16 research outputs found

    ‘The Right to Be Forgotten’ and the Sui Generis Controller in the Context of CJEU Jurisprudence and the GDPR

    The Google Spain judgment established a search engine as a sui generis controller and the related ‘right to be forgotten’ (right to delisting) under data protection legislation, despite the controversies surrounding it primarily on account of the logic of the search engine operator’s functioning and its consequent inability to comply with certain basic data protection requirements. Resulting interpretations, ie the contouring of data protection legislation under CJEU case law (the Google Spain and the GC and Others judgment), are examined in this paper in detail in relation to the currently applicable GDPR provisions, which allows conclusions to be drawn on the substance of the (sui generis) delisting right, the legal standing of data subjects, the assessment of delisting requests, and the related role and responsibilities of search engine operators. While neither removal from the source web page is required nor can delisting be denied exclusively on the basis of the publisher’s right to freedom of information and expression, analysis shows several manifestations of inherent interweavement with concerns of freedom of information and expression, which at the same time intrinsically oppose data protection and privacy rights. The issue is further challenged by a lack of harmonisation in the area of reconciling privacy and data protection rights with the freedom of expression and information. The last section of the paper discusses the rationale behind the recently established duty of adjusting, ie rearranging, search results in certain cases where delisting requests were denied, the implications for the operators, and the future outlook

    Video Surveillance in the Workplace under the Croatian Act on the Implementation of the General Data Protection Regulation

    The authors critically evaluate the legislation and practice in Croatia on video surveillance in the workplace, focusing in particular on the recently adopted GDPR Implementation Act. This act prescribes rules on the processing of personal data through video surveillance systems, as well as its own maximum administrative fines for violations of some of those rules. In addition to the new rules on video surveillance of work premises, the authors examine the new general rules on data processing by video surveillance and the related rules on administrative fines, as well as the earlier acts on which the GDPR Implementation Act relies. The goal of this research is to establish if the new rules provide the necessary clarity and legal certainty in relation to existing legislation and practice, as well as compatibility thereof with the GDPR. With the disclaimer that the analysis of the legal bases for processing workers’ personal data and of corresponding case law is excluded from the scope of this paper, the authors also briefly point to GDPR rules which the employers, human resources personnel and legal professionals ought to consider when assessing legal compliance of workplace video monitoring. Concluding critical remarks will also deliver de lege ferenda proposals towards amendment of certain examined rules of the GDPR Implementation Act so as to ensure greater legal clarity and legal certainty as well as consistency with the GDPR.

    In this paper the authors critically assess the legislation and practice in the Republic of Croatia on video surveillance in the workplace, focusing in particular on the recently adopted Act on the Implementation of the General Data Protection Regulation. That act lays down a number of rules on the processing of personal data through video surveillance systems, as well as the maximum administrative fines for violations of certain rules set out in it. In addition to the new provisions on video surveillance of work premises, the paper examines in detail the new general rules on the processing of personal data through video surveillance and the related provisions on administrative fines, as well as the earlier regulations on which the examined provisions of the Implementation Act rely. The aim of this research is to assess whether the new rules introduce the necessary clarity and legal certainty in relation to existing legislation and practice, and to assess their compliance with the provisions of the General Data Protection Regulation itself (including those on sanctions). The authors also briefly point to the rules of the General Data Protection Regulation that employers, human resources professionals and legal professionals should consider when assessing the legal compliance of workplace video surveillance practice, noting that the analysis of the legal bases for processing workers' personal data and the related case law and regulatory practice is excluded from the scope of the paper. The results of the research as a whole form the basis for concluding critical remarks with de lege ferenda proposals for amending certain analysed provisions of the Implementation Act so as to ensure greater legal clarity and legal certainty as well as consistency with the General Data Protection Regulation.

