I have yet to read a reasoned decision so I am relying on the press release. One line of reasoning seems to have gone as follows: the presiding judge was a member of two organisations operating in the field of intellectual property. Let us say, for the sake of argumen, that the judge’s membership of these organisations showed that he was in favour of the enforcement of intellectual property and would thus be supportive of rights holders. That does not, thought the court, prevent a fair trial because intellectual property rights are legal rights in Sweden as the law stands. Being in favour of them merely means being in favour of the law.

An analogous argument might be used in a case in which a judge who was in favour of private property rights and their enforcement should still be allowed to sit on a case of theft, or for eviction of trespassers.

Having said that the court appears to have thought that information like this (membership of relevant associations)  ought to have been available at the earliest stage, so that it can be properly dealt with then rather than on appeal.

I remain sceptical as to whether the judge (Tomas Norström) really was biased in any way. The Swedish Association for the Protection of Industrial Property and the Swedish Copyright Association do not look (to me) like industry organisations that pursue infringers of intellectual property, but rather more like the sorts of organisations that lawyers routinely get involved in for the better exchange of ideas and study of a subject.

Members are likely to have a lot of different affiliations, work against each other in practice on many occasions and the mere fact that A and B are both members of such an assocaition doesn’t mean they will even like each other. I certainly can’t stand the sight of some people in the same professional bodies as myself.

The trouble is I haven’t seen a good analysis of the two Swedish bodies to be sure. I look forward to reading the full decision of the Court of Appeal (if it becomes available) to make up my own mind.

Where does this leave the Pirate Bay four? If the press release is to be believed, there is no appeal but proceedings in the European Court of Human Rights are sure to follow.

A key point to take away is that operators of SNS are data controllers rather than merely data processors, so that they are more likely to be subject to European data protection law than if they were merely “data processors”.

Who is the working party?

The working party was set up by by the data protection directive as an advisory body. Its opinions are not legally binding, but they are likely to be persuasive and the Commission must respond them.

Key points

The response to the opinion (so far) has concentrated on the view that SNS operators are probably data controllers. I’ll have more to say about that at the end of this post.

For me the most interesting points are:

• SNS operators are usually data controllers
• … and so are many third party application providers
• … as indeed will be many users
• privacy should be the default setting
• release of profile information beyond a user’s selected friends should never be implicit
• third party applications should not by default be given access to all an individual’s profile information, but only what is necessary for that application to work

It seems to me that this signals a tougher line to SNS like facebook which will not be able to get away with, for example, a completely cavalier attitude to third party applications.

There are a couple of specific points of interest.

Users

Almost anything about someone is “personal data” but most individuals using an SNS won’t be subject to the Directive because it excludes processing “by a natural person in the course of a purely personal or household activity”.

The working group notes an increased use of SNS for other purposes such as for businesses or campaigning. Those would fall outside the household exception and such users would need to comply with the Act.

The Working Group makes three recommendations on this point:

- SNS providers provide adequate warnings to users about the privacy risks to themselves and to others when they upload information on the SNS
- SNS users should also be reminded that uploading information about other individuals may impinge upon their privacy and data protection rights;
- SNS users should be advised by SNS that if they wish to upload pictures or information about other individuals, this should be done with the individual’s consent.

Which seems entirely positive. Strictly speaking you don’t always need an individual’s permission to process their data, so the last point is not quite right, though it is good practice. What the Directive does require is that individual’s are notified of the processing, which could be done by a tagging system.

Having said that, the Directive was not (I think) written with uses of SNS in mind. I suspect that more difficulties will follow.

Controller vs Processor

The Directive makes a distinction between “controllers” on the one hand “processors” on the other. A controller is an entity which “alone or jointly with others determines the purposes and means of the processing of personal data.”

In the context of an SNS you might argue that it is the users of the site who decide the purpose and means of processing the data, the operator of the site provides nothing more than an environment for the users to do what they wish (post pictures, disclose information about themselves and so on). In other words, they are just a processor.

The Working Party thinks not. Amongst other things sites like facebook decide what use is to be made of data contributed to the site for the purposes of advertising and marketing.

This matters for two reasons: first because it is on the controller (not the processor) that most of the obligations of the directive are imposed; but second because the location of the controller affects whether or not the directive applies at all.

How far does the Directive reach?

The answer to that question applies in article 4 of the directive which states:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

The first two provisions give little difficult: if your processing is being carried out in/with or by an establishment of yours in a member state (or somewhere else that state’s law applies) then unsurprisingly you have to comply with the Directive.

The odd one is (c). The Working Group have previously in their opinion on search engines said that storing a cookie in a user’s browser amounts to “making use of” equipment (the user’s browser) so that wherever on the plant a data controller might be, if their processing of the data involves cookies they will be subject to the directive.

I am not entirely convinced by that argument. It would require any such site to have a designated representative in every member state from which anyone were to browse them (under article 4(2)). It also seems to me that what the directive means is that if you process the data in question in a member state then the directive applies to the processing of that data in that member state. A cookie will necessarily contain much personal data of itself.

Conclusion

The opinion seems to me to be useful. It is relatively short and an easy read. Let us hope that it contributes to the pressure on sites like facebook to put their house in order.