Whistleblowing Directive: What You Need To Know

Whistleblowing, or reporting of breaches of the law, is often regulated in a fragmented and non-comprehensive fashion. This is about to change thanks to Directive 2019/1937 of October 23, 2019 “on the protection of persons who report breaches of Union law” (the “Directive”), aimed at harmonizing and broadening the protection of whistleblowers and of reported entities.

In Italy, whistleblowing is currently governed by Legislative Decree no. 165/2001 (for public employees) and by Legislative Decree no. 231/2001 (for private employees). With regard to the private sector, whistleblowing provisions apply only to companies that have adopted a “231 Organizational Model”.

The Directive should have been implemented by December 17, 2021. The Italian government has been delegated by the Parliament to adopt the necessary implementing measures but, as in many other EU countries, the legislative process has already overrun the December 17 deadline.

While the details of the national law that will implement the Directive are still unknown, certain basic principles can already be envisaged:

  • In principle, the Directive applies to public entities and to private entities with at least 50 employees or with an annual turnover of more than Euro 10 million, with two caveats: (i) the Directive applies, regardless of the number of employees, if your company operates within the scope of EU legislation preventing money laundering and terrorist financing (e.g., financial services); and (ii) Member States may decide to apply the new whistleblowing provisions also to companies below the 50-employee threshold;
  • The Directive broadens the concept of reporting person: among others, self-employed workers, shareholders, members of the company’s key bodies, (sub)contractors and suppliers will be covered by the protection afforded by whistleblowing legislation (such as the protection of their identity), even if their work relationship has ended or has yet to begin;
  • The Directive also broadens the subject matter of the report: to be covered by the Directive, reports have to relate to breaches of EU law in specific sectors. However, the Directive gives Member States the possibility to broaden the subject matter so as to include violations of domestic legislation;
  • The Directive provides for three reporting channels:
    • Internal channel: if you have adopted a 231 Model, you are surely already equipped with an internal whistleblowing channel, which, however, will need to be upgraded so as to cover the new definition of reporting person and the strict reporting and follow-up requirements established by the Directive;
    • External channel, which will be set up by the government and will likely allow reports to be made to public authorities, such as the Italian Anticorruption Authority. (If you have an IT provider that helps you run a whistleblowing channel, that is still an internal channel);
    • Public disclosure: reporting persons may “go public” only if the other channels have not been successful.
  • In relation to groups of companies, the European Commission has clarified the matter with two opinions, dated June 2, 2021 and June 29, 2021: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting. Entities with 50 to 249 employees may “share resources” with their parent companies (but also with non-linked companies) and may also, but not exclusively, rely on their channels;
  • Data collection and processing activities under whistleblowing provisions must be carried out in compliance with the GDPR: as an example, personal data which are manifestly not useful for the purposes of a specific report must not be collected or, if collected accidentally, must be deleted.

While we wait for the Italian law implementing the Directive, the above basics already give you an idea of what is to come.

Agreement Reached on the European Copyright Directive

An agreement has been reached on the much discussed European Directive on copyright (http://europa.eu/rapid/press-release_IP-19-528_en.htm). In a race against time to close the dossier by the end of the legislature, in the late evening of February 13, the Parliament, the Commission and the Council of the European Union finally found an agreement on the copyright directive, which this blog already discussed at https://lawhealthtech.com/2018/09/24/copyright-european-legislation-getting-ready-for-the-digital-era/ .

The vice president of the European Commission immediately tweeted «Europeans will finally have modern copyright rules fit for digital age!». Supporters insist that the new provisions will guarantee rights for users, fair remuneration for creators and clarity of rules for platforms. On the other hand, the opposition, stronger than ever before, wants to prevent the imminent change to the internet as we know it.

The highest expectations placed on the trilogue concerned the much debated articles 11 and 13, and these are reported to be the outcomes:

  • With regard to publishers’ rights, the new version of article 11 sets forth a general need to obtain a license for the online use of publishers’ press publications, the only exception being the use of «individual words or very short extracts». According to the Commission, mere hyperlinks and snippets are therefore not covered by the reform. However, how short a “very short extract” must be is still to be understood.
  • With regard to the use of protected content by online content-sharing service providers, online platforms should obtain prior authorization from the right holders by concluding licensing agreements (where an online platform is defined as «a provider of an information society service whose main or one of the main purposes is to store and give the public access to a large amount of works or other subject-matter uploaded by its users which it organizes and promotes for profit-making purposes»). However, an exception has been created for small online platforms, which will not be subject to the above obligation if they: have been available to the public for less than three years; have an annual turnover below 10 million euro; and have fewer than 5 million visitors.

In the other cases, if no authorization is granted, content-sharing service providers shall be liable for unauthorized acts of communication unless they demonstrate not only that they have made best efforts to obtain the authorization, but also, in accordance with high industry standards of professional diligence, that they have made best efforts to ensure the unavailability of specific works, and that they have acted expeditiously to remove the content after receipt of a notice from the right holders.

