Legal and regulation issues, SPICE Service Platform for Innovative Communication Environment - FP6 Integrated Project, D1.6

Executive summary
DESCRIPTION OF THE DELIVERABLE CONTENT AND PURPOSE (MAX 1 PAGE)
SPICE (Service Platform for Innovative Communication Environment) is a Framework 6 research project that aims at the design of an innovative technological infrastructure for the creation and delivery of ICT services (hereinafter "service platform"). The service platform will support the creation, deployment and delivery of various services in the information society. The service platform will also be used to deploy and commercialise new communication services or to distribute (enriched) content.
The service platform's added value lies in the distribution of information that has been adapted to a specific user's needs. This means that the service platform needs to learn about the user's needs and requirements in the first place, notably by collecting and processing the data that are relevant for the user's situation. The information and service can then be tailored to meet the user's needs and requirements and be offered to the user by means of the service platform.
Two legal aspects seem to be particularly relevant for the functioning of the service platform, namely privacy and data protection law on the one hand, and copyright law on the other. Since the service platform will primarily assist commercial service providers in seeking new business opportunities and business models, the regulation on (unsolicited) commercial communication can also be at stake. Those three legal aspects are dealt with in this deliverable.
We focussed on the European legal framework, which has been analysed and applied to the service platform. The relevant legal aspects discussed in this deliverable are mostly regulated by European directives. A directive imposes the Member States to achieve the objectives set out in the directive, but leaves the possibility to the Member States to choose the most appropriate means to achieve these goals. Consequently, the harmonisation of national laws by means of directives remains limited (differences in the national applicable rules continue to exist), and in a particular case, the national legal rules implementing European directives still need to be consulted. For your better understanding, we include a general comment on the nature of European law (Annex).

BRIEF DESCRIPTION OF THE SATE OF THE ART AND THE INNOVATION BROUGHT
a. Legal aspects of privacy and data protection
The importance of privacy and data protection for the service platform is a double one: not only should it be a matter to only develop products that do not violate applicable law, but privacy concerns are also a big issue for the service platform's future customers. As the focus groups interviews showed, concerns over possible privacy violations are the number one reason for possible customers to avoid using the possibilities of a service platform.
The first part of the privacy chapter deals with the European legal framework on data protection. Apart from several international legal documents (binding and non-binding ones), the focus lies on the three directives from the European Community: the General Data Protection Directive 95/46/EC, the E-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC, which are all introduced in detail. The chapter ends with the key principles on data protection as found in the directives and the constitutions of the Member States.
We have identified three major issues within data protection and the functioning of the service platform: Profiles, Location Based Services and Data Transfer.
Profiling is a key issue. Although a very extensive and detailed user-profile is of major importance for the possibility to deliver personalised services, it also poses a severe risk to the privacy of the end-user. Such profiles will contain detailed information on a variety of aspects of the end-user's personality. Dealing with service platform-profiles can also serve as an example for "normal" processing of personal data.
After explaining the technical basics of how profiling will be done in the service platform, we distinguished three different kinds of data: user-preferences entered by the user, stored data on past user-behaviour and rules derived from the user-behaviour. It is important to realise that all three kinds of data have to be treated as personal, and sometimes even sensitive, data relating to the end-user. Thus, any end-user must have the possibility to view, correct and delete any data stored about him/her. End-users must at all times be in control of their data.
Location Based Services are services whose delivery depends on the context the user is in. They have been thought to become the next killer-application a few years ago. Although nothing like this has happened so far, there is already some regulation on Location Based Services and quite some legal papers were published on this issue.
Since the technical method of localisation has so far not been decided on we introduce all of the important technical methods of localisation. Then we discuss the applicability of the different legal regimes on location data, traffic data and personal data. This issue proves to be one of the most complex in this whole deliverable. It gets further complicated by unclear legal definitions. This chapter closes with technical design proposals to improve end-user privacy.
Data Transfer is the last of the privacy issues. SPICE is not only a European project, but it also aims at delivering services across national state borders. The cooperation with the operator of a foreign domain may require the transfer of personal data relating to an identifiable end-user. Although data transfers should be avoided in general and especially data transfers into countries not providing for an adequate level of data protection, we take a look at the possibilities that exist to legalise data transfers to third countries, outside the European Community and the European Economic Area. Binding corporate rules, standard contractual clauses or joining the safe-harbour agreement are all possibilities allowing for data transfers, even if the data recipient is located in a third country not providing for an adequate level of data protection. This chapter closes with a checklist on how to deal with cross-border data transfers.
b. Legal aspects of copyright and related rights
The services that are deployed within the service platform often involve the creation, the publication and the delivery of 'content' to the platform's end-user. The content that is handled by the service platform could consist of raw data, facts, information, etc., but also of photos, videos, music, multimedia files, etc. Such 'content' will to a large extent consist of material that is protected by copyright and/or other rights related to copyright (hereinafter "related rights").
