Social network, media company, host provider, neutral intermediary… what’s in a name for YouTube?

Social network, media company, host provider, neutral intermediary… what’s in a name for YouTube?

Media companies who call themselves social networks will have to recognize that they, too, have to take on responsibility for the content with which they earn their millions.

-— Markus Breitenecker, CEO of Puls4

Who is to blame, if someone records TV programmes and illegally uploads them to YouTube: YouTube, or the individual? According to the Commercial Court of Vienna, YouTube is jointly responsible for copyright breaches from user-uploaded content. Is this einer Entscheidung, die das Internet revolutionieren könnte – a decision that could revolutionize the Internet?

To date, the unanimous opinion of European case law supports the position that YouTube is only a platform, an intermediary, a service provider, a neutral host, and so on – and therefore could not bear the responsibility for stolen content. That’s no longer true, says the Handelsgericht Wien (Vienna’s Commercial Court).

In its judgement of 6 June, the Court handed Austrian TV broadcaster Puls4 a key victory in its four-year legal battle with Google-owned YouTube. In 2014, Puls4 had sued YouTube for allowing Puls4’s stolen content to appear on the YouTube platform. YouTube responded by asserting the Host Provider Privilege set out in Article 14 of the E-Commerce Directive 2000/31/EC, which in certain situations shields host providers from being held responsible for the actions of its users.

The Americans have a similar provision in the Online Copyright Infringement Liability Limitation Act (OCILLA), which forms part of the Digital Millennium Copyright Act. The OCILLA creates a conditional “safe harbor” for online service providers by shielding them for their own acts of direct copyright infringement, as well as from potential secondary liability for the infringing acts of others. In exempting internet actors from copyright infringement liability in certain scenarios,  both Article 14 and the Safe Harbor rule aim to balance the competing interests of the copyright holders, and those who use the content online.

Where YouTube is simply a host provider, it is the individual who uploaded the video in the first instance who is to blame for the theft of copyrighted material. This time, the Court disagreed with YouTube’s argument, and has found finding the media giant to be jointly responsible for the copyright infringement.

So, why should we care about the Puls4 case? Although Austrian case law is not binding for other European Union member states, the Commercial Court’s judgment sets a precedent for denying Host Provider Privilege to YouTube. This may encourage similar decisions in the future which are based on the same line of argument.

Speaking to German newspaper Der Standard, Puls4’s CEO Markus Breitenecker explained that YouTube had effectively abandoned its neutral intermediary position and assumed an active role, which provided it with a knowledge of or control over certain data. In European legislative parlance, this is known as being a false hosting provider or false intermediary.

For years, many of us have assumed that YouTube is just a inanimate platform to which users upload videos. This case underscores that YouTube can no longer “play the role of a neutral intermediary” because of its “links, mechanisms for sorting and filtering, in particular the generation of lists of particular categories, its analysis of users’ browsing habits and its tailor-made suggestions of content.”

Puls4 and YouTube have until early July to petition the court, before it issues its binding ruling. In a statement to The Local Austria, YouTube said it was studying the ruling and “holding all our options open, including appealing” the decision.  In the meanwhile however, YouTube noted that it takes protecting copyrighted work very seriously.

If the preliminary decision is upheld, YouTube must perform a content check upon upload, instead of simply removing copyright infringing content upon notification. In respect of this, the Viennese court stated that “YouTube must in future — through advance controls — ensure that no content that infringes copyright is uploaded.” It is therefore rather timely that YouTube began beta testing a feature called Copyright Match last month, a tool which allows users to scan the platform to locate full re-uploads of their original videos on other users’ YouTube channels.

Screenshot 2018-06-28 at 10.29.54 PM
some Puls4 content is still available on YouTube (at least, here in the UK).

The European Parliament seems to think the arguments about false hosting providers is best left to the courts to decide. Despite the E-Commerce Directive being more than 15 years old, there is no pressing need for a reform. In a recent report on the matter,  the European Parliament’s Committee on the Internal Market and Consumer Protection stated that while false hosting providers may not have been envisaged at the time of the adoption of the E-Commerce Directive in 2000, “the delineation between passive service providers caught by Article 14 and active role providers remains an issue for the court.”

 

 

Now you’re just somebody that I used to know

Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

American Copyright law to get 21st century remix

American Copyright law to get 21st century remix

In my previous post, I wrote about the European Union’s sweeping new Directive on Copyright in the Digital Single Market, which is currently in draft stages. But copyright legislation is getting an update on the other side of the pond, too.

Since 1909 — before recordings of music even existed — Section 115 of the Copyright Act has regulated the licencing of musical works. Many songwriters and music publishers have trouble collecting royalties for the use of their songs played via digital streaming services. Amongst other things, the proposed Music Modernisation Act will modernise how compensation for mechanical licenses, which include digital streaming, is determined.

