘Resolution’’). The

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 0 1 – 1 0 5 103

Resolution deals with specific privacy and security risks

associated with the use of social network services (‘‘SNS’’),

such as the disclosure of personal information about the

individuals/users; possible loss of control by individuals over

how data will be used by third parties once they are published

on the network; use of personal data for profiling purposes; re-

publishing of data; removing of personal data from the

Internet; indexing of data from profiles by search engines; use

of profile information from SNS by companies for recruitment

purposes and by providers of SNS for the delivery of targeted

marketing messages, etc.

The Resolution sets forth a number of recommendations to

users and providers of SNS, including the following:

(a) users of SNS should (i) consider carefully which personal

data they publish in a profile (in particular, a recommen-

dation to minors is made not to disclose home addresses

and telephone numbers); (ii) respect the privacy of others

(e.g. by obtaining prior consent in case of publishing of third

parties’ personal information, including pictures and tag-

ged pictures);

(b) providers of SNS should (i) clearly inform the users about

the processing of their personal data;(ii) improve user

control over the use of profile data by community

members and allow for restriction of visibility of profiles/

data and in community search functions; (iii) allow for

user control over secondary use of profile and traffic data;

(iv) offer privacy-friendly default settings for user profile

information (especially with respect to minors’ data); (v)

improve and maintain security of the information systems

and protect users against fraudulent access to their profile

(vi) grant individuals (regardless of whether they are

members of the SNS or not), the right to access, correct and

delete their personal data held by the provider; (vii) allow

users to easily terminate their membership; (viii) ensure

that user data can only be crawled by external search

engines if the user has given a prior and informed consent.

In addition, the recommendation is made to providers of

SNS operating in different countries or even globally to

respect the privacy standards of the countries where they

operate their services, possibly consulting with the local

Data Protection Authority.

http://www.privacyconference2008.org/index.php?page_

id¼197

Salvatore Orlando, Partner, s.orlando@macchi-gangemi.com and

Laura Liberati, Associate l.liberati@macchi-gangemi.com, from the

Rome office of Macchi di Cellere Gangemi (Tel.: þ39 06 362141).

5. The Netherlands

5.1. Court finds that appropriation of Internetconnection bandwidth does not constitute theft

The three-judge criminal section of the District Court of

Amsterdam ruled on 11 September 2008 that the appropriation

of data (traffic) and bandwidth capacity of an Internet

connection does not constitute a theft under Article 310 of the

Dutch Penal Code (hereafter ‘DPC’).

One of the suspects in this case worked for a short time as

a plumber in a student apartment. During his work he noticed

that in the apartment a high speed Internet connection was

installed. The plumber offered a number of third persons the

opportunity to take advantage of this high speed connection.

Five computers were installed above the ceiling tiles and were

connected to the Internet. One of these computers belonged to

the fellow-suspect. The case came to light when the concierge

heard a humming noise and removed one of the ceiling tiles to

discover the computers.

The key point in this case is whether or not the appropri-

ation of data (traffic) and bandwidth capacity of an Internet

connection constitutes theft of the Internet connection.

Article 310 of the DPC defines theft as: ‘removing any good

belonging entirely or in part to another with the intention of

unlawfully appropriating it’. The writ of summons accused

the suspect of unlawfully removing (i) data traffic, (ii) band-

width capacity and (iii) speed of the Internet connection –

which was indicated by the public prosecutor as the essence

of the Internet connection.

The District Court ruled that these elements do not fall

under the definition of ‘‘good’’ within the meaning of article

310 of the DPC. According to a judgment of the Supreme Court

(HR 3 December 1996, NJ 1997, 574) the deciding factor is

whether or not the unauthorized use of the Internet connec-

tion results in the entitled party (owner) losing actual control

over the Internet connection. According to the District Court

this was not the case.

Link (in Dutch only):

http://www.boek9.nl/www.delex-backoffice.nl/uploads/file/

Boek9%20/Boek%209%20Uitspraken/Auteursrecht/Strafzaak%20

computers%20studentenflat.pdf

Reinout Rinzema, Partner, Reinout.Rinzema@stibbe.com and Rem-

brandt Brouwer, Associate, Rembrandt.Brouwer@Stibbe.com from

the Amsterdam Office of Stibbe, The Netherlands (Tel.: þ31 20 546

01 12).

