Legal Brief #1: “ACTA 2” And First GDPR Penalty In Poland

Article written by Jan Marczyński and Jędrzej Brzykcy of JWMS Law Firm and legal partner of Foundation Supporting #OMGKRK.

Two important issues have occurred that have an impact on the legal regulation of business in Poland: “ACTA 2” and the first GDPR penalty.

“ACTA 2”

First, the Directive of the European Parliament and of the Council on copyright in the Digital Single Market was adopted on 26 March 2019. This long name is not often used – in Poland it is mostly know as “ACTA 2”, but worldwide as “Article 13”. Although its original purpose was to adapt the existing law to the current level of technological development, the two articles of the Directive aroused large controversial public perception. Big enough that demonstrations were organized in many European cities. 

Article 17 (former article 13 – after which it takes its common name) forces Internet service providers to preventively monitor content posted by users in terms of possible infringement of copyright. To meet the requirements of the new Directive, web portals will have to develop technologies for the automatic recognition and filtering of content. The current ‘notice and take down’ procedure, involving the removal of materials as a result of reporting their unlawful use by the rights owner, will be replaced by their preventive verification by the web portal owners.

The websites will be responsible not only for the lack of response to the notification but also for the lack of prior detection of unlawful content. First of all, they will have to:

– make every effort to obtain the right to legally use the content,

– act with high standards of diligence in a specific industry to prevent the dissemination of unlawful content.

While it is not directly regulated, in practice, this may mean forcing to use automatic content filters. For this reason, many expect that in fear of penalties, all content that algorithms of a specific internet portal will consider as legally doubtful will be blocked.

Controlling publications even before they are made available, may cause so-called overblocking, i.e. removal of lawful content, but recognized by systems as potentially violating intellectual property rights.

The Directive does not apply to:

– internet encyclopedias (e.g. Wikipedia),

– scientific and educational archives,

– passive platforms, i.e. cloud services for individual users (e.g. Dropbox),

– sales platforms like Ebay or Amazon,

– platforms under open access (e.g. GitHub),

– as well as all platforms whose main purpose is not to store or access copyrighted content (e.g. dating sites).

Article 17 does not apply in full to entities which:

– provide online content sharing services in the European Union for less than three years, and

– their annual turnover is less than EUR 10 million and

– have an average monthly number of unique users of less than 5 million (calculated for the previous calendar year).

All the above conditions must be met simultaneously.

These entities still have more duties than under the current rules – however, they are not required to apply the ‘high standards’ in force in the given industry. They will still have to show that they have made every effort to obtain the appropriate permits to use the protected content, and to prove that in the case of receiving reports of violations, they have taken immediate action to remove them from their platform. Article 11, on the other hand, introduces new related rights for press publishers. 

Under the new law, internet search engines and information aggregators have to pay fees for using, even in part, digital press publications. In theory, this is to prevent use of protected content for profit, without sharing a proper part of the revenue with creators (platforms will be required to pay copyright holders for materials published by users or delete them immediately). This rule is supposed to limit abuse of the dominant position by such players as Facebook or Google.

However, the effect may be exactly the opposite. It is said that these Internet giants will promote publishers who will give up such fees (this is exactly what happened in Germany, where the headlines published by the publishers of articles have disappeared from the search results, which resulted in a significant drop in internet traffic on their websites). Most likely, big firms will negotiate with organizations of press publishers in order to set fixed amounts for right to publish the headlines. 

At the same time, the new regulations do not apply to the private and non-commercial use of press texts by users, including the inclusion of hyperlinks along with short extracts from the article (“snippets”). The countries belonging to the European Union now have 2 years to change their regulations to comply with the Directive.

First GDPR Penalty In Poland

On March 25, media published information about the first fine in Poland for violation of the GDPR – the amount was almost one million PLN.

To summarise the case:

1. there are companies that collect personal data from publicly available registers (such as National Court Register, Central Register and Information on Economic Activity or land and mortgage registers) for various purposes (most often marketing purposes).
2. this is doubtful from legal point of view, because the purpose of the above-mentioned registers is not commercial use of the data contained in them (in particular to trade in these data), but only to information public.
3. those companies have practical problems with the fulfilment of the obligation to inform persons whose personal data they download from such public records. The punished company had 6 million of such records.
4. GDPR allows exceptional situations in which we do not have to inform about the processing of personal data. One of the exceptions is when the doing so is impossible or would require a disproportionately large effort.
5. the punished company acted just on the exception described above and decided that it would not inform all the 6 million people in the company’s database
6. the company has just sent emails to those few people whose addresses were in the National Court Register or Central Register and Information on Economic Activity – for all the other, the company just put information on its own company website.
7. however, the Personal Data Protection Office had a different view. It decided that the exception allowing not to inform person whose data is processed does not apply in this case.
8. The result is a fine of PLN 943,000 and the obligation to notify about the processing of data of all interested persons.
9. the Personal Data Protection Office has announced that further penalties will be imposed much more frequently than once a year.
10. Many proceedings are currently underway, but simply have not finished yet. The office even announced a plan of systematic controls.

While the amount of the penalty was obviously result of the number of people whose data has been processed by the company and the fact that the data was collected without their knowledge, this case shows that Polish GDPR auditing authorities will not hesitate when it comes to giving fines to entrepreneurs whose behaviour they will believe as incorrect.