Last week, The United States House Judiciary Committee voted unanimously (32-0) to approve House Bill 4706, “to provide clarity and modernize the licensing system for musical works under section 115 and to ensure fairness in the establishment of certain rates and fees.” More commonly known as the Music Modernization Act (“MMA”), the bill now heads for consideration by the full House of Representatives. The MMA has received wide bipartisan support from Democrats and Republicans alike, and appears to be “on the fast track” for approval.

Importantly, the MMA will create an American agency or “mechanical licensing collective” that would house all music publishers under one roof. It is expected that the agency will have a database of ownership information, which will increase transparency and help identify music creators who are owed royalties.

Once established, the digital streaming services will pay the mechanical licensing collective, which in turn tracks and collects royalties on behalf of the artists. As explained by Committee Chairman Bob Goodlatte (a Republican from Virginia), the MMA “boosts payments for copyright owners and artists by shifting the reasonable costs of a new mechanical licensing collective onto digital music services, who themselves benefit from reduced litigation costs as a result of other provisions in the bill.”

Speaking to ABC news, John Simson noted that Americans “…have a 1909 statue trying to govern 2018 technology, and it doesn’t work.” Mr Simson is a professor at the American University and founding member of Sound Exchange, a non-profit organisation set up to collect and distribute performance royalties.

Intellectual Property Subcommittee Vice Chairman Doug Collins (a Republican from Georgia) noted that “the current music licensing landscape undervalues music creators and under-serves music consumers. Outdated copyright laws have produced unnecessary liabilities and inefficiencies within the music licensing system, and stakeholders across the music industry have called for reform. This bill moves the music industry towards a freer and a fairer market, enabling it to leverage the present and future benefits of the digital age.”

  • The first section of the bill concerns how modern digital music services operate, and will create a “blanket licensing system” to quickly license and pay for musical work copyrights. A key aim includes discouraging lawsuits in favour of simply ensuring that artists and copyright owners are paid in the first place without such litigation (see “No lawsuits over unpaid royalties after 1 January 2018?” below).
  • The second section, “Compensating Legacy Artists for their Songs, Service, and Important Contributions to Society (CLASSICS) Act” will focus on public performance rights for pre-1972 recordings. In particular, musicians with pre-1972 recordings will receive royalty payments when their tracks are played on the radio, online, or on television.
  • The third section, “Allocation for Music Producers (AMP) Act,” will ensure that record producers, sound engineers, and other creative professionals also receive compensation for their work.

No lawsuits over unpaid royalties after 1 January 2018?
Of course, the MMA is not without its detractors who are quick to point out several key issues. Firstly, the bill sets out a broad limitation of liability clause which essentially shuts down any potential lawsuits filed after January 1st 2018. That’s not a typo – Section 2(10)(A), the MMA really does apply a retrospective restriction on legal action.

Without the possibility of litigation, songwriters (and other copyright holders) who have unpaid royalties have one sole and exclusive remedy: they must go through the process set out in the legislation, governed by the dispute resolution committee of the mechanical licensing collective.

And while the mechanical licensing collective created by the MMA will have a board of directors, that board will be comprised of ten music publishers (record labels) together with only four songwriters! Furthermore, as currently written, the MMA provides no grievance process for excluded writers and those who receive unjust treatment. Is this likely to hit the right note with independent artists and smaller record labels?

 

Featured image – Francis Barraud, His Master’s Voice.

The Six Principles of Data Protection: Facebook fails

The Six Principles of Data Protection: Facebook fails

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” Memo from a Facebook executive Andrew “Boz” Bosworth. You can see the Memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) are responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a drivers’ licence may be adequate, but asking for a drivers’ licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue

From Stockholm to Stock Market: Sweden’s Spotify set to list on NYSE

From Stockholm to Stock Market: Sweden’s Spotify set to list on NYSE

Music streaming giant Spotify recently filed its application to put shares on the New York Stock Exchange. The 264 page document details the company’s key risks and challenges: I’ve read them so you don’t have to!

The Securities Exchange Act of 1933, often called the Truth in Securities law, requires that investors receive financial and other significant information concerning financial securities. To avoid misrepresentations and other fraud, any company wishing to place its shares on an American market must submit a prospectus, formally known as an SEC Form S-1 (or an F-1 for foreign companies).

Sweden-based Spotify filed their prospectus for the New York Stock Exchange on 28 February.  Prospectuses are heavily regulated, and accuracy is vital: it is a lawyer’s job to fact-check these documents in a process known as “verification.” To allow investors to make informed decisions, a company must be honest about its particular commercial situation, and explain how share prices may decline. Spotify’s estimated valuation is nearly $20 billion, but it has never made a profit and reports net losses of €1.2bn (£1.1bn).

