Technology Media & Telecommunications. Data Protection & Freedom of Information

Contents

Belgium

Data Protection & Freedom of Information 1 Telecoms 17

Two Years On SWIFT Receives A Clean Bill of Health The Belgian Privacy Commission has finally completed its investigation into SWIFT’s disclosure of information to the US Treasury. It has issued a detailed and comprehensive decision, concluding that SWIFT duly complies with all the provisions of the Belgian data protection law. The investigation and decision, on which Linklaters advised SWIFT, also acknowledge the difficult position private organisations are placed in when presented with conflicting legal demands from different states. A brief history of the SWIFT affair SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a Belgium-based co-operative company. It provides a secure and encrypted financial messaging service to over 8,300 banking organisations, securities institutions and corporate customers and handles millions of messages per day. SWIFT stores copies of these messages in two operation centres, one in Europe and the other in the US, for resilience purposes. Some of the financial instructions are made on behalf of individuals and, therefore, contain personal data. SWIFT moved into the spotlight in June 2006 when the New York Times revealed that SWIFT had been subject to a number of subpoenas requiring it to disclose messaging information to the US Treasury. The European data protection authorities reacted rapidly and violently to this revelation. Opinions on the disclosure were issued in rapid succession by the Schleswig-Holstein, Belgian and Swiss data protection authorities and both the Article 29 Working Party and the European Data Protection Supervisor strongly challenged the disclosure. The reasoning in these opinions varies, and is sometimes contradictory, but, in the main, they found that: •

SWIFT was data controller or joint data controller in respect of the information (though dissenting views were expressed by the Schleswig-Holstein and Spanish data protection authorities);

Issue 49 ⏐ December 2008

1

•

transferring information to the US operation centre and subsequently disclosing it to the US authorities was in breach of data protection law; and

•

inadequate information was provided to the relevant data subjects and authorities.

SWIFT being established in Belgium, the Belgian Privacy Commission is responsible for any formal enforcement action. Accordingly, the Privacy Commission followed its initial opinion of September 2006 with a control procedure and a recommendation procedure. The recommendation procedure allows for a more detailed investigation and for SWIFT to present its position and arguments. Both procedures have now been completed. The Privacy Commission has issued a final decision (the “Decision”) and closed the case against SWIFT. Overview of the Privacy Commission’s Decision The Privacy Commission’s Decision runs to 80 pages and sets out a detailed and comprehensive analysis of SWIFT’s operations and their compatibility with Belgian data protection law. The key finding is that there was no serious or repeated violation of data protection laws by SWIFT. The Decision looks in detail at the various processing activities carried out by SWIFT and, in relation to each different type of processing, whether SWIFT would be data controller. The conclusion is that SWIFT primarily acts as de facto delegate of the community of users of its messaging service, such community being considered as data controller. SWIFT is only acting as data controller to a limited extent in relation to data it is retrieving and anonymising for statistical and other analytical purposes. This is important for the wider community as this shows that the radical position adopted previously about who is and is not a data controller, has been substantially moderated. In light of this finding, SWIFT has filed two notifications of its processing on the Belgian data protection public register. The Decision also recognises that SWIFT’s disclosures were made in response to the binding subpoenas from the US Treasury. Moreover, SWIFT negotiated a detailed framework to regulate any such disclosures that provided a high level of protection to this information. In particular:

2

•

the US Treasury’s requests have to be for precise types of messages, over set dates and for specified names. “Fishing expeditions” are not permitted;

•

the messaging information could only be used for the fight against terrorism;

•

the information had to be confirmed from a separate source before being used; and

Issue 49 ⏐ December 2008

•

control mechanisms are set up to ensure compliance with these conditions.

SWIFT has also taken a number of steps to complement its legal obligations under data protection laws and to better protect personal data. These steps include: •

establishing a new operating centre in Switzerland for inter-European messages; and

•

the appointment of a full-time Privacy Officer and regular meetings of a data protection working group made of SWIFT users and its representatives to monitor compliance.

Are we still caught between a rock and a hard place? The SWIFT case vividly illustrated the problems many organisations face when dealing with conflicting legal obligations, particularly those arising out of compliance with US law. Other notable examples include the whistleblowing obligations required by the Sarbanes-Oxley Act and disclosure requests from the SEC. The Decision provides some acknowledgement that private companies are unable to resolve these conflicting obligations single-handedly. The correct approach would be to establish international control and governance structures to protect privacy rights in a world where data flows freely. The Decision is available in Dutch here and in French here By Tanguy Van Overstraeten, Brussels and Richard Cumbley, London

Dismissal Of Employee Valid Despite Alleged Privacy Violation In September 2008, the Antwerp Labour Court of Appeal decided that in certain circumstances an employer can dismiss an employee for serious cause based on the monitoring of their Internet use. This decision is interesting as it is at odds with the current Belgian legal framework which strictly regulates electronic communication monitoring. Internet by the back door The affected employer had introduced a new secured Internet connection for use by employees with a firewall to block access to unsuitable Internet sites. However, an employee in the IT department managed to bypass this new highly secured connection and connected his computer to the old unsecured connection. When the employer discovered the employee was not using the new secured connection they installed a monitoring system to track the employee’s internet usage. This revealed the unsecured connection was being extensively used for private purposes and projects. As a result, the employee was dismissed for serious cause. Technology Media & Telecommunications

