Thursday, 20 October 2016

ECJ: dynamic IP addresses can be personal data- and yet websites may be able to store them without consent

Yesterday, the Court of Justice delivered its decision in Breyer v Bundesrepublik Deutschland (C-582/14, not yet available in English), a case concerning the lawfulness of the retention of dynamic IP addresses and other information by internet service providers. 

Mr Breyer contested the practice of the German federal government's websites, which keep a register of all IP addresses accessing information on their pages, together with a record of the pages visited and the time of each visit. The purpose of this information storage, according to the German government, is to prevent and/or readily prosecute cyberattacks. 

Two questions were raised before the Court of Justice: 1) whether, contrary to the assumptions of the Government when devising this practice, the information concerned constituted personal data under Directive 95/46; 2) if so, whether the German rules applicable to the retention of personal data by websites, which would make the Government's practice illegal, were compatible with the directive.

As to the first question, the Court of Justice answered that the collection of dynamic IP can be qualified as collection of personal data. The main issue to be discussed in this context was whether dynamic IP information, which is by definition not constantly associated to an individual user, can nevertheless be considered as capable of identifying that user. This is materially possible only through obtaining additional information from the internet service provider which has issued the IP number. 

Making reference to the directive's 26th recital, the Court reasoned that the answer to the question depends on the ability, for the website's owners, to obtain the "missing" information legally and without disproportionate expenditure. The ECJ considers that this possibility is clearly present in a case such as the one under scrutiny, especially in the event of a cyberattack. 

Therefore, the answer to the first question is that dynamic IP addresses are to be considered and treated as personal data by a provider which has the possibility to use them, in case of need, in order to identify the users associated to them. 

As to question 2), the Court had to consider the compatibility with Directive 95/46 of the German provision according to which- thus the interpretation prevailing in Germany- online service providers are only allowed to collect personal data for purposes related to their service provision- and charging of potentially ensuing fees. 

In particular, the Court considered whether a similarly interpreted restriction was compatible with article 7 letter f of the Directive, according to which providers can collect and preserve data in pursuit of their legitimate interests, provided they do not disproportionately impinge on the user's fundamental rights and liberties. The national legislation implementing the directive must leave some room for the balancing required by this provision. 

According to the Court, therefore, article 7 letter f of Directive 95/46 stands in the way of a national rule that generally disallows providers to store personal data with the purpose of securing the website's continued workability- which, inter alia, encompasses the prevention and prosecution of cyberattacks.

Thus, the answer of the second question is that the Directive does not allow national legislation to be interpreted in such a manner that would render the collection of personal data (ie dynamic IP addresses and access information) for the prevention of cyberattacks illegal.    

This decision is rather double-faced: on the one hand, it has a privacy-friendly attitude insomuch as it makes clear that all information can be personal data when the provider collecting it has the possibility to, at some point in time, use it to identify people who have accessed its webpages. On the other hand, though, it threatens to preempt national legislations giving a strict interpretation of the legitimate interests allowing data collection. It will be interesting to see which of the two faces will become more visible in the decision's aftermath. 

Wednesday, 19 October 2016

Comparing prices in hyper- and supermarkets - AG Saugmandsgaard Øe in Carrefour Hypermarchés (C-562/12)

AG Saugmandsgaard Øe has issued an opinion today in the case C-562/12 (Carrefour Hypermarchés) concerning an issue of a potential misleading and comparative advertising. Carrefour holding consists of many hyper- and supermarkets across France, with supermarkets generally being smaller in size than hypermarkets. One of its main competitors is Intermarché holding that also operates many hyper- and supermarkets. While Carrefour has 223 hypermarkets, Intermarché has 79. 

In December 2012 Carrefour run a new advertising campaign, both on TV and online, in which it compared prices of selected 500 leading brand products in its shops and competitors' shops under a slogan 'Lowest price guarantee'. The comparison was clearly favourable to Carrefour, who also promised to pay twice the price difference if consumers proved that the advertised prices were incorrect. Intermarché questioned the objectivity of this price comparison and its correctness, as well as a possibility of this advertisement misleading consumers, as it wasn't made clear to consumers that the comparison was between prices of consumer products in Carrefour's hypermarkets and Intermarché's supermarkets. Especially, since both Carrefour and Intermarché belong to retail outlets which each have shops of identical format and size, whose prices where then not directly compared with.

The CJEU was asked to answer such questions as (1) whether comparative advertisement referring to prices of consumer goods should be allowed only if the shops are of the same size and format; (2) if the compared shops differ in size and format whether consumers should be informed about this under the UCPD's obligation of Art. 7 to reveal material information to consumers; (3) if (2) is answered positively, how should this information be given to consumers.

The AG advises the Court to answer that indeed (1) comparative advertisement may only compare prices of goods sold in shops of similar formats and sizes but only IF:

"it is found, in the light of all the relevant circumstances of the case, and in particular in the light of the information in or omissions from the advertising at issue, that the transactional decision of a significant number of consumers to whom that advertising is addressed is likely to be made in the mistaken belief that all the shops in those retail chains have been taken into account in calculating the general price level and the amount of savings which are claimed by the advertising and that, accordingly, those consumers will make savings of the kind claimed by the advertising by regularly buying their everyday consumer goods from shops in the advertiser’s retail chain rather than from shops in the competitor’s retail chain"

or 

"the selection of the shops for the comparison has the effect of artificially creating or increasing any difference between the prices charged by the advertiser and by the competitor."

