German Law: critical infrastructures and cybersecurity

The frequency and the impact of incidents affecting information systems and services are continuously growing, because of the development of increasingly sophisticated methods.One of these methods consists in creating and using ‘botnets’, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitute the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.
Cyber-attacks can be really critical to sensitive functions in both the private and public sector, with particular reference to the so-called “critical infrastructures”, namely, facilities and installations, the disruption or destruction of which could seriously affect essential economic and societal activities (e.g. transportation and traffic, IT and telecommunication, water and food, finance and insurance, healthcare).
The most relevant German regulation on the matter is contained in the IT Security Act, which came into effect on July 25, 2015.
The IT Security Act applies to websites operators and others considered as service providers according to the German Telemedia Act, telecommunication companies and operators of critical infrastructures, requiring them to implement security measures and to report security incidents to the Federal Office for information Security - “Bundesamt für Sicherheit in der Informationstechnik” (BSI).  This regulation applies to operators based in Germany, as well as, to foreign operators to the extent they provide infrastructures, products and services in Germany.
The IT Security Act is relevant in particular because of the regulation provided for the operators of critical infrastructures.
The IT Security Act provides a general definition of “critical infrastructures” and it empowers the Federal Ministry of the Interior to specify, in each sector, which operators could be deemed as a critical. At this purpose, the Ministry shall use branch-specific threshold values. The first ordinance, recently issued, covers the following sectors: energy, information technology and communications, water and food. The ordinance for the health, banking and insurance sectors is expected by the end of 2016 and the ordinance concerning the transport and traffic sector is expected by the beginning of 2017.
According to the IT Security Act and the ordinances, critical infrastructure operators must fulfill the following requirements.
First of all, companies shall adopt state-of-the-art technical and organizational measures to protect and ensure the availability, integrity, authenticity and confidentiality of their IT systems and services. IT Security Act does not define what is to be considered as state-of-the-art in each branch. The specification will be provided by the BSI, in cooperation with the representatives of the relevant sectors. Companies and industry associations may also propose branch-specific security standards.
Companies shall adopt the measures provided by the BSI within two years after the above mentioned ordinances has taken effect and they will be also required to demonstrate compliance to the BSI at least every two years (e.g. by security audits, examinations and certifications).
During the transition period, companies shall apply state-of-the-art measures, which are appropriate, technically feasible and commercially reasonable. In order to identify the “state-of-the-art measures”, companies can refer to national and international standards as well as to examples successfully proven in practice for the respective sector.
Within six months, after the above mentioned ordinances, companies shall also define an internal procedure in order to accomplish the reporting obligation to the BSI and they shall identify a person as a single point of contact with the authority. In case of incident, companies shall inform the BSI immediately, providing any relevant information on the disruption (e.g. the suspected or actual cause, the information technology and the facilities involved). The IT Security Act does not ask companies to report cybercrime attacks publicly but, in limited circumstances, the BSI could provide third parties with information on reported incidents.
In case of failure in implementing IT security measures, companies should pay fines up to EUR 100,000. Fines could be lesser in case of failure in complying with reporting obligations to the BSI.
The IT Security Act forestalled the European directive 2016/1140 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).
The NIS Directive clarifies that Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems. Moreover, the analysis of the rules shows significant similarities between European and German regulation.
Hence, the Directive does not affect the validity of the IT Security Act, but the German legislator should be asked to adjust the current legislation where necessary. Responding effectively to the new challenges in the cyber security sector requires, in fact, a global approach at Union level, covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators.


