Foreword.

Millions of European internet users access online platforms where their personal data is being collected, processed, analysed or sold. The existence of some of the largest online platforms is entirely based on data driven business models. In the European Union, the protection of personal data is considered a fundamental right. Under Article 8(3) of the EU Charter of Fundamental Rights, compliance with data protection rules should be subject to control by an independent authority. In the EU, enforcement of privacy rules almost solely takes place by the national data protection authorities. They typically apply sector-specific rules, based on the EU Data Protection Directive. In the United States, the Federal Trade Commission is the primary enforcer of consumers’ (online) privacy interests. The agency’s competence is not based on the protection of fundamental rights, but on the basis that maintenance of a competitive, fair marketplace will provide the right choices for consumers to take. In this Article the US legal framework will be discussed and compared to the EU legal framework, which forms our finding that in the EU rules on unfair commercial practices could be enforced in a similar manner to protect people’s privacy. In the EU, the many frictions concerning the market/consumer-oriented use of personal data form a good reason to actually deal with these frictions in a market/consumer legal framework.

On the internet, we encounter take-it-or-leave-it choices regarding our privacy on a daily basis. In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful. Some websites use a tracking wall, a barrier that visitors can only pass if they consent to tracking by third parties. When confronted with such a tracking wall, many people click ‘I agree’ to tracking. A survey that we conducted shows that most people find tracking walls unfair and unacceptable. We analyse under which conditions the ePrivacy Directive and the General Data Protection Regulation allow tracking walls. We provide a list of circumstances to assess when a tracking wall makes consent invalid. We also explore how the EU lawmaker could regulate tracking walls, for instance in the ePrivacy Regulation. It should be seriously considered to ban tracking walls, at least in certain circumstances.

Proceedings of the conference 'Better regulation for copyright: academics meet policy makers', Brussels: University of Southampton & The Greems/EFA in the European Parliament, 6 September 2017, p. 11-16.

ALAI Congress 2017 in Copenhagen, Copyright, to be or not to be

Het is alweer zes jaar geleden dat de laatste kroniek over het Nederlands auteursrecht in Auteurs & Media is gepubliceerd(1). Hoog tijd dus om de draad op te pakken en de stok van mijn illustere voorganger over te nemen. Deze kroniek bespreekt de belangrijkste ontwikkelingen op het gebied van auteursrechtwetgeving en -beleid in Nederland in de afgelopen zes jaren, waaronder de introductie van het auteurscontractenrecht, de afschaffing van geschriftenbescherming, de versterking van het toezicht op collectieve beheersorganisaties en de implementatie van de Richtlijnen 2012/28/EU (verweesde werken) en 2011/77/EU (verlenging beschermingsduur naburige rechten). Door deze nieuwe wetgeving is de Nederlandse Auteurswet (Aw) en Wet op de naburige rechten (Wnr) op diverse plaatsen aangepast.

The dual purpose of this literature review is, first, to identify and summarise limitations that result from the use of copyright licences in a library context, and, second, to illustrate these limitations with specific examples available in both the academic and grey literature. The licences discussed in the reviewed literature deal essentially with access to, and use of, digital content.

Draft version. Final version published in Common Market Law Review, 2017, nr. 5, p. 1427-1466.

In modern markets, many companies offer so-called “free” services and monetize consumer data they collect through those services. This paper argues that consumer law and data protection law can usefully complement each other. Data protection law can also inform the interpretation of consumer law. Using consumer rights, consumers should be able to challenge excessive collection of their personal data. Consumer organizations have used consumer law to tackle data protection infringements. The interplay of data protection law and consumer protection law provides exciting opportunities for a more integrated vision on “data consumer law”.

Amsterdam / Hong Kong: IViR, 2017.