    Selected aspects of proposed new EU general data protection legal framework and the Croatian perspective

    Proposed new EU general data protection legal framework profoundly affects a large number of day-to-day business operations of organizations processing personal data and calls for significant effort on their part toward the necessary legal-regulatory compliance. In this paper the author examines key legislative developments towards this new EU frame and impact for the Republic of Croatia as the youngest EU Member State. Following introductory overview, legal analysis of draft EU General Data Protection Regulation as proposed by the European Commission and recently adopted amendments by the European Parliament mainly focuses on selected solutions impacting national data protection supervisory authorities. This is complemented with examination of relevant sources of EU law, including the case law of the Court of Justice of the European Union. Assessment of results of this research is next made with respect to prospects of the data protection legal framework of the Republic of Croatia. The paper is concluded with the author’s critical overview of analyzed EU proposals impacting national data protection supervisory authorities in light of EU pivotal goals, and de lege ferenda proposals to timely address identified obstacles towards more adequate enforcement of data protection legislation in Croatia

    EU RIGHT TO BE FORGOTTEN AND GLOBAL INTERNET: ENFORCEMENT OF DELINKING REQUESTS

    The paper examines the substantive and procedural aspects of the judgment of the Court of Justice of the European Union on the right of individuals to request, under certain conditions, that an internet search service provider (search engine operator) stop listing their personal data, i.e. links to third-party web pages containing that data, in the results of a search on their name, even where the content was lawfully published, that is, where the content has not been removed from the source page. Although it is often popularly called the "judgment on the right to be forgotten", that name is somewhat misleading, since the information in question will not be erased, i.e. it remains on the internet, and since it remains available to users of the search engine service when other search criteria are used. According to available data, citizens in Europe invoke the right to delisting under the judgment to a large extent. Nevertheless, from the delivery of the judgment to the present day numerous questions have been raised regarding its enforcement. Deciding on the merits of a request often involves a complex question of balancing rights and interests on the internet. A particularly contentious question today concerns the manner of implementing the obligation to remove links, which determines the local, i.e. regional, or global effect of the individual's right. This paper is a contribution to current and developing research activities concerning the judgment and the enforcement of the rights of individuals and the obligations of search engine operators interpreted in it. Further research in that direction should include the concrete practice of search engine operators, as those who make the (first) decision on an individual's request, and of the competent supervisory authorities and courts that supervise them, which is currently developing. On a more general level, it can be said that the judgment lays the foundations for extraterritorial regulation of the relevant activities of internet actors providing services on the European market, a significant number of which, holding a prevailing share of that market, are not established on European territory. Further research into the implementation of the rights and obligations interpreted in the judgment, in connection with the processing of personal data of individuals in the EU in the global internet environment, should also examine the solutions of the relevant new EU legal framework (the proposal for a General Data Protection Regulation), with its proposed very broad scope of application, which is currently (still) in the legislative procedure.

    The author examines material and procedural aspects of the CJEU's judgment on the right of individuals to seek under certain conditions that the search engine operator delists their personal data, i.e. links to third-party web pages containing that data, in results of search based on their name also in cases where content is lawfully published or not removed from the origin web page. Although often popularly referred to as "decision on the right to be forgotten", that can be a misleading term since relevant data will not be erased from the Internet and remains available to search engine users using different search terms. According to available data citizens in the EU have been exercising the right to request delisting in accordance with the judgment to a great extent. However, numerous issues emerge in relation to its enforcement. Decision-making on individuals’ request often includes a complex balancing of rights and interests on the Internet. Controversial issue today especially relates to the means of executing links removal, which determines a local (regional) or global effect of relevant individuals’ right. This paper contributes to current and developmental research activities in relation to the judgment and enforcement of individuals' rights and duties of Internet search engines as interpreted therein. Further research in that direction will need to include concrete practice of search engine operators as those making the (first) decision on individuals' requests, and of competent supervisory bodies and courts supervising them, which is currently in development. On a more general level it can be said that the judgment establishes the grounds for extraterritorial regulation of relevant activities of Internet actors providing services on the European market, out of which a significant number with a prevailing share on that market is not established on the European territory. Consequently, further research of open issues relating to enforcement, in a global Internet environment, of rights and duties as interpreted in the judgment will also need to include analysis of relevant new EU framework (proposed General Data Protection Regulation) with a very wide scope as currently proposed, and which is at the moment (still) in legislative procedure

    Applicability of ePrivacy Directive to national data retention measures following invalidation of the Data Retention Directive

