Legal and Ethical Aspects of Cybersecurity and IT Law PDF
European University Cyprus
Summary
This document from the European University Cyprus introduces the legal and ethical aspects of cybersecurity and IT law. It provides an overview of topics such as cybercrime, intellectual property, privacy, and ethical issues relevant to the digital world.
Full Transcript
Chapter 7 Legal and Ethical Aspects 1 Applicable cybersecurity and IT law Software licensing, Data privacy and security, Electronic signatures, Legal and regulatory risks, cyberattacks, digital forensics, liability issues, trust. 2 Legal and Ethical Aspects touch on a few topics including: ⚫ cybercrime and computer crime ⚫ intellectual property issues ⚫ privacy ⚫ ethical issues 3 Cybercrime / Computer Crime “criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity” categorize based on computer’s role: ⚫ as target ⚫ as storage device ⚫ as communications tool more comprehensive categorization seen in Cybercrime Convention, Computer Crime Surveys 4 Law Enforcement Challenges 5 Intellectual Property 6 Copyright protects tangible or fixed expression of an idea but not the idea itself is automatically assigned when created may need to be registered in some countries exists when: ⚫ proposed work is original ⚫ creator has put original idea in concrete form ⚫ e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works. 7 Copyright Rights copyright owner has these exclusive rights, protected against infringement: Reproduction right: lets the owner make copies of a work. Modification right: also known as the derivative-works right, concerns modifying a work to create a new or derivative work. Distribution right: lets the owner publicly sell, rent, lease, or lend copies of the work. Public-performance right: applies mainly to live performances. 
Public-display right: lets the owner publicly show a copy of the work directly or by means of a film, slide, or television image 8 Patents grant a property right to the inventor ⚫ to exclude others from making, using, offering for sale, or selling the invention types: ⚫ utility - any new and useful process, machine, article of manufacture, or composition of matter ⚫ design - new, original, and ornamental design for an article of manufacture ⚫ plant - discovers and asexually reproduces any distinct and new variety of plant e.g. RSA public-key cryptosystem patent 9 Trademarks a word, name, symbol, or device ⚫ used in trade with goods ⚫ indicate source of goods ⚫ to distinguish them from goods of others trademark rights may be used to: ⚫ prevent others from using a confusingly similar mark ⚫ but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark 10 Intellectual Property Issues and Computer Security software programs ⚫ protect using copyright, perhaps patent database content and arrangement ⚫ protect using copyright digital content audio / video / media / web ⚫ protect using copyright algorithms ⚫ may be able to protect by patenting 11 Digital Rights Management (DRM) systems and procedures ensuring digital rights holders are clearly identified and receive stipulated payment for their works ⚫ may impose further restrictions on their use no single DRM standard or architecture goal often to provide mechanisms for the complete content management lifecycle provide persistent content protection for a variety of digital content types / platforms / media 14 DRM Components 15 DRM System Architecture 16 Privacy overlaps with computer security have dramatic increase in scale of info collected and stored ⚫ motivated by law enforcement, national security, economic incentives but individuals increasingly aware of access and use of personal / private info concerns on extent of privacy compromise have seen a range 
of responses 17 EU Privacy Law European Union Data Protection Directive was adopted in 1998 to: ⚫ ensure member states protect fundamental privacy rights when processing personal info ⚫ prevent member states from restricting the free flow of personal info within EU organized around principles of: ⚫ notice, consent, consistency, access, security, onward transfer, enforcement Has been replaced by GDPR 18 The General Data Protection Regulation (GDPR) The European Union’s General Data Protection Regulation (GDPR) is another example of far- reaching cybersecurity regulation akin to national or federal regulation. The GDPR is an example of cyber law that applies to businesses even if they do not have a physical presence within the EU. The GDPR applies to: Organizations based in the EU that process the personal data of data subjects residing in the EU; and Organizations that do not have a branch in the EU, but who offer goods and services to EU citizens and who process the personal data of data subjects in the EU. Terminology The GDPR defines the above-mentioned terms as follows: Personal data refers to “any information relating to an identified or identifiable natural person.” Processing of personal data includes “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Data subject rights The GDPR gives individuals rights over their data, such as a right to access data and a right to be forgotten. For example, a user can ask an organization to provide all the data it holds that may be used to identify the user. Organizations may also be required to give users clear information about how their data will be used. 