This report presents and draws on multidisciplinary insights into what characterises effective user control over the collection and use of personal data. User controls arise from the interplay of a number of conditions. These are partly technical but also connected to different aspects of user behaviour, the intricacies of design, as well as the internal and external incentives in privacy governance that exist today. Our review of the state of research underscores that devising effective user controls require close collaboration between different disciplines, clear regulatory guidance and scientifically-backed assessments.

The extent to which digital consumption of pirated materials displaces legitimate purchases is of fundamental importance for EU copyright policy design. The European Commission has commissioned Ecorys to carry out a study on the relation between online copyright infringement (digital piracy) and sales of copyrighted content. This study adds to the existing literature in at least three ways. Firstly, it compares piracy rates in multiple EU Member States calculated according to the same methodology. This makes it possible to compare results between countries. Secondly, displacement rates are estimated in the presence of an important recent phenomenon, i.e. the widespread availability of a wide variety of services for downloading or streaming content. Thirdly, the study includes minors to assess the extent of piracy among this group.

Under European data protection law, consent of the data subject is one of the six grounds for lawful processing of personal data. It is such an important ground that lawmakers considered it necessary to provide a legal definition of consent. One of the conditions under this definition is that it needs to be “freely given.” The General Data Protection Regulation (GDPR) 3 has further expanded on this concept in Article 7(4). It refers to a situation under which consent might not be considered “freely given.” If consent is invalid because it is not freely given, the processing is usually unlawful. Consequently, a legal basis for processing is missing. Therefore, this is an important provision. Yet the wording of this new provision is vague and its scope is unclear. Thus, the question arises as to how Article 7(4) should be applied. In this paper, the authors tease out the assessment criteria for the application of this provision on the basis of its text, structure and history. These criteria will then be applied to hypothetical cases in the final section.

In: Bulk Collection: Systematic Government Access to Private-Sector Data, ed. F.H. Cate & J.X. Dempsey, Oxford University Press, 2017, ISBN: 9780190685515.

There are many ways to approach the question of government access to private-sector data. Much of the recent public debate has focused on access in the context of national security and traditional law enforcement, with respect to both targeted and untargeted access to data collected and processed by third parties. As more and more data is collected and stored by the private sector (“big data”), the amount of data that can be retrieved by governments is steadily increasing. A new “third domain” has emerged, where data is used for social security and tax surveillance and other types of non- traditional law enforcement. The Digital Rights Ireland case is the point of departure of this chapter. Next, two recent judgments by national courts are described, in which national data retention rules were tested against the ruling in the Digital Rights Ireland case and the necessity of independent oversight was discussed in further detail. This chapter draws from a recent study by the Institute for Information Law (IViR) to formulate standards for independent oversight. These standards are based on a broader analysis of the relevant jurisprudence of the European Court of Justice— including the Digital Rights Ireland case— and of the European Court of Human Rights (ECtHR). The analysis is also based on selected studies, reports, resolutions, and recommendations.

IRIS Special, 2017-1, European Audiovisual Observatory, Strasbourg, ISBN: 9789287184870

Publication forthcoming in Kritika. Essays on Intellectual Property, Vol. III

This paper argues against the idea of a ‘data producer’s right’. Introducing a property right in machine-generated data would seriously compromise the system of intellectual property law that currently exists in Europe. It would also contravene fundamental freedoms enshrined in the European Convention on Human Rights and the EU Charter, distort freedom of competition and freedom of services in the EU, restrict scientific freedoms and generally undercut the promise of big data for European economy and society.

This article assesses how the European Court of Human Rights has responded to the argument that holding online news media liable for reader comments has a chilling effect on freedom of expression. The article demonstrates how the Court first responded by dismissing the argument, and focused on the apparent lack of evidence for any such chilling effect. The article then argues that the Court has moved away from its initial rejection, and now accepts that a potential chilling effect, even without evidence, is integral to deciding whether online news media should be liable for reader comments. Finally, the article argues that this latter view is consistent with the Court’s precedent in other areas of freedom of expression law where a similar chilling effect may also arise.

Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.