3

Alleged violation of CBA No. 81 The employee argued that the evidence used to justify his dismissal was not admissible as it had been obtained in violation of Collective Bargaining Agreement No. 81 (“CBA No. 81”). In particular, the employee was not informed that the monitoring was taking place. However, the Court decided the monitoring tool was installed for network security reasons so no prior information is required and there was no violation of CBA No. 81. The Court also referred to the IT Policy for the employer, which had been signed by the employee and which expressly reflected on the principles of CBA No. 81. This also indicated that the monitoring activity was not illegal. Results of monitoring not considered as illegal evidence What is more interesting is the Court’s comments that, even if the installation of a monitoring tool was illegal, the results of such monitoring would not constitute illegal evidence. Taking into account all circumstances of the case, the evidence was still reliable and did not endanger the due process of law. Where does this leave monitoring of employees in Belgium? Compared to a number of other recent cases, this decision shows a much more lenient approach to the use of monitoring results as evidence in court. It also demonstrates that monitoring employees can lead to different conclusions in different contexts. This decision certainly does not mean that employers have “carte blanche” for monitoring employees; IT usage even if such monitoring is properly documented and proportionate. Employers should still assess monitoring procedures prior to their implementation and implement appropriate policies to ensure that evidence is admissible if the employer needs it in any dismissal proceedings. By Didier Wallaert and Tanguy Van Overstraeten, Belgium

4

Issue 49 ⏐ December 2008

France Withdrawal of Big Brother Database: CNIL Wins The Battle But Not The War Topical data protection issues vary between European Member States with some currently concerned with breach of security and others concentrating on transborder dataflow. In France, the key issue currently debated in the press is state surveillance and the creation of a new police database. The controversy has also demonstrated the powers of the French Data Protection Authority, the CNIL, and its President, Alex Türk, a senator of the Northern region and President of the Article 29 Working Party. In fact, the Decree creating the new French police database (Decree n°2008-632 dated 27 June 2008), EDVIGE, was only made public following intervention by the CNIL. The main aim of EDVIGE was to provide the French police with information about individuals involved in political, institutional, economic, social or religious matters as well as on individuals or entities who “may be” a threat to public order. This type of database is not a new concept in France. Indeed, its predecessor is the joint database of two French Intelligence Services (“Renseignements Généraux” and “Direction de la Surveillance du Territoire”), which was created in 1991 and is said to contain information on 20 million people. The Decree providing for the creation of EDVIGE was introduced as a result of the Interior Ministry merging these two intelligence agencies into the Central Directorate of Internal Intelligence (“Direction Centrale du Renseignement Intérieur”). Publication of details of the EDVIGE database led to a massive public outcry. More than 200,000 people have signed a petition opposing its introduction and use. Opponents of the database worried that it will be used arbitrarily by the police. A number of politicians also objected to the database and have asked the French Supreme Administrative Court (“Conseil d’Etat”) to cancel, suspend or withdraw the relevant decree. Even French Defence Minister, Hervé Morin, has criticised EDVIGE. Thus, on 19 November 2008, the French Prime Minister eventually withdrew the Decree creating EDVIGE, but the issue is still topical as a similar database is about to replace it. The information has also leaked to the public that EDVIGE has a hidden “little sister” named CRISTINA. CRISTINA is another database supposed to contain data identical to EDVIGE’s, which would be used for counterterrorism and counter-espionage. Unlike for EDVIGE, the decree relating to CRISTINA has not been published. A group comprising the League of Human Rights, amongst others, has recently requested cancellation of such decree before the Conseil d’État. To understand why the EDVIGE database has created such controversy, it is necessary to first consider the type of information collected and how it might be used. Technology Media & Telecommunications

5

About whom could data be collected? Information about a wide range of people could be collected and stored on EDVIGE. The Decree permitted collection of information about: (i)

Anyone who has ever sought, held or is holding a political, trade-union or economical role or who plays a significant institutional, economic, social or religious role. The inclusion of individuals who play a significant role in institutional, economic, social or religious affairs means that EDVIGE could collect information about a much wider range of individuals than the earlier 1991 database.

(ii)

Individuals, groups, organisations and entities which might endanger “public order”. The expression public order is not entirely clear and could be subject to a wide interpretation by French police authorities.

(iii)

Candidates for “sensitive jobs” (such as, for instance, security guards, judges, prefects) for the purpose of investigating their suitability. Hence, there was a risk that investigations of morality for such candidates would include an assessment that is based on political, religious or union membership as well as on behaviours which are considered potentially to be a threat to public order (which, as indicated, can be interpreted very widely).

Moreover, information could be collected not just on the individuals listed above but also on individuals who are or have been in direct contact with such persons. The Decree also permitted the collection of information on individuals as young as 13 years old. What information was collected? EDVIGE could collect a very wide range of information including, inter alia, civil status and occupation, full address details including e-mail address, distinguishing marks, pictures and behaviours, tax information, criminal record and more importantly ethnic origins, political, philosophical or religious opinions, union membership and information on health and sexual life. This juxtaposition of “sex” and “health” has led to allegations that HIV status would be included in the database. What about individuals rights? The Decree placed a number of restrictions on the fundamental rights of data subjects: (i)

6

Firstly, subject access rights were only allowed indirectly via the CNIL. In addition, as regards police files in general, the data controller could refuse access to data where it considered, on a discretionary basis, that such communication would be a threat to public security. Moreover, it appears that in practice, information is generally provided with a delay ranging from several months to two years (see Blog

Issue 49 ⏐ December 2008

Dalloz, “L’opinion publique et le fichier EDVIGE: un sursaut citoyen salutaire”, 10 September 2008). (ii)

Individuals falling into the scope of EDVIGE were not granted the right to object to the processing of their data.