Cybersecurity: the relevant European regulation

Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities as well as to the functioning of the internal market.
However, the frequency and the impact of security incidents are continuously increasing and they represent the major threat to the functioning of information systems and services, as well as to the protection of the personal data.
Furthermore, the different approach of the Member State has led to fragmented regulations across the Union.
Responding effectively to the new challenges in the cyber security sector requires a global approach at Union level, covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators.
In order to accomplish this purpose, the European Union issued, inter alias, the following acts:
- Directive 2013/40/EU of 12 august 2013, on attacks against information system.
- Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union.
- Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Directive 2013/40/EU of 12 august 2013, on attacks against information system
The objectives of this Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).
In fact, there is evidence of a tendency towards increasingly dangerous and recurrent large-scale attacks conducted against information systems which can often be critical to particular functions in the public or private sector. There is also a relevant number of “critical infrastructures” (infrastructures which are essential for the maintenance of vital societal functions like health, safety, security and transport), the disruption or destruction of which would have a significant cross-border impact.
Furthermore, it is really relevant the development of increasingly sophisticated methods, such as the creation and use of so-called ‘botnets’, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitute the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.
Hence, the Directive aims to introduce criminal penalties for:  (i) illegal access to information systems, (ii) illegal system interference, (iii) illegal data interference, (iv) illegal interception.
In all cases, the criminal act must be committed intentionally. Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.
The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.
Where an offence is committed in the context of a criminal organisation and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person's identity and causes harm to this person.
The Directive also introduces the liability of 'legal persons' and sets out sanctions that may apply if they are found liable.
Each EU country will assume jurisdiction at minimum for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the author of said offence.
In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against cyber-attacks. Member States should take the necessary measures to protect their critical infrastructure from cyber-attacks, as part of which they should consider the protection of their information systems and associated data. Ensuring an adequate level of protection and security of information systems by legal persons, for example in connection with the provision of publicly available electronic communications services in accordance with existing Union legislation on privacy and electronic communication and data protection, forms an essential part of a comprehensive approach to effectively counteracting cybercrime. Appropriate levels of protection should be provided against reasonably identifiable threats and vulnerabilities in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage a cyber-attack would cause to those affected. Member States are encouraged to provide for relevant measures incurring liabilities in the context of their national law in cases where a legal person has clearly not provided an appropriate level of protection against cyber-attacks.
To fight cybercrime better, the Directive also calls for greater international cooperation between judicial and law enforcement authorities.
To this end, EU countries must: (i) have an operational national point of contact, (ii) use the existing network of 24/7 contact points (iii) respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided, (iv) collect statistical data on cybercrime.
This Directive has been implemented by national laws across the Union.
Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network  and information systems across the Union.
The Directive requires minimum IT security requirements and a reporting scheme for security incidents to digital service providers as well as operators of essential services, so called “critical infrastructures”.
Within the meaning of the Directive, digital services are: (i) online marketplace; (ii) online search engine; (iii) cloud computing services. The Directive does not apply to: (i) undertakings providing public communication networks or publicly available electronic communication services, within the meaning of Directive 2002/21/EU, which are subject to the specific security and integrity requirements laid down in that Directive; (ii) trust service providers within the meaning of Regulation 910/2014/EU which are subject to the security requirements laid down in that Regulation.
Digital service providers should identify and take appropriate and proportionate technical and organisational measures to ensure the security of network and information systems which they use in the context of offering their services within the Union, as well as to prevent and minimise the impact of incidents affecting their systems.
Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; (v) compliance with international standards. They also should notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service. In order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; (v) the extent of the impact on economic and societal activities.
For the purposes of the Directive, a digital service provider should be deemed to be under the jurisdiction of the Member State in which it has its main establishment, namely, the head office. If the digital service provider is not established in the Union but offers services within the Union, should designate a representative in the Union.
Operators of critical infrastructure are subject to rules slightly different. Each Member State will determine which operators in their jurisdiction could be considered as critical infrastructures. The criteria for the identification should be as follows: (i) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) the provision of that service depends on network and information systems; and (iii) an incident would have significant disruptive effects on the provision of that service.In order to establish if an incident could have significant disruptive effects, the Member States should take into account the following factors: (i) the number of users relying on the service provided by the entity concerned; (ii) the dependency of other sectors referred to in Annex II on the service provided by that entity; (iii) the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety; (iv) the market share of that entity; (v) the geographic spread with regard to the area that could be affected by an incident; (vi) the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service. It is also possible that some entities provide both essential and non-essential services. Therefore, the operators should be subject to the specify security requirements only with respect to those services which are deemed to be essential. Furthermore, for the purpose of the identification process, when an entity provides an essential service in two or more Member state, those Member States should engage in bilateral or multilaterals discussions with each other. The Directive underlines the importance of an international cooperation within the Union, considering that services and incidents could have cross-border impact.In order to facilitate cross-border cooperation and communication, each Member State should designate a national single point of contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at Union level. EU countries will have 21 months from the date the directive comes into force to implement the new EU legislation into national laws, and have a further six months to identify the operators of critical infrastructures.
Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. Furthermore, technological developments and globalisation have brought new challenges for the protection of personal data. Hence, those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement. In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
With particular reference to the security of personal data, the Directive provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. This Regulation shall apply from 28 May 2018.