The legal rules determining, inter alia, how to distinguish between legally protected and unprotected content, which excusive rights are granted and to whom, are presented in the chapter on the European legal framework on copyright and related rights.
In this chapter we describe the main copyright implications of SPICE.
Copyright protects the formal expression of original "works of art and literature", a very broad and open concept, that even includes computer programs and databases. Moreover, neighbouring rights protect the performances of artistic performers (such as singers, musicians, actors and dancers), of phonogram, film and database producers and of broadcasting organisations.
Copyright grants a number of rights to copyright holders, both moral and economic rights. These rights give the holder the right to authorise and to prohibit certain uses of protected works (i.e. protected content).
With regard to the service platform, two moral rights are particularly relevant: the right to be recognised as the author [or performer] of a work (the 'paternity'-right), and the right to oppose to any modification of the work [or performance] that might be prejudicial to the honour or reputation of the author [or performer] (the 'integrity'-right). The service platform certainly threatens the existence and enforcement of the moral rights: protected content is easily communicated to the public without mentioning the authors [and performers] or cut, mixed, adapted or otherwise modified in disregard of the right of integrity.
Furthermore, the economic rights which are relevant for the platform are: the exclusive right of reproduction (including adaptation) and the exclusive right of communication to the public. When content is uploaded to the repository, a permanent reproduction is made. The process of technologically protecting the content also implies reproductions and often even modifications. Reproductions are also made during the process of delivering the content to the users. All those reproductions are covered by the author's exclusive reproduction right.
The exclusive right of communication to a public also needs to be taken into account, and in particular the exclusive right of making a work available to the public which specifically refers to digital on-line interactive forms of distribution. The service platform offers content to the end-users by broadcast or on demand (e.g. by streaming or downloading). Depending on how the services operate, the acts can be qualified as a communication to the public and, as the case may be, more specifically, as a making available to the public.
When the processing of works within the service platform is covered by an exclusive right (and if no exceptions are applicable), the prior authorisation of all right holders is required. Hence, the process of acquiring all the necessary licences can be problematic. Due to the territorial aspect of copyright (and of the reciprocal agreements between sister societies for the collective management of copyright and neighbouring rights), licences need to be obtained for each country, where the service providers wish to provide their services. The multitude of rights covering the same content and the multitude of right holders, even on the same work, complicate the licensing processes even more.
European copyright legislation also specifically addresses "technological measures" by granting protection to these technological measures and against their circumvention. Since the technological protections may hamper some specific legitimate use of the protected content, the European legislation provides some means to restore the balance between the (absolute) technological protection measures and the interests of the beneficiaries of exceptions. However, the legislation allows overriding the application of these exceptions in case of a contract for all on-line interactive forms of providing services (i.e. those available on demand). The question arises whether the service platform is under any obligation to provide the beneficiaries of the copyright exceptions with the means of benefiting from such exceptions.
Furthermore, the service platform imposes several modifications to the content, during the compression and encoding in the DRM scheme and during the reformatting of the multimedia files, changing the content modality or resolution. Those content modifications are undertaken within the service platform itself, and raise the question whether such modifications are covered by the exclusive right of reproduction and/or the exclusive right of adaptation.
Finally, the service platform gives the end-user the possibility of interacting with the content and enriching it. The user can tag the content, annotate, write reviews, or otherwise modify the content, and create and upload new content. Since user generated content and user interaction have become increasingly important for the online distributors of digital content, a separate section is devoted to the analysis of the copyright status of user created content.
c. Legal aspects of commercial communication
As the service platform aims at supporting commercial activities, this deliverable also presents the general rules on commercial communication and their importance for the development of new business models in the ICT-sector. In that respect the main question is the legality of commercial communications: an opt-in system for unsolicited communications, possible sanctions for spamming, and methods of handling unsolicited commutation by intermediaries.
Finally, we address the question whether technical anti-spam measures are legal. Since they are not 100% successful, non-commercial messages could be deemed as commercial and wanted commercial communication could be deemed as unwanted. These so called "false positives" could then lead to criminal and civil liability. To avoid this, users of the message must be informed about activated technological-based anti-spam measures and thus have the possibility to opt-out.