We will see if the agreement survives to the finishing line or if the vote of the European Parliament, scheduled for March-April, blocks the text once again, as, unfortunately, has already happened.

Copyright European Legislation: Getting Ready for the Digital Era.

On September 12th the European Parliament approved amendments to the controversial Proposal for a Copyright Directive, the Directive of the European Parliament and of the Council on Copyright in the Digital Single Market, which aims at updating copyright rules.

Few topics have polarized opinion in Europe in recent years as much as this one. While supporters claim to have protected artists and to have dealt a blow to the American tech giants, critics have talked about the “death of the internet”.

For clarity, even though the Directive passed the European Parliament vote, the changes are not yet definitive and it may be too early to conclude what this decision entails. The text of the Directive will be further reviewed in subsequent negotiations, and there is still a slight chance that it may be rejected at another vote by the European Parliament in 2019. In addition, the Directive, even if (and when) definitively approved, will still need to be implemented by the individual Member States.

But which results does the Directive aim to achieve?

Its scope and purpose appear to be based on the evolution of digital technologies, which has changed the way copyright works and other protected material are created, produced, distributed and exploited, with the consequence that new uses, new players and new business models have emerged. The digital environment has given birth to new opportunities for customers to access copyright-protected content. In this new framework, right-holders face difficulties in being remunerated for the online distribution of their works. So, even if the objectives and principles laid down by the EU copyright framework remain valid, there is an undeniable need to adapt them to the new reality.

The Directive also intends to avoid the risk of fragmentation of rules in the internal market. In fact, the Digital Single Market Strategy adopted in May 2015 identified the need «to reduce the differences between national copyright regimes and allow for wider online access to works by users across the EU». The idea expressed in 2015 by the European Commission was to «move towards a modern, more European copyright framework». EU legislation purports to harmonize exceptions and limitations to copyright and related rights; however, some of these exceptions, which aim at achieving public policy objectives such as research or education, remain regulated at national level, with the consequence that legal certainty around cross-border uses is not guaranteed.

As to the content of the Directive, we note the following points:

  • With specific regard to scientific research, recital 9 of the Directive notes that the Union has already provided certain exceptions and limitations (even if optional and not fully adapted to the use of technology in scientific research) covering uses for scientific research purposes, which may apply to acts of text and data mining. Where researchers have lawful access to content, for example through subscriptions to publications or open access licenses, the terms of those licenses may exclude text and data mining.
  • Article 11, called the “link tax”, gives publishers a right to ask for paid licenses when online platforms share their stories. The amended version clarifies that this new right «shall not prevent legitimate private and non-commercial use of press publications by individual users». The amendment also tries to clarify what can be considered as “sharing a story”, indicating that mere hyperlinks cannot be taxed, nor can individual words.
  • Article 13, called the “upload filter” by its critics, sets forth that platforms storing and giving access to large amounts of works uploaded by their users shall conclude licensing agreements that include liability for copyright infringement, thus placing a large responsibility on platforms and copyright holders, which must «cooperate in good faith» to stop such infringement by carefully monitoring every upload.

The Directive has been designed with the intent to rebalance the core problem of the contemporary web: big platforms like Facebook and Google are making huge amounts of money by providing access to material made by other people. Nevertheless, critics object that this intent could lead to serious collateral effects.

We will see what the future of this Directive will be, and what consequences it will entail. The path still seems long, but, at least, it has started.

2017 New Year’s Privacy Resolution: Road to Compliance with the New European Privacy Framework

The year 2017 has already brought us some exciting changes. The beginning of the year is also the perfect time for appraisals of the past and resolutions for the near future. Whether we see it as a welcome enhancement of personal data rights or simply as another burdensome European set of requirements, 2016 delivered the new European General Data Protection Regulation (Regulation EU 2016/679, “GDPR”). 233 days have already passed since the GDPR entered into force, and 498 days remain until the new Regulation starts to apply on May 25, 2018. Roughly one third of the time given to comply with the new regulatory framework has already gone by. So, perhaps, the beginning of 2017 is a good chance to ask ourselves what has already been done in the first 233 days and what still needs to be done in the remaining 498 days in order not to miss the May 2018 deadline.

The GDPR imposes a much more burdensome level of compliance requirements on companies acting as data controllers and data processors.

Some of them require the assessment and preparation of organizational and implementing measures that need to be put in place well in advance of May 2018.