Italia: Privacy ed invio di spot pubblicitari mirati

Con provvedimento del 13 luglio 2016, il Garante si e' pronunciato sulla richiesta di verifica preliminare presentata da Sky in merito alla possibilita' di veicolare messaggi pubblicitari mirati a spettatori di un medesimo programma.
Destinatari della pubblicità i nuclei familiari in possesso di uno specifico apparecchio per la ricezione da satellite o via internet, raggruppati in appositi cluster in base a caratteristiche relative al servizio fruito (ad es., tipologia del "pacchetto" tv, durata dell'abbonamento, modalità di pagamento) e ad altre informazioni (fascia di età,  luogo di residenza).
Piu' in dettaglio, il progetto presentato da Sky si presenta suddiviso in quattro fasi: a) creazione di una banca dati anonimizzata, partendo dai dati (gia' pseudoanonimizzati)  in possesso di Sky, in conformta' con gli standard contenuti nel parere Parere n. 5/2010 del Gruppo di lavoro Articolo 29. L'anonimizzazione avverrebbe dunque tramite l'eliminazione di ogni riferimento univoco a singolo abbonamento/smart card, inclusa l'anagrafica cliente; b) definizione delle regole di segmentazione volte ad enucleare (da parte di personale appartenente ad una divisione della società cui è inibito l'accesso al database contenente i riferimenti anagrafici) segmenti di interesse, composti da almeno 5.000 clienti (cd. cluster) risultanti dalla combinazione di più attributi, e trasmissione in broadcast di tali "regole" ai STB; c) applicazione delle regole e, conseguentemente, associazione a ciascun cluster di determinati spot mirati, memorizzati sugli hard disk dei STB "My Sky HD" in base agli attributi presenti sulla smart card. Al momento del passaggio dello spot, e' il STB a veicolare, in base a informazioni inserite nel flusso video, la pubblicità in onda ovvero quella mirata precedentemente memorizzata sull'hard disk. Mediante un algoritmo, i sistemi producono per ogni slot pubblicitario identificato come sostituibile una lista di possibili campagne selezionabili dai STB per la sostituzione; la scelta, effettuata dal STB, non è determinabile a priori; d) trasmissione via Internet, da parte dei soli dispositivi abilitati (i soli STB connessi a Internet), in forma aggregata, dei feedback relativi agli spot oggetto di sostituzione e senza cambio di canale per fini statistici e di rendicontazione relativa all'analisi sulle performance delle campagne pubblicitarie. 
Il Garante si e' pronunciato positivamente sul progetto, aggiungendo tuttavia alcune prescrizioni intese ad elevare il livello di protezione degli utenti.
In particolare, gli utenti dovranno essere messi in condizione di opporsi agevolmente all'invio degli spot mirati, digitando "no" sul telecomando, opppure spuntando una apposita casella nella sezione dedicata agli utenti registrati nel sito della società, o ancora inviando una comunicazione, anche via email, alla società ovvero interagendo con il call center. 
Sky dovra', inoltre, informare gli utenti delle finalità che intende perseguire con questo progetto (marketing sulla base della profilazione); spiegare loro le modalità impiegate per assicurare l'uso dei dati in forma aggregata,  tali da non essere riconducibili ai singoli abbonati; avvisarli della possibilità di esercitare i diritti riconosciuti dalla normativa in materia di protezione dei dati (accesso ai dati, rettifica, cancellazione, opposizione al trattamento).
L'informativa potrà essere resa in forma sintetica mediante un cartello che apparirà a video alla prima accensione dopo l'aggiornamento del software e che dovrà rimandare ad una pagina web, reperibile facilmente e in ogni momento. Nell'informativa, oltre a fornire le informazioni sui diritti degli utenti, Sky dovrà descrivere il progetto nel dettaglio. Il messaggio dovrà essere ripetuto più volte e con modalità tali da assicurarne la visibilità a più componenti della stessa famiglia.