Thus, the national court has to consider the effect of a given advertisement on both consumers and fair competition to assess whether in a given case the comparative advertisement showed by Carrefour has infringed requirements of the Directive 2006/114/EC. If it is not misleading and it is done in an objective way, it should be allowed. 

"In my view, there is in principle no reason to consider that an advertiser’s economic freedom does not also extend to the possibility of comparing prices in shops having different formats and sizes. In so far as an advertiser is capable of benefiting from economies of scale, as a result of the size, format or number of shops available to him, and, consequently, of charging prices lower than those of his competitors, he should be able to derive the benefits therefrom for marketing purposes." (Par. 30)

The discretion of the advertiser in designing his marketing strategies is not unlimited, however, and should consider the need to provide objective comparisons and not to mislead consumers.

The AG expresses also an interesting view on the capabilities of average consumers: "I consider that the average consumer is fully capable of deciding whether a price difference justifies, in his view, purchasing a product in one or other of the shops, when those shops have different formats or sizes, which may also entail differences in terms of the geographical proximity of the shops." (Par. 31) However, in the particular case: "I consider that an asymmetric comparison of that kind might deceive an average consumer as to the actual difference in the prices charged in the advertiser’s shops and in the competitor’s shops, by giving that consumer the impression that all the shops in the retail chains were taken into consideration in calculating the price information presented in the advertising, although that information applies only to certain types of shops in those retail chains." (Par. 42)

Only the second requirement - whether the comparison might artificially create or increase difference in charged prices on the market - should, however, be considered by the national court when assessing (2) whether consumers should have been informed about divergence in size and format of shops compared in this advertising. In general, the AG does not see the information on size and format of shops as always being material to consumers, but in certain circumstances it may become material information. (Par. 68-69)

If the information on the difference between compared shops should have been given to consumers, this would need to occur in the advertisement itself (3), pursuant to the AG. Only such dissemination would assure that the information is provided in a clear, intelligible, unambiguous and timely manner, esp. since choosing to compare prices of goods sold in shops with different sizes/ formats was a voluntary choice of the advertiser. (Par. 78)


Wednesday, 12 October 2016

Putting an end to silos enforcement of consumer (data protection) rights?

Last month, BEUC and the European Data Protection Supervisor (EDPS) held a joint conference on the enforcement of fundamental rights- notably, the right to privacy- in the age of big data. 

BEUC urges all competent authorities to coordinate their actions and strategies in this field, putting an end to "silos" enforcement, which is unable to guarantee equal respect of consumer rights across policy areas. 

BEUC particularly welcomed the EDPS's recently published opinion on "coherent enforcement of fundamental rights in the age of big data", which contains a set of recommendations, Here an excerpt from the study summary:

"The EU institutions and bodies, and national authorities when implementing EU law, are required to uphold the rights and freedoms set out in the Charter of Fundamental Rights of the EU. Several of these provisions, including the rights to privacy and to the protection of personal data, freedom of expression and non-discrimination, are threatened by normative behaviour and standards that now prevail in cyberspace. The EU already has sufficient tools available for addressing market distortions that act against the interests of the individual and society in general. A number of practices in digital markets may infringe two or more applicable legal frameworks, each of which is underpinned by the notion of ‘fairness’. Like several studies in recent months, we are calling for more dialogue, lesson-learning and even collaboration between regulators of conduct in the digital environment. We also stress the need for the EU to create conditions online, as well as offline, in which the rights and freedoms of the Charter may thrive.

This Opinion therefore recommends establishing a Digital Clearing House for enforcement in the EU digital sector, a voluntary network of regulatory bodies to share information, voluntarily and within the bounds of their respective competences, about possible abuses in the digital ecosystem and the most effective way of tackling them. This should be supplemented by guidance on how regulators could coherently apply rules protecting the individual. We also recommend that the EU institutions with external experts explore the creation of a common area, a space on the web where, in line with the Charter, individuals are able to interact without being tracked. Finally, we recommend updating the rules on how authorities apply merger controls better to protect online privacy, personal information and freedom of expression."
According to the opinion, the Digital Single Market strategy represents a good opportunity for taking a more coherent approach. We will see whether the different actors involved will be willing to seize the chance!

Monday, 3 October 2016

Tax increase on consumer goods - an effective nudging tool?

There is an interesting article in today's The Guardian by P. Barkham on how the introduction of a 5p charge for plastic bags last year in the UK has led to significant changes in consumer purchasing behaviours and ultimately contributed to better environment protection (Six billion plastic bags can't be wrong - so what do we tax next?). Logically, you wouldn't think that just the fact that consumers were faced with having a choice of paying less for their groceries if they brought their own bags, would lead to significant behavioural changes, considering the diminutive amount of the price increase. But still... of course, just the fact of having to confirm this additional charge might have been discouraging, as well as could have brought consumers' attention to the reason behind this sudden charge - environmental protection. The author poses a valid question whether tax policy is where we may expect more nudges to occur in the future.