It also obliges organizations to implement appropriate technical safeguards and impose breach notification requirements Processing and controlling of data As the GDPR regulates the processing of personal data, it imposes obligations on the “controllers” and “processors” of that data. The relationship between a controller (a person or organization who controls how data is processed) and processor (the organization who processes data on behalf of the controller) is often based on a third- party contract. Breach notification and incident response In the event of a breach that compromises the rights of individuals’ data, a supervisory body will need to be notified if the breach is likely to have a serious negative effect on individuals, such as exposing them to identify theft, reputational damage, or financial loss. This needs to be done within 72 hours of the organization becoming aware of the breach. Penalties for non-compliance Because the GDPR gives data rights to individuals, it allows individuals to claim compensation from companies that did not comply with the GDPR’s requirements. Penalties for non-compliance It also empowers supervisory authorities to impose heavy administrative fines for certain kinds of non-compliance (such as not acquiring sufficient consent when processing a child’s information, or for not having implemented appropriate technical safeguards). Breaching the requirement to implement technical safeguards can make an organization liable for fines of up to €20,000,000, or even up to 4% of its worldwide annual turnover. 
US Privacy Law have Privacy Act of 1974 which: ⚫ permits individuals to determine records kept ⚫ permits individuals to forbid records being used for other purposes ⚫ permits individuals to obtain access to records ⚫ ensures agencies properly collect, maintain, and use personal info ⚫ creates a private right of action for individuals also have a range of other privacy laws 27 Organizational Response “An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.” 28 Common Criteria Privacy Class 29 Privacy and Data Surveillance Ethical Issues have many potential misuses / abuses of information and electronic communication that create privacy and security problems ethics: ⚫ a system of moral principles relating benefits and harms of particular actions to rightness and wrongness of motives and ends of them ethical behavior here not unique but do have some unique considerations ⚫ in scale of activities, in new types of entities 31 Ethical Hierarchy 32 Ethical Question Examples whistle-blower ⚫ when professional ethical duty conflicts with loyalty to employer ⚫ e.g. 
inadequately tested software product ⚫ organizations and professional societies should provide alternative mechanisms potential conflict of interest ⚫ e.g. consultant has financial interest in vendor which should be revealed to client 34 Codes of Conduct ethics not precise laws or sets of facts many areas may present ethical ambiguity many professional societies have ethical codes of conduct which can: 1. be a positive stimulus and instill confidence 2. be educational 3. provide a measure of support 4. be a means of deterrence and discipline 5. enhance the profession's public image 35 Codes of Conduct see ACM, IEEE and AITP codes place emphasis on responsibility other people have some common themes: 1. dignity and worth of other people 2. personal integrity and honesty 3. responsibility for work 4. confidentiality of information 5. public safety, health, and welfare 6. participation in professional societies to improve standards of the profession 7. the notion that public knowledge and access to technology is equivalent to social power 36 Summary reviewed a range of topics: ⚫ cybercrime and computer crime ⚫ intellectual property issues ⚫ privacy ⚫ ethical issues 37 Love and computer science = secret love affair? Rules Exceptions Interpretations 43 About Internet Law… Public international law Criminal law of Administrative obligations law Civil Internet Commercial obligations law law 44 Cybercrime law Cybercrime – includes violations of intellectual property, hate Cybercrime speech, child pornography etc. 