Germany: the legitimacy of the parody under the EU law

On 28th July, 2016, the Federal Supreme Court ruled that the section 24, subsection 1 of the Copyright Act, relating to the free use of a copyright protected work in order to realize a parody, must be interpreted in accordance with the Art. 5 (3) lit. k of the Directive 2001/29/EC.
In this regard, it is relevant the decision issued by the CJEU on 3td, September, 2014 (C-201/13). The CJEU said that concept of ‘parody’, which appears in a provision of a directive, that does not contain any reference to national laws, must be regarded as an autonomous concept of EU law and interpreted uniformly throughout the European Union.
That interpretation is not invalidated by the optional nature of the exception mentioned in Article 5(3)(k) of Directive 2001/29. An interpretation according to which Member States that have introduced that exception are free to determine the limits in an unharmonised manner, which may vary from one Member State to another, would be incompatible with the objective of that directive (see, to that effect, judgments in Padawan, paragraph 36, and ACI Adam and Others, C‑435/12 , paragraph 49). 
In the opinion of the CJEU, the article 5(3)(k) of Directive 2001/29 must be interpreted as meaning that the essential characteristics of parody, are, first, to evoke an existing work, while being noticeably different from it, and secondly, to constitute an expression of humour or mockery. On the contrary, the concept of ‘parody’, within the meaning of that provision, is not subject to the conditions that the parody should display an original character of its own, other than that of displaying noticeable differences with respect to the original parodied work; that it could reasonably be attributed to a person other than the author of the original work itself; that it should relate to the original work itself or mention the source of the parodied work.
Moreover, the application of the exception for parody, within the meaning of Article 5(3)(k) of Directive 2001/29, requires a fair balance between, on the one hand, the freedom of expression of the user of a protected work who is relying on the exception for parody, and on the other,  the interests and rights of persons referred to in Articles 2 and 3 of that directive.



Italia: come tutelare un Format Televisivo

Se abbiamo un'idea che sia originale ed innovativa, è nostro diritto e nostro dovere tutelarla.
Spesso sento ripetere che non vale la pena di depositare un Format perchè non è tutelabile.
Questa affermazione contiene solo una piccola parte di verità.
Certamente depositare un format presso la SIAE non ha la stessa efficacia del registrare un marchio, ma rappresenta comunque uno strumento di tutela a mio avviso non rinunciabile.
Depositare un Format significa infatti vedere tutelata la priorita´della propria idea e, ove si consideri che la procedura è estremamente semplice e poco onerosa sul piano economico, puo' rappresentare davvero un'utile risorsa.
Vediamo, di seguito, come procedere concretamente.
1. Caratteristiche del Format
Ai fini della tutela, occorre che il Format presenti alcune caratteristiche. Infatti, e' indispensabile che esso: (i) abbia una struttura originale esplicativa dello spettacolo; (ii) abbia una struttura compiuta nell'articolazione delle sue fasi essenziali e tematiche; (iii)presenti i seguenti elementi qualificanti: titolo, struttura narrativa di base, apparato scenico e personaggi fissi. 
In linea generale, quando il tema centrale non ha di per sé carattere di assoluta originalità, il format si puo' comunque considerare sufficientemente preciso (e quindi tale da costituire una elaborazione originale) anche quando, pur senza giungere ad una esposizione minuziosa ed analitica, fornisce elementi sufficienti a caratterizzare in modo definitivo almeno la natura e lo svolgimento degli eventi.
2. Modalita' di deposito
a. Se tu o un altro dei coautori e' iscritto alla sezione DOR della SIAE:
- la procedura di deposito è gratuita
- dovete depositare il Bollettino di Dichiarazione (il cd. Modello 91 più eventuali allegati) compilato e firmato da tutti voi.
-dovete inoltre depositare un esemplare del copione originale firmato su tutte le pagine, sempre da tutti gli autori.
b. Se né tu né un altro degli autori del format è iscritto alla SIAE:
- la procedura è a pagamento. In questo caso dovete versare a titolo di diritti di segreteria € 25,00 + IVA (per un totale di € 30,50), mediante POS pagamento o presso lo sportello UNICREDIT BANCA presente in Direzione Generale, o tramite versamento su bollettino di c/c postale n. 84294008 intestato alla Società Italiana degli Autori ed Editori – Viale della Letteratura n. 30 – 00144 Roma, con la causale: “diritti di procedura per deposito format”.
- dovete compilare il Bollettino di Dichiarazione (questa volta il Modello 91bis più eventuali allegati) compilato e firmato, sempre, da tutti gli autori,
- dovete depositare un esemplare del copione originale firmato su tutte le pagine, sempre da tutti gli autori.
3. Moduli
Cliccando su questo link puoi accedere ai Moduli e stamparli direttamente dal sito web della SIAE: Moduli da compilare. La compilazione, per i format è piuttosto semplice perchè non occorre inserire tutte le dichiarazioni relative alle opere radiotelevisive, né ovviamente compilare i campi relativi alle opere elaborate. Allo stesso modo non dovrebbero riguardarti gli allegati che si riferiscono all’impiego di brani musicali e testi letterari.
Per la compilazione, comunque, ogni caso è a sé stante e richiede delle considerazioni diverse.
4. Consegna della documentazione
Il deposito lo si puo' fare inviando una raccomandata a: SIAE - sez. DOR - Ufficio Documentazione - Via della Letteratura 30 - 00145 Roma, oppure recandosi allo sportello della SIAE a Milano (o in altre città in cui sia presente).
5. Validità del deposito
Il deposito ha validità tre anni e, prima della scadenza, si puo’ chiedere il rinnovo pagando lo stesso importo.
6. Variazioni del format e del titolo
Se successivamente al deposito, decidi di cambiare alcuni elementi del format, devi procedere con un nuovo deposito inviando i testi come modificati.
Se invece decidi di cambiare il titolo del format già depositato, è sufficiente inviare una comunicazione scritta agli uffici della SIAE.