    The paper analyses rules pertinent for examination of national data retention measures regulating data processing activities of providers of electronic communication services following invalidation of the Data Retention Directive in 2014, on which subject the CJEU issued a total of five judgments up until June 2021. Focus of this analysis is the issue of applicability of EU law as interpreted in the CJEU case law, most specifically Article 15, paragraph 1 of the ePrivacy Directive containing legal safeguards for the restrictions of rights and obligations in that directive on the confidentiality of communications as well as the processing of traffic and location data. Such restrictions are as a rule manifested in different national data retention measures, which may pursue law enforcement and public security, as well as national security objectives. This examination is supported also by analysis of rules on the scope of ePrivacy Directive and its relationship with the general personal data protection framework. Overall findings in the paper provide a frame for further detailed research on the topic of future regulation of retention measures at national/EU level (Proposal for ePrivacy Regulation, possible new EU data retention legislation) and a comparative assessment of relevant CJEU jurisprudence with that of the European Court of Human Rights in respect of compatibility of retention measures with the guarantees of fundamental rights and freedoms and allowed restrictions thereof in the European legal system

    DPA powers toward effective and transparent GDPR enforcement: the case of Croatia

    The paper identifies and explores the solutions to certain underdeveloped and lacking legislative solutions and issues in the practice of the national data protection authority (CPDPA), which affect the aims of effective GDPR enforcement and transparency. On a broader level it contributes to the EDPB initiatives toward the harmonization of certain procedural provisions and overcoming the differences in the conduct of cross-border proceedings. Most of the research considerations are supported by a study of the case that received much public attention and involves the first administrative fine in Croatia. Arguments are provided toward prescribing time limits for the resolution of data protection administrative disputes and toward appropriate addressal of the closely related issues of publishing CPDPA rulings, with the concerns of their accessibility worked out through a comprehensive policy. This includes also the particular considerations on the corrective measures issued to public authorities, which cannot be fined, and on the underdeveloped fine-limitation rule for certain other public sector bodies. Public interest concerns should be closely examined in the assessment of communicating information on relevant data protection cases and CPDPA decisions, as well as the interrelation with the freedom of information requests. The publishing of non-anonymous final rulings should be recognized as a form of additional sanction and power of the data protection authority and as such further explored also at the EU level. In terms of more efficient CPDPA functioning it is argued that the prescribed time limits for issuing expert opinions are extended. At the same time resources should be utilized toward better inclusivity and accessibility of relevant information, primarily rulings, on its website

    Mandatory Data Retention and Privacy

    The authors analyse the legal regulation of the system of mandatory preventive retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks in the law of the EU and the Republic of Croatia. Numerous open questions concerning the introduction and implementation of that system are examined in light of the sensitivity and special treatment that data in electronic communications have in EU law in general, and especially in light of the considerable potential for interference with the fundamental rights and freedoms of service users, that is citizens, particularly as regards respect for private life and the confidentiality of correspondence, i.e. communications, and the right to the protection of personal data. The paper also analyses the latest developments concerning the implementation of the Data Retention Directive in the EU, its evaluation, and the proceedings brought before the Court of Justice of the European Union. The authors also examine and analyse the solutions provided for in the domestic legal framework in order to align national legislation with the acquis, i.e. the Data Retention Directive, as well as those already in force (independently of the Directive), and put forward de lege ferenda proposals where they find it necessary. In regulating the powers of access to the relevant data, among other things, attention is drawn to the need for consistent application of the criteria for exceptionally restricting citizens' guaranteed rights in justified, clearly defined cases, and to the need to ensure legislative solutions that are as precise and clear as possible in order to prevent possible abuse.