stricto sensu - infractions only with the use of computers 45 Plan I Personal Data protection The legal nature of IP address, the IP address as a key to Cybercrime Enforcement Privacy of communication and mass-surveillance Cybercriminality legal framework Cyber-attacks regulation Child Pornography 46 Plan II Copyright law Enforcement Notions of Criminal Copyright law Mass piracy, peer to peer networks Intermediaries liability The safe harbor The injunctions 47 Plan III Judiciarity issue s Other issues of criminal internet law Hate speech 48 Personal Data protection in EU 49 History of personal data protection Convention 108 of General Data the council of protection The Europe The EU regulation * Shoah legislation The next step World War II Directive 95/59 * Download the GDPR : http://eur-lex.europa.eu/legal- content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en 51 The three generations of the protection Protection Protection Protection against the against the against state multinationals ourselves? companies 52 A complex web of protection The EU legislation The new Regulation Protection of Personal The regulation’s The national legislation application data by The right of The Constitution informational autodetermination The international Right to Privacy (article treaties 8 ECDH) The European Charter Articles 7 and 8 of fundamental rights 53 EU Charter of fundamental rights (Treaty of Lisbon, 2009) Article 7 - Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8 - Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. 
Compliance with these rules shall be subject to control by an independent authority. 54 CJEU, C-291/12, Michael Schwarz vs Stadt Bochum (2013) Although the taking and storing of fingerprints in passports constitutes an infringement of the rights to respect for private life and the protection of personal data, such measures are nonetheless justified for the purpose of preventing any fraudulent use of passports 55 Key notions of the legal framework A communication Data Personal Receiver Subject Data Process Data controller Database Data processor 56 When does the regulation apply? Personal Controller’s Processing data liability ‘processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; 58 Personal Data Definition (The GDPR, Art.4(1)) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 59 Sensitive personal data (The GDPR, Rec.10, 34, 35, 51; Art.9(1) “Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence). 
60 About “profiling” 'profiling' means any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; 61 Objective (DNA) information Subjective (opinion) Content/ Purpose Text, picture, / Consequence sound, video… About someone About an object? Personal Data (ex: house value?) What’s the A close context? relationship Who can be identified In concreto But… data mining analysis About a natural alive person 62 When does the regulation not apply? National Security, defense, EXCEPTIONS State protection Purely personal or household activity Cache memory Open access Pseudonymisation 63 purely personal or household activity CJEU, Βοdil Lindquist, 6 November 2003, C-101/01. 64 CJEU, Frantiaek RyneS v. Úřad pro ochranu Home camera = personal use? osobních údajů (Case C-212/13), 2014 video surveillance which covers a video surveillance the image of a public space and involving the person recorded by which is accordingly recording and a cameraconstitutes directed outwards storage of personal personal data from the private data falls within the because it makes it setting of the person scope of the possible to identify processing the data Directive, since it the person cannotbe regarded constitutes automatic concerned. as an activity which is data processing. a ‘purely personal or household activity’ 65 CJEU, C-28/08 P, Commission v The Bavarian Lager Co. Ltd., 29 June 2010 Open Personal access to Data Public data 66 GDPR (recital 26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. 
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data67 “Data Mining” 68 Data processing (The GDPR, Art.4(2) "Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 71 Personal data legal framework General principles Transnational Lawfulness of flux processing Special Data subjects situations rights 72 The principles lawfulness, fairness and transparency PRINCIPLES purpose limitation data minimisation Accuracy storage limitation integrity and confidentiality 73 Lawfulness of processing (GDPR, Art. 6) Lawfulness of processing 1. 
Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 
This shall not apply to processing carried out by public authorities in the performance of their 74 The consent Controller has the burden of the proof It must be clearly distinguished from other matters “When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract” No consent for child below 16 (or 13 if the State prefers) in relation to information society services 75 Consent case study 1 : the cookies https://youtu.be/gMaaxptSCoI 76 Data subject rights Right to Right to Right to access restriction of rectification processing Right to erasure Right todata Right to object (“right tobe portability forgotten") 77 Processing of special categories of personal data : sensitive data The processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation shall be prohibited. 