6. Norway

6.1. Norwegian proposition for a new and extensivepupil register

National surveys over the past few years have revealed that

the quality of Norwegian compulsory education is falling. As

a measure to counter this development, the Norwegian

Ministry of Education and Research has proposed to create

a new register for pupils in compulsory schools. The aim of the

proposed register is to obtain further knowledge of factors

that are significant for the pupils’ development. In order to

achieve this, the Ministry claims that it is essential to have

access to personal data of individual pupils, including sensi-

tive data. Earlier this year, the Ministry circulated a discussion

paper to relevant administrative bodies and other parties to

obtain their comments.

Last month the Norwegian Data Inspectorate published its

reply to the Ministry’s discussion paper, expressing its concern

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 0 1 – 1 0 5104

about the proposition. According to the Data Inspectorate, the

register will result in detailed information about an entire

generation being stored for an indefinite period of time,

including information about individuals’ social life, health

conditions, religious views, sexual orientation and ethnicity.

Further, the Ministry’s discussion paper leaves several impor-

tant questions unanswered, inter alia with regard to collection

of data, quality assurance of collected data and access to the

register. On this background, the Data Inspectorate holds the

opinion that the establishment of the proposed register will be

disproportionate to the aim sought, and regrets that the

Ministry has not examined other and less radical alternatives

for improving Norwegian compulsory schools.

At present, the proposition is only in the preparatory

phase, and it will be interesting to see whether other bodies

share the Data Inspectorate’s views.

Haakon Opperud, Partner, hop@thommessen.no and Stein-Erik

Jahr Dahl, Associate, sjd@thommessen.no, from Thommessen

Krefting Greve Lund AS, Norway (Tel.: þ47 23 11 14 94).

7. Spain

7.1. Application of the Data Protection Directive toInternet search engines

Users often want Internet search engines that may not be in

Europe to delete their personal data from lists of results. The

problem arises as to whether the effects of the Data Protection

Directive (DPD) can be extended beyond European territory.

Under its Article 4, the DPD applies to data processing

when the controller is established in Europe or when it uses

material resources located in Europe to process data. Conse-

quently, only the second of these two circumstances would

justify an extension of the effects of the Directive.

The ‘‘Opinion on data protection issues related to search

engines’’ (WP148), which the Article 29 Group drafted in April

2008, states that ‘‘as providers of content data [.], generally they

are not to be held as primarily responsible under European data

protection law for the personal data they process.’’

But also according to WP148, when the search engine uses

a related establishment, the DPD is applicable if ‘‘the processing

operation is carried out in the context of the activities’ of the estab-

lishment. This means that the establishment should also play

a relevant role in the particular processing operation.’’

This ‘‘relevant role’’ can only mean that the establishment

is a necessary co-operator, that processing would not be

possible without its intervention.

WP148 considers this cooperation to exist when the

establishment in a Member State: (i) is responsible for relations

with users; (ii) is involved in selling advertisements aimed at

that State; or (iii) complies with the authorities’ requirements

on user data. However, only the third condition covers pro-

cessing data in lists of results, as the first two refer to user data.

People hosting personal data on websites know that

anyone can access the data, with the help of search engines.

Therefore, the controllers of these websites (which are nor-

mally based in Europe because personal information is usually

of local interest) must limit the effects of publication in

accordance with the applicable data protection law, using

codes that prevent search engines from trawling and indexing

the information.

However, WP148 states that some data protection author-

ities (such as the Spanish) oblige search engines to delete the

data from lists, but this obligation should only be imposed on

the related establishment if it plays a relevant role in the

searching service. It is not admissible to take the establish-

ment hostage to demand that the search engine complies with

obligations laid down by laws that do not extend to the

country in which it operates.

Javier Aparicio, Intellectual Property Partner, JAPS.@cuatr

ecasas.com from the Madrid Office of Cuatrecasas, Spain (Tel.:

þ34 915 247 717).

8. Sweden

8.1. Proposal on anti-piracy legislation approved by theSwedish Council on Legislation

On 22 October 2008, the Swedish Council on Legislation (Sw.

Lagradet) approved, without any significant reservations, the

Government’s proposal concerning new legislation, which

will enable intellectual property right holders to obtain

personal data regarding individual users’ IP addresses. Pur-

suant to the proposed legislation, a court may upon request by

a right holder, order Internet service providers to disclose

personal data tied to IP addresses if there is ‘probable cause’

that a person has infringed intellectual property rights by way

of file sharing.

