Legal Aspects

From SAM
Jump to: navigation, search

Legal Aspects include legal requirements and concerns along with ethical issues related to privacy and data protection issues that may arise throughout the SAM lifecycle. The main three areas that have to be tackled to ensure compliance with the existing law focus around privacy and data protection, intellectual property rights and issues regarding liability for the user generated content.


Every day public authorities, businesses and individuals handle and transfer vast amounts of personal data not only within the European Union but also across borders. Each country has enacted specific legislation regarding the usage and flow of personal data. Sometimes, the data protection rules of different countries conflict and as a result international exchanges are disrupted. Therefore, the EU has
established common rules (Data Protection Directive) so as to provide a unified framework of high protection for personal data. The Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU.

Relevance to SAM

In the context of SAM project, compliance with the existing law in the area of privacy and data protection regulation is an important objective. In order not to intrude the privacy of End Users, principles of data processing should be implemented, like for example principle of purpose specification or a principle of data minimisation. The former principle entails that data controllers must collect data only as far as it is necessary in order to achieve the specified and legitimate purpose. Moreover, no further processing can be carried out that is incompatible with those purposes. This can be translated into a rule that the data subject must be specifically informed about the purpose of the data collection and that such data cannot be used later for further purposes that are different than the original ones. The latter principle requires that the processing of personal data should be limited to data that are adequate, relevant and not excessive. This means that data controllers are obliged to store only a minimum of data necessary to run their services. The purpose of this principle is to prevent the collection of data, which would not be strictly necessary for the provision of the service. In other words, the principle seeks to limit the collection of data.

An issue of great importance for SAM is the Terms and Conditions of the service. The End Users should be informed regarding their rights and their responsibilities and also the service’s rights and responsibilities. SAM Terms and Conditions should also inform the End Users on what information is collected, how this information is processed, protected and shared and how the End Users can control the information that they share. Moreover, SAM Terms and Conditions should address copyright and ownership issues for the content aggregated and syndicated.

As SAM is going to interact with the existing Social Network Services, gathering and publishing information, the compliance with their Terms and Conditions is a major issue. These Terms and Conditions should be thoroughly examined so that the SAM platform would be aligned with them. This action should be undertaken as early in the project's lifecycle as possible as the T&C’s might have a wide effect on the planned architectures and changes may be required in order to comply with them.

The legal aspects related to SAM are examined in detail in D2.5 Brand and Consumer Integrity deliverable of WP2 2nd Screen, Social Media Vision and Challenges.

Legal Aspects Analysis

Privacy and Data Protection

The Data Protection Directive has anticipated two roles played by the entities involved in processing of personal data: data controller (determines the purposes and means of the processing of personal data) and data processor (processes personal data on behalf of the controller). The distinction between the two roles is crucial as the data controller is liable for violations of the Data Protection legislation, while the liability of the data processor is limited. It is worth mentioning that the applicable national legislation depends in first instance on the location of the data controller’s establishment.

Regarding pseudonyms, they are considered as personal data and thus their collection and processing should be aligned with the data protection legislation. Moreover, when processing personal data, an appropriate legal basis should be defined. In this context, it is foreseen that the processing is allowed only when the data subject has given his/her consent. Another parameter is that the data subject should be informed about the collection and processing of their personal data. This task is not trivial, as this information should be sufficient so as the data subjects understand what they are asked for, but not too much that would overwhelm or confuse them. In the context of the project, fairness and transparency regarding the data processing activities should be ensured: the data are collected for specified, explicit and legitimate purposes, they should be accurate and kept up-to-date, the data processing is carried out in a clear way. Sensitive data (data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life) can be processed if users have given their explicit consent otherwise it is prohibited.

As far as the storage of the data is concerned, they should be stored only for the period necessary for the purposes of the project and always in consistency with the data subject. The data subjects have rights upon their data: the right to be informed regarding their processing, the right to access them and the right to object to the processing. These rights are in accordance with the data protection legislation and should be respected by the data controller. Lastly, the confidentiality of the data processing should be ensured and also the data should not be transferred to third countries unless these countries provide an adequate level of protection.

Terms and Conditions

Developers’ Terms and Conditions

In many cases, organisations or individuals leverage content from different Social Networks (Facebook, Twitter, Google+,FlickR, MySpace, Youtube, Dailymotion, Instagram) through their API (Application Programming Interface). These APIs are accompanied with some rules concerning this content mining, called Terms and Conditions (T&C). Every project should not only be interoperable with these APIs but also should follow their Terms and Conditions. Compliance with the Terms and Conditions of every SNS (Social Networking Service) is not an easy task, as the rules are drafted unilaterally, and they are also subject to the exclusive interpretation of the platform provider. In a nutshell, the platform provider is not interested in considering any interpretation of its rules that would differ from their perspective. Their view, however, is usually not presented to the public. Some explanation might be provided but it seldom is exhaustive enough to clarify all the doubts. This can be particularly problematic in case of provisions that are phrased in a vague manner.

To sum up, the goal of Terms and Conditions, after all, is ensure that the business model of the platform provider is not threatened by another business model that might take advantage of the freely available content of this specific SNS. Another factor complicating any attempts of compliance is the frequency of changes to the T&C’s. As shown above, platform providers reserve themselves a right to rewrite the given conditions anytime, and any way, they feel it is required. This means the rules can change from one day to another, possibly without any warning. Additionally, possible future changes are very difficult to predict. They reflect the business interest of the platform providers which are the most urgent to protect, but there is no possibility to foresee their nature or the extent of thereof.