78 Notification of a personal data breach 80 II) Cyber-attacks legal framework General introduction to Cybercrime legal framework 83 problematic Convention on cybercrime (ETS N° 185) EU legislation : Directive 2013/40 National legislation 85 DIRECTIVE 2013/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 August 2013 on attacks against information systemsand replacing Council Framework Decision 2005/222/JHA 86 The general philosophy illegal Data access interception System Data interference interference 87 notion : information system Information system Digital Network of device devices 88 Article 3 : Illegal access to information systems Member States shall take the necessary measures to ensure that, when committed intentionally, the access without right, to the part of an information system, is criminal offence where by infringing a security measure at least for cases which are not minor. 89 Security measure infringement? What about Brute force attack ? 90 Article 4 : Illegal system interference Member States shall take the necessary measures to ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data,or by rendering such data inaccessible and intentionally a without right, is punishable as criminal offence, at least for cases which are not minor. 91 bandwidth Not a cyber-attack but : Database protection law Civil law (contract law, parasitism) 92 Article 5 : Illegal data interference Member States shall take the necessary measures to ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishableas a criminal offence, at leastfor cases whichare not minor. 
93 Article 6 : Illegal interception Member States shall take the necessary measures to ensure that intercepting, by technical means, non- public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, intentionally and without right, is punishable as a criminal offence,at leastfor cases which are not minor. 94 Mass-surveillance phenomenon 95 Article 7 : Tools used for committing offences Member States shall take the necessary measures to ensure that the intentional production, sale, procurement for use, import, distribution or otherwise making available, of one of the following tools, without right and with the intention that it be used to commit any of the offences referred to in Articles 3 to 6, is punishable as a criminal offence, at least for cases which are not minor: (a) a computer programme, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6; (b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed. 96 Article 8 : Incitement, aiding and abetting and attempt 1. Member States shall ensurethat the incitement, or aiding and abetting, to commit an offence referred to in Articles 3 to 7 is punishable as a criminal offence. 2. Member States shall ensurethat the attempt to commit an offence referred to in Articles 4 and 5 is punishable as a criminal offence. 97 Article 12 Jurisdiction 1. Member States shall establish their jurisdiction with regard to the offences referred to in Articles 3 to 8 where the offence has been committed: (a) in whole or in part within their territory; or (b) by one of their nationals, at least in cases where the act is an offence whereit was committed. 2. 
When establishing jurisdiction in accordance with point (a) of paragraph 1, a Member State shall ensure that it has jurisdiction where: (a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or (b) the offence is againstan information system on its territory, whether or not the offender commits the offence when physically present on its territory. 3. A Member State shall inform the Commission where it decides to establish jurisdiction over an offence referred to in Articles 3 to 8 committed outside its territory, including where: (a) the offenderhas his or her habitual residence in its territory; or (b) the offence is committed for the benefit of a legal person established in its territory. 98 III) Child pornography’s regulation 99 Notion Child icturesof Pictures Child pornography minor’ minor’s abuse nogra abuse 100 Two different theatrical justifications of the offense Humanist : The pictures constitutes by themselves a Economic: human rights violation The demand creates the market 101 Multiple layers of protection UN Convention for the rights of Article 34. C children (1990) International law Budapest’s Article 9 Legal convention framework Framework Directive EU law decision 2004/68 2011/92 102 CEDH, K.U. v Finland, 2/12/2008 This case concerned an advertisement of a sexual nature posted about a 12-year old boy on an Internet dating site. Under Finnish legislation in place at the time, the police and the courts could not require the Internet provider to identify the personwho had posted the ad. In particular, the service provider refused to identify the person responsible, claiming it would constitute a breachof confidentiality. The Court held that therehad been a violation of Article 8 (right to respect for private and family life) of the Convention. It considered that posting the ad was a criminal act which madea minor a targetfor paedophiles. 