Of course, there is a justification for these restrictions given the purpose of this database was primarily to protect public order and national security. However, in the present case, given the scope of EDVIGE it seems difficult to find it fully legitimate or proportionate. This is particularly the case given EDVIGE did not impose any time limit for retaining the data except where data was collected for the purpose of an administrative investigation. Proposed amendments In light of the huge controversy this database has provoked, the French Government has proposed a number of modifications to EDVIGE. Thus, a draft “EDVIGE 2.0” renamed EDVIRSP was transmitted to the CNIL for its consideration in September 2008. The main changes are: (i)

Taking data relating to health and sexual life out of the scope. However, racial and ethnic origins, political, philosophical or religious opinions and union membership can still be collected.

(ii)

Individuals involved in politics, trade-unionists and religious personalities cannot now be included in the database. These individuals will, however, be filed in an administrative directory managed by prefectures.

(iii)

Individuals can only be included in the database if they endanger “public security”, as opposed to “public order”.

(iv)

Stricter controls over recording information about minors. Their details should be erased when they reach the age of 18 in principle or at the age of 21 where any event falling into EDVIRSP’s scope occurs between the ages of 16 and 18.

Given the level of opposition to EDVIGE / EDVIRSP, the French government should also consider relevant decisions of the European Court of Human Rights. For example, the storage of certain information in the Swedish security police files and the refusal of Swedish authorities to reveal the extent of the information stored. Sweden was criticised because individuals were not granted any effective right to obtain deletion of the concerned data, within the meaning of article 13 of the European Convention on Human Rights (right to an effective remedy) (see Segerstedt-Wiberg and Others v. Sweden). Wider perspective and new dangers This matter has certainly given a new weight to the CNIL, whose stance has attracted huge support from the French population.

Technology Media & Telecommunications

7

Alex Türk has used the opportunity, given the audience on this subject, to voice his other concerns and to increase public awareness about the dangers of less obvious “surveillance” be it by the state or by other parties. Indeed, amongst the issues which he considers as “1000 times more disquieting than EDVIGE” (Telerama.fr, Alex Türk: le plus grand danger ce n’est pas Edvige, c’est le traçage des personnes. ) he has pointed out the development of “people tracking” via cell phone, credit cards, transport passes, geo-localisation, biometrics, Internet etc. Alex Türk also highlights the privacy dangers of social networks, namely Facebook. The President of the CNIL militates for a “droit à l’oubli” (i.e. to enable users to withdraw personal data they have provided to such websites). The task is challenging due to the extent of the types of data (texts, photos, videos etc.) and their rapid spread across the Internet. In the context of the information society, control of personal data is definitely a growing issue. By Stephanie Faber and Grégory Sroussi, Paris.

Spain Jurisdiction and Branch Offices The Spanish Data Protection Agency (the “AEPD”) recently considered if branch offices based in Spain are subject to Spanish data protection law. While its conclusions on this issue are unlikely to be controversial, some of its other findings will be of concern. Jurisdiction and establishment The AEPD recently issued a report on jurisdiction in response to a query from a data controller. The report sets out the AEPD’s opinion on the application of Spanish Organic Law 15/1999, on personal data protection (the “Spanish Data Protection Act”) and Royal Decree 1720/2007 approving the regulations implementing the Spanish Data Protection Act (the “Royal Decree 1720/2007”) to Spanish branches of companies located in another Member State of the European Union. The starting point is articles 2.1 of the Spanish Data Protection Act and 3.1 of Royal Decree 1720/2007, which confirm Spanish data protection law shall apply if processing is carried out in Spain in the framework of the activities of an establishment of a data controller. This is in accordance with article 4 of the Data Protection Directive. Therefore, if a company is located in the European Union and operates through a branch in Spain, the relevant criteria for the application of Spanish data protection law will be whether the decisions on the purposes, content and use of the data processing are taken by the Spanish branch or by the EU company. In this regard, it is worth noting that under Royal Decree 1720/2007, entities without legal personality acting as separate parties in the market may also be data controllers.

8

Issue 49 ⏐ December 2008

Accordingly, the AEPD concludes that if a branch decides on the purposes, content and use of the data processing, the branch shall be responsible for the data processing and compliance with Spanish data protection law (rather than the regulations of the country where the company is located). And what if the decisions are taken jointly? The report states nothing in this respect. Transfers between branch and parent company The more surprising part of the analysis relates to the transfer of personal data between the branch and its parent company - i.e. within the same legal entity. The AEPD considers that such transfers must each be justified under Spanish data protection law. This means they must comply with the principle of consent if none of the exceptions to the principle of consent applies and must comply with the right of information of the data subject. However, in this case, at least, there would not be an international transfer of data, given that the parent company is within the European Economic Area. The question that should now be raised is whether the AEPD will make a distinction as to which business unit within an organisation decides on the purposes, content and use of data processing, and whether, accordingly, the transfer of data between business units even within Spain itself will have to comply with the right of information of the data subject and principle of consent. By Carmen Burgos and Carmen Guillén, Madrid

