Posts by JasnaCosabic:

    GDPR Clock Is Ticking For The US Companies As Well

    January 22nd, 2018


    By Jasna Cosabic.



    The General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. Its long-arm territorial reach brings obligations not only to EU establishments, but to US-based companies as well. Global connection through the internet underlines the likelihood of such broad application, and it will impact US businesses. One of the prerequisites for safe transfer of data between the EU and the US is already accomplished by the EU-US Privacy Shield agreement. The European Commission has considered this agreement as providing adequate guarantees for transfer of data. Under the Privacy Shield scheme, companies may self-certify and adhere to the principles stated therein. Yet there are still fewer than 3000 companies in the US participating in the Privacy Shield. But GDPR safeguards still have to be followed. Below, we shall look at some of the most profound aspects of compliance with the GDPR for US (non-EU) based companies.


    • Data protection officer


    Although it is not obligatory pursuant to the GDPR, it is advisable that a company appoints a data protection officer (‘DPO’) or designates that role to a specific position in the company. A DPO can also be externally appointed. There may be a single DPO for several companies, or several persons designated with the DPO role in one company. The position need not carry that title; it may be a privacy officer, compliance officer, etc. Such a person should possess expert knowledge about the GDPR and data privacy, and may have a legal, technical or similar background. The GDPR is not specific as to the requirements for that person, apart from possessing expert knowledge. The role of the DPO is to inform, monitor and advise the controller, processor or employees, to cooperate with the supervisory authority, to provide training of staff, and to help in performing the data protection impact assessment.

    • Data protection impact assessment

    The further step that companies affected by the GDPR, including US companies, should take in order to evaluate the risk of a data breach is to perform a data protection impact assessment (‘DPIA’). A DPIA is a thorough overview of the processes of the company, and can be done with the help of the data protection officer. It may include a form or a template with a series of questions, which have to be answered for each processing activity. The DPIA has to be detailed and cover all operations in the company. The function of the DPIA is to predict situations in which data breaches may occur, and which include processing of private data. The DPIA should contain, pursuant to Article 35 of the GDPR, a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph, and the measures envisaged to address the risks, including safeguards and security measures. A DPIA is a very useful way of showing compliance, and it is also a tool that helps the company in the first place, by giving an overview of processing activities and an indication of where a breach could happen.



    • EU representative


    A US company (non-EU based company) has to appoint an EU representative if its business relates to the offering of goods or services to natural persons in the EU, including even free goods or services, or when processing is related to monitoring of the behaviour of data subjects in the EU. Monitoring of behaviour may include monitoring the internet activity of data subjects in order to evaluate or predict their personal preferences, behaviours and attitudes. An EU representative is not obligatory when the processing is occasional or does not include processing on a large scale of special categories of data such as genetic data, biometric data, data concerning health, ethnic origin, political opinions, etc., and when it is unlikely to result in a risk to the rights and freedoms of natural persons. However, given that the exceptions from the duty to designate an EU representative are pretty vague, in most cases companies whose operations towards persons in the EU are not negligible would have to appoint a representative. The representative would be located in one of the EU Member States where the data subjects are located. The representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation, and he/she is also liable and subject to enforcement in case of non-compliance.


    • Consent matters


    The GDPR is dominated by one key word of respect for privacy: consent. If companies wish to process data of natural persons that are in the EU, they must first obtain consent to do that. Consent must be freely given, informed, specific and unambiguous.

    Freely given consent presupposes that the data subject must not feel pressured or urged to consent, or be subjected to non-negotiable terms. Consent is not considered as freely given if the data subject has no genuine or free choice. The data subject must not feel reluctant to refuse consent for fear that such refusal will have a detrimental effect on him/her. If the consent is preformulated by the controller, which is usually the case, the language of the consent must be clear, plain and easily understandable for the data subject. Further, if there are several purposes for the processing of certain data, consent must be given for every purpose separately. Consent must be specific and not abstract or vague. Silence, pre-ticked boxes or inactivity are not to be considered as consent under the GDPR.

    Informed consent means that the data subject must know what the consent is for. He/she must be informed about what the consent will bring, and there must not be any unknown or undetermined issues. It is the duty of the controller to inform the data subject about the scope and purpose of consent, and such information must be in clear and plain language. But one must be careful: in today's world of fast-moving technologies, a person faces an overflow of consents to give in a short period of time, so ‘click fatigue’ may occur, which would result in persons not reading the information about the consent and clicking routinely without any thorough thinking. So controllers would have to design, by technical means, a form of consent that makes the person read and understand what he or she is consenting to. It could be a combination of yes and no questions, changing the place of tick boxes, visually appealing text accompanying the consent, etc.