Users’ Terms and Conditions

The Terms of Service (ToS), Terms of Use (ToU) or Terms and Conditions (ToC) are rules, which an end user must agree to comply with in order to use a specific service. First of all, the Terms of Use define the rights and responsibilities of the user regarding the proper usage of the service and the actions that the service provider may take in case of non-compliance with these Terms. In case of a social networking service where the user has the possibility to submit his/ her own content, the Terms of Service foresee the copyright licensing of this content. The content must also abide with the Terms of Service. In general, the provider reserves the right to remove any content from the service, at its sole discretion, including unacceptable content.

As far as the copyright and ownership are concerned, the Terms and Conditions usually mention that the service provider owns intellectual property rights to any protectable part of the Service that may not be copied or modified. Furthermore, the Terms of Use include topics concerning representations and warranties, indemnification, disclaimers, Limitation of Liability and Damages.

Part of the Terms and Condition of every service is the Privacy Police, a statement that refers to the ways this service gathers, uses, discloses and manages the users data. With their Privacy Policies, the Services notify the users about what information is collected (information that the users provide and information that is collected automatically), information that third parties collect, with whom this information is shared. What is more, the users learn how they can control the information that is collected, used and shared and how this information is protected.

Liability of the Intermediaries

The term “intermediaries” refers to the type of entity that is placed between parties to intermediate: Internet service providers (ISPs), hosting providers, search engines, e-commerce intermediaries, Internet payment systems and participative Web platforms. Their role is to "provide access to, host, transmit and index content originated by third parties on the Internet; facilitate interactions or transactions between third parties on the Internet; or provide other Internet-based services to third parties".[1] As this entity plays a crucial role in Internet communications, it is considered be a natural point of control for online content and thus eliminate anything illegal.

The European Union adopted the E-commerce Directive 2000/31 that “establishes harmonised rules on issues such as the transparency and information requirements for online service providers, commercial communications, electronic contracts and limitations of liability of intermediary service providers”.[2] The Directive specifies that intermediary service providers shall not be liable for actions that qualify as ‘mere conduit’ (article 12), ‘caching’ (article 13) or ‘hosting’ (article 14). In these cases, according to Article 15 of the E-Commerce Directive service providers are neither obliged to monitor information they transmit or store, nor to actively seek facts or circumstances indicating illegal activity. Lastly, as far as the search engines are concerned, it seems that there is a legal vacuum as they constitute a special type of intermediary, which nominally is neither mere-conduit, nor caching, nor hosting.

Intellectual Property Rights

Intellectual Property Rights constitute a very important factor for every application that allows users to find content created by other people. Many complications are posed by the fact that the intellectual property law is not harmonised across the EU. In other words, different criteria for protection are required in different member- states. Regarding originality, that is demanded in order for a creation to be protected, the requirements vary from low level of “skill and labour” met in the UK, through the medium level of “the individual character and personal stamp of the author in France and Belgium to the demanding level of the “print of the author’s personality that rises above average” met in Germany. Another issue that poses limitations is the fact that there is not always the ability to recognize the author of the content. There is no technical way to assess if the uploader of the content is also the author, unless the real rightholder appears and complains about infringement of his rights.

In general, the intellectual property rights task is not trivial as many legal issues may arise from not taking under consideration all the posed limitations. In many cases, the development of tools that deal with the intellectual property issues are out of the scope of the various applications that syndicate content. For this reason, the applications providers should be protected by addressing these issues in the Terms and Conditions section, so as to make clear their approach regarding the ownership, the storage the uploading of the content and the rights of the end users.

Standards and Policies

Data Protection Directive

The Data Protection Directive (Directive 95/46/EC) is a European Union directive which controls the processing of personal data within the context of the European Union. The processing of personal data is acceptable only if the following principles are met: transparency, legitimate purpose and proportionality. In particular, according to Article 7 of the Data Protection Directive, "personal data may be processed only if:

  1. the data subject has unambiguously given his consent; or
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
  3. processing is necessary for compliance with a legal obligation to which the controller is subject; or
  4. processing is necessary in order to protect the vital interests of the data subject; or
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)".[3]

Regarding legitimate purpose, Article 6(b) states that "personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards".[4]

As far as proportionality is concerned, "the data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Moreover, they must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified"[5]

The data should not be transferred to third countries (countries outside the EU) unless these countries provide an adequate level of protection.

E-Commerce Directive

"The Electronic Commerce Directive, adopted in 2000, sets up an Internal Market framework for electronic commerce, which provides legal certainty for business and consumers alike. It establishes harmonised rules on issues such as the transparency and information requirements for online service providers, commercial communications, electronic contracts and limitations of liability of intermediary service providers. The proper functioning of the Internal Market in electronic commerce is ensured by the Internal Market clause, which means that information society services are, in principle, subject to the law of the Member State in which the service provider is established. In turn, the Member State in which the information society service is received cannot restrict incoming services.

In addition, the Directive enhances administrative cooperation between the Member States and the role of self-regulation. Examples of services covered by the Directive include online information services (such as online newspapers), online selling of products and services (books, financial services and travel services), online advertising, professional services (lawyers, doctors, estate agents), entertainment services and basic intermediary services (access to the Internet and transmission and hosting of information). These services include also services provided free of charge to the recipient and funded, for example, by advertising or sponsorship".[6]

Related Projects

  1. SocIoS (Exploiting Social Networks for Building the Future Internet of Services)[7]
  2. OPTIMIS (Optimized Infrastructure Services) [8]
  3. RADICAL (Rapid Deployment for Intelligent Cities and Living)[9]
  4. +Spaces (Positive Spaces) [10]


  1. The Economic and Social Role of Internet Intermediaries,
  2. E-Commerce Directive,
  3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  5. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 6
  6. E-Commerce Directive
  7. Exploiting Social Networks for Building the Future Internet of Services
  8. Optimized Infrastructure Services
  9. Rapid Deployment for Intelligent Cities and Living
  10. Positive Spaces