Technology Media & Telecommunications

9

The PRC Update on Data Privacy There is growing concern within the People’s Republic of China (the “PRC”) about data privacy. However, the regime in the PRC is, unlike in European countries, under-developed and there is not a single overarching law governing the protection of personal data. This article considers the current status of the law and recent proposals for change. Current status A general concept of privacy is partly recognised by the fundamental laws of the PRC. The PRC Constitutional Law provides that ‘personal dignity’ and the ‘freedom and privacy of communication’ are fundamental human rights and sets out several general principles for their protection. In the PRC Civil Law, a general ‘right to reputation’ is recognised, and any written or oral disclosure that has a negative impact on the privacy of the persons concerned may be considered as an infringement of their ‘right of reputation’. There is unfortunately little guidance as to what is meant by ‘privacy’ or ‘negative impact’. As in some other countries, there is also a patchwork of other laws and regulations in the PRC with specific application to the protection of certain types of personal data such as bank customer records, credit status, personal insurance information, medical records and tax data. For example, data privacy protection is a particular issue for financial institutions doing businesses in the PRC. Commercial banks, and insurance companies, are generally obliged, under the PRC Commercial Banking Law, the PRC Insurance Law and PRC Anti-Money Laundering Law, to keep the personal information and transaction records (such as bank deposits, credit card and internet banking transactions) of each client confidential. Commercial banks are however expressly allowed, under the Electronic Banking Administration Regulations, to transmit their electronic banking business data to an affiliate for internal corporate purposes as long as adequate measures have been adopted to preserve the confidentiality of this business data. The way ahead The PRC has, however, sought to increase the level of protection for personal data. In August 2008, there was a proposed amendment to the PRC Criminal Law, to criminalise employees in government agencies, financial institutions, telecommunication, transportation, education and medical institutions, who, in violation of the law, sell or provide to any other person the personal data obtained from the performance of their duties or from the provision of services. Such breaches could, in a serious case, result in up to three-years’ imprisonment, as well as fines. The punishment also

10

Issue 49 ⏐ December 2008

applies to those who have access to such personal data via theft, purchase or other illegal means. It is worth noting that a general draft PRC Personal Information Protection Law has been talked about for years but has not yet been released to the public. Some reports indicate that the latest draft PRC Personal Information Protection Law would address relevant issues such as introducing obligations and restrictions on both government and non-government institutions regarding their collection and processing of personal information. It remains unclear whether this law would also provide for a central authority for the enforcement of personal information protection. By Vincent Zhang, Shanghai

Technology Media & Telecommunications

11

United Kingdom The Leaking Of The BNP Membership List The membership list for the British National Party, a party to the right of the political spectrum, was recently published on the internet, copied and widely disseminated. Regardless of one’s opinion of the BNP, this is a serious breach of data protection legislation and the members’ right to privacy. This article considers the background to the breach and the implications for the various parties involved. Genie from the bottle The membership was first published on a blog, allegedly by a disgruntled former employee. Once published it was copied and rapidly disseminated across the, web being uploaded to wikileaks, appearing on a number of torrent sites and even included in a Google maps mash up, allowing each member to be located on a map. While the list was rapidly removed from the original blog and a number of other sites, it remains widely available. Google lists over 1,000 sites holding a copy. The list itself is in the format below. The “Other Information” field contains a range of information such as details of members’ professions (including a number of solicitors, police officers and teachers) or hobbies (including “growing mistletoe” and “rune making (wood)”): > Name > Address > Telephone Number > Email Address > Other Information The ramifications for members of the BNP have been serious. There are reports of members being harassed and even firebombed and members in the police force and prison service face dismissal as a result of a ban on membership. Some people on the list deny being members of the BNP and claim to have only had incidental contact with the BNP - for example, one couple who claim they were only included because they were invited to a BNP social event. Implications: The BNP The Information Commissioner announced it is investigating the leak. The thrust of this investigation is likely to be the technical and organisational measures used by the BNP to protect the members list. This is not a straightforward issue. On the one hand, it appears the disclosure of this information was an inside job by a disgruntled former member. This would have made it difficult for the BNP to prevent the data being stolen, particularly if that member needed regular access to the list, and so cannot be compared with other data losses where information was lost on a train or in the post. On the other hand, the information is “sensitive personal data” and should have been given a high level of protection. 12

Issue 49 ⏐ December 2008

Moreover, the BNP’s obligations to take appropriate measures also require it to ensure the reliability of employees who have access to this information. Much will depend on the facts. If the BNP did not have proper access controls to the members list or failed to check the bona fides of the member who accessed it, then enforcement action could be on the way. There may also be subsidiary compliance issues. If some people included on the list are, in fact, not members of the BNP then there will be difficult questions about the accuracy of the list. It also seems excessive to record information such as “growing mistletoe” in the Other Information section, though this is of a lesser order and in general the Other Information on the list is relatively sparse. Implications: The leaker The implications for the person(s) leaking the information are also serious. The BNP will be data controller of the list and the information was posted on the internet without its consent. This means that the leakers has almost certainly committed an offence by unlawfully disclosing personal data (see section 55 of the Data Protection Act 1998) and there are reports that Nottinghamshire police have already arrested two people in connection with this leak. The maximum penalty for this offence is currently an unlimited fine, though the Government has the power to increase this penalty to two years’ imprisonment. Those leaking the information ought to be relieved this sanction is not currently available. If they were then a custodial sentence would clearly be appropriate in these circumstances. The leaker could also have civil liability to the BNP members for misusing their private information (in accordance with Article 8 of the European Convention of Human Rights) and to the BNP for infringing its copyright and database rights in the list. Finally, there are reports that the leaker(s) may have been subject to an injunction preventing further disclosure of the information. If so, they will have contempt of court to add to the list. Implications: Websites hosting the list Any website hosting the list also faces a range of liability. It may be in breach of the Data Protection Act 1998, though this depends on whether it is are controller or processor in respect of this information. It could also be infringing the copyright and database rights of the BNP and also be liable for misusing the private information of the members. However, the websites should benefit from the notice and takedown provisions in the e-Commerce Directive. As long as a website is only hosting that material on a third party’s behalf (i.e. it has not published it itself) and removes it promptly once it has notice, it may well escape liability. This explains why the list of websites hosting the list changes frequently and many of them are based in remote jurisdictions.