    Consent must be unambiguous, or clearly given. There must not be space for interpretation whether consent is given for certain purpose or not. As to the form of the consent, it may be by ticking a box, choosing technical settings and similar (Recital 32 GDPR).

    The data subject gives consent for the processing of his or her personal data. However, companies have to bear in mind that the concept of data in the EU is broadly understood, and that it includes all personally identifiable information (PII), ranging from obvious data such as name and postal address to less obvious data that is still PII covered by the GDPR, such as an IP address. On the other hand, the IP address is not that clearly considered as PII in the US. In that regard, the protection in the US must be stricter, obliging US-based companies to also apply the broader EU standards.


    • Privacy by design implemented


    Privacy by design is a concept which brings together the legal requirements and technical measures. It is a nice and smooth way of incorporating law into the technical structure of a business. Privacy by design, if applied properly at the outset, shall ensure compliance with the GDPR requirements. It should point to the principles of data minimisation, where only data which is necessary should be processed, and storage limitation, which would provide for a periodic overview of storage and automatic erasure of data no longer necessary.

    One of the ways of showing compliance through privacy by design is ‘pseudonymisation’. Pseudonymisation is, according to the GDPR, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately, so that it cannot be connected to an identified or identifiable natural person. Pseudonymisation is not anonymisation and should not be confused with it. Anonymisation is a technique which results in irreversible de-identification, and since it completely disables identification, it is not subject to data protection under the GDPR. Pseudonymisation only reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure.


    • Binding corporate rules


    Binding corporate rules (‘BCR’) include a set of principles, procedures and personal data protection policies, as well as a binding clause adopted by the company and approved by the competent supervisory authority. Adopting binding corporate rules is not a simple process, but it means being on a safe track. It is one of the safeguards envisaged by the GDPR. BCR should include, according to Article 47 of the GDPR, the structure and contact details of the company, categories of personal data, the type of processing and its purposes, application of general data protection principles (such as purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, ...), rights of data subjects, the tasks of the data protection officer, complaint procedures, mechanisms for reporting to the competent supervisory authority, appropriate data protection training for personnel, and an indication that the BCR are legally binding. BCR should additionally be accompanied by privacy policies, guidelines for employees, a data protection audit plan, examples of the training program, a description of the internal complaint system, a security policy, a certification process to make sure that all new IT applications processing data are compliant with the BCR, and a job description of data protection officers or other persons in charge of data protection in the company.


    • Make your compliance visible


    Well, if your company has performed all of the above, it has to make it visible. Companies that are covered by the GDPR not only have to comply, they have to show that they comply. The GDPR puts an obligation on controllers to demonstrate their compliance.

    From the first contact with the controller, the website must give the impression of compliance. BCR, privacy policies and DPO contact details must be visible so that the data subject may address the DPO in case of data risk or breach. The EU representative’s name and contact details must be put forward in order to be accessible to the supervisory authority in the EU. A contact form for data subjects, with options for access, the right to object, erasure, rectification and restriction, should be there, as should an organisational chart of the company and the flow of data transfers demonstrated by a data flow map. These are only some of the most important features that have to be followed.

    Non-compliance is a very costly adventure, one that businesses will try to avoid. With systematic planning, due analysis of the necessity of compliance with the GDPR, and clearly defined processes, US companies can gain many benefits for the business and attract and encourage data subjects in the EU to freely entrust their data to them. This is a thorough process, but worth accomplishing.


    Jasna Čošabić, PhD

    Professor of EU and IT law,

    GDPR specialist


    To be or not to be connected: The right to be (dis)connected

    January 13th, 2017




    By Jasna Cosabic.


    From the proclaimed right to be connected to the evolving right to be disconnected, only a few years have passed. However, in the internet sphere, prompted by the fast-developing world of technologies, law has to catch up as well.

    As from 1 January 2017, France has made effective the law which provides that companies with more than 50 employees should establish hours when staff should not send or answer emails. The law comes as a response to the increasingly common practice that workers, after leaving their place of work, actually stay at work, but this time through their various electronic devices, being obliged to check their mail, respond and eventually work from home during the time that should be their private time dedicated to their private life and family. Health and psychology experts were very much concerned about the consequences such connectivity may have on the health and personality of workers, who were thus not able to close the door of their office completely at the end of their working day.