The proposed legislation implements directive 2004/48/

EC on the enforcement of intellectual property rights

(IPRED). However, the Swedish Council on Legislation states

in its consultation that the proposal goes beyond what is

required by the directive. In the directive, the right to

access such personal data is limited only to judicial

proceedings concerning an infringement of intellectual

property rights.

The recent approval by the Swedish Council on Legislation

has attracted substantial attention in the media and caused

a debate between interested parties. The evidentiary

requirement of ‘‘probable cause’’ is one of the main issues. In

many situations, the person performing file sharing and the

person registered as subscriber to the Internet service may be

two different persons. Furthermore, where file sharing is

performed via unsecured, wireless routers, tracking of the

person performing file sharing will be complicated.

The next step in the legislative process is for the Govern-

ment to present the proposal to the Swedish Parliament. The

proposed anti-piracy legislation is planned to enter into force

in April 2009.

Find out more about the report at http://www.regeringen.se/

content/1/c6/11/31/81/465ad177.pdf (in Swedish)

Bjorn Gustavsson, Partner, Bjorn.Gustavsson@vinge.se, and Eva

Fredrickson, Associate, Eva.Fredrikson@vinge.se from Advokatfir-

man Vinge KB, Sweden (Tel.: þ46 8 614 30 00).

c o m p u t e r l a w & s e c u r i t y r e v i e w 2 5 ( 2 0 0 9 ) 1 0 1 – 1 0 5 105

9. United Kingdom

9.1. Patenting Computer Software gets easier in the UK

The recent Court of Appeal case Symbian Limited v Comptroller

General of Patents ([2008] EWCA Civ 1066, 8 October 2008)

suggests that the patenting of computer software in the UK

may be easier in future. The Court confirmed that if a ‘‘tech-

nical contribution’’ is achieved by software over and above

merely computerising a function, this may be patentable.

Article 52(2) of the European Patent Convention excludes

computer programs (‘‘as such’’) from patent protection. The

Court of Appeal applied the assessment of patentable subject

matter under section 1(2) of the Patents Act 1977, which it had

set out in Aerotel v Telco; Macrossan’s Application [2007] RPC, (i)

properly construe the claim; (ii) identify the actual contribu-

tion; (iii) ask whether it falls solely within the excluded subject

matter; (iv) check whether the actual or alleged contribution is

actually technical in nature. However, it held that it is

permissible to combine the third and fourth steps, thus

making technical contribution part of the examination of

whether the claimed invention fell solely within the excluded

subject matter. The mere fact that the invention sought to be

registered was a computer program was not determinative.

The key question was whether the invention revealed a tech-

nical contribution to the state of the art; Symbian’s invention

(involving software to enhance data access in computer

systems) was held to have done so and therefore was not

excluded from protection.

Since modern day inventions often have a software

element, whether the inclusion of a computerised element in

an invention should render the whole invention unpatentable

is a matter of significant commercial importance. This deci-

sion should be welcomed by any businesses involved in

developing products using software to achieve a novel effect

since software that solves a genuine technical problem would

now appear to be more readily patentable.

The Court refused to follow recent EPO case law on

patentability as it did not consider it to be established,

authoritative and settled. Giving judgment in Symbian, Lord

Neuberger commented that there should be a two-way dia-

logue between the national tribunals of the EPC member

states and the EPO. Shortly after this decision, the EPO Presi-

dent has referred several questions to the EPO’s Enlarged

Board of Appeal for clarification on the approach to be taken to

patentability of software-related inventions. A response is not

expected until next year.

9.2. Communications Data Bill

The government has scrapped plans to push through the

controversial Communications Data Bill which mandates the

retention of data by Internet service providers (ISPs) and tel-

ecoms companies. The government will hold a second public

consultation in the New Year, which means that the UK could

miss its self-imposed deadline to comply with the European

Data Retention Directive by March 2009.

It is also expected to slow the progress of the Interception

Modernisation Programme, a scheme to create a centralised

database of all electronic communications between everyone

in the UK.

Mark Turner, CLSR Professional Board, Partner, mark.turner@

herbertsmith.com and Tony Lai, Associate, tony.lai@herbertsmith.

com with the contribution of David Wilson, Partner, david.

wilson@herbertsmith.com and Chris Sharp, Associate, christopher.

sharp@herbertsmith.com from the London Office of Herbert Smith

LLP (Tel.: þ44 20 7374 8000).