Technology Media & Telecommunications

13

Implications: BNP members Finally, the leak will have implications for the members of the BNP. Some are unconcerned about the leak. The BNP’s discussion board includes comments such as “I am proud to be on the list of members of the most decent, honest, forthright and unashamedly British party in Great Britain”. However, other members will be very aggrieved by this disclosure, especially where the disclosure has led to harassment or dismissal from their employment (as may be the case if the member is a police officer or prison warden). These members will have a range of options available to them. If the BNP did not provide adequate protection for the list then there may be a right to compensation under the Data Protection Act 1998 and an action against the BNP for breach of confidence (as exemplified by the recent decision of the European Court of Human Rights in I v Finland). Similarly, they may have an action for misuse of their personal information against the leaker and against the websites hosting the material. A serious breach The disclosure of this information is a serious matter. The leader of the BNP, Nick Griffin, may consider there is a positive spin to this and that: “The whole affair has blown up in the faces of the plotters and the anti-British traitors”. However, many of his members may be less pleased about their data protection and privacy rights being infringed in this manner. By Amy Dixon and Peter Church, London Is Your Information Safe With The FSA? Financial services firms have become relatively comfortable that information provided to the FSA will not be disclosed under the Freedom of Information Act 2000 (“FOIA”). This is because the FSA is subject to a statutory prohibition on disclosure of information it receives in the course of its duties. However, a recent decision by the Information Tribunal tests the limits of this prohibition and found that information such as informal settlements may not be protected as it is not “received” by the FSA. The decision is subject to appeal but is clearly relevant to any firm considering an informal settlement with the FSA in the meantime. The Lautro 19 The Tribunal’s judgment relates to two requests for information to the FSA. The first asked for the names of the firms who used inappropriate charges when providing endowment mortgages, the so-called Lautro 19. The second is for the names of firms who were subject to a mystery shopping exercise. This article concentrates on the former request. The use of inappropriate charges was a serious issue. Inappropriate charges have been applied to over 600,000 policies and the firms agreed to pay compensation estimated to be £274 million. However, because the firms had paid compensation voluntarily, the FSA did not censure them or take any

14

Issue 49 ⏐ December 2008

other enforcement action. The FSA’s view was that a firm that “co-operates with this approach does not expect to be the subject of the formal sanction of publicity”. Moreover, “disclosure of the names of companies now would potentially undermine the willingness of those companies, and regulated companies in general, to engage in open dialogue with it”. Such arguments did not impress the Information Commissioner who decided that the names of the firms were not exempt and must be disclosed. The FSA appealed against that decision to the Tribunal. Preliminary issues: Statutory bar on disclosure The request potentially engages a number of exemptions, including that disclosure would prejudice its law enforcement activities and would prejudice the commercial interests of the Lautro 19. However, the Information Tribunal decided to deal with a single exemption as a preliminary issue - whether disclosure of the names of the Lautro 19 is prohibited by or under an enactment (section 44 FOIA). The relevant statutory provisions are: •

section 348 of the Financial Services & Markets Act 2000 (“FSMA”), which prohibits the FSA from disclosing information received for the purposes of its functions; and

•

sections 205-207 of FSMA, which prevents the FSA publicly censuring a firm without following statutory procedures.

Section 348: Did the FSA “receive” the information? The FSA received a wide range of information from the Lautro 19 as part of their investigation and, on the basis of that information, the FSA concluded that those firms had applied inappropriate charges. The issue was whether disclosure of the firms’ names is an implicit disclosure of the information collected earlier in the process. In deciding this issue, the Information Tribunal referred to Melton Medes v SIB [1995] CH 137. In relation to the predecessor to section 348, Lightman J decided that “Disclosure of what is a mere possible deduction from information is not as it seems to me, at least in this context, disclosure of the information itself”. Applying such reasoning, the disclosure of the firms’ names would not result in the disclosure of any information received by the FSA as it is not “possible to effect a trail back to the confidential information which was in issue”. In particular, disclosure of this information would not enable anyone to discover the nature of the inappropriate charges, the period during which they were used or any other information received as part of the investigation. As an alternative, the FSA argued that releasing the firms’ names would disclose some form of agreement between the firms and the FSA to compromise the dispute. However, the Tribunal dismissed the suggestion that any such agreement could constitute information “received” from the firms in question (following similar reasoning to the Tribunal’s decision in Derry City Council v Information Commissioner). Technology Media & Telecommunications