    So what happened between the right to be connected and the right to be disconnected?

    Back in 2010, it was a great breakthrough for freedom of expression in the ‘online’ context when Finland, being a pioneer, provided its citizens with the legal right to access a 1 Mbps (megabit per second) broadband connection. It led to broadband access being included in basic communications services, like telephone and postal services, making Finland the first country to provide for such a right.

    Soon thereafter, in May 2011, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, in his Report, made a step further towards the protection of right to expression online, acknowledging that ‘the Internet has become a key means by which individuals can exercise their right to freedom of opinion and expression, as guaranteed under Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights’. A huge step was made in the new digital era when the classic human rights instruments have spread their effects to ‘online’ sphere as well.

    The above Report pointed out two segments of the right to internet which would enable individuals to exercise their right to internet:

    • Access to online content, and
    • Availability of the necessary infrastructure and information communication technologies

    The problem of access to internet would include arbitrary blocking or filtering of content, with the exception of legitimate grounds of state interference, criminalization of legitimate expression, imposition of intermediary liability, disconnecting users from internet access, cyber attacks and inadequate protection of the right to privacy and data protection.


    Countries worldwide have provided for access to fast internet, and technology has responded accordingly with a flood of devices that provide such access.

    The internet may be one of the most important instruments of the 21st century. It appears that in 2016, 46.1% of people globally were internet users. The United Nations Human Rights Council passed a resolution in 2016 for the promotion, protection and enjoyment of human rights on the internet, as a logical sequel to its resolutions on internet access in 2012 and 2014. It provided that the same rights that people have offline must also be protected online, which in particular concerned the freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice. It has recognized the global and open nature of the internet as a driving force in accelerating progress towards development in its various forms.

    However, the globally prevailing access to the internet raised some legal concerns about being constantly online. They concern, in particular, the work-home balance, and relate back to some long-established principles such as work hours, absence, annual leave, etc.

    A year ago, the European Court of Human Rights (‘the ECtHR’), in the case of Barbulescu v. Romania, dealt with the question of whether an employer is entitled to look into his employee’s private messages on Yahoo Messenger, written during working time. The employer monitored and made a transcript of messages sent from the Yahoo Messenger account that was created at the employer’s request for the purposes of contacts with clients, but the transcript also contained five short messages that Mr. Barbulescu, the employee, exchanged with his fiancée using a personal Yahoo Messenger account. The ECtHR found no violation of the right to respect for private life by such actions of the employer, having in mind, inter alia, that the company did adopt internal rules according to which it was strictly forbidden to use computers, photocopiers, telephones, telex and fax machines for personal purposes.

    This case alerted employees and employers worldwide to the right of employers, in certain circumstances, to monitor private messages sent over the internet during work hours, and at the same time alerted employees to abstain from sending them.

    However, the issue which exists vice versa, and which was not addressed at that time, is the question of whether an employer has the right to request his employee to be connected, and to stay online, outside of working hours. If so, does that time count as overtime? Is it to be considered as ‘work from home’? Does that interfere with the right to leave / rest between two working days? What may be the psychological effects of being constantly ‘on call’? How does that affect health?

    The first act on labour standards that the International Labour Organization adopted was the Convention Limiting the Hours of Work in Industrial Undertakings to Eight in the Day and Forty-eight in the Week (Entry into force: 13 Jun 1921). The international labour standards, such as the need to protect workers’ health and safety by providing adequate periods of rest and recuperation, including weekly rest and paid annual leave, may be affected by the overuse of internet technologies. Some companies adopted flexible working hours and a flexible place of work. But one should take care that this temporal and spatial flexibility does not diminish workers’ rights that took so long to be established.

    So first came the right to internet, or the right to be connected. Later, following the development of technologies and social online interactions, came the right of employers to review employees’ private messages and correspondence during work hours. Then, starting in France, came finally the right not to be connected. If a person cannot communicate privately during work hours, then he should not communicate for work during private hours.

    The work/private life ratio has a long history and was the cause of many social revolutions, which have resulted in a decrease of working hours, the right to free time between two working days, the right to annual leave, and limits on the scope of overtime. France is the best example of when we should say stop to technologies, for the preservation of basic human rights.

    The new French law means a small but important victory of human rights over IT, and a victory of workers’ rights and rights to privacy over IT technologies and smart communications. How that victory will influence further developments in labour law when speaking of its online element, remains to be seen.


    IT law – a challenge of dispute resolution

    August 11th, 2016

    By Jasna Cosabic.