The legislature should have provided a framework for reconciling the confidentiality of Internet services with the prevention of disorder or crime and the protection of the rights and freedoms of others, and in particular children and other vulnerable individuals. 103 Directive 2011/92/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and childpornography, and replacing Council Framework Decision 2004/68/JHA 104 Definition ‘child pornography’ : (iii) any material that visually depicts any person appearing tobe a child (iv) realistic engaged in real or images of a child (i) any material simulated sexually engaged in sexually (ii) any depiction explicit conduct or that visually depicts a explicit conduct or of the sexual organs realistic images of child engaged in real any depiction of of a child for the sexualorgans of a or simulated sexually the sexual organs of primarily sexual child, for explicit conduct; any person purposes; primarily sexual appearing to be a child, for primarily purposes; sexual purposes; or 105 Who is a child ? ‘child’ means any person below the age of 18 years; 106 The offence (article 5) 1. Member States shall take the necessary measures to ensurethat the intentional conduct, when committed without right, referred to in paragraphs 2 to 6 is punishable. 2. Acquisition or possession of child pornography shall be punishable by a maximum term of imprisonment of at least 1 year. 3. Knowingly obtaining access, by means of information and communication technology, to child pornography shall be punishable by a maximum term of imprisonment of at least 1 year. 4. Distribution, dissemination or transmission of child pornography shall be punishable by a maximum term of imprisonment of at least 2 years. 5. Offering, supplying or making available child pornography shall be punishable by a maximum term of imprisonment of at least 2 years. 6. 
Production of child pornography shall be punishable by a maximum term of imprisonment of at least 3 years. 107 Limitations of the protection The real age ? The virtual picture? 7. It shall be within the discretion of 8. It shall be within the discretion of Member States to decide whether Member States to decide whether this Article applies to cases involving child paragraphs 2 and 6 of this Article apply to cases where it is established that pornography as referred to in Article pornographic material as referred to in 2(c)(iii), where the person appearing tobe a Article 2(c)(iv) is produced and child was in fact possessed by the producer solely for his 18 years of age or older at the time or her private use in so far as no of depiction. pornographic material as referred to in Article 2(c)(i), (ii) or (iii) has been used for the purpose of its production and provided that the act involves no risk of dissemination of the material. 108 Virtual child pornography vs Freedom of expression ALAvs. USA, 123 5 et 2293 Ashcroft vs. ACLU, 542 US 656 (2004) 109 Article 6 : Solicitation of children for sexual purposes 1. Member States shall take the necessary measures to ensure that the following intentional conduct is punishable: the proposal, by means of information and communication technology, by an adultto meet a child who has notreached the age of sexual consent, for the purpose of committing any of the offences referred to in Article 3(4) and Article 5(6), where that proposal was followed by material acts leading to sucha meeting, shall be punishable by a maximum term of imprisonment of at least 1 year. 2. Member States shall take the necessary measures to ensure that an attempt, by means of information and communication technology, to commit the offences provided for in Article 5(2) and (3) by an adult soliciting a child who has notreached the age of sexual consent to provide child pornography depicting that child is punishable. 
110 Enforcement 111 Policemethods and “entrapment” hyperlink-enticement technique : false link to child pornography material False chat with robot 112 The active participation of private sector http://www.inhope.org/gns/home.aspx 113 Article 25 : Measures against websites containing or disseminating child pornography 1. Member States shall take the necessary measures to ensure the prompt removal of web pages containing or disseminating child pornography hosted in their territory and to endeavour to obtain the removal of such pages hosted outside of their territory. 2. Member States may take measures to block access to web pages containing or disseminating child pornography towards the Internet users within their territory. These measures must be set by transparent procedures and provide adequate safeguards, in particular to ensure that the restriction is limited to what is necessary and proportionate, and that users are informed of the reason for the restriction. Those safeguards shall also include the possibility of judicial redress. 114 III) Copyright law and Internet General introduction to Cybercrime legal framework 115 General principles – introduction to Copyright law No formalities ! Originality ! Pecuniary and moral rights Exceptions (short citation, copy for private use, parody, etc.) 70 post morterm auctoris 116 Copyright Enforcement on Internet ? 117 Peer-to-peer: 3 phases of the struggle First Phase. Law suits against network or p2p Third Phase. software Napster Second Phase. Law Intermediary’s liability. (2001), Kazaa (Holland, suits against users. Pirate Bay Case 2002), Kazaa (USA (Suede, 17/4/2009). 2003), Grokster (USA., 2005) 118 Is there an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings? 
Does the private use exception apply to illegal downloading?