15

Sections 205-207: Is disclosing the firm’s names a public censure? The FSA has the power to publicly censure a firm under section 205, subject to a number of safeguards including an obligation to serve a warning notice, to give the relevant firm a right to state their case and a right to appeal to the Financial Services and Markets Tribunal. The FSA argued that disclosing the names of the Lautro 19 would be a finding that those firms had used inappropriate charges and had been held liable to compensate customers. It would therefore amount to issuing a public censure without applying the necessary safeguards and due process. The Tribunal had little time for this argument, finding that the relevant prohibitions in FSMA did not constitute a prohibition on disclosure and, even if they did, they were not applicable to disclosures under FOIA. The Tribunal was also dismissive of the suggestion that the disclosure would be an infringement of the firms’ right to a fair trial and right to privacy under Articles 6 and 8 of the European Convention on Human Rights. The firms’ settlement with the FSA was a voluntary choice on their part and they did not reserve their rights under Article 6 or 8. Moreover, Article 8 does not constitute a statutory prohibition on disclosure for the purposes of FOIA. Appeal to the High Court The FSA has already lodged an appeal at the High Court challenging the Tribunal’s interpretation of section 348 and sections 205-207. This is unsurprising as the decision could have a serious impact on the FSA’s ability to reach informal settlements with firms in the future. Moreover, if the FSA does release the information, and the Tribunal’s interpretation is incorrect, then the FSA risks committing an offence. If the appeal is unsuccessful then the Tribunal will have to consider if the information is exempt for other reasons, for example because disclosure would prejudice its law enforcement activities and would prejudice the commercial interests of the Lautro 19. Therefore, it may be some time before the firms’ identities are uncovered. The Information Tribunal’s judgment in Financial Services Authority v Information Commissioner EA/2007/0093 and 0100 is available here By Peter Church, London

16

Issue 49 ⏐ December 2008

Telecoms Belgium Government Tunes Into Radio Regulation Radio stations of the French-speaking Community of Belgium have been effectively unregulated for the last ten years. Since the last analogue licences expired in December 1997, radio stations have used frequencies in the FM wave band without complying with any rules, including basic rules to avoid interference, such as keeping a distance of at least 0.3 MHz between two radios. However, the Government of the French-speaking Community has recently stepped in to regulate and legitimise the radio sector. The Government launches tender On 21 December 2007, the Government of the French-speaking Community enacted several decrees and the corresponding implementing ministerial decisions to properly regulate the radio sector. The intention was to set up a radio network plan, establish a register for radio frequencies and launch a bid for tenders specifying the requirements for candidates to apply for a radio frequency. A tender for such frequencies was launched on 22 January 2008 and was based on four main selection criteria: •

promotion of culture, including broadcasting quotas of Frenchspeaking productions;

•

originality and innovation of the radio programme;

•

informative value. This considered the quality and independence of the management, involvement of professional journalists, etc.; and

•

technical and financial stability.

In addition, a frequency plan was adopted by the French-speaking Community to prevent operators from gaining excessive market power likely to harm the public interest. SCA selects new radio providers The Conseil supérieur de l’Audiovisuel (“SCA”), which is responsible for audiovisual matters in the French-speaking Community in Belgium, was responsible for the award of the new radio broadcasting licences and specifying the conditions attaching to such licences. The SCA received 163 responses to the tender and, on 17 June 2008, it awarded 10 provisional or urban licences and 78 licences for independent radio stations. The award was intended to reflect fundamental principles such as pluralism and diversity in light of the sociological and cultural needs of the French-speaking Community. In order to meet these requirements, the applications were broken down into five groups: Technology Media & Telecommunications

17

•

generalist stations which cover a wide range of content and appeal to the general public regardless of their location;

•

thematic stations which are specific to a particular musical or editorial theme;

•

local radio stations covering a particular geographic area;

•

free expression stations which are not commercially-oriented but rather are intended to promote proactive citizenship; and

•

community radios which are culturally-oriented towards a particular group.

The 88 licences entered into force on 22 July 2008. Radio stations without licences had to immediately stop broadcasting or face enforcement procedures conducted by the relevant federal authority and the Belgian Institute for Postal Services and Telecommunications (“BIPT”). Not all available slots were taken up in the first tender. Six slots for independent radio and one multi-cities radio network were still available. On 4 July 2008, the Government of the French-speaking Community launched an additional tender by way of three new decrees. The SCA awarded these new licences on 16 October 2008. Further developments Several dismissed candidates commenced proceedings against the SCA’s decision before the Council of State alleging serious prejudice as a result of being forced to stop their broadcasting activities. The Council of State admitted some of these claims and dismissed others. For example, the Council of State dismissed proceedings by the popular radio station “Mint” (operated by the RTL Group). The SCA refused to grant a licence to Mint to prevent a concentration of market power between it and other RTL stations such as Radio Contact and Bel RTL. New enforcement powers for the BIPT The Royal Decree of 26 January 2007 regarding the police of the waves for frequency modulation within the 87.5 MHz – 108 MHz waveband entered into force on 1 June 2008. This gave BIPT power to control and enforce regulations vis-à-vis radio broadcasters from this date to become the socalled “police of the waves”. The BIPT’s powers include intervention and arbitration between radio stations in the event of disputes regarding the allocation of radio frequencies or interference problems. It also controls technical aspects of radio broadcasting such as the authorisation to broadcast, the schedule and means of broadcasting, the allocated frequency, the infrastructure used for broadcasting, the maximum volume authorised for radio transmission. The BIPT can exercise its powers at its own initiative or upon request of a

18

Issue 49 ⏐ December 2008

Community, a regulatory authority (such as the SCA), a prosecutor, an individual or a legal entity authorised to broadcast. Under the Royal Decree, the BIPT can take the following action: •

broadcasting without a licence - the BIPT may order an end to the broadcasting. In order to ensure that the radio transmitter will not be put into service again, the BIPT may take all appropriate measures, including seizure of the equipment;

•

breach of radio licence - the BIPT must inform the relevant Community and take all appropriate measures to ensure that the broadcaster complies with their licence terms. In the event of recurrent offence, the BIPT may request the end of the broadcasting and seize the equipment.