    IT law, or cyber law or internet law, is evolving in giant steps. On its way, it has many challenges to meet and a lot of burdens to cope with. Although part of international law, it is specific in its nature, mode of implementation and protection. While classic international law deals with classic state territories and state jurisdictions, with a clear distinction between national laws, IT law is uncertain about state jurisdiction, earthbound borders, and the rules and proceedings regarding any dispute arising on the internet.

    However, with a fast development of information technology, the number of legal contracts and businesses on internet rises, requiring the fast response by legal order in terms of regulating and protecting it.

    From the time the internet emerged, each entity operating on the internet provided for its own rules. As IT became more complex and demanding, so did the rules. We therefore say that the internet is self-regulated, with no visible interference by the state, apart from the control of criminal activities.

    Some authors even call the internet a private legal order where stateless justice applies. Justice usually needs a state, which is a supreme authority, having the monopoly of violence, or the legitimate use of physical force. But speaking in internet terms, self-regulation has evolved, with state interference being mainly excluded.

    The form of entering into online contracts is getting simpler, mainly requiring just a mouse click on ‘I agree’ or ‘I accept’. The quantity of such legal interactions is increasing. It is often simpler and more convenient to purchase goods via the internet, and e-commerce is blooming. In parallel with the Single Market, the European Commission, Juncker’s Commission, started to boost a Digital Single Market in 2015, which would provide for growth of the digital economy.

    Its aim is to provide EU citizens with equal online access to goods and services, making a parallel world to the conventional or non-digital one. The Commission has just, on 25 May 2016, presented a package of measures in that regard, with the objectives of advancing EU data protection rules, reforming telecoms rules and copyright, simplifying consumer rules for online purchases, providing the same online content and services regardless of EU country, etc.

    However, what happens if a dispute arises from an online legal interaction? Which court is in charge? In which state? Under what fees?

    The law has always provided for procedural protection of obligations entered into by various types of contracts. The usual protection belongs to the courts. Court proceedings may sometimes be time-consuming, carry expensive fees, and are usually non-voluntary for at least one party to the proceedings. That usually brings the use of multi-level proceedings and recourse to remedies, and ends in compulsory enforcement proceedings.

    With the development of trade, especially of trade which crossed state borders, there emerged a system of solving disputes before non-judicial bodies: arbitration. Arbitration became a convenient way of solving disputes arising from contracts that involve a cross-border element. A very important element, which was not present in conventional court proceedings, is the voluntariness of the parties, who agree, even prior to any dispute that might arise, on an arbitration body which would be in charge in case a dispute happens.

    Arbitration became institutionalised, as with the Paris ICC Arbitration, the New York International Arbitration Center, etc. However, many forms remain non-institutionalised; these include impartial experts in the area of the dispute who, with the help of the parties, and implementing various forms of mediation and arbitration, aim to resolve the issue.

    This way of settling cases became very well accepted, as the parties voluntarily agree to arbitration rules and therefore enforcement of any such decision becomes more acceptable to parties and usually deprived of a compulsory element. So not many arbitration awards face compulsory enforcement by courts, which is otherwise provided by the New York Convention.

    However, with the emergence of online trade, there also came the question of solving any dispute that might arise from online trade, whether the subject of such trade is goods or services. It is more natural for parties who enter into their contract online to solve the dispute online.

    In February 2016 the European Commission launched an Online Dispute Resolution (ODR) Platform in order to provide for structured and institutionalized recourse to resolving legal disputes arising on the internet. It is designed to bring together the alternative dispute resolution (ADR) entities notified by member states, which fulfil certain quality conditions provided in the Directive on consumer ADR.

    The European Parliament and the Council of the EU have adopted two key documents in respect of online dispute resolution (2013), i.e. the Directive on alternative dispute resolution for consumer disputes and Regulation on online dispute resolution for consumer disputes.

    The parties to the proceedings are a consumer, being a natural person, acting for purposes which are outside his trade, business, craft or profession, and resident in the Union, and a trader, a natural or legal person, privately or publicly owned acting for purposes relating to his trade, business, craft or profession.

    The fees of the proceedings are supposed to be minimal or none. The length of proceedings should not exceed 90 days. Compared to court proceedings, which are often lengthy and costly, this makes a good alternative.

    Each trader is obliged to make the link to the ODR platform visible, thus informing consumers and enabling them to initiate proceedings in case of a dispute.