    The authors analyze the regulation of the system of mandatory (preventive) retention of data in electronic communications in European Union law and the law of the Republic of Croatia. Many questions and issues of contention concerning blanket data retention regulation at EU level, especially after the adoption of the Data Retention Directive and its implementation in EU Member States, are examined in terms of sensitivity and special regulation of processing user data in electronic communications, and the severe impact of retention on guaranteed rights and freedoms of all users. The paper focuses on the impact of data retention on the right to respect for private life and communications and the right to personal data protection. The authors also analyze recent developments in the implementation of the Data Retention Directive in the EU and its evaluation by the European Commission. Procedures initiated following the implementation of this Directive in certain EU States, aimed at challenging the constitutionality and legality of relevant domestic law, point to the sensitive nature of the introduction of mandatory data retention systems on account of its interference with guaranteed rights of citizens. Furthermore, the authors also point out cases which were, until today, referred to the Court of Justice of the European Union by national courts of certain EU Member States in order to evaluate compatibility of the Directive with human rights and fundamental freedoms. The authors research and analyze solutions implemented in the domestic legal system on the subject of mandatory retention of data in electronic communications. Among other things, they call attention to the need for assessing these issues in line with the necessity and proportionality requirements, observing both European Union and international law, notably the European Convention for the Protection of Human Rights and Fundamental Freedoms and the case law of the European Court of Human Rights. Moreover, the authors emphasise the need for consistent implementation of relevant criteria in cases where guaranteed rights of citizens are interfered with, and for precise and clear legislative solutions especially with a view to preventing abuse. Finally, the authors provide a comparative overview of this measure with expedited preservation of stored data (data preservation, quick freeze), prescribed by the Council of Europe Convention on Cybercrime. They also provide an assessment of this measure as a potential alternative to mandatory data retention, including models developed in certain states on the basis of data preservation (quick freeze plus), taking into account recent relevant developments in the EU

    Liability of Intermediaries for Infringement of Copyright and Related Rights on the Internet

    The development of electronic communications, and of the online services and new network technologies and services based on them, has made it possible to improve existing business processes and to create new business models. Their mass use has led to an ever wider offer, presentation and distribution of various digital content, among which content enjoying copyright protection has a special place. Under such conditions the question arises of the role, liability and obligations of information society service providers for infringements of copyright and related rights, especially as regards service providers acting as intermediaries through which the communication of users of network services takes place. The paper therefore analyses the legal aspects of their activity and their rights and obligations under the relevant provisions of European Union law, as well as under the corresponding legal framework of the Republic of Croatia, which in this area has largely developed and been adapted in line with the acquis. The analysis centres on the liability and obligations of providers of the intermediary mere conduit service of internet access in connection with the civil law protection of copyright and related rights infringed by users of their service through the exchange of files containing protected works. Special attention is given to examining whether it is permissible to order, in civil proceedings, judicial measures against these intermediaries, in accordance with the case law of the European Court and legislation, that entail general preventive monitoring of the users of their services for the purpose of preventing infringements of copyright and related rights on the internet.

    In this paper, the authors consider the relevant EU law and the current Croatian regulations and analyse the issues of liability, obligations and rights of information society service providers - intermediaries in relation to breach of copyright and related rights on the Internet, for the purpose of suppression and prevention of such breaches. The development of information society, which is based on high technologies, has resulted in the use of electronic communication becoming a fundamental need. High technologies generate numerous possibilities for both individuals and business entities, thus facilitating economic growth based on networking and new online business models, content and services. The creative industry, and particularly activities concerned with copyright and related rights, has displayed a logical interest in the creation of legal and other conditions enhancing the protection of intellectual property on the Internet. The paper focuses on breaches of copyright and related rights on the Internet through unpermitted exchange of files containing protected property, usually carried out by peer-to-peer network technology, and on the issues of liability, obligations and rights of Internet service providers (mere conduit) within the context of the protection of civil law rights. Due to certain particular features of this service, its providers have been under increasing pressure from associations for collective protection of copyright and related rights, even if they only act as intermediaries in a transfer of information not initiated by themselves. In accordance with the practice of the Court of Justice of the EU, the paper questions the acceptability of imposing measures on intermediaries through a civil procedure forcing them to filter and block traffic of its users as a means of preventive supervision over the users and their communications over the Internet, with a view to preventing breach of copyright and related rights. What needs to be considered are the essential characteristics of Internet intermediary services, such as the mere conduit service, and the conditions aimed at securing freedom for the development of such services, which cannot tolerate imposition of general supervision over its users and the information they transfer over the network. EU law does not permit particularly repressive measures in that sense for the purpose of protecting copyright and related rights on the Internet within the domain of private law. Such measures may have an adverse effect not only on free enterprise of Internet intermediaries, but also on the development of IT, freedom of speech and information, and user privacy in terms of information and communication.

