Operators of online hosting platforms will soon know exactly what responsibility to assume for illegal or hateful content published on these platforms. The current climate seems to be very conducive to clarifying the nature and extent of their liability.
In this respect, two schools of thought clash: for some, it is necessary to impose obligations to control the content published on these platforms, but for others, this would reflect the attribution of a new role to these operators, which has not been given to them on a basic level.
“There would be a risk that platform operators would become judges of online legality and a risk of ‘over-withdrawing’ content stored by them at the request of users of their platforms, to the extent that they also remove legal content,” said Advocate General Henrik Saugmandsgaard Øe, who presented his conclusionsbefore the Court of Justice of the European Union (CJEU) on July 20, referring to request for preliminary ruling a preliminary ruling made by the Bundesgerichtshof, the German Federal Court of Justice, on two disputes brought before the German national courts.
The first dispute (1) was between Frank Peterson, a music producer, and the video-sharing platform YouTube and its parent company Google over the users posting , of several phonograms without Mr. Peterson’s permission, to which he claims to hold rights.
In the second (2), Elsevier Inc, an editorial group, sued Cyando AG, in connection with its operation of the Uploadedhosting and file-sharing platform, over the uploading, again by users without its authorization, of various works to which Elsevier holds exclusive rights.
In said requests for preliminary ruling, it is a question of knowing whether the operator of content platforms such as YouTube, performs acts of communication to the public pursuant to Article 3(1) of Directive 2001/29 of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, a directive that was invoked against YouTube.
The answer is negative, according to the Advocate General, who invites the CJEU to bear in mind that the legislator of the Union has specified that the “mere provision of facilities intended to enable or carry out a communication does not in itself constitute a communication within the meaning of [this directive]”. According to the Advocate General, it is, therefore, important to distinguish a person performing the act of “communication to the public”, within the meaning of the Article 3(1) of the Directive 2001/29, from service providers, such as YouTube and Cyando, who, by providing the “facilities” enabling this transmission to take place, act as intermediaries between that person and the public. On the other hand, a service provider goes beyond the role of intermediary when it actively intervenes in the communication to the public – if it selects the content transmitted, or presents it to the public in a different way from that envisaged by the author.
Such a conclusion would lead to the non-application of the Article 3(1) of the Directive 2001/29 to those people facilitating the performance, of unlawful acts of “communication to the public”, by third parties.
Moreover, it is a question of knowing whether the safe harbour – in the case of “provision of an information society service consisting in storing information provided by a recipient of the service” – provided for in the Article 14 of the the Directive on electronic commerce n°2000/31 is in principle accessible to these platforms (according to the Advocate General, it is).
This provision provides that the provider of such a service cannot be held liable for the information that it stores at the request of its users, unless the provider, after becoming aware or conscious of the illicit nature of this information, has not immediately removed or blocked it.
However, according to the Attorney General, by limiting itself to a processing of this information that is neutral with respect to its content without acquiring intellectual control over this content, the provider such as YouTube, cannot be aware of the information it stores at the request of the users of its service.
The CJEU will, therefore, have to rule on these issues in the coming months.
Furthermore, it should be noted that in 2019, the Union legislator adopted the Directive No. 2019/790, not applicable to the facts, on copyright and related rights in the single digital market, modifying in particular the previous Directive of 2001. A new liability regime was introduced in Article 17 for operators of online hosting platforms.
Consumers are now demanding more privacy and security in t he processing of their personal data.
What are the challenges for the data controller?
There are several challenges for the data controll
er – i.e. the legal or natural person who determines the purposes and means of a processing operation – to overcome at different scales:
– information management: reducing the data collected by establishing a precise commercial context, and reducing the risks by taking care of the contracts;
– communication with suppliers: being able to find solutions and evaluate each other;
– monitoring of data processing: setting up mechanisms for reporting data breaches or threats concerning suppliers (for example, if Easyjet has had a data breach, the data controller, operating in the same business sector as the airline, if notified, can redirect its decisions.
What are the risk management methods?
A more effective risk management includes precise identification of suppliers, prior audits when integrating new suppliers, automation of evaluation and control processes, and risk prevention to protect data.
What about cookies?
They are used to collect data. Their presence is materialized by the banners you find on websites that ask for your consent to collect certain data.
In summary, there are 3 types of cookies:
– cookies strictly necessary for the operation of the site;
– cookies intended to improve the performance and functionality of the site;
– advertising cookies (which will soon disappear, Firefox has already put an end to them, and Google has announced that Chrome will no longer use them in 2021).
How do I collect online consent?
Remember that in France, consent must be free, specific, informed and unambiguous (GDPR).
Nevertheless, in order to collect consent, the user must understand what he is consenting to. He must receive clear information (purpose and duration of the use of cookies, list of third parties with whom the information is shared etc…) and the data controller must be particularly attentive to the layout of his banner.
What should be the role of the DPO (Data Protection Officer) in a modern company?
If the company promotes ethics, innovation, data, then the DPO has a key role: they shed light on data collection, and bring their vision on risks from an individual’s point of view.
In the past, their role was purely administrative, but today it is different, the DPO accompanies the company on a permanent basis, but they cannot guarantee compliance on their own: they have to expand a web within the organization (with the digital or marketing departments in particular) in order to promote the essential principles.
What changes are taking place within companies, in terms of GDPR awareness?
When GDPR came into force, programs were launc
hed to raise awareness of it, , and it was necessary to mobilize the entities and ensure they had good skills (setting up e-learning internally, for example).
Despite the existing similarities in legislation, what differences persist and what are the challenges that companies have to face in this respect?
There are technical differences (in terms of data retention time, each country has its obligations) and very important cultural differences, the way in which people in different countries deal with these subjects depends on their history. Consequently, it is difficult to find “golden rules” (= harmonized rules).
How can organizations benefit from their compliance efforts?
One way to recognize that companies have done their job properly is through certifications, such as HDS certification.
Our site uses cookies to offer you the best service and to produce statistics, and measure the website's audience. You can change your preferences at any time by clicking on the "Customise my choices" section.
When browsing the Website, Internet users leave digital traces. This information is collected by a connection indicator called "cookie".
Dreyfus uses cookies for statistical analysis purposes to offer you the best experience on its Website.
In compliance with the applicable regulations and with your prior consent, Dreyfus may collect information relating to your terminal or the networks from which you access the Website.
The cookies associated with our Website are intended to store only information relating to your navigation on the Website. This information can be directly read or modified during your subsequent visits and searches on the Website.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Dreyfus is concerned about protecting your privacy and the Personal Data ("Data"; "Personal Data") it collects and processes for you.
Hence, Dreyfus complies every day with the European Union legislation regarding Data protection and particularly the European General Data Protection Regulation Number 2016/679 of 27 April 2016 (GDPR).
This Privacy Policy is aimed at informing you clearly and comprehensively about how Dreyfus, as Data Controller, collects and uses your Personal Data. In addition, the purpose of this Policy is to inform you about the means at your disposal to control this use and exercise your rights related to the said processing, collection and use of your Personal Data.
This Privacy Policy describes how Dreyfus collects and processes your Personal Data. The collection happens when you visit our Website, when you exchange with Dreyfus by e-mail or post, when exercising our Intellectual Property Attorney and representative roles, when we interact with our clients and fellow practitioners, or on any other occasion when you provide your Personal Data to Dreyfus, in particular when you register for our professional events.
Webinar September 10, 2020 :