CJEU, C-314/12, UPC Telekabel Wien
"an injunction such as that at issue in the main proceedings results primarily in a conflict between (i) copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter, (ii) the freedom to conduct a business, which economic agents such as ISPs enjoy under Article 16 of the Charter, and (iii) the freedom of information of internet users, whose protection is ensured by Article 11 of the Charter."
"EU law must be interpreted as not precluding a court injunction prohibiting an internet service provider from allowing its customers access to a website placing protected subject-matter online without the agreement of the rightholders when that injunction does not specify the measures which that access provider must take and when that access provider can avoid incurring coercive penalties for breach of that injunction by showing that it has taken all reasonable measures, provided that (i) the measures taken do not unnecessarily deprive internet users of the possibility of lawfully accessing the information available and (ii) that those measures have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject- [...]"

The internet connection suspension (graduated response)
1st warning → 2nd warning → Internet connection suspension

IV. Internet intermediaries' criminal liability

History of the Safe Harbor
⚫ US Online Copyright Infringement Liability Limitation Act (1998)
⚫ EU Electronic Commerce Directive (Directive 2000/31/EC, 2000)

Who is the intermediary?
⚫ Online Service Providers (OSPs)
⚫ Internet Service Providers (ISPs)
⚫ websites based on User Generated Content (UGC)
Roles: mere conduit, caching, hosting

The Safe Harbor principles
⚫ Mere conduit (Article 12)
⚫ Caching (Article 13)
⚫ Hosting (Article 14)

Article 12 "Mere conduit"
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.

Article 13 "Caching"
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients of the service upon their request, on condition that:
(a) the provider does not modify the information;
(b) the provider complies with conditions on access to the information;
(c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;
(d) the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and
(e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement.
2. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.

Article 14 "Hosting"
1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.

The hosting category in practice
⚫ Sharing: videos, pictures, small texts (tweets), ideas, blogs
⚫ Commenting: journalistic articles, personal memories, hotel and restaurant services
⚫ Negotiating: goods, services
⚫ Contributing: encyclopaedias and other collective works, even new novels
No general monitoring obligation
⚫ Member States are not allowed to impose a general monitoring obligation on intermediary service providers
⚫ This principle does not affect monitoring obligations in specific cases or orders by national authorities
⚫ Member States may establish obligations for service providers to inform authorities of illegal activities or information, and obligations to communicate information allowing the identification of recipients of their service with whom they have storage agreements

The "notice and take down" procedure
⚫ Reflections on a more detailed procedure (EU Commission)
⚫ Growing dissatisfaction with the daily operation of "notice and take down"

The "passive role" jurisprudence
⚫ Google France and Google v. Louis Vuitton (C-238/08, 2010)
⚫ L'Oréal SA and others v. eBay International AG and others (C-324/09, 2011)
⚫ The Good Samaritan syndrome: no intervention = safe harbor

The current situation on safe harbor application
⚫ Rising issues of human rights protection (ECtHR, Delfi v. Estonia)
⚫ A semantic evolution: from the safe harbor idea of no liability to a fault-based approach