    In this paper, the questions of the liability, obligations and rights of information society service providers acting as intermediaries in connection with infringements of copyright and related rights on the Internet are analysed through the relevant law of the European Union and the positive law of the Republic of Croatia, with the aim of combating and preventing such infringements. The development of the information society, whose basic infrastructure is high technology, has led to the use of electronic communications increasingly becoming a basic human need. High technologies generate numerous benefits for citizens and businesses by enabling the growth of economic activities based on network connections and new online business models, content and services. The interest of the creative industry, especially of activities based on copyright and related rights, in securing legal and other conditions in the online environment that ensure effective protection of intellectual property is therefore understandable. In the paper we concentrate on infringements of copyright and related rights on the Internet through the unauthorised exchange of files containing protected property, mostly achieved by using peer-to-peer network technology, and on questions of the liability, obligations and rights of providers of the intermediary service of Internet access (mere conduit) in the context of the civil law protection of these rights. Because of the particular characteristics of this service, its providers are under ever greater pressure from associations for the collective exercise of copyright and related rights, even though they are only intermediaries in the transmission of user information which they did not initiate themselves. In accordance with the relevant case law of the European Court of Justice, the paper deals primarily with examining the permissibility of ordering measures by which, in civil proceedings, intermediaries are obliged to filter and block the traffic of their users as general preventive monitoring of users and their communication on the network, with the aim of preventing infringements of copyright and related rights. In doing so, account must be taken of the essential features of intermediary Internet services, such as the mere conduit service of Internet access considered in the paper, and of the conditions intended to secure the freedom of further development of such services. Such services do not tolerate the imposition of general monitoring of their users and of the information they transmit over the network. Particularly repressive measures in that sense, aimed at the private law protection of copyright and related rights on the Internet, are not permitted by EU law, and they may have negative consequences not only for the freedom of enterprise of Internet service providers but also for the development of information technology, freedom of speech and information, and the information and communication privacy of the users of intermediary Internet services

    CITIZENS' FUNDAMENTAL RIGHTS IN THE CONTEXT OF LEGAL PROTECTION OF INTELLECTUAL PROPERTY ON THE INTERNET

    The paper examines, through the law of the EU and of the Republic of Croatia, the interrelationship between the rights of users of Internet access services and those of intellectual property right holders, in the context of the private law protection of intellectual property that is infringed on the Internet. The infringements addressed in the paper relate to the impermissible exchange by Internet users of works protected by intellectual property rights. Taking particular account of the case law of the Court of Justice of the EU, the authors analyse the guarantees of fundamental rights that come into relation in the private law protection of intellectual property rights in connection with the infringements considered. The authors also point to the particularities of the development of the right to the protection of personal data in EU law, as well as to questions of the application of the relevant EU and Croatian regulations with regard to data relating to users of Internet access services, including traffic data such as IP addresses. The results of the research confirm the existence of a delicate and complex interrelationship between these rights and, accordingly, the authors conclude by drawing attention to the need for special care when considering and regulating these questions in domestic law and practice.

    Authors examine the relationship between rights of Internet access service users and intellectual property rights holders, under EU and Croatian law, in the context of private law protection of intellectual property violated on the Internet. Relevant violations committed by internet users consist of the disallowed sharing of work protected by intellectual property rights. Authors analyze the guarantees of fundamental rights that interconnect in relation to examined violations and in the course of private law protection of intellectual property, especially taking into account the case-law of the Court of Justice of the EU. They also point to distinctive features in the development of the right to personal data protection under EU law, and they discuss applicability of relevant EU and Croatian laws as regards the data relating to users of Internet access services, which include traffic data such as IP addresses. Results of research support the finding of existing delicate and complex relationship between stated rights and, consequently, authors conclude the paper with a cautionary note on the need to pay special attention during assessment and regulation of these questions in domestic law and practice