Conclusion The new framework for radio in the French-speaking Community should provide benefits to both radio audiences and francophone radio stations. Radio audiences should benefit from a greater choice of quality radio stations. The new frequency plan should offer francophone radio stations better security and protection against interference. However, this new frequency plan has been subject to much criticism from unhappy listeners who have lost their favourite radio stations. By Alexandra Ost and Tanguy Van Overstraeten, Belgium

Technology Media & Telecommunications

19

Czech Republic Proposals For New Telecoms Laws and New Liberalisation The Czech Parliament will discuss an important governmental proposal amending, among others, the Electronic Communications Act and the Radio and Television Broadcasting Act. The draft legislation, which was coauthored by the Ministry of Industry and Trade, the Ministry of Culture and the Czech Telecommunication Office, reflects the experience gained by the authorities during the first years of the Electronic Communications Act and related acts. Further liberalisation of the broadcasting market Two of the most interesting changes in the proposal are related to broadcasting. One is the lifting of the cross-ownership ban. The present wording of the Radio and Television Broadcasting Act does not allow an operator of an electronic communications network to acquire a licence for the provision of digital radio or television broadcasting. Such prohibition restricts competition in the field of broadcasting and, once it has been abolished, electronic network operators will be free to enter the broadcasting market. The other ban to be lifted is the prevention of an operator of a radio or digital terrestrial TV broadcasting network from operating more than two such networks at the same time. This is yet another step to help liberalise the broadcasting market. According to the proposal, any resulting competition concerns relating to the broadcasting market should be handled effectively by the Competition Office alone and, in this respect, ex-ante regulation is no longer needed. Funding of universal service Under the Electronic Communications Act, the provision of universal service is funded partly from a special fund, to which the operators contribute, and partly by the state. The state’s contribution covers the extra costs incurred by the operators providing preferential pricing schemes for disabled persons, while other services, such as operation of public payphones, publishing of directories and provision of a directory enquiry service, are financed through the special fund. The proposal stipulates that all costs of the universal service will be borne by the state starting in 2010. This change is not expected to be an extra burden for the state budget because the scope of universal service should be reduced in the future. Extended powers of the Czech Telecommunication Office The Czech Telecommunication Office will be able to request that a provider of public electronic communications services amend its terms and conditions for the provision of such services if such terms and conditions contain any provisions contrary to the Electronic Communications Act or any related

20

Issue 49 ⏐ December 2008

implementing acts. Further, the Czech Telecommunication Office will be empowered to request a change in the terms and conditions on the grounds of consumer protection and, in particular, to counter unfair, misleading or aggressive business practices and consumer discrimination. Under certain circumstances, the Czech Telecommunication Office will now be authorised to enter into negotiations between operators regarding changes and/or amendments to existing access and/or interconnection agreements and settle related disputes. Currently, the Czech Telecommunication Office has such rights only in situations where a new access and/or interconnection agreement is to be concluded. Better management of the spectrum and spectrum trading The Czech Telecommunication Office will be able to amend or revoke the allotment of radio frequencies: (a) if the holder of the radio frequency no longer fulfils the conditions for the allotment of the radio frequency; (b) on specified statutory grounds; or (c) upon request of the radio frequency holder. In addition, new rules will be enacted to make spectrum trading easier. The purpose of these changes is to enable the Czech Telecommunication Office to improve its management of the radio spectrum, and at the same time, to clearly and comprehensively set out the rights and obligations of radio frequency holders. Less administration for operators Operators providing public electronic communications services are currently obliged to inform the Czech Telecommunication Office of any changes to its price lists without delay. This requirement will be relaxed so that operators will only need to provide information on such changes electronically and upon the request of the Czech Telecommunication Office. Measures against malicious calls Due to an increase in the number of malicious calls received at emergency call centres, new measures will be introduced including a new statutory definition of a malicious call. Operators of emergency phone lines will be authorised to request the respective network operator to disconnect the line from which the malicious calls have been made. The subscriber concerned would then have to apply to the Czech Telecommunication Office to have the line reconnected. Penalties doubled Finally, the proposal increases the maximum fine by 100 per cent in two cases. Serious infringements under the Electronic Communications Act will be subject to administrative fines of up to CZK 20 million (approximately €800,000) while less serious infringements will have fines of up to CZK 10 million (approximately €400,000). Only the third and last penalty threshold concerning minor infringements will be capped at its current maximum of CZK 2 million (approximately €80,000). Technology Media & Telecommunications

21

By Zuzana Viktorinová, Kinstellar, v.o.s., advokátní kancelář, Prague Kinstellar is the leading premium regional law firm focused on serving the needs of global corporations in the emerging European countries. Operating from offices in Bucharest, Budapest, Bratislava and Prague, Kinstellar’s team has been involved in some of the biggest transactions in the region. Kinstellar is a spin-off from Linklaters, one of the world’s leading law firms, and maintains the Linklaters legacy through a ‘best friends’ relationship. For further details, see www.kinstellar.com.