Spotify clearly needs a capital injection,
but given the risks below, would you invest?

Hitting the right note with listeners.
Spotify’s unique features include advanced data analytics systems and proprietary algorithms which predict music that users will enjoy. These personalised streams rely on Spotify’s ability to gather and effectively analyse large amounts of data, together with acquiring and categorising new songs that appeal to “diverse and changing tastes.” If Spotify fails to accurately recommend and play music that customers want, the company may fail to retain or attract listeners.

Screenshot 2018-03-02 at 11.16.33 PM.png
Spotify knows that 71% of my recent tunes are energetic, upbeat, and suitable for a fitness enthusiast. Touché!

Licensing and royalties.
To make its 35 million tracks available for listeners, Spotify requires licenses from the musicians and record labels who own the songs. Additionally, Spotify has a complex royalty payment scheme, and it is difficult to estimate the amount payable to musicians under their license agreements. Even if Spotify secures the necessary rights to sound recordings from record labels and other copyright owners, artists may wish to discontinue licensing rights, hold back content, or increase their royalty fees. In 2014, Taylor Swift removed her songs from the streaming service in protest, although she later added it back.

Technical glitches and data protection.
Spotify’s software and networks are highly technical and may contain undetected bugs or other vulnerabilities, which could seriously harm their systems, data, and reputation. Growing concerns regarding privacy and protection of data, together with any failure (or appearance of failure) to comply with data protection laws, could diminish the value of Spotify’s service. This especially worth noting as Europe nears the General Data Protection Regulation (GDPR) implementation date of 25 May.

spotify nyc.jpg
Spotify’s NYC offices

Innovation and skilled employees.
Rapid innovation and long-term user engagement is prioritised over short-term financial gain. Spotify admits “this strategy may yield results that sometimes do not align with the market’s expectations.” The company also depends on highly skilled personnel to operate the business, and if they are unable to attract, retain, and motivate qualified employees, the ability to develop and successfully grow the company could be harmed.

International regulation and taxation.
As Spotify expands into new territories, it must adhere to a variety of different laws, including those in respect of internet regulation and net neutrality. Spotify even admits that language barriers, cultural differences, and political instability can bring share prices down! Furthermore, public pressure continues to encourage governments to adopt tougher corporate tax regimes, and tax audits or investigations could have a material adverse effect on the company’s finances.

Image result for bloomberg spotify

Method of offering.
While Spotify may not be able to successfully overcome each challenge listed in its prospectus, many of the risks are relatively common amongst international technology and media companies. But as an additional risk, Spotify has chosen a relatively unconventional method known as a direct public offering (DPO) to bring its shares to the stock market. Unlike a traditional IPO, in a DPO a company will not use an investment bank to market or underwrite (insure) its offering. While this avoids bank fees, uncertainty can result in a discounting of share prices. This is a really technical point and somewhat nuanced (it gave me headaches in law school!) but a risk worth noting.

I’ve written previously about Spotify’s copyright challenges, as well as its controversial privacy policy

Cisco v Arista: what next for computer programs and copyright?

Cisco v Arista: what next for computer programs and copyright?

Computer programs are functional, but they are also “literary works” that may be protected under copyright law. In December 2016, Arista Networks defended itself against a $335 million copyright infringement lawsuit from Cisco Systems. Cisco is now appealing the decision.

Cisco Systems, the largest networking company in the world, is trying to prevent Arista Networks from building ethernet switches which partially rely on technology copied from Cisco. Now on appeal before Federal Court in California (9th Circuit), the legal question is whether aspects of the particular technology deserves copyright protection in the first place.

ethernet switches connect devices together on a network

Copyright protects creative expressions of an idea, but not the idea itself. This “idea–expression dichotomy” therefore limits the scope of copyright protection. In an earlier blog post, The Copyright Between Oceans, I explained how the scène à faire doctrine was used as a successful defence in a copyright lawsuit regarding the novel The Light Between Oceans, and its subsequent film adaptation. When scène à faire (French for “essential scene”) is applied, common or typical plot developments are denied copyright protection. This means that broad themes, storylines and ideas which are common in a particular genre remain free for use by authors, screen writers, and other artists.

In the United States, computer programs are considered “literary works” under the Copyright Act, 17 U.S.C. § 101. Accordingly, scène à faire may be applied to preclude copyright protection from aspects of a computer program which are common or otherwise “dictated by practical realities.” Practical realities include hardware compatibility, manufacturer design, and industry practice. Arista’s defence turns on this concept.

Continue reading “Cisco v Arista: what next for computer programs and copyright?”