    The online dispute proceedings are to be led by key principles that ADR must fulfil including expertise, independence and impartiality, transparency including listing of ADR entities, natural persons in charge of ADR, the average length of ADR procedure, the legal effect of the outcome of ADR procedure including penalties for non-compliance, the enforceability of the ADR decision, if relevant. ADR proceedings must be effective, available and accessible with duration of up to 90 days except in highly complex disputes.

    But the question which arises after every dispute is solved, is the enforcement of its outcome.

    While the EU has just recently put forward the ODR platform, creating common principles of procedure for alternative dispute resolution entities joining the platform, there are already some good examples of self-regulated dispute resolution bodies. Some of the most successful models include PayPal, CyberSettle, and domain dispute resolution under the UDRP.

    CyberSettle, the world’s first online claim settlement company, which was launched in the late 90s and patented in 2001, invented the ‘double-blind bid’ dispute resolution process, in which two parties each make three offers and three demands in dispute resolution, in separate ‘blind’ submissions.

    CyberSettle automatically chooses the closest middle solution. PayPal developed a chargeback system, triggered by a complaint from the customer to his credit card issuer in case, for example, of not receiving the ordered goods. PayPal holds the funds until the issue is resolved. The UDRP (Uniform Domain-Name Resolution Policy) was designed to protect trademarks against registration of the same or similar domain names by non-owners of the trademarks, or cybersquatting.

    The common ingredient of these success stories is that the above ODR bodies themselves provided for an efficient system of enforcement, i.e. self-enforcement. Self-enforcement is considered to be the simplest and best way of enforcing a decision arising from an online dispute. Self-enforcement is possible with the support of technology.

    Another good incentive for enforcement is the trust the trader enjoys in the digital market. Impairment of the trust in the trader would automatically scale down his position in the digital market. If a trader holds a Trustmark as a guarantee of his quality, losing it for not complying with an online dispute resolution decision would put him in a disadvantaged position, and would certainly make him obey the decision.

    Moreover, disclosure of a list of traders not complying with ADR/ODR decisions might be detrimental to their reputation, which, speaking of online traders, plays a very important role in gaining trust from consumers in the digital market. Furthermore, social networking on the internet enables information to spread fast, which as a result may lead to a drop in a trader's rating.

    Trust is, speaking of online business, of utmost importance. The digital market is more sensitive and more dependent upon acceptance by the public than the regular market. It responds quicker, and any flaw is easily transmitted via the internet. It lacks physical assessment and is therefore more reliant on written information. The market rules will certainly define that it is better for a trader to comply with the ODR decision than to get an unfavourable reputation. E-commerce and e-business rely significantly on the trust that they have built with customers. A customer is much more careful when entering an online shopping site than when entering a real shopping mall.

    It is still early to have case-law resulting from the running of the ODR platform, as it was only released in February 2016. However, the move by the European Commission to bring self-regulation and self-enforcement under certain unified rules shall certainly bring results. The platform is currently applicable in EU member states, except for Croatia, Luxembourg, Poland, Romania and Spain. The remaining 23 member states reported to the Commission a wide list of ADR bodies, which may operate under different names: ombudsman, mediator, arbitrator, etc. This is a huge step in moving away from the conventional court system in cases that originated in online interactions. That gives another unified form to the online legal order that has been forming spontaneously and hectically from the time the internet spread as a tool. The European Commission, representing the key governing functions of the EU, made a move towards making the online system of running businesses, especially B2C, more secure and more convenient for consumers.

    The enforcement of an ADR decision should therefore not be an uncertainty of online dispute resolution proceedings. In that regard, it should be stressed that a milestone judgment of the European Court of Human Rights, Hornsby v. Greece (1997), provided that it would be ‘illusory if a Contracting State’s domestic legal system allowed a final, binding judicial decision to remain inoperative to the detriment of one party’. Accordingly, all procedural guarantees would be purposeless without protecting the implementation of the result of the proceedings.

    Although ODR proceedings are not judicial proceedings, often being left without state control and thus amounting to stateless justice as referred to above, it would be unimaginable for the decision ending the online dispute resolution to remain with no effect in practice. It would make the whole concept of online dispute resolution useless and deprived of its advantages, such as availability, fast resolution and small or no fees, and would eventually bring parties to the court, with all its shortcomings when online disputes are at stake, such as long, time-consuming proceedings, high fees and the duty of parties to appear in person, but with certain enforcement. Accordingly, in order for online dispute resolution to endure and evolve as a breakthrough in IT law, the enforcement of its outcome must not be compromised.