22

Issue 49 ⏐ December 2008

Poland Functional Separation On The Table For the last few months there has been an open discussion about functional separation of the largest Polish telecom operator – Telekomunikacja Polska S.A. (“TP S.A.”). The President of the Office of Electronic Communications (“UKE”), Anna Streżyńska, commissioned a report on the possibility of the functional division of TP S.A. and its possible effects on the telecoms market. Her current view is that functional separation will guarantee fair competition in the telecoms market by giving all operators equal access to TP S.A.’s infrastructure at equal prices. Legal basis for functional separation The UKE’s enthusiasm for functional separation is, however, not universal and there have been doubts expressed about the use of functional separation. This is basically the division of one telecommunications operator into at least two operational units, one of them involving only the provision of wholesale services and the other providing retail services. It has been suggested that the Polish Telecommunications Law does not provide a legal framework for the use of functional separation by UKE. The President of UKE disagrees on the basis that functional separation is provided under Article 8 of the Access Directive (2002/19/EC) in conjunction with Article 44 of the Polish Telecommunications Law that allow for the application of other regulation instruments than those specifically named in the statutory provisions. At the end of November an independent consultants’ report, commissioned by the UKE, was published jointly by KPMG, the Communications Institute and the law firm Grynhoff, Woźny, Maliński. The independent experts decided that functional separation is a proper regulatory remedy to eliminate anti-competitive behaviour by TP S.A., but functional separation will not help to improve the poor quality of the infrastructure or be able to eliminate inappropriate fees for wholesale services. Following the report, according to the current legal system there is a possibility, based on paragraphs 3 and 4 of Article 8 of the Access Directive, of applying functional separation. However, it is not entirely clear if this remedy would be upheld by the Polish courts because of ambiguities in Polish law. Additionally, this measure will require the consent of the European Union Commission and the Commission’s agreement that it is adequate, reasonable and proportionate. Finally, there is a risk that there are no executive instruments in place to make TP S.A. act to properly implement functional separation. Will functional separation take place? “Judging by the opinion of the experts, it appears that TP S.A. will probably be divided”, said Anna Streżyńska. However, the final decision of the UKE Technology Media & Telecommunications

23

has not been made as yet. If the UKE decides to divide TP S.A., the separation process will probably start in 2009. TP S.A. rejects the suggestion that functional separation would not distort competition in the Polish telecom market and, according to Ireneusz Piecuch, the executive director of TP S.A., there are no legal principles or substantial reasons for such a split. Also, TP S.A. believes that the cost of this functional division will be over PLN 600 million (approximately €150 million) within the first three years and will take two more years to complete, so that the costs of the separation could be even greater than the costs of dividing British Telecom, which exceeded €100 million. However, in the opinion of the experts, the financial benefits to Polish consumers after the split of TP S.A. will be over PLN 704 million (approximately €190 million) in the first five years alone.

Brussels Linklaters LLP Rue Brederode 13 B - 1000 Brussels Tel: (+32) 2 501 94 11 Fax: (+32) 2 501 94 94

Finally, the decision to introduce functional separation pre-empts the current European proposals to introduce functional separation as an explicit SMP remedy in the Access Directive. The amendments to the Access Directive would, however, include a number of safeguards such as a requirement that existing SMP remedies are insufficient and that there be no prospect of infrastructure competition within a reasonable timeframe. It will be interesting to see if the Commission applies similar reasoning if it receives a request for functional separation from Poland.

London Linklaters LLP One Silk Street London EC2Y 8HQ Tel: (+44) 20 7456 2000 Fax: (+44) 20 7456 2222 Madrid Linklaters, S.L. Calle Zurbarán, 28 E-28010 Madrid Tel: (+34) 91 399 60 00 Fax: (+34) 91 399 60 01

By Ewa Kurowska-Tober, Warsaw

Paris Linklaters LLP 25 rue de Marignan 75008 Paris Tel: (+33) 1 56 43 56 43 Fax: (+33) 1 43 59 41 96 Shanghai Linklaters LLP Shanghai Office 16/F Citigroup Tower 33 Hua Yuan Shi Qiao Road Pudong New Area Shanghai 200120 People's Republic of China Tel: (+86) 21 2891 1888 Fax: (+86) 21 2891 1818

Editor: Peter Church Email: [email protected] This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors.

Warsaw Linklaters C. Wiśniewski i Wspólnicy Spółka Komandytowa Warsaw Towers ul. Sienna 39 7th floor PL-00-121 Warsaw Tel: (+48) 22 526 5000 Fax: (+48) 22 526 5060

© Linklaters LLP. All Rights reserved 2008 Please refer to www.linklaters.com/regulation for important information on our regulatory position. We currently hold your contact details, which we use to send you newsletters such as this and for other marketing and business communications. We use your contact details for our own internal purposes only. This information is available to our offices worldwide and to those of our associated firms. If any of your details are incorrect or have recently changed, or if you no longer wish to receive this newsletter or other marketing communications, please let us know by emailing us at [email protected] Linklaters converted to Linklaters LLP on 1 May 2007. References in this document to Linklaters for the period following 1 May 2007 accordingly refer to Linklaters LLP and, where relevant, its affiliated firms and entities around the world. Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. The term partner in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers or European lawyers

24 //