Italia: Garante Privacy, ai blogger si applicano le stesse regole del giornalista

Con provvedimento del 27 gennaio 2016, il Garante ha enunciato il principio per il quale i blogger che svolgono un'attivita' di informazione sono soggetti alle medesime regole e alle medesime garanzie cui sono soggetti i giornalisti.
Il provvedimento nasce dal ricorso di un noto personaggio pubblico finalizzato alla rimozione di un articolo, pubblicato su un blog, e avente ad oggetto le proprie vicende sentimentali e giudiziarie. Secondo la ricorrente, infatti, la diffusione dei suoi dati personali avrebbe violato la disciplina del Codice Privacy, essendo avvenuta in assenza di consenso; e cio' stante l'inapplicabilita' delle eccezioni connesse alla liberta' di manifestazione del pensiero.
Il Garante Privacy, tuttavia, ha rigettato il ricorso, ritenendo che fosse infondato.
Infatti, il blog che svolge attivita' di informazione e' del tutto assimilabile all'attivita' giornalistica in senso stretto e, per l'effetto e' soggetto all'applicazione dell'articolo 136 del Codice che estende le garanzie riguardanti l'attività giornalistica ad ogni altra attività di manifestazione del pensiero, anche se non effettuata da giornalisti professionisti o pubblicisti.
Cio' significa che, in ossequio alla liberta' di informazione, il blogger puó divulgare attraverso la propria pagina informazioni e notizie contenenti dati personali di terzi senza la necessita' di acquisire preventivamente il consenso degli interessati. Naturalmente, tale liberta' va ogni volta bilanciata con il rispetto dei diritti e delle libertä' fondamentali di questi ultimi.



Germany: Youtube is not responsible for the IP violations by third parties

On 28th January, 2016, the Oberlandesgericht of Munich established that Youtube is not responsible for the IP violations made by third parties through the platform.
GEMA, the German collecting society, asked Youtube to pay the royalties for the utilization of music in some Videos uploaded by the users.
However, Youtube refused to accept the charges, given its role as a provider of a technical service.
As a consequence, lawyers said, Youtube don't have any influence on the publication of the Contents.
The Oberlandesgericht of Munich accepted these argumentations and ruled that GEMA schould address its
compliants against the users and not against YouTube.
The decision is not definitve and GEMA announced that it will bring an appeal before the Bundesgerichtshof.