  • Data controllers and data processors must appoint a data protection officer (“DPO”). The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the DPO in performing his/her tasks by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his/her expert knowledge. The controller and processor shall also ensure that the DPO does not receive any instructions regarding the exercise of those tasks. Furthermore, the DPO shall not be dismissed or penalized by the controller or the processor for performing his/her tasks and shall report directly to the highest management level of the controller or the processor.
  • Data protection by design and by default will have to be implemented. The data controller: (i) both at the time of the determination of the means for processing and at the time of the processing itself, must “implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects”; and (ii) must “implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
  • A data protection impact assessment must be carried out. Such impact assessment must contain: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
  • Data controllers must guarantee the effectiveness of the data subject’s right to be forgotten and right to portability. This requires an assessment of the adequacy of the technical and organizational instruments currently available and, possibly, their improvement. More specifically, data controllers must be able to fulfill: (i) in relation to the right to be forgotten, their obligation to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”; (ii) as regards the right to portability, their obligation to allow data subjects to effectively exercise their right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller”.
  • Data controllers shall notify personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. This requires controllers to prepare appropriate notification forms and to put in place organizational measures that guarantee adequate resources to complete such a task.
  • The mandatory content of the written contract between the data controller and the data processor requires a revision of all such contracts. They shall include, inter alia, the obligations of the processor to: process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; delete or return all the personal data to the controller after the end of the provision of services relating to processing, including copies; make available to the controller all information necessary to demonstrate compliance with the obligations under GDPR; allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • Information notice forms currently in use will need to be revised. In fact, information to be provided to data subjects must include, inter alia: the contact details of the DPO; the legal basis for the processing; the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission; the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to data portability; the existence of the right to withdraw consent at any time for processing based on consent; the existence of the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling.
  • Data controllers and data processors must keep records of the processing activities under their responsibility. Records to be kept by data controllers shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organizational security measures. Records to be kept by data processors shall include: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the DPO; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, a general description of the technical and organizational security measures. Data controllers and data processors shall therefore dedicate and organize resources so as to be able to start keeping such records.

All this may appear daunting. Nevertheless, 498 days are more than enough to take all the necessary steps, if we let one of our New Year’s resolutions be to walk the road to compliance with the GDPR in a timely manner.

Italian Data Protection Authority Authorizes the “Privacy Shield”

The Italian Data Protection Authority has authorized the transfer of personal data to the United States on the basis of the new “Privacy Shield” program, designed by the European Commission and the U.S. Department of Commerce to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016 the European Commission deemed that the “Privacy Shield” offered adequate protection and could enable data transfers under EU legislation.

The Italian Data Protection Authority has now issued a general authorization for the processing and transfer of personal data in accordance with the “Privacy Shield” program and with the European Commission adequacy decision. The general authorization will be published today in the Official Gazette. Italian companies and multinational corporations active in Italy will therefore be able to transfer personal data to United States entities adhering to the “Privacy Shield”.

This latest decision comes after the expiration of the previous general authorization allowing the transfer of personal data to the United States pursuant to the “Safe Harbor” framework, held invalid by the Court of Justice of the European Union on October 22, 2015.

The European Commission plans to monitor the “Privacy Shield” continuously, while at the moment it remains unclear how many business entities will seize this opportunity and join the new program.

Artificial intelligence and robotics: a report reflects on legal issues

With the report issued by the European Parliament on May 31, 2016 (the “Report”), the European Union has stepped into the debate on how to deal with artificial intelligence and robotics (“AI&R”). The ultimate goal of the European Parliament is to set forth a common legal framework that may avoid discrepancies arising from different national legislations, which would otherwise create obstacles to the effective development of robotics.

The Report introduces ethical principles concerning the development of AI&R for civil use and proposes a Charter on Robotics, composed of a Code of Ethical Conduct for Robotics Engineers, a Code for Research Ethics Committees and Licenses for Designers and Users.

Furthermore, the Report suggests the creation of a European Agency for AI&R, with an adequate budget, which would be able to generate the necessary technical, ethical and regulatory expertise. Such an agency would monitor research and development activities in order to be able to recommend regulatory standards and address consumer protection issues in these fields.

The Report, which recommends that the Commission prepare a proposal for a directive on civil law rules on robotics, illustrates many of the issues that society could face in a few decades regarding the relationship between humans and humanoids. In fact, a wide range of robots can already affect people’s lives, and could do so even more in the future, in roles such as care robots, medical robots, human repair and enhancement robots, doctor training robots, and so on.

A further development that may be concerning for lawyers is connected to the announcement, a few days ago, by University College London that a computer has been able to predict, through a machine-learning algorithm, the decisions of the European Court of Human Rights with 79% accuracy. Will this result in a more automatic and predictable application of the law?

In order to secure the highest degree of professional competence possible, as well as to protect patients’ health when AI&R is used in the health field, the Report recommends strengthening legal and regulatory measures such as data protection and data ownership, standardization, safety and security.

One concern arising from the Report is civil liability arising from the use of robots. Should the owner be liable for damages caused by a smart robot? In fact, in the future, more and more robots will be able to make “smart” autonomous decisions and interact with third parties independently, as well as cause damage on their own. Should such damages be the responsibility of the person who designed, trained or operated the robot?

Some argue in favor of a strict liability rule, “thus requiring only proof that damage has occurred and the establishment of a causal link between the harmful behavior of the robot and the damage suffered by the injured party”.

The Report goes even further by asking the Commission to create a compulsory insurance scheme for owners and producers to cover damage potentially caused by robots and a compensation fund guaranteeing compensation for damages, but also allowing investments and donations in favor of robots.

Exciting times lie ahead of us. It remains to be seen whether the current legal principles will be sufficient or whether new ones will actually be necessary.