Yulex 2013
Dag Wiese Schartum and Anne Gunn B. Bekken (eds.)
Senter for rettsinformatikk (Norwegian Research Center for Computers and Law)
Department of Administrative Informatics
Postboks 6706 St Olavs plass
0130 Oslo
Enquiries about this book may be directed to:
Senter for rettsinformatikk
Postboks 6706 St. Olavs plass
0130 Oslo
Tel. 22 85 01 01
www.jus.uio.no/iri/
ISBN 9788272261503
ISSN 0806-1912
Published in cooperation with Akademika forlag
Printed by: AIT Oslo AS
Cover and layout: Akademika forlag
FOREWORD
As in previous years, we have again this year encouraged our researchers to give away an article for Christmas. We have wrapped up the contributions and now send them as Yulex and a Christmas greeting to the many partners and contacts of the NRCCL.
Several of this year's articles have either been published or presented as lectures in international fora, which shows that the research under way at the centre has considerable international relevance.
But in Norway too we have contributed important research in 2013, in particular with the reports from the so-called «Flåtestyringsprosjektet» (fleet management project), a cooperation with FAFO. Two of the reports have been published in CompLex (2/2013 and 3/2013) and are available at Complexserien.net.
We are pleased to look back on a year of research activities and teaching across a broad front. In Yulex we present some of the diversity of our research, and this year's book has become a surprise package with contents we hope you will enjoy.
Merry Christmas and a Happy New Year!
PREFACE
As in previous years, we have encouraged our researchers to give away a paper as a Christmas present. We have wrapped the contributions in Yulex 2013 as a Christmas greeting to the many partners and contacts of the NRCCL.
Dissemination is an important part of research. This past year we have particularly improved dissemination in two ways. Firstly, we have prepared new project presentations on the Centre's website. The aim has been to describe projects so that they can create interest both among the general public and experts. In addition, we have established the website Complexserien.net, where all publications in this series are available. The website covers every issue from when the series was started in 1981. Each work will still be available as a book, but we expect that the site will become the main source for this part of our research publications.
We are pleased to look back on yet another year of comprehensive and intense research and teaching activities. In Yulex 2013 we serve you examples from the diversity of research issues we work with, and we hope that it has become a surprise package you will enjoy.
Merry Christmas and Happy New Year!
Dag Wiese Schartum (Chair of NRCCL)
Contents
Olav Torvund
Can you tamper with the Christmas carols?
A note on the classics protection.............................................................7
Jon Bing
The dramatist in the digital world............................................................11
Maria Astrup Hjort
Digital footprints as evidence in civil proceedings.................................35
Olga Mironenko Enerstvedt
Russian PNR system: data protection issues and global prospects......39
Lee A. Bygrave
Privacy as a Cultural Value..........................................................................77
Tommy Tranvik
Control and surveillance in working life................................................81
Samson Yoseph Esayas
Utilizing Security Risk Analysis and Security Testing in the
Legal Domain.................................................................................................99
Arild Jansen and Svein Ølnes
Benchmarking eGovernment Quality
– Whose Quality Are We Measuring?......................................................117
Dag Wiese Schartum
Legal definitions and semantic interoperability in electronic
government ..................................................................................................131
Emily M. Weitzenboeck
The contractual network of the
Domain Name System................................................................................147
Tobias Mahler
Would You Like to Own a Generic
Top Level Domain? .....................................................................................157
Francis Augusto Medeiros
Is ‘.com’ international? The .com gTLD: an analysis of its
global nature through the prism of jurisdiction....................................179
Olav Torvund
Consumers and international online services. The Amazon and
Netflix agreements......................................................................................227
Can you tamper with the Christmas carols?
A note on the classics protection1
Olav Torvund
Before Christmas 2012, Humanist forlag published the book «Når nettene blir lange – julesanger for noen hver». Among other things, it contains a de-Christianised version of «Deilig er jorden». At least parts of the Christian community reacted. Can we do whatever we like with such old songs?
«Deilig er jorden» is, like many of our other Christmas carols, so old that it has entered the public domain. More than 70 years have passed since the authors died, and the song is no longer protected by copyright. The moral rights too, the right of attribution and the protection against derogatory reproduction, in principle lapse when the work enters the public domain. We can do what we like without asking anyone for permission.
But in section 48 of the Copyright Act (åndsverkloven) we have the so-called classics protection (klassikervernet). The first paragraph of that provision reads:
«Even though the term of copyright protection has expired, a work may not be made available to the public in a manner or in a context that is derogatory to the author's literary, scientific or artistic reputation or individuality, or to the reputation or individuality of the work, or that may otherwise be deemed to harm general cultural interests.»
In other words, the right of respect nevertheless persists, albeit in a somewhat different form. This is a provision that gives the Ministry of Culture the authority to issue a decision prohibiting a specific version of a work; it does not require that consent be obtained before the work is made available. This is a significant difference from the situation had the work been protected by copyright. It is also a significant difference that in practice it is cultural bureaucrats, and not a rights holder, who make such a prohibition decision. But the Ministry of Culture can prohibit making the disputed version of «Deilig er jorden» available, if it considers it to be contrary to the provision.
In some cases, prohibitions have been imposed on the use of classical works in advertising. This applies, among others, to a painting and a sculpture by Michelangelo and a painting by Theodor Kittelsen. But we shall leave such use aside.
The Ministry has also prohibited specific versions of music, because these were considered derogatory to the author and/or the work. The precedents are frightening, even though they are getting rather old. Among other things, Duke Ellington's recording of Edvard Grieg's «I Dovregubbens hall» and Arne Domnerus' recording of «Ja, vi elsker» have been prohibited. If one is looking for derogatory versions of Edvard Grieg's music, I personally think that the flattened and vapid version of «Norsk dans no 2» that NRK uses every Friday as the theme tune for «Norge rundt» is far worse than Duke Ellington. But it should not be prohibited for that reason.
1 Also published at http://blogg.torvund.net/2012/12/21/kan-man-tukle-med-julesangene-littom-klassikervernet/
Prohibiting such versions of works that have entered the public domain is an interference with freedom of expression. This has been discussed to little or no extent in the prohibition decisions that have been made. Jimi Hendrix's version of «The Star-Spangled Banner» from the Woodstock festival could have been on thin ice had the same rules been applied to it as to Arne Domnerus' recording of «Ja, vi elsker». A national anthem can be performed as a biting critique of the country in question. Many would say that this is precisely what Jimi Hendrix did at the Woodstock festival, at a time when the debate over the Vietnam War was raging at its most intense. Some might find it offensive. But it would be highly problematic to prohibit such expressions for that reason. The power to prohibit should be used with the utmost caution, if it should be used at all.
A somewhat special, but not impractical, question is the use of old melodies that have acquired a meaning different from the original one. «Deilig er jorden» has a text by the Danish hymn writer Bernhard Severin Ingemann and is actually about a pilgrimage. It was written in a kind of defiant optimism after a period of war, and is not really a Christmas carol. The melody is a folk tune from Silesia, in the border region between Poland and the Czech Republic, written down in 1842. Others must be able to use that melody too. The same applies to «The Star-Spangled Banner». Its melody is taken from the English drinking song «To Anacreon in Heaven».
Humanist's version of «Deilig er jorden» can be seen as a critique of religion, albeit in a mild form. The blasphemy provision has been repealed. Admittedly, that repeal has not yet entered into force either, because the Ministry of Justice has still not managed to bring the 2005 Penal Code into force. But the provision lies in a coma and will die once the Ministry of Justice finally does what should have been done long ago. We have a cartoon controversy behind us. Many in Norway have held that Muslims must accept that people draw Muhammad, even if they experience it as an insult. Then we must also tolerate that someone rewrites our Christmas carols and other music laden with symbolism, even if we do not necessarily like the way it has been done.
We must dare to trust that the important ones among our traditions are strong enough to withstand someone roughing them up a little. The version of «Deilig er jorden» that we all know will surely last much longer than Humanist's version. As far as I have seen, fortunately no one has gone so far as to demand that such reworked Christmas carols be prohibited. Humanist forlag must put up with criticism, just like everyone else.
Freedom of religion and freedom of expression apply at Christmas too. Our Christmas traditions must tolerate that some people make use of these freedoms.
Merry Christmas.
PS.
It was bound to come. Finn Folke Thorp responded by writing a Christian version of Nordahl Grieg's «Til ungdommen». Finn Folke Thorp is a name unknown to me. According to Vårt Land, he has written the script for several episodes of «Hotel Cæsar» and chairs the parish council in Fagerborg in Oslo. According to Vårt Land, he was «a bit fed up» when he heard the de-Christianised Christmas carol and decided to «pay back in the same coin».
We can think what we like about this. I agree with Kristin Rosenberg, one of Nordahl Grieg's heirs, that this is «a bit childish». Answering a foolishness by committing a corresponding foolishness oneself is never a good strategy. With this, Finn Folke Thorp has placed himself outside any discussion of these questions. But can Finn Folke Thorp freely tamper with Nordahl Grieg?
The answer is no. Nordahl Grieg died in 1943. Copyright lasts for 70 years after the end of the year of the author's death, that is, up to and including 31.12.2013. Finn Folke Thorp has quite clearly made an adapted version of Nordahl Grieg's poem. He cannot do that without the consent of those who currently hold the rights to it, regardless of whether one considers it derogatory or not. From 1 January 2014, Nordahl Grieg's works will be free. From then on, only the classics protection can give them a certain protection. The symbolic texts of the labour movement are no more sacred than other symbolic texts.
The dramatist in the digital world
A written version of a talk given at the annual meeting of Norske Dramatikeres Forbund (the Norwegian Dramatists' Association) on 16 March 2011
Jon Bing
1 Prologue1
Tim Berners-Lee studied physics at Queen's College, Oxford, and took his final examination in physics in 1976, at the age of 21. In 1980 he was employed on a temporary contract as a consultant at CERN2, the famous European laboratory for particle physics in France near the Swiss border. He himself recounts3 that he became frustrated with the work of keeping track of the connections between people, machines and projects. To solve this problem, he wrote a program he called Enquire Within Upon Everything. The name of the program was taken from a book of Victorian advice. My copy of the book is a facsimile of the 82nd edition. When it was published in 1890, 1,910,000 copies had been sold.
The book contained brief advice or recipes on all manner of things, organised in a way that we would probably easily find confusing. But it is comprehensive. Entry 2274, «English Champagne», begins for instance like this: «Take fifty pounds of rhubarb and thirty-seven pounds of fine moist sugar. Provide a tub that will hold from fifteen to twenty gallons, taking care that it has a hole for a tap near the bottom …»
[Fig 1 - the login screen for Enquire …: «At SINTRAN III command level, type @(GUEST)ENQUIRE <params> and the system should respond: Enquire V x.x / Hello!»]
1 This section builds on Jon Bing «Building Cyberspace: a brief history of Internet» in Lee A Bygrave and Jon Bing (eds) Internet Governance: Infrastructure and Institutions, Oxford University Press, Oxford 2009:8-47.
2 CERN is an abbreviation of Conseil Européen pour la Recherche Nucléaire. The organisation changed its name long ago, but kept the short form.
3 Tim Berners-Lee Weaving the Web, HarperBusiness, New York 1999:4-6.
The recipe runs to about two columns and is followed by a recipe for «Turnip Wine». One sees how the shadow of English cuisine also falls across the pages of this otherwise so excellent reference book.
And the book in a way became the motto for Tim Berners-Lee's program. The program was written in the programming language Pascal on a Norsk Data S10 machine under the SINTRAN-III operating system, which Tim Berners-Lee characterises as «pretty obscure».4
But Tim Berners-Lee left CERN when his period as a consultant was over. Norsk Data went bankrupt, and Enquire … was forgotten.
Fortunately Tim Berners-Lee returned to CERN, and together with Robert Cailliau among others, he managed to get approval to purchase a NeXT computer,5 and in November 1990 Tim Berners-Lee had completed a program he called WorldWideWeb. The first step had been taken.
Further steps were needed. WorldWideWeb became popular, but the user interface was intended for users with programming skills. At the National Center for Supercomputing Applications at the University of Illinois, Marc Andreessen was working as a student. He made the first browser with a graphical user interface, MOSAIC (1993).6
In spring 1995 the company Digital Equipment Corporation7 introduced a microprocessor called Alpha. It made it possible to operate databases very quickly, and to demonstrate this, DEC's Western Research decided to index the entire web. The system was called AltaVista, and was the first search engine. It was made available to the public in December 1995 with an index of 16 million documents. It was an immediate success; more than 300,000 searches were made on the first day.8
By the end of 1995 one had the three main elements that formed what we today refer to as «the Internet»:9
• Documents in the page description language HTML, with integrated links that allowed the user to «click» through to other pages.
• A browser with a graphical interface, where one could use a pointing device (e.g. a mouse) to navigate the page.
• A search engine that made it possible to find a website with the information one was interested in, by using freely chosen search terms that described that interest and that were used by the website.
4 Tim Berners-Lee Weaving the Web, HarperBusiness, New York 1999:11.
5 NeXT was made by a company founded by Steven Jobs in the period 1988-1990.
6 The rights to MOSAIC were owned by the university. Marc Andreessen bought a simple licence to develop this browser further; it became Netscape, which in turn became the basis for Mozilla. Microsoft also bought a licence, and that became the first basis for Internet Explorer.
7 DEC dominated the minicomputer market, but a few years later would disappear into Compaq, which was then acquired by Hewlett Packard.
8 By the end of 1996 AltaVista was handling 19 million searches daily. I do not have figures for Google available.
9 Strictly speaking this is misleading, but even so.
2 From goods to services
One of the meta-trends is the transition from goods to services. Goods are characterised by being physical; they can be touched and felt. Services are, in a way, everything else. Without getting lost in philosophical questions about where this boundary lies, we can content ourselves with looking at familiar examples.
The most discussed is probably music. Traditionally, music has been sold as goods. In principle one can go back to sheet music, but it is of course gramophone records, audio tapes, compact discs and so on that are the best-known physical carriers of music. These have faced competition from audio files, which do not have a physical representation in the same way: an audio file is transferred over a network and downloaded to a storage medium (which is physical), from which it can again be uploaded and transferred anew. This presents rights holders with challenges in rights administration, cf. below.
Another main example is film. The reason film came after music is quite simply that film, moving images, requires many more characters to be represented: each picture element must be described by a code for greyscale and three codes for colour (RGB colours: red, green, blue). The picture element must be quite small for the resolution to be satisfactory. And in addition the film's sound must be represented. One then intuitively understands that an enormous stream of numeric codes is needed to get a film to play on the screen. This therefore required the network to have sufficient bandwidth. Today the network has that, and so cassette tapes and compact discs are easily displaced.
Text really ought to have been the first example, because letters have a compact representation compared with sound and images; traditionally only eight bits (one byte) are needed to represent a letter. There are also good systems for «electronic books», the best known perhaps being Amazon's Kindle. In Norway one can hardly boast of having come very far, and there are several reasons for that. We do, however, have the project Bokhylla.no,10 which is run by the National Library on the basis of an agreement with Kopinor.11 This partly allows texts to be downloaded as files, but to safeguard rights, the newest books may only be streamed to the screen.
10 Cf. http://www.nb.no/Tilbud/Samlingen/Samlingen/Boeker/Bokhylla.no.
11 Cf. http://www.kopinor.no/brukere/bibliotek/nasjonalbiblioteket/nasjonalbiblioteket-bokhylla.
Dramatists are also affected by this. They are directly affected by the development taking place for film, since a film will often be based on a dramatic work. But in other respects too, technical developments are changing the environment in which dramatists work.
3 The traditional remuneration system
3.1 How to construct a remuneration system?
We often discuss the level of remuneration. Somewhat less often do we discuss how a remuneration system should be constructed. What criteria should it be based on? The criteria must be chosen so that it is simple to calculate the remuneration in question. And one would like the criteria to be chosen so that increased use or exploitation of the work leads to correspondingly higher remuneration.
Remuneration for drama is calculated in different ways. There are also many variations; in this section we look only briefly at four main examples.
A few words on terminology. When a dramatic play is performed on a stage, a performance for the public takes place. The agreements occasionally use the term «oppføring» (staging), which must be understood in the same way. The agreement also uses the terms «visning» (display) and «visningsrett» (display right).12 It is certainly easy to interpret this as «performance», but in copyright terminology «display» is something other than «performance». A work is displayed when, for example, a painting is hung on a wall or a sculpture is placed by a street. It is unnecessary to bring into the agreements a copyright term that is obviously not used in the same sense as in the Copyright Act. Finally, the terms «produce» or «production right» are used.13 This emphasises that a theatre or another institution has obtained the right to carry out the preparation necessary to perform the work, but it does not appear to have any meaning other than «performance». There is much to be said for the view that removing the unnecessary terms would make the agreements more accessible, albeit with less variation in language.
3.2 The performance agreement
A dramatic work is usually written in order to be performed, and the traditional performance takes place on a stage, at a theatre.
To be able to perform a work, the theatre must have an agreement that grants the right to make the work available to the public (Copyright Act section 2). In addition, the performance agreement is also taken to grant the right to limited reproduction: reading copies for actors, director, scenographer, prompter and so on. These are traditionally copies made in a simple manner (often reprography of the original manuscript; nowadays the manuscript is usually available in machine-readable form and can be printed in a suitable format) and fairly simply bound.
12 Cf. e.g. the protocol items A and C-2.
13 Cf. e.g. the protocol item A.
The current performance agreement has a traditional design of the remuneration clauses.14
The starting point is a royalty, calculated on gross ticket revenue (less cloakroom revenue, the levy on free tickets and the contribution to the pension fund).15 «Royalty» denotes a particular way of calculating remuneration: it is stated as a percentage or share of another amount (the royalty base), which in this case is gross ticket revenue. In this way the remuneration is made sensitive to use: the more people who see a performance, the higher the remuneration to the dramatist.
One can easily calculate that a normally attended performance with normal ticket prices will yield modest remuneration to the dramatist. The standard agreement has therefore introduced a «basic fee».16 This is currently set at «263 682 for an ordinary staging». What is meant by the term «ordinary staging» is not apparent from the protocol. The protocol defines «full-length work».17 Under ordinary principles of contract interpretation one would assume that «an ordinary staging» is then something else, since the defined terms are not used. But it may of course also be that the intention was to refer back to the definitions.
The basic fee is to be regarded «as an advance on royalty».18 That is, until the calculated royalty amounts to NOK 263,682, no such remuneration is paid. In practice, only very few works will earn ticket revenue high enough for the basic fee to be exceeded and royalty actually to be paid out. This also means that even though the remuneration is designed to rise with increased use, in most cases the agreement will function as a fixed-price agreement, where the fixed price corresponds to the basic fee.
The standard agreement also has an important provision limiting the performance right in time. It applies only for two years from the date of the premiere.19 After this the performance right lapses.20 The rights holder can then negotiate the performance rights with others. This helps ensure that one can obtain the full economic return from the work.
14 Standard contract governing agreements entered into from today's date until 31.12.2013 on the use of dramatists' texts in stage productions at theatres that are members of NTO (Norsk Teater- og Orkesterforening).
15 Cf. the standard contract item 5.
16 Standard contract item 2, cf. protocol of 26.10.2012 item B-1.
17 Works for adults with a performance time of more than 70 minutes, for children more than 60 minutes, cf. the protocol item A.
18 Cf. the protocol item A.
19 Cf. the protocol item C-2-A.
20 An exception is made for the rare situations where the work has not finished its run at the end of the two-year period, cf. the protocol item C-2-B.
3.3 Drama in book form
Drama is also published in book form. According to the Norwegian Publishers' Association's industry statistics, 8,493 copies in the category «plays» were sold in 2011.21 Sales are therefore modest.
The traditional form of remuneration for book sales is based on royalty, i.e. a sales royalty calculated from the retail price, which for the time being is set by the publisher. Traditionally a deduction is made for the «price of the binding», e.g. NOK 30. The result is the royalty base. Traditionally the royalty is 15 % for the first 5,000 copies, rising to 20 % for sales beyond that. But for works that fall under the Arts Council's purchasing scheme for new Norwegian fiction, a remuneration of 20 % royalty is paid from the first book sold.22 This also applies to drama.
In addition, a minimum remuneration is agreed. Traditionally this amounts to 1/3 of the royalty for the first print run.23 For books under the Purchasing Scheme, the author receives full remuneration for the 1,000 copies purchased and 1/3 royalty for the part of the first print run that exceeds the 1,000 copies purchased.
We recognise the principles: one finds «something» that can indicate the exploitation of the work, and has chosen the number of copies sold. The remuneration is related to a sale, and a total remuneration is accumulated by summing the remuneration for the individual sales. This is supplemented by a minimum remuneration.
But there are many variations and different forms.24 In our context, however, it is sufficient to note that drama in book form will often be the subject of purchase under the Purchasing Scheme. The remuneration will then be 20 % royalty from the first copy sold, including the 1,000 copies that go to the Purchasing Scheme. The minimum remuneration amounts to the remuneration for the 1,000 copies purchased and 1/3 of the excess part of the first print run.
3.4 Drama in radio and television
3.4.1 Introduction
Radio and television are important and traditional areas for the use of drama. Norske Dramatikeres Forbund has agreements on such exploitation.
Traditionally one entered into an agreement either to develop a dramatic work for radio or television, or an agreement to exploit a work that had already been completed when the agreement was signed. The form of exploitation was well known and the variables few: it was primarily a question of regulating the right to broadcast repeats, and a distinction was typically drawn between short-term and long-term repeats.
21 Industry statistics 2011, book group 4.1 Norwegian fiction for adults. 2011 is the most recent year for which statistics are available.
22 Cf. the agreement between Norsk kulturråd, Den norske Forleggerforening, Norsk forleggersamband and Den norske Forfatterforening on rules for the state purchasing scheme for new Norwegian fiction for adults, section 22, first paragraph no. 1.
23 A print run is the number of copies produced at the same time; with modern printing methods, characterised by publication on demand, the concept of a print run has become somewhat problematic.
24 An overview and discussion can be found in Hans Marius Graasvold, Eirik Djønne and Jon Bing Norsk skribentrett, Universitetsforlaget, Oslo 2006:151-170.
Norske Dramatikeres Forbund has a framework agreement with Norsk rikskringkasting (NRK) «concerning the transfer of production and exploitation rights etc. from the author to NRK for audiovisual works in the film and television sector».25 The other writers' organisations also have framework agreements with Norsk rikskringkasting, but these actually have a somewhat different function.
Section 31 of the Copyright Act establishes an extended collective licence for broadcasters. This means that once Norsk rikskringkasting has entered into an agreement with an organisation representing the authors in the field, Norsk rikskringkasting may broadcast published works without obtaining consent from the author. The rationale is the need for a flexible and fast mechanism for rights clearance. This was the first extended collective licence provision in the Norwegian Copyright Act; it has since been followed by many others.
For fiction for adults, for example, Norsk rikskringkasting has an agreement with Den norske Forfatterforening. If Norsk rikskringkasting wishes to broadcast a reading from a novel or short story, it can therefore do so without contacting the author (apart from transferring the agreed remuneration).
This provision is of less significance for dramatic works. I do not rule out that the provision may apply, e.g. if one wishes to broadcast a play published in book form. But the play must have been published for the provision to apply, i.e. «a reasonable number of copies of the work have, with the consent of the author, been placed on the market» (Copyright Act section 8). Even if a play has been made public26 through performance, it will more rarely have been published. For this reason section 31 of the Copyright Act plays a lesser role.
But the contractual situation itself also pushes section 31 of the Copyright Act into the background. An agreement on a dramatic work for television or radio is usually negotiated in cooperation between dramatist and broadcaster; it is not unusual to go by way of a synopsis, and it is not unusual to agree on a right to terminate the cooperation, e.g. if the synopsis is not approved.
For dramatic works on radio or television, the agreement will thus govern a work that has not yet been fully developed, or at any rate not yet made public in any other way.
3.4.2 Norsk rikskringkasting and other broadcasting
There is a fairly extensive agreement between Norske Dramatikeres Forbund and Norsk rikskringkasting. The remuneration is based on a calculation in which a basic amount27 is multiplied by «the number of minutes commissioned».28 This gives a basic fee (GH). There is a further adjustment for repeats etc.
25 Radio drama thus falls outside the framework agreement.
26 Cf. the definition in section 8 of the Copyright Act.
This remuneration structure attempts to preserve the principle that increased exploitation should lead to increased remuneration. But whereas for performance in a theatre one counts paying spectators and calculates a royalty accordingly, for broadcasting one pays per minute, based on the obvious idea that the longer the running time, the greater the exploitation of the work.
But behind this lurks the setting of the basic amount. I am not aware of which arguments are used in setting it. But it is reasonable to assume that the number of viewers, actual viewing figures if such are available, or potential viewers, will play a role. So will Norsk rikskringkasting's finances.
Section 31 of the Copyright Act applies not only to Norsk rikskringkasting, but also to others who hold a «licence to carry on broadcasting activities». For a long time Norsk rikskringkasting had a monopoly on broadcasting to the public, but that is now history. During that period dramatists (and other rights holders) had only one possible counterparty for broadcasting, and that counterparty was directly subordinate to the Ministry of Culture. In negotiations on remuneration, it was natural for rights holders to bring in cultural-policy arguments. Norsk rikskringkasting also acknowledged a cultural-policy responsibility. Remuneration was thus set so as to be «reasonable», even though the parties might well have differing views on what a reasonable remuneration amounted to.
After section 31 of the Copyright Act opened the extended collective licence to others as well, there are, as far as I know, no other broadcasters that have made use of this possibility. These broadcasters thus negotiate with the rights holders in each individual case, and there is no framework agreement governing the remuneration. To some extent the agreement will be entered into with a production company, which in turn enters into an agreement with the broadcaster.
Item 3.2 of the framework agreement specifies the right Norsk rikskringkasting acquires to make the work available to the public. Which forms of making available Norsk rikskringkasting acquires is to be agreed with the author in each individual case. Under item 3.2, paragraphs 3 to 5, of the framework agreement, exploitation in digital media is also regulated:
«NRK may broadcast all or parts of the work in television broadcasts and transmit the work via other technological platforms, including the Internet, broadband and mobile telephony.
NRK may by agreement make all or parts of the work available to the public in other formats and/or through other forms of distribution than those mentioned in the previous paragraph. Such formats/forms of distribution include, for example, reproduction and sale of video, DVD and POD (publishing on demand).
NRK may by agreement also make all or parts of the work available to users at an individually chosen place and time (as an on-demand service) for a specified period on technological platforms such as, but not limited to, the Internet, broadband and mobile.»
27 It is admittedly unnecessary to have chosen a term that corresponds to one of the central concepts in the National Insurance scheme, but this hardly creates any practical problems.
28 Framework agreement of 6.9.2006 item 3.3 (the rates are adjusted as of 1.5.2011).
The provision opens by stating that Norsk rikskringkasting «may» exploit the work in these forms. This must be read in conjunction with clause 3.2, paragraph 2, of the framework agreement, where – as mentioned above – it is stated that the parties may «agree in more detail which forms» of making available the agreement is to cover. As I interpret the framework agreement, an explicit supplementary agreement with the dramatist is therefore required to trigger these rights.
Under clause 3.2, paragraph 3, of the framework agreement, the work may be distributed on «technological platforms» other than traditional television. As examples, «the Internet, broadband, mobile telephony» are mentioned. It is debatable whether all three of these are «platforms»; in any event there is no contradiction between «the Internet» and «broadband».
Under clause 3.2, paragraph 4, of the framework agreement Norsk rikskringkasting may – by separate agreement – make the work available in «other formats» or through «other forms of distribution» than those mentioned in clause 3.2, paragraph 3. As examples, the production and sale of copies on compact discs («video, DVD») and distribution by «POD (publishing on demand)» are mentioned. The latter is not entirely clear; «podcasting» is a form of distribution based on transferring a file to the user. It is therefore not an example of the sale of a physical object, such as a compact disc, but a pure distribution of a digital file over the network. The agreement may possibly be based on a different understanding, but I am not aware of any known forms of publishing on demand of broadcast programmes.
Finally, under clause 3.2, paragraph 5, of the framework agreement Norsk rikskringkasting may make «the whole or parts of the work available to users at an individually chosen place and time (as an on-demand service) for a specified period on technological platforms such as – but not limited to – the Internet, broadband and mobile». This is commonly referred to as interactive services.
This expansion of the services the agreement may cover clearly shows that the agreement covers more than ordinary broadcasting. Broadcasting – as defined in section 1, paragraph 1, litra a, of the Broadcasting Act:[29]
«Broadcasting: transmission of speech, music and the like via electronic communications networks, intended or suited to be seen or heard directly and simultaneously by the public …»
[29] Act relating to broadcasting and audiovisual on-demand services (Lov om kringkasting og audiovisuelle bestillingstjenester, 1992:127).
The concept of broadcasting has long been under pressure from technological developments, and it may well be that the boundary against services that are not to be regarded as broadcasting is not entirely clear under the Act. In our context this matters little.
Under clause 3.2, paragraph 6, of the framework agreement Norsk rikskringkasting may transfer rights under clause 3.2 to «third parties in Norway and abroad». See also clause 3.5 of the framework agreement, which concerns the transfer of «broadcasting rights etc.». This latter right of transfer applies to «broadcasting or on other media platforms in Norway and abroad». However, the framework agreement presupposes that a separate agreement has been entered into with the dramatist on which forms of making available are transferred.[30]
The provision also introduces a remuneration model. If Norsk rikskringkasting receives separate remuneration for a transfer under clause 3.4 of the framework agreement, the dramatist, together with the other rights holders, is entitled to 50 % of the net remuneration.[31] This rights-holder share is distributed in proportion to the original remuneration; the dramatist's share corresponds to his or her share of the original remuneration.
It is easy to dwell on the drafting of this provision, for instance that the dramatist has no influence on the remuneration Norsk rikskringkasting negotiates. But one must bear in mind that it presupposes a separate agreement with the dramatist, who must see to it that his or her bargaining position is used.
As mentioned, Norske dramatikeres forbund (the Norwegian Dramatists' Association) has a framework agreement with Norske film- og tv-produsenters forening (NFTVPF, the Norwegian Film and TV Producers' Association) of 4.3.2009.[32] That agreement is more closely adapted to the procedure usually followed when a script is developed, among other things in that it includes both «author» and «scriptwriter». The author transfers a «production right» to the producer, cf. clause 4.3 of the framework agreement. In addition, what is called the «showing right» is transferred, which covers «production of copies and making available», clause 4.4 of the framework agreement. Making available covers «showing»[33] by agreement with a broadcaster or distribution from
«… other technical platforms the broadcaster uses, including by unaltered streaming of the Work, showing on the Internet or corresponding networks».
The framework agreement presupposes that other exploitation may be relevant, and clause 4.6 specifically mentions sale as videograms as an example. Somewhat imprecisely, «showing on pay-TV or mobile telephone etc.» is mentioned at the same time.[34]
[30] See above, clause 3.2, paragraph 1, of the framework agreement.
[31] The net remuneration is Norsk rikskringkasting's gross income from the transfer minus 30 % to cover costs.
[32] The agreement was adjusted on 1.5.2011.
[33] As mentioned above, what is meant here is what the Copyright Act calls performance.
[34] The agreement refers to the Act relating to film and videograms (Lov om film og videogram, 1987:21), which in section 1, paragraph 3, defines a videogram as «an electronic signal for the storage and reproduction of moving images which is written onto a medium or an information carrier». Neither pay television nor distribution over mobile telephone presupposes that the signal is stored on a local medium in order to be performed on screen.
One can practically see how the exploitation that digital technology makes possible eats its way into the agreement. One might wish for greater stringency in the delimitation of rights and forms of exploitation, but in the present situation the practice under the agreement hardly creates much doubt.
3.5 Film
3.5.1 Main principles
The historical starting point for the agreements discussed in clause 3.4.2 on broadcasting is the film agreement. Norske dramatikeres forbund has also entered into a framework agreement on «film, production and showing rights» of 15.9.2005[35] with Norske film- og tv-produsenters forening. The agreement has largely the same structure as the framework agreement for broadcasting. The framework agreement defines «film right» and «production right».[36]
Section 10 of the framework agreement regulates minimum remuneration for synopsis, film treatment and film script (in total NOK 335,173) and for the film right (NOK 332,109).[37]
In addition, remuneration for the film right is paid out of the film's profits, a royalty-based remuneration (cf. section 10 litra d of the framework agreement, compare section 11). How the film's profits are calculated is not dealt with by the framework agreement.[38]
[35] The agreement was adjusted on 1.5.2012.
[36] There seems to be little difference between these rights as defined in section 2 litra g and h of the framework agreement, but this is perhaps of little significance.
[37] Applies where the holder of the rights to the literary source is different from the author of the film script, cf. section 10 litra c of the framework agreement.
[38] But it may well follow from the regulations of the Norwegian Film Fund (Norsk filmfond), which are referred to in section 11 litra a of the framework agreement. However, this does not appear to follow from the regulations on accounting for audiovisual productions (2010:359), and I cannot find any other regulations in the database of central regulations.
3.5.2 Production of copies – videograms
Under section 2 litra j of the framework agreement, the producer is granted the right to produce copies and to make the work available to the public by distributing copies and performing the work. The production of copies is a necessary precondition for performance on screen. Traditionally, a limited number of copies are offered for hire to cinemas by the producer (or by an importer on behalf of the producer). The cinemas then receive the physical copy, which is performed on screen – traditionally by projection. Digital screens can reproduce images by having the picture elements («pixels») controlled by a computer. The remuneration to the producer will typically be a share (royalty) of ticket revenue, and contributes to the film's possible profits. From the profits, a share (royalty) is then paid to the dramatist etc., cf. section 10 litra d of the framework agreement, compare section 11.
Traditionally, then, the film agreement has included a transfer of the right to produce copies, but in the context outlined above – as a necessary precondition for performance on screen in cinemas.
But with new technology, the production of copies took on an entirely different significance.
A dramatic part of the technical history is the format war between Betamax[39] and VHS.[40] The development of systems for storing video on magnetic tape is a long one – and is first and foremost a story of the struggle to read and write data to tape quickly enough. Around 1970, several Japanese industrial groups were ready to supply equipment for recording and playing back videograms for home use; among these, Sony was the leader. It is claimed that Sony invited JVC to license the Betamax technology in 1974, and was taken aback when it was discovered that JVC had come very far in developing its own solution.
Nevertheless, Sony had the market almost to itself at the beginning, and in 1975 sold 30,000 Betamax machines in the USA alone. The following year JVC launched its VHS format. That was the starting shot for the «format war».
JVC's system had roughly twice the playing time of Sony's, and this difference probably proved decisive. In 1977 JVC was joined by four other Japanese electronics manufacturers, all of which based themselves on VHS. This caused Sony to abandon its restrictive policy on licensing its own technology. JVC, however, got the American company RCA on board. Price was at first not a dominant factor in the competition, but in 1977 the price of VHS machines was reduced to 300 dollars. By 1982 the price war was in full swing.
At the same time, the case that ended in 1984 with a Supreme Court judgment (the «Betamax judgment»)[41] was making its way through the American court system. In the judgment, Universal Studios and Disney did not succeed in their claim that Sony's video recorder in itself constituted an infringement of the rights of producers of films and television programmes.[42] Rather than fighting the new technology, the choice was therefore made to develop business models to reap economic benefits from the emerging market.
It is unclear whether the judgment influenced sales, but by 1978 Sony's market share had fallen to 19.1 % compared with RCA's share of 36 %. At the same time, the supply of pre-recorded cassettes began to grow, and already in 1981 the Betamax format accounted for only 25 % of the market, and it was expected that the number of titles available in VHS format would become larger.
[39] The Betamax cassette has half-inch-wide magnetic tape and the signal is stored in analogue form. The format was developed on the basis of the earlier 0.75-inch-wide professional U-matic system, which is still in use. The name «Betamax» is said to derive from the Japanese phrase beta gaki (raw + write), but as a joke the trademark contains the Greek letter beta. Sanyo originally marketed its version as «Betacord», but this was also referred to as the «beta» format.
[40] Video Home System. The cassette's magnetic tape is half an inch wide; the signal is stored in analogue form.
[41] Sony v Universal Studios, 464 US 417 (1984).
[42] The argument was that the recorder made it possible, or even easy, to produce unlawful copies. Arguments of a similar character are found in many other contexts, among others in the Norwegian decision on DVD-Jon (RG-2004-414), since the program he helped to launch made it possible to circumvent protection mechanisms for DVDs. See below under clause 3.5.3.
Technically, the formats were comparable; although Sony largely led the way in improvements (e.g. of sound reproduction), the VHS manufacturers quickly followed. Machines for the Betamax format were in fact cheaper than corresponding VHS machines by the end of 1985.
The battle of the formats ended in 1987 when the magazine Rolling Stone proclaimed «The Battle is over».[43] VHS players accounted for 95 % of the market. Sony launched its own VHS player in September 1988. One year later, Betamax's share of the consumer market had fallen to 1 %.
Exploiting the opportunities in the market for videograms presupposed that cassettes – later compact discs – were produced for hire or sale to consumers. The rights holders argued that this right had not been transferred to the producers, since this form of exploitation was not known when the film agreements were entered into. This principle is today part of section 3.3 of the framework agreement, which states that «rights which are not explicitly transferred … are retained without restriction by» the dramatist etc.
The dispute was resolved within the framework of what was at the time a fairly new collective management organisation, Norwaco, established in 1983. The organisation forms various management sectors, and one of these became the film sector. Here the rights holders' organisations were represented, and remuneration for the exploitation of older feature films in the form of videograms was transferred to Norwaco, which through negotiations within the film sector arrived at a distribution among the organisations. In 2006, about 2 million kroner from the producers was distributed among the groups according to the following table:[44]
Group                        Share   Further distribution within the group
Scriptwriters                29 %    Individual remuneration
Directors                    29 %    Individual remuneration
Film workers                 10 %    Collectively via fund
Actors                       23 %    Collectively via fund
Musicians                     7 %    Collectively via fund
Dancers and choreographers    2 %    Collectively via fund
In due course, exploitation as videograms was of course incorporated into the film agreements, and section 12 of the framework agreement refers to the obligations in connection with the production of «videograms and the like» being regulated by an agreement between Norwaco and Norske film- og tv-produsenters forening. However, such agreements expired on 31.12.2010, and the last remuneration was distributed in 2011. Norwaco itself describes the sector as «inactive».[45]
[43] Rolling Stone 15.1.1987:43.
[44] Norwaco Årsmelding (annual report) 2006:12.
The cassettes have gradually given way to compact discs.[46] From the rights holder's point of view this is no difference in principle from video cassettes: they are sold as physical units, and the remuneration generated is governed partly by the provisions of the film agreement.[47] However, extra protection has been placed on the discs. In part, a zoning system has been used, a division of the market into different zones. Players are «authorised» for one or a few zones, and will not play discs for other zones.
[45] Norwaco Årsmelding (annual report) 2011:18.
[46] CD-ROM (Compact Disc – Read Only Memory) or Blu-ray (named after the blue-violet laser beam used for reading); media based on USB sticks will surely come as well.
[47] But, as mentioned above, this regulation is not complete.
3.5.3 File sharing
The digital exploitation of films is traditionally linked to file sharing. This means that a copy of the film is uploaded to a website, and from there offered to the public for local copying. This may be done by the rights holder, of which the website of Norsk rikskringkasting, for example, provides many examples. But most of the attention has been on unlawful file sharing, often in connection with file-sharing solutions such as Napster, Gnutella and BitTorrent.[48]
Under section 53a of the Copyright Act it is prohibited to remove or alter a technical protection system. Regarding the zone control on compact discs, however, the preparatory works state that «the region codes used on DVD films to divide the market for film works geographically and temporally [will not] be technical protection systems within the meaning of the Act».[49]
There are, however, also other protection measures that are intended, among other things, to prevent a compact disc from being played by a player that is not authorised. This came to a head in the much-discussed case of «DVD-Jon».[50] He was charged with having made available a program that made it possible to break the copy protection on compact discs and play the works on «non-authorised» players. For various reasons he was acquitted.
More recently, the Swedish case concerning the website Pirate Bay has attracted great attention. The website facilitated users sharing film works among themselves by means of a BitTorrent system. The Svea Court of Appeal (Svea hovrätt) convicted the people behind it of complicity in copyright infringement in a decision of 21.11.2010.[51]
[48] See Jon Bing, Ansvar for ytringer på nett – særlig om formidlerens ansvar, Universitetsforlaget, Oslo 2008:241-248.
[49] See Ot.prp. nr. 46 (2004-2005) Om lov om endringer i åndsverkloven m.m., clause 3.5.1.5.1.
[50] Borgarting Court of Appeal, judgment of 22.12.2003, LB-2003-00731.
[51] Leave to appeal to the Supreme Court (Högsta domstolen) was refused.
Naturally, it is first and foremost those who make use of the offering and upload copies of the work for file sharing without the rights holder's consent who infringe copyright. An example of this is found in the judgment of Fredrikstad District Court of 12.3.2007.[52] The accused had Start.no as his Internet provider, and had been offered a kind of «pre-premiere» of the film, which was streamed to his machine at somewhat reduced quality compared with a film on a rented disc.[53] He used a program that diverted the stream and stored the film as a file on a local medium. The accused was convicted of copyright infringement, but also ordered to pay compensation to the rights holder under the «remuneration principle», i.e. the remuneration the rights holder would have demanded is taken as the basis. Because of the reduced quality, the court set the remuneration at NOK 40 per download, and found that the film had been downloaded 2,771 times, which amounted to a loss of NOK 110,840. In addition there was loss due to market disturbance etc., and the court set the total loss at NOK 150,000 by discretionary assessment. This was, however, reduced under the principles of the Compensation Act (Act of 13.6.1969 No. 26) section 5-2.[54] Even though the compensation was reduced, it is not insignificant. Anyone who infringes copyright by unlawful file sharing risks not only punishment but also substantial liability for damages.
[52] TFRED-2006-177576.
[53] The film was streamed at a quality of 1,350 kb/s compared with a rental film, which had a quality corresponding to 6,000 kb/s.
[54] The provision in question reads: «Liability for damages may be reduced when the court, having regard to the extent of the damage, the financial capacity of the liable party, existing insurance and insurance options, the degree of fault and the circumstances in general, finds that the liability is unreasonably burdensome for the liable party.»
It should be emphasised that the technology for file sharing is not in itself unlawful. On the contrary, rights holders depend on effective file sharing where the rights holder chooses to make the work available to the public in this way, as many broadcasters do, for example.
3.5.4 Streaming[55]
Videograms probably already belong to the recent past. In the future, streaming will most likely dominate. Streaming is based on a copy of the work being uploaded to a website, and users being able to transfer the work from the website to their own workstation as a stream of data, controlled by a program that does not permit downloading to a local hard disk etc. In itself the work is just as accessible as if it were stored locally, but it is, then, stored in the network. This solution will probably entail greater control over the work than the solution where unlawful file sharing is a watchword for lack of control.
[55] Usage varies between the forms «strømming» and «strømning». I prefer «strømming»; «strømning» is preferably sour, Swedish and tinned.
Streaming presupposes that the network has sufficient capacity. On the Internet, data is sent in packets of equal size; each packet in principle finds its own way through the network – from sender to receiver. The packet has a serial number that makes it possible to reassemble a large number of packets in the correct order at the receiver. The streaming system will begin to perform the film before all the packets have been received. It may therefore happen that packets are missing when the performance has progressed to the point where they ought to have been in place. In that case the quality of the film is reduced.
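As an added illustration, not taken from the article, the following Python simulation models the reassembly just described: packets carrying serial numbers arrive out of order, playback starts once a small prebuffer is filled rather than waiting for the whole film, and any packet that is not in place when its turn comes is counted as quality loss. The arrival times, the buffer depth and the fixed playout interval are constructed sample values, not measurements from any real stream.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    seq: int         # serial number used to restore the order at the receiver
    arrival: float   # time (seconds) at which the receiver got the packet


@dataclass
class PlayoutReport:
    played: list = field(default_factory=list)   # played in order, on time
    missing: list = field(default_factory=list)  # not in place at their deadline
    late: list = field(default_factory=list)     # subset of missing: arrived, but too late


def simulate_playout(packets, total, prebuffer=3, interval=1.0):
    """Reorder packets by seq and play them at a fixed rate.

    Playback starts as soon as seq 0..prebuffer-1 are all buffered; the
    player does not wait for all `total` packets.  Packet k is due at
    start + k * interval.  If it has not arrived by then it is skipped,
    which is the quality loss the text describes.  A packet that turns
    up after its deadline is discarded rather than played out of order.
    """
    arrivals = {}
    for p in packets:
        # a retransmitted duplicate counts at its earliest arrival
        if p.seq not in arrivals or p.arrival < arrivals[p.seq]:
            arrivals[p.seq] = p.arrival
    head = [arrivals.get(s) for s in range(prebuffer)]
    if any(a is None for a in head):
        raise ValueError("prebuffer never filled; playback cannot start")
    start = max(head)
    report = PlayoutReport()
    for seq in range(total):
        deadline = start + seq * interval
        arrival = arrivals.get(seq)
        if arrival is not None and arrival <= deadline:
            report.played.append(seq)
        else:
            report.missing.append(seq)
            if arrival is not None:
                report.late.append(seq)
    return report


def quality(report, total):
    """Fraction of the stream that was played on time (1.0 = no gaps)."""
    return len(report.played) / total


def sample_stream():
    """Constructed arrivals: out of order, one late (seq 4), one lost (seq 7)."""
    return [
        Packet(0, 0.0), Packet(2, 0.5), Packet(1, 0.8), Packet(3, 1.0),
        Packet(5, 1.5), Packet(6, 2.0), Packet(4, 5.0),
    ]


if __name__ == "__main__":
    r = simulate_playout(sample_stream(), total=8)
    print("played :", r.played)
    print("missing:", r.missing, "(late:", r.late, ")")
    print("quality:", quality(r, 8))
```

Raising `prebuffer` delays the start but lets late packets make their deadline, which is the trade-off a streaming player makes between start-up wait and gaps in playback.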
The capacity of the network must be sufficient to permit streaming, and it is not long since we got a broad enough band. The judgment in the «DVD-Jon» case (see above) states that at the speeds available in 1999, it would take about 12 days to transfer a feature film over the network with an ISDN connection. That of course rules out streaming as a service.
It is in itself rather complicated to describe streaming in copyright terms.[56] But the solution presupposes the production of a copy so that the work is stored in such a way that the streaming program can generate the necessary data stream to the user's machine. The author's exclusive right covers this copy, and there must therefore be an agreement with the rights holder. The consent the rights holder gives will normally be conditional on remuneration. The framework agreement for film does not regulate this; one must assume that this right is among those the rights holder retains under section 3.3 of the framework agreement.
At the user's end, too, a temporary copy is created in the workstation's central processing unit. One must assume that this copying falls outside the rights holder's exclusive right under section 11a of the Copyright Act. The performance will typically not take place in public, but in private.[57] The performance therefore also falls outside the rights holder's exclusive right.
Remuneration and any control over the exploitation of the work must therefore be secured through the agreement that allows the work to be offered to the public for streaming.
It may perhaps be noted that the Copyright Act delimits the exclusive rights to copying and to performance in slightly different ways. Under section 2 of the Copyright Act the exclusive right to copying covers any production of copies, but under section 12 of the Copyright Act an exception is made for copying for private use. For performance, however, the exclusive right under section 2 of the Copyright Act covers only public performance. The boundary of what is public under the Copyright Act rests on a discretionary assessment – but it does not take very many people before it is regarded as a public performance. For private copying the State pays a private-copying remuneration (cf. section 12, paragraph 1, of the Copyright Act), which is administered by Norwaco and distributed among the organisations concerned. One could argue that as streaming becomes more common, a private-performance remuneration ought to be paid as well.
[56] One attempt is Jon Bing, «Strømming av åndsverk. Noen opphavsrettslige aspekter ved en tenkt maskin», Nordiskt Immateriellt Rättsskydd 3/2008:191-200.
[57] Cf. the «Smart card judgment», HR-1995-2-A – Rt-1995-35.
4 Electronic games
4.1 Interactive novels
In 1982 – the same year IBM sold its first «personal computer» – I was asked by the OECD to write an article on computer games.[58] These were in their infancy, but I expressed my enthusiasm rather unrestrainedly.
The enthusiasm had a thin basis.
I had, admittedly, taken part in tournaments in interactive tennis arranged by youthful researchers in my own environment. I doubt that anyone today could work up a fascination for two dots («balls») strictly obeying the rule that «the angle of incidence equals the angle of reflection» as they draw slow stripes across a rectangular court. And where, with the remote control, one can move two rackets in the form of lines to intervene and send the ball in a new direction. But the rules and the limitations of the technology were enough to make it a game, together with pizza and beer. Even if I never got the feeling of playing at Wimbledon, it was fun enough.
A completely different experience was the encounter with interactive novels. The first to gain any currency in Norway was played on the University of Oslo's central DEC-10 installation. This was a game with a textual interface, like an ordinary book. But the text suddenly stopped, and the story came to a halt. Then the reader had to take hold of the protagonist and suggest what should happen next. In this way the story came into being in a collaboration between the rules of the game and the reader's imagination.
A whole host of such interactive novels appeared. One of those I remember best was Trinity.[59] One situation in it can perhaps explain something of the fascination.
The protagonist is in Kensington Gardens one afternoon, when this park is – as we all know – full of nannies with prams. There is play along the paths; some prams stand empty while the nannies tend to the toddlers. Strong gusts of wind are blowing, and some of the nannies put up umbrellas that are torn away by the wind. The protagonist knows that he or she must get across the lawn and down to the lake in the middle of the park. The only thing is that when one steps out onto the lawn – where warning signs say «Keep off the grass» – one's ankles are caught by blades of grass that twine around them and make it impossible to go on.
The solution? There is an abandoned ball lying on one of the gravel paths; the protagonist learns this by «looking around», that is, by asking the game to describe what the surroundings look like. He or she takes the ball and throws it at an umbrella that is caught in a treetop. The umbrella falls down, the protagonist climbs into one of the abandoned prams, puts up the umbrella – and the wind comes gusting along and carries the improvised sailing craft across the lawn and down to the water.
[58] «The electronic game gambit», Impact 4/1982:425-431.
[59] Infocom 1986.
Does this example give some sense of what kind of adventures interactive novels can contain?
And a dramatist sees at once that the interactive novels are a form of drama. There is a stage, a set and a dramatic narrative. The difference, however, is that inside this dramatic narrative a player is wandering about, causing situations to arise, often situations the creator of the novel never imagined would occur.
4.2 The dramaturgy of games
It is a long way from these early examples to today's games. I think we have passed the time when computer-based games were first and foremost associated with brawls and races with fast cars, where the player's task was to eliminate as many opponents as possible with weapons or imaginative punches and kicks, while the player himself was to avoid being killed. These were games that were literally based on a corridor model: the player started at one end of the corridor and fought his way forward towards the goal.
But it can nevertheless help to illustrate that games have a dramaturgy.
The corridor model is simple: the player's task is to move in the direction of the corridor; there may admittedly be detours through side branches, but it is mostly straight ahead. At the same time, the corridor becomes a timeline along which the game develops; it is a little reminiscent of a film. The player's control is reduced to solving the tasks along the way. And that can be exciting enough.
But Trinity gives an example of a slightly different model, the forum model. The player is placed in a situation and then chooses for himself what the next step is. It is like standing in a market square with stalls – as long as one just stands there, almost nothing happens. One must take the first step into a stall oneself, talk to those one finds there, see what might be hidden inside. Here the game maker does not have the same linear control.
To illustrate: let us imagine that it is a murder mystery, and that the decisive evidence is a letter from the deceased. It would be boring if the player decided to go into the deceased's study, open the desk, find the letter and finish the game in three moves. The game maker must ensure that if the player starts like that, the letter is missing from the desk drawer: the player is prevented by the logic of the game from reading the last page first; the decisive step can only be taken once other, necessary steps have been completed. It is considerably more challenging to make a game according to the forum model than according to the corridor model.[60]
[60] I have in fact myself tried to make a game according to the forum model, cf. Savnet i Lokaya – Human Quest I, Universitetsforlaget and Norges Røde Kors, Oslo 1996 – I contributed only a first draft.
And this is only a hint of the dramaturgical challenges and possibilities in games. Another important element is that the games are populated not only by the persons and creatures the game maker has designed. The games allow the player himself to enter the game's reality. The player typically chooses an avatar – a term borrowed from Sanskrit avatāra, which means «incarnation» and originally referred to how a divine being appeared in our world. The player can choose from a gallery of avatars, but the game may also let the player design his own avatar. In this way the player appears as part of the game; he or she is visible to the other players. And the game naturally also allows the avatar a certain freedom to make choices, to communicate with other avatars and – of course – to challenge them to combat.
Many players may be present in these game worlds at the same time. In «massively multiplayer online role-playing games»[61] the complexity is very high. The avatars become more skilled as the players learn about the possibilities. Tools can be constructed. A sword that is used diligently lets the avatar win duels more often.
The example suggests that this is related to role-playing games such as Dungeons and Dragons,[62] where the player is invited into a fantasy land with dragons, wizards and other fairy-tale figures – often in settings reminiscent of those J.R.R. Tolkien made famous in his trilogy The Lord of the Rings.[63] Some of the most popular games belong to precisely this category, such as World of Warcraft. This fantasy world was first introduced by Blizzard Entertainment in 1994 (Warcraft: Orcs & Humans), and new editions have followed. It is considered the world's most popular of its kind, with about eight million subscribers[64] worldwide. That is to say that roughly twice as many people «live» in this make-believe world as in Norway. At any given time hundreds of thousands of players are connected to the game; the players form guilds and make plans to master new challenges.
But the surroundings may also be quite ordinary. One example is Second Life, a three-dimensional world launched by Linden Labs in 2003. This is almost a computer-based copy of the everyday world. Here IBM has offices and Sony has shops – the currency is convertible, and one can, for example, buy a plot and build a house (one must then of course buy materials and find the necessary resources to construct the house). And then one can try to sell the property to other «residents». Ailin Graef became the first millionaire in this way. Her avatar bought cheap virtual plots, developed them, divided them up, and she sold them at a profit in the real world.[65] This game is not quite as big as WoW, but it has more than five million user accounts.
With such user numbers one cannot simply brush the games aside. They are important parts of modern culture, on a par with music, traditional drama and film. They have accordingly received attention over time; new games are reviewed and assessed.
[61] MMORPG («massively multiplayer online role-playing games»).
[62] D&D was originally a role-playing game supported by a board game, developed by E. Gary Gygax and Dave Arneson, first published in 1974.
[63] The Lord of the Rings, 1954-55.
[64] August 2007.
[65] Anna Raciti, «Fantasiens rikdom», Lov&Data 91/2007:22-24.
The dramaturgy and pedagogy of the games are complex and sophisticated. The means employed can be assessed from several perspectives – artistic, technical, commercial. The experiences are very different.
These perspectives in games I can only barely hint at, and in no way do them justice. The game maker becomes a dramatist – or rather, the games will be made by a group that develops a game or maintains games, usually within frameworks meant to ensure coordination and consistency. It becomes like a dramatic series, but with the important difference that the action is never quite the same, because the players interfere and exploit the flexibility and the choices the games offer. As mentioned above, the games will be the game maker's copyright work, but when one or more players take part, the audiovisual expression that glides across the screen becomes a (fleeting) work to which the players also contribute – they may be joint authors. And it happens that a kind of culture arises around a game, in which the participants «record» the course of play itself and make it available to others, i.e. the public. One example is the game Minecraft. A dedicated program has been developed for recording the screen images, Ezvid.com, and the results of the players' efforts can be seen in several places, e.g. on YouTube. Here the players use the possibilities Minecraft puts at their disposal to create astonishing new versions, where it is the players' rather than the game makers' inventiveness that attracts attention.[66]
4.3 Interface to the net
Games, such as Second Life, can also be regarded as an interface to the net. Some of us remember when the interface was character-based: a command line with green or yellow characters on a black screen, or white characters on a blue background. That was the interface for Trinity; it worked for interactive novels. But fortunately we have almost forgotten this. Apple introduced a graphical interface for its Macintosh in 1984, and in time other operating systems got graphical interfaces too. The net, too, got a graphical interface.
It is precisely the graphical interface of the World Wide Web and of web browsers that most of us know and use daily. For a moment we might consider how different the screen image is from the book pages we grew up with: not only are there differences in varied typography and in graphics with colour and movement; there are also hyperlinks and search functions that make footnotes or back-of-the-book indexes look rather feeble. This, too, is a new medium, and users understand it quite differently from a book page.
66 Thanks to Associate Professor Tobias Mahler, who drew my attention to Minecraft and the culture around the game.
Yet many limitations are familiar. If we want to communicate, we send an e-mail; the icon is often a little picture of an envelope with a stamp, as if this should explain what happens. In reality it is a reference to a bygone reality, as if we were to explain a television by showing a little picture of a theatre stage. We also communicate with instant messages and text messages. The use of a small camera for two-way video communication has not quite caught on.
The point is that we use separate services. We send a letter, we search with a search engine, we look something up in an online newspaper. In Second Life everything is connected in a different way. We are ourselves present, as an avatar, in the virtual reality that the net represents. It is as if we had sent an agent into the world behind the screen. The virtual reality is something more than text, graphics and sound; it has become coherent and continuous, and it is experienced by our avatar. William Gibson coined the word "cyberspace" to describe this.67
But it is still only a beginning.
Imagine a possible piece of end-user equipment.
First the loudspeakers, one for each ear, full stereo sound.
A microphone glued to the cheek.
Forget the screen. Think instead of an improved version of the Virtual Retina Display,68 developed at the University of Washington Human Interface Technology Lab in 1991. Laser beams are projected directly through the pupils onto the retina and form high-resolution colour images covering the entire field of vision. The left and right images differ slightly, a difference the brain interprets as three dimensions: you do not see an image on a screen, you look into a three-dimensional space.
Forget the keyboard. Think instead of an improved data glove. Such gloves exist in reality; "Data Glove", for instance, is a trademark of Sun Microsystems. Sensors register the movements of the fingers. Haptic feedback lets you experience touch. Improved versions could have hydraulically controlled nubs on the inside that imitate any texture, from soft skin to coarse gravel. A microclimate lets you feel whether it is warm and humid or cold and dry. The glove can stiffen in any position and give the illusion that you are stroking someone's cheek or gripping an iron pipe.
With your voice you can give commands. We do not assume that speech recognition or natural-language understanding has come much further than today. But already we can give commands that control systems: "Call home!", "Lights on!" and so on. We have no keyboard. Nor do we have a touch screen. Say "Show keyboard!", and a keyboard appears in our three-dimensional field of vision; we can type on it with our gloved hands. If we should need to. For there are plenty of other things we can do in the virtual world without a keyboard. In our ordinary everyday life we manage perfectly well without one. We can open a door, wave to a friend, pat a cat ...
67 In the novel Neuromancer (1984), which he in fact presented through his avatar at a lecture in Second Life in August 2007. The book has been translated into Norwegian by Torgrim Eggen as Nevromantiker (Aschehoug, Oslo 1999).
68 See http://www.cs.nps.navy.mil/people/faculty/capps/4473/projects/fiambolis/vrd/vrd_full.html.
Incidentally, the gloves have grown. They have become a tight-fitting body suit with nubs on the inside all the way round, in direct contact with bare skin. Now you can feel the warmth of the sun on your face, the spray from the waves along the beach, the sharp claws of the cat purring in your arms. And you can move through the landscape simply by walking, or pretending to walk. Perhaps hop on a virtual tram to get there faster. Or drive a virtual car ...
Perhaps there are also small probes leading to the mouth and nose, mixing bitter and sweet, sour and salty, letting you taste an apple or smell freshly baked waffles?
This is a sketch of the interface of the future.
It does not exist today. But most of the components exist. They have just not been assembled into consumer electronics.
But imagine that you had such a body suit with a wireless broadband connection to the net. Then imagine that you stepped into World of Warcraft. You appear in the shape of your avatar and shake hands with those of your companions who happen to be logged in right now. You take time for a little small talk and look around: the fresh air from the murmuring pine forest, the tarn glittering below the hill. You weigh the spear in your hand, shade your eyes from the sun with that shield ...
The possibilities are as many as the imagination allows. In other words, unlimited.
Through the Looking-glass and what Alice found there69 is the title of Lewis Carroll's second story about Alice. The fairy tales gave the mirror roughly the same function as a screen: it did not merely reflect the face of the one looking into it; the mirror could also be used for communication and to answer questions. Who does not remember the wicked queen in the fairy tale of Cinderella asking her magic mirror: "Who is the fairest in the land?"
And in his second story about Alice, Lewis Carroll revealed how she climbed up onto the mantelpiece, how the mirror seemed to melt into a mist of silver, and how Alice was suddenly on the other side, in the mirror-image world, almost like our own, and yet "as different as it can be": a "second life".
It would be futile to attempt an enumeration of what such a technology could be used for. Imagine having seen the first flickering film of black and white images at the beginning of the 20th century, and then trying to explain the potential of the new medium, not only as fairy tale and art, but as documentation, reportage and teaching. But it is obvious that the potential of virtual reality technology is even greater for drama, romance and pedagogy. One cannot simply transpose the possibilities of film; the great difference is that in film one is only a spectator, whereas in virtual reality one is a participant through one's present avatar. Not only will other players' avatars be able to intrude into the action; the game maker's characters are controlled by autonomous computer programs and will interact with the avatars. And of course all the other possibilities: your avatar is a private soldier in the jungles of Vietnam, your avatar is a smart missile heading for a bunker in Iraq, your avatar stands beside the surgeon and hands him the scalpel as he is about to make the first incision to expose a malfunctioning heart ...
As I said, it is futile to enumerate the possibilities.
But it is easy to imagine that "escapism" takes on a new meaning.
69 Through the Looking-glass and what Alice found there (1871).
"The Palace of Eternal Pleasures" appears in a story by Will Worthington.70 The palace resembles a bunch of grapes; each grape is filled with a nutrient fluid in which people float, connected to cybernetic systems by tubes and cables. Around the palace the city has fallen into ruins, but the people dream on, helped by machines powered by the rays of the sun. It is a nasty, seductive vision. And it foreshadows how many will react to virtual-world technology. We will warn against it and fear the new experiences, just as we earlier reacted to film. To comics. To television. To interactive games. To the net itself.
In 1972 Apollo 17 landed on the Moon. Today it is more than forty years since a human being set foot on another world. But 1972 was also the year when the routines that made electronic mail possible were integrated into the rudimentary Internet.71 In a way one can say that while the journey into outer space was being wound down, the tools were being built that would make it possible to travel in inner space: the universe of knowledge, insight, dreams and fantasies that human beings themselves have created. A universe that is just as unlimited, and expanding just as fast, as space itself.
These are exciting prospects for a dramatist. But more is to come in the century of which we have now taken a tenth.
It may come as a surprise that people are now talking about an "Adaptable Brain Interface" (ABI), which makes it possible to control a computer with one's thoughts. The core is a neural network integrated with the user, who wears a portable EEG system. This analyses the variations in the rhythms of several regions of the brain and learns how to interpret them. Think "start the car", and without a remote control the car is unlocked and the engine started. Or, more realistically: integration with a fighter pilot and an aircraft that does not itself glide through the air like a bird, but rather like a stone hurled across the sky by its jet engines, and which therefore depends on lightning-fast reactions from the pilot. By connecting the pilot directly to the aircraft, one avoids the detour via hands or fingers; the pilot controls the aircraft's functions as if they were his or her own limbs.
70 Will Worthington, "Plenitude" (1960), reprinted as "Det søte liv" in Bing & Bringsværd, Tider skal komme, Gyldendal, Oslo 1968:169-178.
71 The programs SNDMSG and READMAIL, developed by Ray Tomlinson, MIT.
There is a short story by Anne McCaffrey, "The Ship Who Sang" (1969), which has in turn become a kind of symbol for me. A woman suffers a serious accident; her body cannot be saved, but her brain can be kept alive. And the brain is transferred to a starship, its nerve pathways connected to the ship's systems; the ship becomes the woman's new body, with mighty rocket engines controlled by the nerves of her legs. Is this inhuman, or a liberation from a fate as a kind of human plant, a fate we know that people want to escape: in the spring of 2002 two patients in England obtained a court ruling that they themselves could decide when the machines keeping them alive should be switched off. One wonders whether they would not have regarded a new existence as the core of a starship, or perhaps just a fighter aircraft, as a real alternative?
The cyborgs are coming, and you may become one of them!
Digital footprints as evidence in civil proceedings1
Maria Astrup Hjort
This paper concerns digital footprints. Since the literature regarding digital footprints is mainly aimed at criminal proceedings, my task will be to present the use
of digital footprints as evidence in civil litigation. I have to emphasize that I will
concentrate on Norwegian law, but I will make some comparisons with English,
Swedish and Danish law.
First, some brief keywords to describe the difference between Norwegian civil
and criminal procedure. Criminal procedure is closely connected to criminal law
and the purpose is to punish those who have committed a crime, and make the
punishment a reality. Civil procedure covers case management in all cases not
involving questions of punishment. In Norway, there is no third procedural track
for administrative matters, like in Sweden, or for family matters, like in England
and Wales. This means that the civil procedure rules in the Norwegian Dispute
Act covers a heterogeneous group of legal issues, where the need for use of digital
footprints can vary significantly.
Another key difference between Norwegian criminal and civil procedure is
the role of the police. In criminal proceedings, the police have virtually all possibilities to obtain digital footprints and present them as evidence in court. In
civil cases, however, there are two conflicting parties who basically want to know
everything about the other party, including what they might have stored electronically. In the absence of an authority, like the police in criminal proceedings,
it is basically up to the parties to locate relevant evidence and to decide what to
present to the judges. Without a general understanding of digital footprints, such
evidence is easily overlooked or less highlighted in civil proceedings – one might
erroneously be left with the impression that digital footprints are not as useful in
civil litigation as in criminal proceedings.
“Digital footprints” can be defined as automatically generated data. Because
the data are generated without any specific permission from the person generating
them, whether one is aware of the footprints varies. Examples can be GPS information from your cell phone tracking your route to your office, the data you leave
entering the office with an access card, metadata generated while you are working
on your computer, data from the RFID chip when you borrow a book from the
1 Paper presented at the Nordic Conference in ICT law, «The proof is in the digital pudding», Oslo, November 14th 2013.
library, or information registered when validating your bus ticket on your way
home. There is basically no reason why this information should only be used in
criminal proceedings. Why should there be a greater opportunity to clarify the
facts in criminal cases than in civil matters?
Two basic principles in Norwegian civil procedure are important in this respect: one is the right of unrestricted presentation of relevant evidence, and the second is the principle of unrestricted evaluation of the evidence. This means that,
as a starting point, there are no restrictions as to what kind of evidence the parties may present, or how this evidence shall be considered and evaluated. Norwegian civil procedure does not, to the same extent as the English, categorize
evidence into hearsay evidence, circumstantial evidence and so on, depending on
the nature of the evidence. The court must evaluate all possibly relevant evidence
presented and reach a conclusion on the basis of a comprehensive assessment.
The crucial issue, from a practical point of view, is therefore not what the parties
may present, but what they get access to for the purpose of presenting the evidence
to the court. The question of access has a particular significance when it comes to
digital footprints, because access to this kind of evidence in most cases requires
assistance from an IT expert and a budget for such investigation. This might be a
challenge when it comes to the principle of proportionality.
A starting point for the question of access to evidence, is the general rule in
the Dispute Act sec. 21-4 first paragraph, saying that
“The parties shall ensure that the factual basis of the case is correct and complete.
They shall provide such explanations and summaries of evidence as are required to
fulfil this obligation, and they have a duty to give testimony and access to evidence
pursuant to section 21-5”.2
This obligation is extended in the second paragraph:
“A party shall also disclose the existence of important evidence of which such
party has reason to believe that the opposite party is not aware. This shall apply
irrespective of whether such evidence is in favour of such party itself or in favour
of the opposite party”.
These sections might remind you of the English disclosure rules, and in fact, the
provision is inspired by the English system.3 On the other hand; Norwegian civil
procedure is also based on a principle that it is the parties’ duty to take care of
their presentation of evidence; each party has a responsibility to present the evidence that he or she will rely on.4 As you can see, these principles are in conflict
with each other, and that is probably the reason why the obligation to disclose
evidence in favour of the opposite party is rarely sanctioned. Danish and Swedish
civil procedure has not incorporated an Anglo-American inspired provision like
the Norwegian rule, and the presentation of evidence is fully based on the principle of the parties’ right and responsibility to present the evidence they rely on.5
Norwegian civil procedure seems to balance between the Anglo-American
tradition and the Scandinavian tradition in this respect.6 The balance is difficult
because of the conflicting principles, and it is not certain that there is a distinct line in
balancing between these two principles.
2 NOU 2001: 32, p. 1083.
3 NOU 2001: 32, p. 465.
In case of non-compliance with the disclosure rule, the party will have to request
a court order allowing access to the evidence. Without specific knowledge of
the evidence, it is difficult for the requesting party to convince the court that the
evidence is relevant and that the disclosure costs are proportionate to the issue at
stake. This is especially a challenge when it comes to digital footprints, because
this evidence usually appears as circumstantial evidence, and the court needs convincing reasons to order a party to give access to evidence of lesser importance to the
subject matter. Therefore, the court might conclude that evidence like digital footprints is not necessary in reaching the correct conclusion. In many
cases this view might be correct; however, when this guideline is applied to digital
footprints, it might also lead to an unwarranted exclusion of such evidence.
When requesting access to digital footprints, or electronic evidence in general,
there are a couple of recurring challenges connected to such evidence. One important question is how to obtain the relevant information - and only that. There
are currently no guidelines in Norwegian civil procedure regarding this question.
This lack of regulation is particularly apparent when a party requires access to
evidence secured by the court. The Norwegian Dispute Act offers an opportunity
to request a pre-action disclosure called “securing of evidence”. With reference to
this provision, the court may order the enforcement officer to arrange for forensic
images of hard discs, servers and other storage devices. The specific evidence the
party wants is often to be found among enormous amounts of other information that is, at best, irrelevant. The material may also include personal information, trade or business secrets, privileged attorney-client communication, etc.
The relevant information needs to be sorted out, and for that purpose technical
expertise is regularly needed.
4 NOU 2001: 32, p. 1100.
5 Ulrik Rammeskow Bang-Pedersen and Lasse Højlund Christensen, Den civile retspleje (2010), p. 487 and p. 84-85; Bengt Lindell, Civilprocessen (2012), p. 110-111, 471-472 and 492-496.
6 On the Scandinavian legal tradition, see Konrad Zweigert and Hein Kötz, Introduction to Comparative Law (1998), p. 276 f.
The Norwegian securing orders may resemble the English search orders, formerly known as Anton Piller orders,7 but unlike these search orders, securing of
evidence is frequently used to secure electronically stored information, including
digital footprints. In Denmark and Sweden this kind of order can only be given
in proceedings regarding intellectual property rights.8
The actual use of electronic evidence in civil cases in Norway has not yet
been brought to a very sophisticated level. Lawyers still prefer to search for, read
and present evidence that appears on a piece of paper. But we generate enormous
amounts of electronic information, and the digital medium offers new, unimagined possibilities to search for relevant evidence. Digital footprints have become
a new tool in the lawyer’s toolbox and this possibility should not be reserved for
criminal proceedings. Parties and their lawyers need to be reminded of this treasure chest of evidence in our digital era. My prediction is that digital footprints
will be more important in future civil litigation in Norway, with all the options
and challenges that will imply for the parties, their lawyers and the court.
7 Paul Matthews and Hodge M. Malek Q.C., Disclosure (2012), p. 37-39.
8 Bang-Pedersen and Højlund (2010), p. 505-512, and Ot.prp. no. 33 (2003-2004), p. 3.
Russian PNR system: data protection issues and global prospects1
Olga Mironenko Enerstvedt
Abstract
The usage of Passenger Name Record (PNR) for security purposes is growing
worldwide. At least six countries have PNR systems; over thirty are planning to
introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and
privacy concerns. Russian authorities state that passengers’ rights will be respected, but a closer look at the Russian regime reveals a number of critical points.
From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of
them, similar challenges and problems will apply. At the same time, for the EU,
with its strict data protection requirements, PNR requests by third countries (i.e.
non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one
between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened
its position in negotiations with third countries. How will the EU deal with the
Russian as well as with all the future requests for PNR?
This paper provides a legal analysis of the Russian PNR regime, pointing out
common problems and giving a prognosis on the global situation.
Keywords: PNR, Passenger Name Record, Russia, privacy, data protection, security, aviation, personal data
1 Under publication in Computer law and security report ([2014] 30 CLSR p.?)
1 Introduction
Today, security experts agree that aviation security requires a risk-based, pro-active
rather than reactive approach, and this is already reflected in international and national policies.2 This strategy implies, among other things, advanced collection and
analysis of personal data: since the vast majority of passengers pose no threat to
civil aviation, information is critical to assess the risk. The goal is to find meaning
in enormous amounts of data and then see connections and make predictions.3
A special role in these processes is played by Passenger Name Record (PNR).4
PNR are used by the state authorities for security purposes, to combat terrorism
and crime. Moreover, the analysis of PNR data is valuable for threat and risk assessment and management; it may help not only to identify passengers who are a
known threat, but to identify potentially dangerous persons who are an unknown
threat. According to IATA, as of 2013, access to PNR for security purposes is required in six countries and in the works in thirty more.5
At the end of 2013, a Russian PNR system is planned to be implemented. All
airlines operating domestic or international flights or passing Russia will have to
hand over passenger data to Russian security authorities. With the largest territory in the world, the Russian Federation is a natural boundary and a natural
bridge between Europe and Asia as well as one of the fastest growing markets for
international air travel. Many foreign airlines, including EU airlines, carry out
flights into and out of Russia;6 in addition, around 53,000 European flights transit
over Russia to Asia each year.
The key point for this paper is that usage of PNR for security purposes has a
serious impact on the rights to privacy and data protection, so that these rights
may be interfered with, limited or violated. Enhanced collection of passenger personal data leads to increased surveillance of mostly innocent and unsuspicious
people. “Security versus privacy” has become a common expression. This dilemma generally implies balancing of these two values and definite trade-offs, usually
at the price of privacy: it is obvious that security in the air must be provided, and
that security, which is vital to survival, is more important than privacy. But in
short, the dilemma does not necessarily imply that security needs and data protection interests cannot co-exist. Both are important for society; what is needed
is to find a way to ensure both values, without loss to either. Is it possible to use
PNR for security purposes and at the same time respect the passengers’ rights?
2 See, e.g., Standard 3.1.3 of ICAO’s Annex 17.
3 Schneier, Schneier on security (2008), p. 7.
4 PNR data will be elaborated on in Section 2.
5 IATA, Facilitation and Passenger Data, http://www.iata.org/whatwedo/security/facilitation/Pages/index.aspx (date accessed: 19.08.2013).
6 Currently, foreign air carriers do not have access to the Russian domestic aviation market.
Similar to other states justifying the introduction of PNR regimes, the Russian
authorities explain that the new measure is warranted by the need to improve
aviation security. As for the protection of passenger personal data, they state that
Russia ratified the Council of Europe Convention No 108 and adopted a law implementing the Convention into national law, and thus that the passengers’ rights will
be respected.
But despite these assurances, the EU Commission expressed concerns regarding the new Russian PNR regime. First of all, the EU became worried about the
unilateral nature of the proposal. Since the EU was not familiar with the details
of proposed measures and could not evaluate the impact (according to the EU
officials, they raised the issue in Moscow early in 2013 and sent a letter in March,
but never got a response),7 the EU asked Russia to postpone implementation of
the PNR measures and to provide additional information on the regime.8
Secondly, according to the EU officials, the situation with human rights in
Russia creates a potential for data abuse.9 For instance, in 2012 the EU was concerned about measures taken against members of the opposition, media freedom, the situation in the North Caucasus, the children’s rights issues and issues of
discrimination and racism, etc.10 With such a background, it will undoubtedly be
difficult for the EU to believe that, in contrast to the above-mentioned issues, the
PNR system will respect the rights of air passengers.
Moreover, pursuant to the EU data protection legislation, transfer of PNR to
Russian authorities by EU airlines will be illegal since the Russian Federation
is not considered as a country providing an adequate level of data protection.
Therefore, if the situation does not change, the EU airlines will find themselves in
a difficult situation: to fly to or over Russia, they will need to comply with either
EU or Russian law. They can either refuse to transmit the data, thereby becoming
subject to Russian authorities’ sanctions, or they can deliver the data in violation
of the EU law.
The International Civil Aviation Organization (ICAO) Guidelines on PNR11
stipulate in §§2.4.3-5 that an air carrier must comply with the laws of the state of
departure and the state of destination. If the laws of the state of departure do not
allow an air carrier to comply with the requirements of the state of destination,
both countries should settle the conflict of laws. Prior to the settlement, states are
7 Nielsen, EU tells Russia to drop air passenger data law (2013).
8 See Nielsen, Russia blames EU for airline data fiasco (2013).
9 Nielsen (2013).
10 Council of the EU, EU Annual Report on Human Rights and Democracy in the World in 2012 (Country Reports), Brussels, 21 May 2013.
11 Document 9944 - Guidelines on Passenger Name Record (PNR) data of 2010 (ICAO PNR Guidelines).
advised to apply no fines or other sanctions against air carriers taking into account the specific circumstances of the case.
Although, in response to the EU’s concerns, Russia stressed that the full text
of the Order had been published in September 2012 and that the EU had had sufficient time
to prepare,12 the deadline was nevertheless postponed, taking into account international agreements and the
need for additional time for foreign and Russian carriers to prepare,13 from 1 July 2013, as initially planned, to 1 December 2013.
In 2003, when a similar problem arose for the EU carriers flying to the USA,
most EU airlines chose to provide PNR to the US authorities, being unable to
simply stop flying across the Atlantic.14 However, later, this was regulated by a series of bilateral EU-US PNR agreements laying down the legal basis for the transfer. To date, the EU has such agreements with the USA, Canada and Australia. On
the one hand, formally, the agreements state that they ensure an adequate level
of data protection. On the other hand, data privacy advocates argue that these
agreements, especially the EU-US one, fail to ensure appropriate data protection
standards and contain a number of serious deficiencies and disturbing points.
Clearly, compromises were made due to political and commercial needs: flights
must go on. In addition, it is quite arguable whether the EU’s strict data protection requirements can be achieved in the security field.
What will be the case for Russia? Will the dilemma for the EU airlines indicated above be solved, or postponed again, or will the EU carriers have to choose
which law to follow? Apparently, the time leading up to 1 December 2013 can be
used to try to settle the conflict of laws. However, much depends on how effectively the time is spent and whether the parties are open and willing to engage in dialogue.
If an EU-Russian dialog is established, what will the EU expect from Russia:
compliance with the strict but practically unrealistic requirements of the EU data
protection law, establishing compromise solutions similar to the current bilateral
agreements, or requiring some additional, specific safeguards and guarantees, taking into account particular circumstances? In contrast to the USA, Canada and
Australia, Russia is a non-Western state. It is a question whether data protection
weaknesses accepted by the EU in the EU-US PNR agreement will be accepted
for the EU-Russian deal.
Another question is the Russian authorities’ ability to make the rules work in
case guarantees are provided. In theory, Russian regulators may adopt rules on
PNR which would formally satisfy the EU data protection standards, but will
they be implemented? The problem of law-in-books versus law-in-action is particularly relevant for states like Russia, with relatively newly established democratic
regimes and democratic values, where many legal rules are written on paper but
are not fully enforced in reality, where the laws simply do not work.
12 See Nielsen (2013).
13 The Ministry of Transport of the Russian Federation, News, 2.07.2013, http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20434 (date accessed: 03.07.2013).
14 See Ntouvas, Air Passenger Data Transfer to the USA: the Decision of the ECJ and latest developments, International Journal of Law and Information Technology, Vol. 16 (2008).
At the same time, the US regime raises doubts about proper enforcement and the absence of abuses as well (e.g. recent cases about the secret collection and use of personal data pursuant to NSA domestic surveillance programs). Who can stop a sovereign state if it suddenly decides to enhance security measures, violating its previous promises on data privacy? This makes the problem even more complicated.
Without going into political considerations, this paper will provide a legal analysis of the newly established Russian PNR regime. In order to see the broader picture, it will also discuss Russian general data protection regulation as well as current problems of its enforcement and realization. Further, it will analyze selected elements of the PNR regime from a data protection point of view, taking into account the ICAO recommendations on PNR transfer (where applicable), the EU data protection requirements and the current bilateral EU-US PNR agreement, which is officially acceptable to the EU.
A more global point is that surveillance is increasing worldwide. Russia is not the only state demanding or planning to demand PNR, and the number of such states is growing. At the same time, the list of states with an “adequate data protection level” (according to the EU) includes only a small minority of them. The majority may face challenges and problems similar to those of Russia, both with regard to the lack of legislation and the fact that the laws do not work. All this creates global possibilities for abuses and violations of air passengers’ data privacy rights. The Russian regime can thus be considered as only one example of many regimes, including future ones. The paper hence endeavors to outline some prospects for the global development as well, pointing out possible common problems.
2 What is PNR?
According to §2.1.1 of ICAO PNR Guidelines, PNR is the common name given to records created by aircraft operators or their authorized agents for each journey booked by or on behalf of any passenger. These data are used by aircraft operators for commercial and operational purposes while providing air transportation services. PNR are contained in operators’ computer reservation systems (CRS), departure control systems (DCS), or equivalent systems providing similar functionality.
PNR are created every time a traveler makes a reservation. Technically, they
are not deleted from CRS and can be viewed even if a person never bought a
ticket or cancelled the reservation. The basic record may contain multiple passengers within the same record. But each entry, even for one passenger, contains
data on other people as well: the passenger, the travel arranger or requester, the
travel agent or airline employee, a person paying for the ticket, etc. The PNR
system contains all passenger data of the whole airline company, thus, the system
is not restricted to a specific flight. Most travel agencies also use the CRS as their
primary customer database and accounting system and store all customer data
in CRS profiles. Thus PNR also contain data on individuals who never travel by
air at all, since lots of travel services, such as car rental and hotel reservations, are
made through CRS.15
PNR can be captured up to 360 days in advance of flight; hence, PNR data
are dynamic and are subject to change. The range of PNR is very wide and may
constitute up to 106 elements of data. Although different systems provide varying
facilities, and the number and nature of fields vary from airline to airline and even
among individual PNRs from the same airline, all PNRs contain at least passenger name(s), itinerary, and contact information.16
The Annex to ICAO PNR Guidelines provides a list of possible PNR data
elements. They can be categorized in the following groups: (i) Machine Readable
Travel Document (MRTD) details (names, date of birth, etc.), (ii) contact details, (iii) passenger details; (iv) payment details; (v) other information (name of
person making the booking, travel agent information); and (vi) data related to
aircraft flight.
Passenger details include OSI (Other service related information), SSI (Special Services Information), SSR (Special Service Requests), and General remarks. Through OSI/SSI/SSR, PNR may include requests for special medical service or special dietary meals; that is, they may contain details of travelers’ physical and medical conditions and indications of travelers’ religious practices, in other words, data of a sensitive nature. General remarks may contain data on internal conversations and contacts between an airline company’s employees and agents, including various comments and abbreviations.17
As for completeness and accuracy, two types of information can be distinguished. The first group includes MRTD details (also known as API, Advance Passenger Information), which derive from travel document information. These data are official and validated; spellings and dates are transcribed accurately, offering objective and permanently valid information. Such information may be used to check against watch lists, that is, to identify already known persons. The second group includes the information that the passenger submits to the CRS himself or herself; thus, these data cannot be guaranteed to be complete or accurate, and may not be fully updated on the date of departure.
15 See Hasbrouck What’s in a Passenger Name Record (PNR)? (2009)
16 IATA. Passenger Services Conference Resolutions Manual (PSCRM). 01Jun2007-31May2008
27th Edition
17 §2.1.6 of ICAO PNR Guidelines
Nevertheless, overall, PNR provides a comprehensive and extremely detailed record of every entry and includes data on the basis of which aspects of the passenger’s history, conduct and behavior can be deduced. PNR can thus be used in profiling, offering information on the background of the individuals and their possible relationship to other persons being investigated. As such, PNR may be very useful for intelligence in identifying both known criminals and potentially dangerous persons who are not yet known from databases.
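The grouping of PNR elements and the distinction between validated MRTD/API data and unvalidated, passenger-supplied service entries described above lend themselves to a data-minimization step before a record is handed to a state authority. The following is an added example written for this edition, not code from the paper or from any reservation system: it sorts a constructed PNR into the ICAO-style groups, flags SSR/OSI entries that reveal health or religion (the IATA service codes in its table and the keyword list are assumptions to be checked against one’s own CRS), and produces a purpose-limited export: only validated identity and flight fields for a watch-list check, and a record stripped of sensitive entries for wider border-security use. This is also the purpose-limitation and sensitive-data practice that the ICAO minimum requirements and the EU-Australian agreement discussed in section 4 call for.

```python
"""Classify and minimize a PNR before it is handed to a state authority.

Added example for this paper; it is not the author's code and not any CRS
vendor's API. Field names, the record layout and all sample values are
constructed for illustration. The four-letter SSR codes are IATA service
codes as known to the writer of this example; treat the table as an
assumption and extend it for your own reservation system.
"""
from copy import deepcopy

# ICAO-style grouping of PNR elements, following section 2 of the paper.
GROUPS = {
    "mrtd": {"surname", "given_names", "date_of_birth", "document_number", "nationality"},
    "contact": {"phone", "email", "address"},
    "passenger": {"ssr", "osi", "remarks"},
    "payment": {"card_number", "payer_name"},
    "booking": {"booked_by", "booking_agent"},
    "flight": {"itinerary"},
}

# Service codes that reveal health or religion (assumed table). VGML
# (vegetarian meal) is deliberately absent: on its own it does not indicate
# a religion, so it is passed through unchanged.
SENSITIVE_CODES = {
    "WCHR": "health", "WCHS": "health", "WCHC": "health", "MEDA": "health",
    "BLND": "health", "DEAF": "health",
    "KSML": "religion", "MOML": "religion", "HNML": "religion",
}
# Free-text markers for OSI/remarks, which have no fixed code vocabulary.
SENSITIVE_WORDS = ("wheelchair", "diabet", "pregnan", "oxygen", "kosher", "halal")

# Constructed sample record (not real data).
SAMPLE_PNR = {
    "record_locator": "ABC123",
    "surname": "DOE", "given_names": "JANE", "date_of_birth": "1985-04-12",
    "document_number": "X1234567", "nationality": "NOR",
    "phone": "+47 00000000", "email": "jane@example.org",
    "itinerary": ["OSL-SVO 2013-12-02 XX123"],
    "ssr": ["WCHR", "VGML", "KSML"],
    "osi": ["PAX REQUESTS OXYGEN ON BOARD"],
    "remarks": ["AGENT NOTE: CALL BACK RE PAYMENT"],
    "card_number": "4111111111111111", "payer_name": "JOHN DOE",
    "booked_by": "TRAVEL AGENT 42",
}


def classify(pnr):
    """Return {group: {field: value}}; fields outside GROUPS land in 'other'."""
    out = {g: {} for g in GROUPS}
    out["other"] = {}
    for key, value in pnr.items():
        group = next((g for g, names in GROUPS.items() if key in names), "other")
        out[group][key] = value
    return out


def sensitive_entries(pnr):
    """List (field, entry, category) for service entries revealing health or religion."""
    hits = []
    for fld in ("ssr", "osi", "remarks"):
        for entry in pnr.get(fld, []):
            code = entry.split()[0].upper() if entry.strip() else ""
            if code in SENSITIVE_CODES:
                hits.append((fld, entry, SENSITIVE_CODES[code]))
            elif any(word in entry.lower() for word in SENSITIVE_WORDS):
                hits.append((fld, entry, "keyword"))
    return hits


def minimize(pnr, purpose):
    """Return the subset of a PNR an authority may receive for one purpose.

    'watchlist': only the validated MRTD/API fields plus the flight, which is
    all a known-person check needs. 'border': the full record with sensitive
    service entries removed and the card number masked to its last four digits.
    """
    groups = classify(pnr)
    if purpose == "watchlist":
        return {**groups["mrtd"], **groups["flight"], "provenance": "validated"}
    if purpose != "border":
        raise ValueError(f"unknown purpose: {purpose}")
    export = deepcopy(pnr)
    drop = {(fld, entry) for fld, entry, _ in sensitive_entries(pnr)}
    for fld in ("ssr", "osi", "remarks"):
        if fld in export:
            export[fld] = [e for e in export[fld] if (fld, e) not in drop]
    if "card_number" in export:
        number = export["card_number"]
        export["card_number"] = "*" * (len(number) - 4) + number[-4:]
    # Flag which fields were typed in by the passenger or agent and so may be
    # incomplete or stale on the day of departure.
    export["unvalidated_fields"] = sorted(k for k in pnr if k not in GROUPS["mrtd"])
    return export


if __name__ == "__main__":
    for fld, entry, cat in sensitive_entries(SAMPLE_PNR):
        print(f"sensitive {fld} entry {entry!r}: {cat}")
    print(minimize(SAMPLE_PNR, "watchlist"))
    print(minimize(SAMPLE_PNR, "border"))
```

The split into a watch-list export and a border export is the point: the first carries only fields that were transcribed from a travel document and can be matched reliably, while the second keeps the free-text service entries that make profiling possible, so that is where the sensitive-data filter has to sit.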
3 Usage of PNR
The Chicago Convention (1944) rests on the notion that states are sovereign over
their land and air space.18 The principle of state sovereignty constitutes the legal
basis for the national security of the state. Moreover, Article 13 of the Chicago
Convention stipulates that the laws and regulations of a state as to the admission
to or departure from its territory of passengers shall be complied with by or on
behalf of such passengers upon entrance into or departure from, or while within
the territory of that state. Therefore, the state itself determines which information
it requires from persons entering, departing or staying in this state.19
Taking into account the growing importance of PNR data transmission for aviation security purposes, the ICAO urges states to use PNR as an aid to aviation security.20 In order to harmonize PNR usage worldwide, the ICAO issued PNR Guidelines which establish uniform measures for PNR data transfer and the subsequent handling by the states; IATA, for its part, issued Recommended Practice PNRGOV.21
In §2.2.2, ICAO PNR Guidelines provide a list of purposes for PNR analysis: improve aviation security; improve national and border security; prevent acts
of terrorism and other serious crimes of transnational character, including organized crime, and fight against them; protect vital interests of passengers and
population, including health; improve border controls at the airports; facilitate
passenger flow.
The principles of PNR transfer are as follows: minimization of costs of the
industry; accuracy of the information; completeness; protection of personal data;
timeliness; effectiveness and efficiency of data management / risk management.22
The Guidelines and PNRGOV provide other details as well. But the ICAO and IATA documents are not binding on the states; thus, it is up to the latter to establish concrete requirements and guarantees.
18 Art. 1-2 of Chicago Convention signed 7 December 1944, ICAO Doc 7300/6. The Convention is now in its ninth edition.
19 §1.2. of ICAO PNR Guidelines
20 ICAO, 37th Assembly (2010) Resolutions.
21 IATA Recommended Practice 1701a, 2012 (PNRGOV)
22 §2.3.2 of ICAO PNR Guidelines
In reality, different states establish different and sometimes conflicting PNR
demands, and full harmonization is not achieved. The problems include various
data exchange requirements (e.g. formats and methods of transfer), requests for
data elements beyond existing international standards; absence of common objectives and clear agreement on process among states.23 As a result, air carriers
may face legal, technical and financial problems.
For instance, according to IATA, part of the data required by Russia (such as passport numbers) does not take into account international reservation systems.24 A problem also arises in collecting data on passengers flying over the territory of Russia: the CRS contains data on airports of departure and arrival, but no lists of countries whose air space is crossed by the plane during the flight.25 Further, according to the aviation industry, the composition and structure of the passenger data protocol do not coincide with the PNR and API files currently used in air transport, and some items cannot be filled in because of lack of information.26 The requirement to transfer data in real time, no later than 30 minutes after entering the data into the information systems, does not take into account the fact that the CRS provides passenger data to airlines at certain intervals.27
Data protection problems emerge as well. First of all, some states (e.g. the USA) use PNR for data mining and profiling, techniques which use statistical methods that cross-index randomly selected information from large databases and provide risk assessments of individuals or predict their future behavior.28 In profiling, the core idea is to record, store, process and retrieve personal data to create profiles in searchable databases in order to indicate potentially dangerous persons.29 According to many security experts, profiling, combined with the use of intelligence, offers a huge potential for preventing terrorist acts.30
However, these techniques are not very accurate, with a high number of false negatives and false positives,31 while the increased and unlimited use of personal data, with long-term or unlimited storage, creates enormous risks for data protection. Hence, privacy advocates argue that PNR data should not be used for data mining or profiling, and their use must be limited to specific crimes or threats on a case-by-case basis.32
23 PNRGOV
24 Elkova Russian sky will be closed to the lock (2013)
25 Elkova (2013)
26 Sirena-Travel Problems of realization of the Order of the Ministry of Transport N243 (2013)
27 Elkova (2013)
28 Poullet. Data protection legislation: What is at stake for our society and democracy? In: Computer Law & Security Review. Vol. 25 (2009). p. 214
29 Lyon Surveillance studies: An overview (2007) p. 5
30 Yehoshua. Terrorist profiling: analysing our adversaries personalities. In: Aviation Security International. Vol. 17 (2011). p. 23
31 Solove. Data mining and the security-liberty debate. In: The University of Chicago Law Review (2008). p. 353
There are different views on how effective the use of PNR can be. Opponents (mostly data protection advocates and researchers) state that no substantial evidence has been provided to prove that the collection of PNR is necessary and proportionate and supports the fight against terrorist offences and serious crime.33
Proponents (mostly security experts and law enforcement agencies) argue that PNR, if properly used for targeted passenger profiling, are extremely valuable, with a potential to reveal “clean skin” terrorists.34 According to British Conservative MEP Timothy Kirkhope, PNR data was “instrumental” in capturing collaborators of the 7 July 2005 London bombers and the 2008 Mumbai terror attackers, and “led to the capture of dozens of murderers, pedophiles and rapists” and “95% of all drug captures in Belgium and 85% in Sweden are caught using PNR data.”35
Nevertheless, however this is viewed, the collection and use of PNR for security purposes is already a reality worldwide and common practice. The countries which currently use PNR for law enforcement purposes include the USA, Canada, Australia, New Zealand, South Korea and the UK; Japan, Saudi Arabia, South Africa and Singapore, France, Denmark, Belgium, Sweden, the Netherlands and others have either enacted relevant legislation and/or are currently testing potential uses of PNR data; others are considering setting up PNR systems.36 According to Dutch Liberal MEP Sophie in ‘t Veld, the countries also planning to implement PNR regimes include India, Malaysia, Qatar and the United Arab Emirates, and it is only a matter of time before China does the same.37 As mentioned previously, the Russian system will be implemented in December 2013.
32 European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger
Name Record (PNR) agreements with the United States, Australia and Canada.
33 E.g. see Article 29 Working Party on data protection: Letter to the Civil Liberties Committee
of the European Parliament, Brussels, 6 January 2012. Ref. Ares(2012)15841 - 06/01/2012;
Brouwer. The EU Passenger Name Record System and Human Rights: Transferring Passenger Data
or Passenger Freedom. In: CEPS Working Document (2009).
34 Wolff. Are We Ignoring the “Risk” in Risk Based Screening? In: Aviation Security International.
Vol. 18 (2012). p. 4
35 BBC News Europe, MEPs back deal to give air passenger data to US, 19 April 2012, http://www.
bbc.co.uk/news/world-europe-17764365 (date accessed: 30.04.2012).
36 Communication from the Commission On the global approach to transfers of Passenger Name
Record (PNR) data to third countries, COM(2010) 492 final, Brussels, 21.9.2010, p.4.
37 See Nielsen (2013)
Apparently, all these states provide different data protection guarantees (if
any), and have different opportunities to enforce them in reality. The data protection perspectives will be considered below.
4 PNR transfer: data protection perspective globally
From the data protection perspective, the problem is that PNR contain personal data about air passengers, who are protected by law both nationally and internationally.38 Accordingly, if security measures have an impact on the right to data protection, they need to be accompanied by strong and adequate safeguards. This is already reflected in international recommendations: the ICAO, for instance, urges the states using passenger data for security purposes to ensure the protection of passengers’ privacy.39 §2.6.2 of ICAO PNR Guidelines contains minimum requirements on data protection: the states receiving PNR should:
• use the data only for the purpose for which they were collected,
• limit access to the data,
• limit retention of data,
• ensure the data subjects’ rights of access and rectification,
• ensure redress,
• ensure the presence of data protocols and appropriate automated systems to access or receive data in a manner that is consistent with ICAO’s recommendations.
General principles of PNR data protection are as follows: (i) the state should ensure that every state authority having access to PNR ensures the appropriate level of data protection; (ii) in the absence of national data protection legislation, states should establish procedures, develop laws or rules for protection of PNR data; and (iii) there should be a reasonable balance between the need to protect PNR data and the right of the state to require the disclosure of passenger data. Therefore, states should not be overly restrictive concerning the transfer of PNR data by air carriers to foreign authorities, and states should ensure the protection of PNR.40 Since PNR often involves transborder data flow, governments are encouraged to reach an agreement with each other in order to provide protection of personal data.41
38 International instruments include: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 23.09.1980; United Nations Guidelines Concerning Computerized Personal Data Files of 14.12.1990; Article 8 of the European Convention on Human Rights, Articles 7 and 8 of the Charter of Fundamental Rights of the EU, Article 16 of the Treaty on Functioning of the EU; the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28.01.1981 (known as Convention No 108; it is open for ratification by states other than members of CoE); APEC Privacy Framework of 2005, etc.
39 High-Level Conference on Aviation Security (HLCAS, September 2012) as well as ICAO Document 9944 Guidelines on Passenger Name Record (PNR) data of 2010.
But as mentioned above, the ICAO’s Guidelines are not binding: ultimately, it is up to the states to establish concrete requirements and guarantees. Some national regimes or bilateral agreements already provide quite satisfactory guarantees. For instance, according to the EU-Australian Agreement, PNRs are stored for five and a half years; the use of sensitive data is prohibited; persons have the right to access their PNR data on request to the Australian Customs and Border Protection Service; the list of governments entitled to access PNR data is exhaustive; etc.42 But as said before, the capabilities of various states differ. The EU plays a special role in this respect since its data protection requirements are stricter and much higher than in other countries.
First of all, it should be remembered that in the EU, Directive 95/46/EC of 1995 (DPD)43 is the most comprehensive legal instrument on data protection.44 The transfer of personal data from the EU to countries lacking an adequate level of protection is prohibited. Pursuant to the DPD, determinations of adequacy which are binding on EU member states are made by the European Commission with input from the Article 29 Working Party, the Article 31 Committee, and the European Parliament.45 Analysis of adequate protection comprises two basic elements: the content of the rules applicable and the means for ensuring their effective application.46 To date, only a few countries have met the criteria,47 and Russia is not on the list.
40 §§2.12.1-3 of ICAO PNR Guidelines
41 IATA. Facilitation and Passenger Data. http://www.iata.org/whatwedo/security/facilitation/
Pages/index.aspx (date accessed: 19.08.2013).
42 Agreement between the European Union and Australia on the processing and transfer of
Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border
Protection Service, 29.09.2011. (L 186/4, 14.7.2012).
43 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of data.
44 For overview, see Bygrave Data protection law: approaching its rationale, logic and limits (2002)
45 Council Decision 1999/468/EC of 28.6.1999 laying down the procedure for the exercise of implementing powers conferred on the Commission (OJ L 184, 17.7.1999, 23).
46 Further, see Article 29 Working Party Opinion 12/98 of 24.07.1998 Transfers of personal data
to third countries. Applying Articles 25 and 26 of the EU Data Protection Directive as well as
Article 29 Working Party opinions on concrete national regimes.
47 Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel,
Isle of Man, Jersey, United States (Transfer of Air Passenger Name Record Data and Safe
Harbour), New Zealand, and Uruguay. http://ec.europa.eu/justice/data-protection/document/
international-transfers/adequacy/index_en.htm (date accessed: 19.08.2013).
In the case of PNR, if an airline transfers personal data of EU passengers to a country lacking an adequate level of protection, it violates EU data protection legislation and risks incurring liability in the form of fines established by the national legislation of EU member states. To avoid this result and create a legal basis for the transfer, the EU followed the practice of concluding bilateral agreements between the EU and the states in question. Accordingly, the aim was to solve the problem of inadequacy by ensuring an adequate level of data protection in the agreements themselves.
The history of bilateral PNR agreements between the EU and non-member countries started in the early 2000s, after the US requests for access to PNR data of European passengers flying to the USA came into conflict with the EU data protection principles. At present, the EU has three bilateral agreements on PNR: with the USA (the first agreement was concluded in 2004;48 it was then ruled invalid by the European Court of Justice,49 and in 2006 an “Interim Agreement”50 was signed, followed by the 2007 agreement;51 on 19 April 2012, the European Parliament gave its consent to a new agreement52),53 with Canada (the first one concluded in 2005, with a new one being negotiated),54 and with Australia (the first one of 200855 and a new one of 2011).56 The agreements were supposed to establish, ensure and guarantee an adequate level of protection for PNR transfer.
48 Agreement between the European Community and the USA on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security and Bureau of Customs and Border Protection of 28 May 2004.
49 ECJ Judgment of 30 May 2006 on joint cases C-317/04 European Parliament v. Council of the European Union and C-318/04 European Parliament v. Commission (OJ C 228 of 11 September 2004), paragraphs 61, 70.
50 Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298) 29. This agreement was valid until 31 July 2007.
51 Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) of 29 June 2007. 4.8.2007. (L 204/18).
52 Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, Council of the EU (17434/11), adopted by Council 26.04.2012; on 19.04.2012, the European Parliament gave its consent. The agreement entered into force on 1.06.2012.
53 For overview of EU-US PNR agreements 2004-2007, see Mironenko Air passenger data protection: Data transfer from the European Union to the United States (2010)
54 Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information and Passenger Name Record data. 21.3.2006. (L 82/15).
55 Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service, 8.8.2008. (L 213/51).
56 Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, 29.09.2011. (L 186/4, 14.7.2012).
The problem arose that EU PNR agreements were concluded on a case-by-case basis, and despite the fact that all the agreements addressed the same issues, the provisions were not identical, leading to different rules for air carriers and for data protection. Data privacy advocates still argue that the EU PNR agreements, especially the American one, fail to ensure an adequate level of data protection or to prove that they are necessary and proportionate.57
In order to harmonize the PNR transfer and establish common requirements,
in 2010, the European Commission published a strategy on the global approach
to transfers of PNR to non-EU countries (the EU Strategy).58 Two basic elements
are in place: first, basic principles for the protection of personal data for any PNR
agreement with a non-EU country, secondly, the means for ensuring their effective application. However, for the longer term, if many more countries become
involved with PNR, the Strategy declared the EU’s aim to set these standards on
an international level.59
On the one hand, as Newman argues, although Europe does not always prevail in international regulatory debates, in the data privacy field it has acquired “regulatory capacity”, creating and expanding rules in Europe and around the world.60 It is a fact that during the past decades many countries, such as Russia, have established regimes based on the EU model (at least on paper), and the list of “adequate” states is slowly growing. On the other hand, with reference particularly to PNR transfer, where the interests of national security are involved and all the states are sovereign to impose requirements on their own, the EU hardly possesses the economic or political power to impose the EU standards.
In addition, in reality, complete compliance with the rules on global data transfer seems to be very difficult, as in the case of the EU PNR agreements. It is a question whether it is possible to provide adequate safeguards at all. Moreover, there are some views which question whether the EU data protection requirements on global transfer are adequate at all. It is argued that some features of the current regime are “unrealistic, overly bureaucratic, costly, and inefficient.”61 As a result, the restrictions on data transfer were (and probably are?) ignored by many organizations.62 It is proposed that data transfer should be governed by accountability and ongoing responsibility, rather than arbitrary barriers and bureaucratic form filing.63
57 E.g. Article 29 Working Party on data protection: Letter to the Civil Liberties Committee of the European Parliament, Brussels, 6 January 2012. Ref. Ares(2012)15841 - 06/01/2012.
58 Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries. Brussels, 21.9.2010, COM(2010) 492 final
59 Page 10 of Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries. Brussels, 21.9.2010, COM(2010) 492 final
60 Newman Protectors of privacy: regulating personal data in the global economy (2008) p. 8-9
61 See Article 29 Data Protection Working Party Opinion 3/2010 on the principle of accountability, 13.07.2010, paragraphs 55-57.
Finally, the enhanced surveillance and increased collection of personal data for security purposes, including PNR, reflect worldwide tendencies. The Russian request raised concern that it may be followed by other states outside Europe. By 2012, eleven countries had filed a request at the European Commission for PNR data,64 and apparently the number will continue to grow. All of them can be encouraged to act unilaterally; the EU may be faced with the same problems while dealing with each of them. The request also drew attention to the disputable and recently rejected (although not cancelled) proposal on a European PNR system,65 whose circulation and possible adoption may further weaken the EU’s position (already weakened by accepting the EU-US terms) in any negotiations on PNR.
The problem is, therefore, much wider than the EU-Russian relations regarding PNR transfer, and involves all the countries, both those requiring PNR and those whose airlines have to provide PNR.
5 Russian PNR system: overview
In 2007, the Ministry of Transport of the Russian Federation was required to create a unified state information system of transport security (USISTS), with automated centralized databases of personal data on passengers (ACDPDP) as an integral part of it.66 The corresponding provisions were included in the Russian Air Code67 and other regulation. However, only in 2012 were the concrete provisions on ACDPDP stipulated by an order of the Ministry of Transport (Order).68 With respect to air transport, the Order was initially supposed to enter into force from 1 July 2013, but this was then postponed until 1 December 2013.
62 Grant. Data protection 1998-2008. In: Computer Law & Security Report. Vol. 25 (2009). p. 48
63 Tene. Privacy: The new generations. In: International Data Privacy Law. Vol. 1 (2011). p. 22
64 European Parliament. Committee on Civil Liberties, Justice and Home Affairs. Draft
Recommendation on the draft Council decision on the conclusion of the Agreement between
the United States of America and the European Union on the use and transfer of Passenger
Name Records (PNR) to the United States Department of Homeland Security. 30.01.2012.
65 In the meantime, EU PNR proposal was rejected in April 2013 by MEPs in the civil liberties
committee.
66 The Federal law On Transport Security of 09.02.2007 N16-FZ (Article 11).
67 The Air Code of Russian Federation of 1 April 1997, Article 85(1).
68 Order of the Ministry of Transport of the Russian Federation of 19.07.2012 N 243 On approval
of the formation and maintenance of automated centralized databases of personal data on passengers, as well as providing the data they contain.
In contrast to other PNR schemes covering air transport only (e.g. the EU-US system), the Order covers all modes of transport: domestic and international air transport (including flights into, out of, and over Russia), long-distance rail transport, international transport by sea, inland waterway and road transport. In addition to participants of transport infrastructure69 and carriers (“Suppliers of information”), the data will be provided by federal executive bodies as well as foreign governments and organizations in the framework of international cooperation on transport security.
Suppliers of information incur liability for non-compliance with the transport security requirements pursuant to the legislation of the RF,70 namely administrative and criminal liability, depending on the consequences of the violation. If the carrier simply does not transfer the PNR data, the penalty is a fine or grounding of the aircraft.71 If there are serious consequences of the violation (e.g. large-scale damage, grave injury to human health, death of persons), then the carrier may incur criminal liability, including imprisonment of up to seven years.72
Accordingly, if foreign carriers flying to/from Russia or over Russia to Asia choose not to transfer PNR to Russia due to the prohibition by EU data protection rules, they risk being grounded and being subject to fines, or to more serious sanctions if non-compliance caused serious injuries or damage.
As for the data protection issues, according to the Russian authorities, the right to data protection will be respected since, as mentioned before, Russia ratified the Council of Europe Convention No 108,73 and in order to implement the latter into national law adopted the Personal Data Law,74 which is applicable to PNR transfer. The Order also declares in §3 that the ACDPDP will be formed and operated according to the following principles: compliance with the constitutional rights of citizens; technological independence of the ACDPDP’s structure and functioning from administrative, organizational and other changes in the activity of participants of information exchange; ensuring the confidentiality of information; and ensuring the integrity and reliability of the data transferred.
All these declarations sound fine, but what about concrete, more detailed
data protection guarantees? This requires closer consideration: first, regarding
69 Defined as legal and natural persons who are the owners of transport infrastructure objects and
vehicles or use them on a different legal basis (Federal law On Transport Security of 09.02.2007
N16-FZ Article 1(9)).
70 Article 12(3) of the Law on Transport Security.
71 Shadrina. Will not go far: From July next year it will not be possible to buy a ticket for a single mode
of transport without a passport. In: Rossiyskaya Gazeta 26.09.2012.
72 Article 263.1 of the RF Criminal Code.
73 Federal Law of 19.12.2005 N 160-FZ On Ratification of the Council of Europe Convention for
the Protection of Individuals with regard to Automatic Processing of Personal Data.
74 Federal Law on Personal Data of 27.07.2006 N 152-FZ.
Russian general data protection law, secondly, regarding specific elements for
PNR transfer.
6 Overview of Russian data protection law
In the Russian Federation, historically, in contrast to the Western traditions,
public interests prevailed over private ones for many centuries. According to official Soviet ideology, personal data was considered solely as an information resource necessary for the state. In the absence of legal regulation mechanisms,
various abuses occurred: duplication of powers of state and other bodies in the
collection and processing of personal data, excessive collection, etc. The need to
ensure the confidentiality of personal data was not even considered.75
In the 1990s, the spread of computer technology made the situation worse.
Poor control over the use of personal data without establishing liability led to
the emergence of an illegal market for various personal databases76 and other
abuses.77 The need to provide appropriate protection to personal data became
clear. Moreover, the processes of European integration and globalization dictated
the need to bring Russian legislation and practice into line with international
standards: otherwise, Russia could be isolated from other countries in the data
protection field.
Today, the Russian Constitution recognizes the rights of privacy, data protection and secrecy of communications.78 Russia is a member of the Council
of Europe and signed Convention No 108 on 7 November 2001. However, the
process of ratification and implementation took years, and the Convention was
ratified with several reservations, among other things, that it will not be applied
to personal data constituting state secrets. Russia reserved the right to impose
restrictions on the data subject’s right to access his/her personal data
in order to protect national security and public order.79 The final stage of the
Convention ratification was completed in 2013, when necessary amendments
were made into federal laws.80
75 Petrykina. Legal regulation of personal data flow. Theory and practice. (2011) p. 4
76 See Beroeva. Who and how do they steal databases? In: Komsomolskaya Pravda 2006.
77 Petrykina (2011) p. 4
78 Articles 23-25 of the Constitution of the Russian Federation of 12.12.1993.
79 Federal Law of 19.12.2005 N 160-FZ On Ratification of the Council of Europe Convention
for the Protection of Individuals with regard to Automatic Processing of Personal Data. The
Convention is in force in Russia from 1.09.2013.
80 Federal Law of 7.05.2013 N 99-FZ On Amendments to certain legislative acts of the Russian
Federation in connection with the adoption of the Federal Law On ratification of the Council
of Europe Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, and Federal Law On Personal Data.
The Personal Data Law was designed to fulfill Russia’s obligation to implement the Convention No 108 into national law and to build Russian data protection law according to European and international standards. This would enable
Russia to come closer to equal cooperation with foreign countries in the field of
personal data protection and to solve internal problems in ensuring the right to
data protection.81 National data protection rules are also contained in other acts82
and sector-specific federal laws.83
The Personal Data Law generally protects personal data from being collected
and processed illegally and without the consent of the data subject. In comparison with
the past, many positive changes are in place, and the law is constantly updated.
For instance, substantial amendments were adopted in 2011, clarifying many
important terms (e.g. personal data, controller, anonymization of personal data,
etc.), updating responsibilities of the controller to secure the data, etc. However,
there are still some deficiencies in the regulation; some provisions are not fully
implemented in reality and are not effective.
Pursuant to the Personal Data Law Article 23, the Federal Service for
Supervision in the Sphere of Telecom, Information Technologies and Mass
Communications (Roskomnadzor) is the authorized body in the sphere of personal data protection, responsible for supervising that the respective activities
are carried out in compliance with the Personal Data Law. However, in contrast to
European data protection authorities which are independent bodies, the Russian
counterpart was established under the Ministry of Communications84 and it
is a body structurally subordinated to the latter. In addition, the Government, the
Federal Security Service of the RF (FSB), and other executive agencies acquired
substantial powers in the personal data field. Thus Roskomnadzor cannot be considered fully independent.
One of the most critical points is that the Personal Data Law gives many exemptions to the state authorities on the basis of a wide range of grounds. In the
context of PNR transfer, the applicable grounds will be transport security and
security needs in general. Pursuant to these needs, the right of the data subject
to access his/her personal data may be restricted; the controller can be released from the obligations to notify Roskomnadzor about the processing and to
obtain data subject’s consent even when processing sensitive data. As a result,
81 Tsadykova. The constitutional right to privacy (2007)
82 Federal Law On Information, Information Technologies, and the Protection of Information of
27.07.2006 N 149-FZ, Order of President of RF of 06.03.1997 № 188 on Approval of the list of
confidential information (stipulates that the latter covers personal data, with a few exceptions),
Resolutions of Governments, etc.
83 E.g. Labor Code (Chapter 17), Tax Code (Art. 84), Federal Law On Mass Media of 27.12.1991 N
2124-1, Federal Law On Operational-search activities of 12.08.1995 N144-FZ, etc.
84 §2 of Resolution of Government of RF of 16.03.2009 N 228 About Federal Service for Supervision
in the Sphere of Telecom, Information Technologies and Mass Communications
data subjects can hardly know which state organs and officials are working with
their data.85
Another critical point is that the legislation mainly focuses on technical requirements for personal data processing rather than on the protection of data subjects.86
The data security requirements are very comprehensive and detailed, differing
greatly from the respective rules of other states. For instance, neither the EU nor the
USA provides any technical standards. Their laws indicate that the methods
of data protection must be reasonable and sufficient, leaving the implementation
of these principles to the controller, who takes full responsibility if the measures taken are insufficient.
In Russia, controllers must provide technical measures according to the security levels determined by the RF Government.87 The choice of means of protection of personal data is carried out by the controller in accordance with the
regulations adopted by the FSB and the Federal Service for Technical and Export
Control of the RF (FSTEC). In practice, concrete methods and techniques appear to be excessive and expensive: expenses for security equipment (which must
be produced by companies licensed by the FSTEC and the FSB) constitute up
to 200% of annual turnover and then 10-15% of the cost for the annual maintenance.88 But in reality, personal data in Russia are usually stolen by bribing
responsible employees rather than by breaking the security systems, so all these
requirements may make no sense at all.
Other problems are poor administration and failure of controllers to comply
with the law.89 The annual report of Roskomnadzor of 201290 noted that leakages of personal data are caused by the failure of data controllers to ensure the
confidentiality and security. The most typical violations of data protection requirements are violation of confidentiality in the processing of personal data, inappropriate form of data subject’s written consent, failure of the controller to ensure
security of personal data and exclude unauthorized access to it, notification to the
85 Modern Telecommunications Russia The Council of Federation adopted Personal Data Law
(2011)
86 Chernova. We protect personal data through multi-stakeholder approach. In: Personal data
(2013).
87 Requirements for the protection of personal data during their processing in information systems
of personal data approved by Resolution of RF Government of 01.11.2012 № 1119
88 Modern Telecommunications Russia (2011)
89 Modern Telecommunications Russia (2011)
90 The Ministry of Communications of Russian Federation. The Federal Service for Supervision
in the Sphere of Telecom, Information Technologies and Mass Communications. Report on
the work of the Authorized body protecting rights of personal data subjects for the year 2012.
Moscow, 2013. Available at http://rkn.gov.ru/docs/Otchet_2013_UZPSPD_RSPECTR.doc (date
accessed: 26.09.2013). Pages 6, 11-15.
authority about the processing of personal data containing incomplete and (or)
false information.
Further, the researchers note that Roskomnadzor is concentrating on checking whether the controllers comply with the formal requirements of law instead
of checking actual leakages of data; the controllers are punished for violating
the rules rather than for causing damage to the citizens.91 At the same time,
Roskomnadzor faces a number of difficulties: according to experts, it possesses
insufficient resources and personnel; it cannot initiate administrative proceedings
and does not receive help from other organs such as the Ministry of Internal
Affairs which considers data protection offences as not serious.92
One more challenge is the relatively low amount of fines. Today, sanctions
for failure to observe the data protection requirements include administrative,
civil, disciplinary, and criminal liability. However, the penalties are insufficient:
for instance, fines for legal entities for violating the rules on collection, storage, use or distribution of personal data amount to 5–10 000 rubles.93 Accordingly, it is more
profitable for the controllers to pay the fines rather than implement the data protection legislation.94 Moreover, a large number of administrative cases are closed
due to the expiration of the limitation period which lasts only three months. In
the meantime, it is proposed to substantially increase the amount of fines95 and
the limitation period.
As a result of all the mentioned factors, constant attempts to make the law
stricter do not necessarily achieve their aims in reality, but create additional problems: they significantly complicate the life of controllers (many of whom prefer
simply not to follow the law, and are more concerned with avoiding problems
with the authorities than with actually protecting personal data) and of end
users (who will ultimately pay), and create opportunities for abuses and corruption.96 There are still cases of unauthorized disclosure of personal data on the
Internet as well as thefts of databases from various public and social institutions,
mobile operators, and other owners.97
91 Chernova (2013)
92 Kovrigin. Total non-compliance with data protection law in Russia (2012)
93 RF Code of Administrative Offences Article 13.11.
94 From the explanatory note to the draft of Federal Law On Amendments to the Code of
Administrative Offences posted on the Ministry of Economic Development website. Buh 1C
Protection of personal data: The results of the control (2012)
95 ConsultantPlus. Roskomnadzor suggests to substantially increase the amount of fines for violation of personal data processing. 14.09.2012. http://www.consultant.ru/law/review/fed/nw201209-14.html (date accessed: 27.09.2013).
96 Modern Telecommunications Russia (2011)
97 See Palamarchuck. Supervision over the implementation of the legislation on personal data on the
Internet. In: Zakonnost. Vol. 12 (2010). p. 3-5
Consequently, at present, the level of legal protection of personal data in
Russia falls behind the Western countries where the legislation was passed decades earlier. Many factors make the right to data protection particularly vulnerable in Russia: historical traditions, a relatively short period of legal regulation,
lack of an appropriate theoretical framework, weaknesses of legislation and lack
of enforcement mechanisms, and lack of judicial practice.98 The aim to reach the
data protection level of the EU and international standards is still to be achieved.
Among proposed improvements, commentators suggest the establishment of
a new independent data protection authority, to include provisions in law for
control of personal data at all stages, 99 to substantially increase penalties for data
protection offenses and impose more serious criminal sanctions, etc. But some
problems cannot be solved by improving data protection law only. For instance,
the problem of the illegal database market is mainly caused firstly by economic reasons (low salaries of state officials) and secondly by the lack of legal methods to
obtain information, for example via special private firms such as in the USA.100
Therefore, a broader, complex approach to the solutions is needed: from education and propaganda to repairing civil society systems and combating corruption
(which is a never-ending process).
7 Analysis of data protection elements
In this section, the paper will analyze the concrete data protection elements of the
Russian PNR regime as it stands at present, taking into account the EU data protection
requirements on PNR, the ICAO recommendations (where applicable), and the current EU-US PNR agreement.
For the analysis, the author used legislation and documents available from open
sources, correspondence with the Ministry of Transport and conversation with the
Operator of the ACDPDP (however, the latter stressed that the Operator is responsible for the technical issues only and does not deal with data protection issues).
It should be noted that a representative of the Ministry of Transport, in response to the author’s questions, stated that, according to §§23-24 of the Order
of the Ministry of Transport of 04.07.2008 N86, “the characteristics of the processing, storage, transmission and protection of data in the ACDPDP and USISTS
as a whole, including personal data, are restricted information and can only be
provided on the basis of a reasoned request from the organization, agency or enterprise, indicating the reasons for the need for the data, methods for their further
98 Izmailova. Privacy in civil law: the law of the UK, the USA and Russia. (2009)
99 Izmailova (2009)
100 See Beroeva (2006)
use and the measures to be taken by the receiver to protect them.”101 Nevertheless,
some answers were received.
The list of considered elements is not exhaustive and presents selected items
which, in the opinion of the author, constitute the most critical and disputable ones.
7.1 Use of data
According to the EU Strategy, the scope of the use of the data by a third country
must be determined clearly and precisely and should be no wider than what is
necessary for the aims to be achieved. The purposes for PNR data should include
only law enforcement and security purposes to fight terrorism and serious transnational crime. Moreover, the terms terrorism and serious transnational crime
should be defined based on the EU regulation.
In the EU-US Agreement Article 4, PNR data are to be used to prevent, detect,
investigate and prosecute terrorism and serious transnational crimes. Serious crimes are defined as crimes punishable by 3 years of imprisonment or more under
US law. But the definition of transnational serious crime is very wide, covering all crimes where more than one jurisdiction is involved.102 Additionally, PNR
may be used “on a case-by-case basis where necessary in view of a serious threat
and for the protection of vital interests of any individual or if ordered by a court”
as well as “to identify persons who would be subject to closer questioning or examination.” This means that PNR can be used for other cases as well (e.g. minor
immigration or customs offences), and may be used for profiling of passengers.
According to the European Parliament, PNR may in no circumstances be used
for data mining or profiling.103 As a result, data privacy advocates argue that the
purpose limitation is too broad and disproportionate.104
In Russia, §63 of the Order stipulates that processing of passenger data in
ACDPDP is carried out in accordance with Article 5(2) of Personal Data Law
which provides that the processing of personal data should be limited to the
achievement of specific, pre-defined, and legitimate purposes. The processing of
personal data that is incompatible with the purpose of collection of personal data
101 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
102 Article 29 Working Party on data protection Letter to the Civil Liberties Committee of the
European Parliament (2012)
103 European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger
Name Record (PNR) agreements with the United States, Australia and Canada.
104 European Data Protection Supervisor Opinion of the European Data Protection Supervisor on the
Proposal for a Council Decision on the conclusion of the Agreement between the United States of
America and the European Union on the use and transfer of Passenger Name Records to the United
States Department of Homeland Security (2011)
is not allowed. The purpose of PNR processing is “to implement measures to ensure transport security.”105
From the EU perspective, it can be argued that the purposes are not indicated
clearly or precisely, for example, no specification is made that the security purposes are restricted to combating terrorism and serious transnational crime. In
practice, “measures to ensure transport security” can include a very broad category of activities, including profiling.
Moreover, different statements made by officials in the press may raise questions as well. For instance, according to Chertok, Deputy Head of the Ministry of
Transport and Federal Service for the Oversight of Transport (Rostransnadzor),106
although the main purpose of the database is transport security, protection
against acts of unlawful interference, probably, in the future, information from
the database will be used for such cases as a passenger losing a ticket, or to recover
damages from the carrier on request of the court.107 Clearly, these purposes may
ensure passengers’ consumer rights, but what about narrow purpose limitation?
In an interview with Smirnov, the suggestion was made that the database should
not be used for other purposes; for example, it must not allow law enforcement agencies to take untargeted people (for instance those who avoid child support, etc.) off the flight.108 The rules of the Personal Data Law mentioned above
prohibit the use of personal data incompatible with the purpose of collection,
but will the security organs follow them without any exceptions similar to those in the US case?
It can be concluded that the Russian PNR system does not fully follow the
purpose limitation principle as prescribed by the EU Strategy. However, by signing the EU-US PNR Agreement, the EU accepted that this principle can be
compromised.
7.2 Data scope
The EU Strategy requires that the exchange of data should be limited to the minimum and should be proportionate. There should be an exhaustive list of the
categories of PNR data to be transferred; PNR containing sensitive data cannot
be used unless under exceptional circumstances. The ICAO PNR Guidelines
contain the list of possible PNR elements.
The EU-US Agreement contains 19 PNR Data Types. In field 17, it contains
SSR/OSI/SSI, which may include sensitive information. Moreover, a closer look
reveals that many data fields contain multiple data. See, for example, line 7: “All
available contact information (including originator information).” The same
105 Article 11(1) of the Federal law On Transport Security.
106 Federal organ which will oversee the transfer of data to the database by transport companies.
107 Shadrina (2012)
108 Smirnov. All the world has long been collecting the data this way (2007)
applies to other lines. According to the opinion of EDPS, the list of data to be
transferred to the DHS is disproportionate and contains too many open fields; it
should be narrowed and exclude sensitive data.109
In Russia, there is a common list of data for all transport modes, supplemented by
additional fields for every transport mode; hence, many data fields are repeated
several times and the list looks much longer than the American one. As mentioned above, some technical problems arose with the composition and structure
of the proposed protocol of passenger data and some of its items. However, in developing the rules of information exchange between a specific carrier and the Operator of
USISTS, some data elements may be excluded from or included in the list, depending on technical possibilities.
An essential point is that in contrast to the EU-US list, the Russian system does
not require any PNR data which may contain sensitive data. This was confirmed to
the author in a letter from the Ministry of Transport.110 No collection of sensitive
data means no problem with their processing. This fact makes the Russian list
more proportionate and reasonable in comparison with the EU-US regime.
7.3 Data Security
Both ICAO and the EU Strategy state that PNR data must be protected against misuse and unlawful access by all appropriate technical and security procedures and measures to guard against risks to the security, confidentiality or integrity of the data.
The EU-US Agreement stipulates the technical measures and organizational
arrangements in Article 5(1-2). Additionally, in Article 5(3-4) it provides for notification of affected individuals in the case of a privacy incident and, in the case
of “significant privacy incidents” involving PNR, of the relevant European authorities.
The EDPS suggested that the recipients of the notification be clarified, to notify a competent US authority; to define what constitutes a “significant privacy
incident”; and to specify the content of the notification to individuals and to authorities.111 But obviously, there are no claims regarding security standards.
As mentioned above, the Russian regulator provides detailed and comprehensive security requirements. The Order follows this line. Security of personal data
is provided by organizational measures and means (including cryptography), and
information technologies. The Operator of USISTS is responsible for data security of ACDPDP.112 Accordingly, he is obliged to use security equipment determined by the FSB and the FSTEC and produced by companies licensed by the
FSB and the FSTEC. According to the information of the Operator, all necessary
attestation and certificates for securing data in ACDPDP have been obtained.113
The Ministry of Transport specifies that providing data to ACDPDP is carried
out electronically via secure channels (VPN-channels of Internet or channels of
protected branch networks).114
109 European Data Protection Supervisor (2011)
110 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
111 European Data Protection Supervisor (2011)
112 The Operator is Federal State Unitary Enterprise “ZashshitaInfoTrans,” an enterprise subordinated to the Ministry of Transport.
Formally, it can be argued that the Russian PNR system’s provisions on data
security meet the international and EU requirements.
But all these positive aspects may be negated, since, as mentioned before, personal data in Russia are usually stolen by bribing responsible employees rather
than by breaking the security systems.
7.4 Oversight and accountability
According to the EU Strategy, a system of supervision by an independent public
authority responsible for data protection with effective powers of intervention
and enforcement must exist to exercise oversight over those public authorities
that use PNR data.
According to EU-US PNR Agreement Article 14, compliance with the privacy
safeguards shall be subject to independent review and oversight by Department
Privacy Officers, such as the DHS Chief Privacy Officer. In addition, independent
review and oversight is conducted by the DHS Office of Inspector General, the
Government Accountability Office, and the U.S. Congress. However, the Chief
Privacy Officer is appointed by and reports to the head of the DHS, and thus cannot be
considered independent. Lack of independent supervision was indicated as one
of the weaknesses of this Agreement.115
As mentioned above, pursuant to Personal Data Law, the authorized body
in the sphere of personal data protection is Roskomnadzor. The status, role and
powers of Roskomnadzor are closer to European data protection authorities than
any of the US organs mentioned above. However, it cannot be considered a
fully independent body. This point may constitute a weakness similar to that of the
EU-US scheme.
113 Telephone conversation with the Operator’s employee 4.07.2013.
114 Ministry of Transport. Information for entities of the transport infrastructure and carriers in
connection with the entry into force of the Order of Ministry of Transport of Russia № 243.
20.06.2013. http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20360 (date accessed:
2.07.2013)
115 Article 29 Working Party on data protection (2012)
7.5 Transparency and Notice
The EU Strategy provides that every individual shall be informed at least as to
the purpose of processing of personal data, the persons who will be processing
that data, under what rules or laws, the types of third parties to whom data is
disclosed and how and from whom redress can be sought. The ICAO suggests
a typical form of such notification and stipulates that air carriers or their agents
must properly notify passengers (for example, at the time of booking of flight or
ticket purchase) that the carrier may be required to provide any or all of its available PNR data to the authorities of the state of departure, arrival or transit, and
that this information may be shared with other authorities.
The EU-US Agreement Article 10 contains corresponding provisions. The
Russian Personal Data Law provides that the data subject has the right to be informed about the processing of his/her personal data, including information about the
legal basis, purposes of processing, the controller, terms of processing and storage period, etc. (Article 14(7)). Accordingly, the controller must, upon request of
the data subject, inform him/her of the processing of personal data (Article 18(1)).
However, the new PNR system does not provide any specific rules about the air
passenger notification. Clearly, the general rules obliging the controller to provide data “upon request of the data subject” cannot ensure proper notification
of every individual involved. This constitutes a weakness in comparison with the
EU-US scheme and the ICAO and the EU’s recommendations. The legislation
should oblige the authorities to ensure that the passengers are informed about the
data processing at the earlier stages mentioned above.
7.6 Access, rectification and deletion
The EU Strategy and ICAO PNR Guidelines suggest that an individual shall be
provided with access to his/her PNR data, and where appropriate, with the right
to seek rectification and deletion of his/her PNR data.
The EU-US Agreement Articles 11-12 state that any individual, regardless of
nationality, country of origin, or place of residence will have the right to access
their PNR data, correct or rectify the PNR, including the possibility of erasure
or blocking, if the information is inaccurate. But some “reasonable legal limitations” under US law apply. As a result, the Working Party expressed doubts as to
whether US law and the Agreement provide for the respective rights in line with
requirements of the EU law.116
Articles 14, 20 and 21 of Russian Personal Data Law stipulate the rights of the
data subject to obtain information related to the processing of his/her personal
data, to access it, to cure breaches of personal data processing, to correct, block or
116 Article 29 Working Party on data protection (2012)
destroy personal data. However, §5 of Article 14(8) of Personal Data Law provides that the right of the data subject to access his/her personal data may be restricted according to federal laws if processing of personal data is carried out according to the legislation on transport security, in order to ensure the stable and
secure functioning of the transport system, to protect the interests of individuals,
society and the state in the transport sphere against acts of unlawful interference.
Personal data collected according to the Federal law On Transport Security
constitute elements of transport security information, thus, §5 of Article 14(8)
restricts the data subject’s right to access.117
In contrast to the EU-US Agreement, this is a general rule rather than an exception. However, the risk of broad application of the restrictions and limitations in
the US case makes the regimes quite similar. Taking into account the acceptability of the EU-US regime for the EU, it could be argued that the Russian regime
should be acceptable too.
7.7 Redress
The EU Strategy stipulates that every individual shall have the right to effective
administrative and judicial redress where his or her privacy has been infringed or
data protection rules have been violated, on a non-discriminatory basis regardless
of nationality or place of residence.
Article 5(5) of the EU-US Agreement states that administrative, civil, and criminal enforcement measures are available for privacy incidents under US law.
Article 13 provides redress for individuals regardless of nationality, country of
origin, or place of residence. Administrative and judicial redress in accordance
with US law is provided.
The EDPS noted that Article 21 explicitly states that the agreement “shall not
create or confer, under US law, any right or benefit on any person,” hence, even if
a right to redress is granted in the US under the agreement, such right may not be
equivalent to the right to redress in the EU.118
In Russia, the data subject’s rights are protected according to the Personal Data
Law,119 which states that if the data subject believes that the data controller infringes his/
her rights and liberties, he/she is entitled to contest the controller’s actions or failure to
act with the authorized data protection body or in court. The data subject has the
right to protect his/her rights and legal interests, including the right to require compensation for losses and/or compensation for moral damage, in court (Article 17).
117 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
118 European Data Protection Supervisor (2011)
119 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
Formally, although this is not stipulated with reference to the PNR system,
according to the principle of equality of individuals before the law, the right to
administrative and judicial redress under the Russian law may apply for individuals regardless of race, origin, nationality, etc. However, it is unknown whether
effective enforcement measures will be available for privacy incidents involving
PNR as long as there are problems with human rights enforcement in general. It is
hence questionable if redress mechanisms correspond to the standards of the EU
law. Accordingly, the problem of failure to provide the right to effective judicial
redress may appear. However, the EU accepted this risk in the EU-US case.
7.8 Retention of data
Both the ICAO and the EU recommend that the period of retention of PNR should
not be longer than necessary for the performance of the defined tasks. The EU
Strategy notes that the period of retention should take into account the different
ways in which PNR data are used and the possibilities of limiting access rights over
the period of retention, for example by gradual anonymization of the data. ICAO
adds that the state should, in accordance with national laws or regulations, have a
system for monitoring, ensuring appropriate deletion of the PNR data.
Under the EU-US Agreement, US authorities will keep PNR data in an active
database for up to five years. After the first six months, all information which
could be used to identify a passenger would be “depersonalized.” After the first
five years, the data will be moved to a “dormant database” for up to ten years, with
stricter access requirements for US officials. Thereafter, data would be fully “anonymized” by deleting all information which could serve to identify the passenger.
Data related to any specific case will be retained in an active PNR database until
the investigation is archived.
According to the EDPS and the Working Party, the storage of all data for up
to 15 years is excessive and disproportionate. Moreover, after 15 years, only anonymization of the data is provided. Taking into account the difficulty of truly
anonymizing data and the lack of any explanation of why the anonymized data is needed,
it should be deleted.120 The EDPS goes even further and suggests that the data
should be anonymized (irreversibly) or deleted immediately after analysis or after
a maximum of 6 months.121
120 Article 29 Working Party on data protection (2012)
121 European Data Protection Supervisor (2011)
In Russia, Article 5(7) of the Personal Data Law states that personal data shall
be stored in a way that allows verification of the identity of the data subject no
longer than it is necessary for processing purposes, if the retention period of personal data is not set by federal law or by a treaty to which the data subject is a party (or beneficiary, guarantor). Processed personal data shall be destroyed or anonymized upon achieving the set purposes or in the case that such purposes cease to be
relevant, unless otherwise provided by federal law.
In the case of PNR data processing, the retention periods are not determined,122
leaving open the option of unlimited storage. Clearly, this contradicts international
and EU recommendations on data protection, and is weaker overall than the
(although controversial) EU-US scheme.
7.9 Domestic sharing
The EU Strategy states that PNR data should only be disclosed to other government authorities with powers to combat terrorism and serious transnational
crime, and which afford the same protections as those afforded by the recipient agency under the agreement in accordance with an undertaking to the latter.
PNR data should never be disclosed in bulk but only on a case-by-case basis.
According to ICAO PNR Guidelines §2.12.1, the state must take steps to ensure
that every public authority having access to PNR must provide the appropriate
level of data management and data protection.
The EU-US Agreement provides corresponding provisions in Article 16.
However, according to the Working Party, the agreement is not specific on how
compliance with the safeguards can practically be ensured, particularly with respect to retention periods; the agreement does not provide that transfers shall be
done on a case-by-case basis only.123 The EDPS believes that the list of authorities
that might receive PNR should be specified, and the DHS should not transfer the
data to other agencies unless they guarantee an equivalent level of protection.124
In Russia, according to Article 11(4) of the Federal law On Transport Security,
information resources of the USISTS are restricted information. The Order in
§13 provides that federal executive bodies authorized by the Government of the
Russian Federation to carry out functions in the field of transport security, the
Russian Interior Ministry, and the Federal Security Service (FSB) (“consumers of
information”) use the data contained in the ACDPDP.
But what actually are the “federal executive bodies authorized by the
Government of the Russian Federation to carry out functions in the field of transport security”? Logically, it should be found in the Government’s resolutions.
122 This was also stated in the Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A.,
Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
123 Article 29 Working Party on data protection (2012)
124 European Data Protection Supervisor (2011)
As for aviation security, the development and implementation of the state policy in aviation security is fulfilled by the Federal Air Transport Agency.125 But
actual aviation security activities – providing measures to protect civil aviation
against acts of unlawful interference – are performed by this agency in cooperation with the Federal Security Service of the Russian Federation (FSB), Ministry
of the Interior, Ministry of Defense, Ministry of Foreign Affairs, Federal Customs
Service of the Russian Federation.126 In addition, according to the Program of
Civil Aviation Security of the Russian Federation, some functions are carried out
by the Ministry of Transport and Federal Service for the Transport Oversight
(Rostransnadzor), as well as other interested federal organs of the executive
branch.127 It can be seen that the list can hardly be exhaustive.
Moreover, for other transport modes, additional organs may be relevant.
Taking into account that the database is common for all transport modes and
that all the organs authorized to carry out security functions on other transport
modes (rail, sea, etc.) also will have access to the data, the scope of organs having
access to the data is quite broad.
At the same time, according to the information of the Operator,128 the organs
authorized to use the data contained in the ACDPDP are limited to the Interior
Ministry, FSB, and security department of the Ministry of Transport (i.e. not
even the whole ministry, but a special department), while a representative of the
Ministry of Transport, in response to the author’s request, noted that the list of
organs authorized to access data from the ACDPDP is contained in the Order129
(see above).
Since the information obtained is conflicting, it is not possible to draw any
certain conclusions. Apparently, the same problems as those indicated with reference to the EU-US scheme above may be relevant. It would be helpful if the
regulator provided an exhaustive list of authorized agencies and obliged them to
provide safeguards.
125 §7, Resolution of Government of RF of 30.07.1994 N 897 About Federal System of Protection of
Civil Aviation from Acts of Unlawful Interference.
126 §8, Resolution of Government of RF of 30.07.1994 N 897 About Federal System of Protection of
Civil Aviation from Acts of Unlawful Interference.
127 Program of Civil Aviation Security of the Russian Federation, Order of the Ministry of Transport
RF of 18.04.2008 N 62 (with amendments of 10.03.2011).
128 Telephone conversation with the Operator’s employee 4.07.2013.
129 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
7.10 Onward transfers to third countries
The EU Strategy stipulates restrictions on use and further dissemination of PNR
data to another third country. Such onward transfers shall be subject to appropriate safeguards. In particular, the receiving third country should transfer this
information to a competent authority of another third country only if the latter
undertakes to treat the data with the same level of protection as set out in the
agreement and the transfer is strictly limited to the purposes of the original transfer of the data. PNR data should be disclosed only on a case-by-case basis.
The EU-US Agreement provides rules on transfers to third countries in Article
17(1). They refer to the terms of the agreement, but the latter does not specify
how compliance with these terms can be ensured; the agreement does not provide that transfers shall be done on a case-by-case basis only.130 The EDPS recommends that data transfers to third countries should be subject to prior judicial
authorization; the DHS should not transfer the data to third countries unless they
guarantee an equivalent level of protection.131 Other comments include the following: there is no obligation to make sure that third countries do not forward
the information to other parties/countries; no penalty if the third country uses
the data for something else; no obligation to ensure that the onward transfer is
proportionate; no need to keep records of the transfer; no role for any data protection authority.132
The Russian Order does not contain any terms or provisions on transfers to other
countries. Article 12 of the Personal Data Law contains general rules:
cross-border transfer of personal data to foreign countries that are parties to the
Convention No 108, as well as to other foreign countries providing adequate data
protection is carried out in accordance with this federal law, and may be prohibited or limited in order to protect the foundations of the constitutional system
of the Russian Federation, morality, health, rights and lawful interests of citizens,
national defense and state security. The list of foreign countries that are not parties to Convention No 108 and provide adequate data protection is adopted by the
authorized body (Roskomnadzor).
The Ministry of Transport did not provide the author with any further details on
the possibility of onward transfer of PNR, referring to the restricted status of the information.133
According to the information of the Operator, the PNR data will not be transferred from Russia to other countries.134 No transfer means no problems similar to
those indicated for the EU-US scheme. However, the lack of concrete provisions does
not constitute grounds for concluding that there will certainly be no transfer; additional legal guarantees are needed.
130 Article 29 Working Party on data protection (2012)
131 European Data Protection Supervisor (2011)
132 Amberhawk Training Limited A review of some important aspects of the EU-USA PNR agreement
(2011)
133 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal
Support and Legislative Activities, Ministry of Transport of RF.
134 Telephone conversation with the Operator’s employee 4.07.2013.
7.11 Methods of transfer
The EU Strategy and PNR Guidelines of ICAO suggest that to safeguard the data
in the databases and to maintain airlines’ control thereof, data should be transmitted using the “push” system.135 The Strategy adds that the number of times that
data is transferred before each flight should be limited and proportionate.
Article 15(1) of EU-US Agreement states that data will be transferred using
the “push” method. However, Article 15(5) requires carriers to “provide access”
to PNR data in exceptional circumstances. The Working Party argued that if the
pulling of data remains technically and legally possible, there should be rigorous independent monitoring (of the log files).136 EDPS suggested prohibiting the
“pull” system.137
Article 15(3) requires carriers to transfer PNR to DHS initially at 96 hours
before the scheduled flight departure and additionally either in real time or for a
fixed number of routine and scheduled transfers as specified by DHS. This provision fails to determine the frequency of PNR transfers clearly.138
According to the Russian Order, the suppliers of information provide data to
ACDPDP in electronic form automatically, on a schedule, in near real time,
by selecting the required data from their information systems and unloading them
into an exchange file of the agreed format. This means that the “push” method is used.
Data transfer operates 24 hours a day/7 days a week. The suppliers must provide data to ACDPDP no later than 30 minutes after entering the data into their
information systems (unless otherwise provided by the regulation of passenger
data transfer for a particular mode of transport). For air carriers, API and PNR data
collected before the passenger check-in at the airport must be transferred to
ACDPDP 36 hours before passenger check-in at the airport of departure.
Transfer of API data received during check-in at the airport is done in interactive mode (if such a mode is available) or 15 minutes before the departure of
the aircraft. Transfer of PNR data obtained in the course of boarding of the passengers on the aircraft and after the departure of the aircraft is done immediately
after these events are recorded in the air carrier’s systems.
It can be seen that, in contrast to the EU-US scheme, the frequency of PNR
transfers is defined and only the “push” method is used; thus, stronger protection
is given.
135 The “push” method of transfer implies that the data are selected and transferred by airlines to the
authorities upon request of the latter. The “pull” method means that the authorities have direct
and immediate access to airlines’ databases.
136 Article 29 Working Party on data protection (2012)
137 European Data Protection Supervisor (2011)
138 Article 29 Working Party on data protection (2012)
8 Conclusion
It is clear that PNR exchange is becoming worldwide practice. Not only Russia,
but many other countries are using or planning to impose PNR regimes. The
international community represented by such organizations as ICAO and IATA,
realizing that this process will grow, is endeavoring to establish common rules
which would standardize and harmonize PNR collection for security purposes,
including data protection standards. However, their recommendations are not
obligatory and there are no enforcement mechanisms.
The EU, with its strict data protection regulation, also endeavors to establish
common standards for PNR transfer to third countries, but the EU hardly possesses economic or political powers to enforce these standards in the rest of the
world. It is also questionable whether the EU requirements are realistic at all: the
already concluded bilateral agreements show that full compliance with the EU
data protection requirements has not been achieved.
The analysis of the Russian PNR regime shows that many elements of the
system are based on the ICAO PNR Guidelines. As for the data protection, the
Russian Personal Data Law is applicable, which is based on the international and
the EU standards. Some data protection guarantees, at least formally, are provided. The positive features are non-processing of sensitive data and usage of only
the “push” method of transfer (both of which constitute better protection compared with the EU-US PNR regime) and strict requirements for data security.
Some elements are provided, but various weaknesses remain: the purposes of
transfer are established, but they are broad. Provisions on oversight and accountability are contained in the Personal Data Law, but the data protection authority
is not completely independent. Rules on redress are provided, but in practice they
may be weaker than the EU level of protection. The list of organs authorized to access the data is provided, but its exhaustiveness is questionable. The data subject’s
right to access to his/her personal data is restricted on the grounds of transport
security needs. However, these weaknesses are quite similar to the EU-US system.
The points which are weaker than the EU-US scheme are the lack of terms
on transparency and notification and the fact that the retention periods are not
determined. Finally, terms of onward transfer to other countries (if any) are restricted information.
Some of the indicated weaknesses could be repaired if the Russian regulators
provided further legal rules on this matter, that is, more specified and concrete
provisions and guarantees regarding the PNR system in addition to general rules
of the Personal Data Law. This concerns in particular the redress mechanisms,
oversight and accountability, transparency and notification. Other weaknesses
concern mainly the security demands and needs (the purposes of processing, the
right to access, retention period, the list of organs, and transfer to other countries). Apparently, for any change, balancing between data protection and security
interests is required.
But the analysis of Russian PNR rules “on paper” is not enough. One more
challenge relates to specific Russian realities. Historical background as well as
the situation with human rights and civil society in Russia in general make data
protection rights particularly vulnerable. The problems indicated with reference
to general data protection law, if not solved, may be applicable to the PNR regime
as well. Providing effective law enforcement mechanisms depends greatly on the
whole system, including legal, judicial and other systems and integral parts of the
civil society, and the weaknesses of these parts may play a negative role. Thus,
simply establishing legal norms to protect passengers’ data protection rights may
not be enough.
Overall, no matter whether the Russian PNR system is considered to be better, worse
or the same as the EU-US one, from the EU’s perspective Russia is not a country providing an adequate level of data protection; thus, transfer of PNR by EU airlines
to Russian authorities would be illegal. From 1 December 2013, if the situation
does not change (by settlement of the conflict of laws, or if the new measure is
cancelled or postponed again), the EU airlines will find themselves in a difficult
situation: to fly to or over Russia, they will need to comply with either EU or
Russian law.
Therefore, a dialog between Russia and the EU is expected. Of course, the
conflict of laws can be approached with the help of political or economic pressure.
For example, the review of the visa facilitation deal with Russia could be used “as
leverage” to counter Russia’s demands.139 There are a number of other pending
issues which could be used as well, but it is quite doubtful that they may help the
EU to “cancel” the Russian PNR regime or solve the data protection problems.
Another solution could be a bilateral EU-Russian PNR agreement. Apparently,
it will be problematic to resolve all the data protection problems discussed above
by a contractual solution. In addition, the EU, accepting the EU-US PNR scheme,
weakened its position in the negotiation with Russia (as well as other countries requiring PNR data): it would be a politics of double standards to deny to
others what was accepted for the USA. Moreover, the EU’s own proposed PNR
regime raises similar questions and disputes; if adopted, the data protection positions will be further weakened. But an agreement could at least create a legal
basis for the transfer, not leaving the EU airlines alone with the dilemma, thus, it
is preferable to have an agreement than not to have one. However, the author cannot exclude the possibility that the EU-Russian negotiations might be pending for
an unknown period of time.
139 The Portugal News Euro MPs raise grave concerns over Russia’s demand for EU air passengers’
data (2013)
But again, no matter what will be stipulated in the Russian law and/or in a
contractual solution (if any) between the EU and Russia, a separate question will
be whether Russia is capable in reality of ensuring the established rules, safeguards and guarantees.
From a global perspective, the Russian PNR regime is not the only one to
emerge – as stated, many states require or will require PNR data. The majority
of states will be considered as failing to provide an adequate level of data protection in EU terms. For a part of them, the dilemma of law-in-books versus law-in-action will be relevant. Consequently, similar challenges and difficulties may
concern any state.
Further, no state is immune from ever more enhanced surveillance
and possible abuses by law enforcement authorities in the name of security. Even
within the PNR frameworks established and negotiated with the EU, who can
guarantee that the USA will keep its promises, and that abuses and violations will
not happen? The recent cases of the NSA’s secret use of personal data under
surveillance programs do not add optimism to the picture.
As a result, the question formulated above – Is it possible to use PNR and
at the same time respect the passengers’ rights? – cannot be answered in a simple way. Clearly, globally, the PNR case, upon closer look, reveals a number of
critical issues: the security versus privacy dilemma, privacy and data protection
concerns, problems of internal regulation and law enforcement, enhanced and
unlimited surveillance, underdevelopment of democratic values, etc.
How to deal with these problems? Further dialogs between the states, including discussions on the international level, could be helpful. The ICAO PNR recommendations are already used as models for PNR transfer, but deficiencies remain, and there are no enforcement mechanisms. Bilateral agreements, although
providing a legal basis for transfer, fail to resolve all the problems. The point is
that PNR processing is a part of national security strategies, where the powers of
the international community or other states are limited. The majority of the problems have internal, national roots. Thus, national endeavors constitute the key
factors, and a broader, complex approach is needed.
Olga Mironenko Enerstvedt ([email protected]) Ph.D. Research Fellow,
Norwegian Research Center for Computers and Law (NRCCL), University of
Oslo, Norway
The author would like to thank Prof. Dag Wiese Schartum and Prof. Lee Andrew
Bygrave for their valuable comments to an earlier version of this article.
9 References
Amberhawk Training Limited (2011) Amberhawk Training Limited. A review of some important aspects of the EU-USA PNR agreement, 2011.
Article 29 Working Party on data protection (2012) Article 29 Working Party on data protection. Letter to the Civil Liberties Committee of the European Parliament. Brussels, 2012.
Beroeva (2006) Nigina Beroeva. Who and how do they steal databases? In: Komsomolskaya Pravda, 2006.
Brouwer (2009) Evelien Brouwer. The EU Passenger Name Record System and Human Rights: Transferring Passenger Data or Passenger Freedom. In: CEPS Working Document (2009).
Buh 1C (2012) Buh 1C. Protection of personal data: The results of the control. http://buh.ru/document.jsp, 2012.
Bygrave (2002) Lee A. Bygrave. Data protection law: approaching its rationale, logic and limits. Kluwer Law International, The Hague / London / New York, 2002.
Chernova (2013) Aleksandra Chernova. We protect personal data through multistakeholder approach. In: Personal data (2013). http://www.privacy-journal.ru/article/122/2/1516.
Elkova (2013) Olesya Elkova and Sergey Kolobkov. Russian sky will be closed to the lock. http://www.rbcdaily.ru/industry/562949987318547, 2013.
European Data Protection Supervisor (2011) European Data Protection Supervisor. Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security. Brussels, 2011.
Grant (2009) H. Grant. Data protection 1998-2008. In: Computer Law & Security Report. Vol. 25 (2009). p. 44-50.
Hasbrouck (2009) Edward Hasbrouck. What’s in a Passenger Name Record (PNR)? http://hasbrouck.org/articles/PNR.html, 2009.
Izmailova (2009) N.S. Izmailova. Privacy in civil law: the law of the UK, the USA and Russia. Moscow, 2009.
Kovrigin (2012) V.V. Kovrigin. Total non-compliance with data protection law in Russia. http://can-work.ru/index.php/neews/press-tsentr-kompanii/145law-on-personal-data-if-it-works, 2012.
Lyon (2007) David Lyon. Surveillance studies: An overview, 2007.
Mironenko (2010) Olga Mironenko. Air passenger data protection: Data transfer from the European Union to the United States. Oslo, 2010.
Modern Telecommunications Russia (2011) Modern Telecommunications Russia. The Council of Federation adopted Personal Data Law. http://www.telecomru.ru/article/?id=606, 2011.
Newman (2008) Abraham Newman. Protectors of privacy: regulating personal data in the global economy, 2008.
Nielsen (2013) Nikolaj Nielsen. EU tells Russia to drop air passenger data law. http://euobserver.com/justice/120387, 2013.
Nielsen (2013) Nikolaj Nielsen and Andrew Rettman. Russia blames EU for airline data fiasco. http://euobserver.com/justice/120450, 2013.
Ntouvas (2008) Ioannis Ntouvas. Air Passenger Data Transfer to the USA: the Decision of the ECJ and latest developments. In: International Journal of Law and Information Technology. Vol. 16 (2008). p. 73-95.
Palamarchuck (2010) A.V. Palamarchuck. Supervision over the implementation of the legislation on personal data on the Internet. In: Zakonnost. Vol. 12 (2010). p. 3-5.
Petrykina (2011) N.I. Petrykina. Legal regulation of personal data flow. Theory and practice. Moscow, 2011.
Poullet (2009) Y. Poullet. Data protection legislation: What is at stake for our society and democracy? In: Computer Law & Security Review. Vol. 25 (2009). p. 211-226.
Schneier (2008) Bruce Schneier. Schneier on security. Indianapolis, Ind., 2008.
Shadrina (2012) Tatiana Shadrina. Will not go far: From July next year it will not be possible to buy a ticket for a single mode of transport without a passport. In: Rossiyskaya Gazeta, 26.09.2012.
Sirena-Travel (2013) Sirena-Travel. Problems of realization of the Order of the Ministry of Transport N243. http://www.ato.ru/content/problemy-realizaciiprikaza-mt-rf-no243-formirovanie-i-vedenie-avtomatizirovannyh, 2013.
Smirnov (2007) Oleg Smirnov. All the world has long been collecting the data this way. http://www.aviaport.ru/digest/2007/04/09/118983.html, 2007.
Solove (2008) D. J. Solove. Data mining and the security-liberty debate. In: The University of Chicago Law Review (2008). p. 343-362.
Tene (2011) Omer Tene. Privacy: The new generations. In: International Data Privacy Law. Vol. 1 (2011). p. 15-27.
The Portugal News (2013) The Portugal News. Euro MPs raise grave concerns over Russia’s demand for EU air passengers’ data. http://www.theportugalnews.com/news/euro-mps-raise-grave-concerns-over-russias-demand-foreu-air-passengers-data/28637, 2013.
Tsadykova (2007) Elvira A. Tsadykova. The constitutional right to privacy. Moscow, 2007.
Wolff (2012) Steve Wolff. Are We Ignoring the “Risk” in Risk Based Screening? In: Aviation Security International. Vol. 18 (2012).
Yehoshua (2011) Sagit Yehoshua. Terrorist profiling: analysing our adversaries’ personalities. In: Aviation Security International. Vol. 17 (2011).
Privacy as a Cultural Value1
Lee A. Bygrave
“Part philosophy, some semantics, and much pure passion”! These are the words
that Alan Westin once famously used to describe privacy.2 As many of you
know, Westin, who died earlier this year, was one of the seminal and most influential policy entrepreneurs in the regulation of privacy and data protection
matters. As professor of public law and government at Columbia University, he
was also one of the first academics to explore deeply the various dimensions of
privacy. His description of privacy as a mixture of philosophy, semantics and passion speaks volumes about privacy. Most importantly for our discussion today,
it highlights the inherent diffuseness of privacy at the same time as it indirectly
connects privacy to a broader cultural context. For philosophy, semantics and
passion tend to be culturally conditioned. And as soon as we move from a discussion of privacy as a state or condition of being – for instance, a state of limited
accessibility – to a discussion of privacy as a desired or valued state of being, the
cultural is implicated. Our views of privacy as a value and, hence, our views of
how much privacy ought to be permitted, are intimately tied to culture. This is
really rather trite. More difficult is to define precisely what culture is. If privacy is
a nebulous concept, culture is equally so. It can potentially embrace a great deal.
And distinguishing cultural factors from other factors – biological, technological,
economic to name a few – is difficult. I do not have time today to delve into these
distinctions and related definitions. It suffices to emphasise that the analytical parameters for our discussion today are far from sharp: neither privacy nor culture
are firm, easily defined concepts.
Nonetheless, I would venture to claim that all of us here today appreciate – intuitively at the very least – that culture matters in discussions of privacy and data
protection. When we compare, for instance, the number of video surveillance
cameras in the public spaces of Warsaw with the number of cameras in the public spaces of London, we readily appreciate that the difference bespeaks, at least
partly, a cultural difference. Yet it is far from easy to identify precisely what that
cultural difference is. And making valid generalisations on the basis of culture
is also fraught with difficulty. It is further fraught with disagreement. Take, for
example, attempts to explain why judges in the USA so readily recognised a tort
for breach of privacy yet English judges did not, despite the fact that each of the
jurisdictions concerned had a common law heritage. Some analysts have claimed
1 Address given to the opening plenary session of the 35th International Conference of Data
Protection and Privacy Commissioners, Warsaw, 25th September 2013.
2 A F Westin, Privacy and Freedom (Atheneum 1967) p. x.
77
Yulex 2013
that the English are more constrained than Americans by protocol and codes of
behaviour to respect individuals’ privacy, and that it was a lack of such “taste”
that precipitated the American judges’ embracement of a tort for breach of privacy.3 Other analysts, though, claim that the different judicial directions taken
reflect English judges’ inherent conservatism, narrow-mindedness and distaste
for nebulous rights.4 Whatever the case, we lack a large body of systematically
collected empirical data about cultural attitudes to privacy – data which can lift
us well beyond explanations in which anecdote and popular cultural stereotypes
play a considerable part.5
Of course, collecting such data is not going to lift us beyond disagreement
over what causes what, nor will it make explanation easy. This is partly because
concern for privacy within a given culture or country is often uneven. In the
UK, for example, proposals to introduce multi-purpose Personal Identification
Number (PIN) schemes similar to those in Scandinavia have traditionally been
met with great antipathy, yet video surveillance of public places in the UK seems
to be considerably more extensive than in Scandinavian countries and, indeed,
the rest of the world.
Levels of privacy across nations and cultures, and across broad historical periods, are in constant flux – a point I shall come back to at the end of my talk. At
the same time, desire for some level of privacy appears to be a panhuman trait.
Even in societies in which apparently little opportunity exists for physical or spatial solitude, human beings seem to adopt various strategies for cultivating other
forms of social distance. I refer here particularly to Barrington Moore’s study of
the Siriono Indians in Bolivia,6 and to David Flaherty’s study of colonial society
in New England.7
While we may acknowledge or intuitively appreciate the cultural dimension
of privacy and data protection, I would venture to claim that many of us here
today forget it in the routine of our jobs. I am a lawyer; many of you here are too.
As such, we work with legal texts, typically in the form of Acts on privacy and
data protection. Many of you – lawyers or otherwise – administer these texts’
requirements. They are texts that, remarkably, appear as largely abstract, technical codes filled with largely procedural norms and divorced from any obviously
cultural context. Scratch at them, though, and that context quickly emerges, often
in the form of a cultural bias or premise. This is most obvious with provisions that single out particular kinds of data as especially sensitive and subject them to more stringent rules than otherwise apply. Article 8 of the EU Data Protection Directive is a prominent example. Those provisions caused some consternation in Scandinavian countries inasmuch as they include data on trade union membership – an inclusion that was grounded in the political realities of southern Europe but had little relevance for northern Europe.

3 See eg J Martin and A R D Norman, The Computerized Society (Prentice-Hall 1970) p. 468; W F Pratt, Privacy in Britain (Bucknell University Press 1979) p. 16.
4 See eg B W Napier, “International Data Protection Standards and British Legislators”, Informatica e diritto, 1992, vol. 1, p. 83, 85.
5 See too C J Bennett and C D Raab, The Governance of Privacy (2nd edn, MIT Press 2006) p. 6.
6 B Moore, Privacy: Studies in Social and Cultural History (M E Sharpe 1984).
7 D H Flaherty, Privacy in Colonial New England (University Press of Virginia 1972).
The cultural bias of privacy and data protection rules is often under-communicated by lawmakers. This might be due partly to ignorance or forgetfulness but
also to a reluctance to take greater account of the cultural dimension. Culture, as
I said before, is slippery, hard to measure, and thus hard to operationalise with
legal certainty. Yet I suggest that lawmakers need to take greater account of it. We
need to keep our eyes more open to the extra-legal dimension of privacy and data
protection law. And we ought to think very carefully before we allow formalistic,
rigid legal requirements to bludgeon their way across cultural divides.
This is particularly pertinent in relation to rules in data protection laws dealing with sanctions and remedies. There is no necessary link between tougher enforcement powers and better compliance. Compliance levels are a function of
numerous factors of which enforcement powers and the ability to use such powers are just two. Other factors include the seriousness with which a given community generally takes privacy and data protection matters, the extent to which the
administrative and corporate cultures of a given jurisdiction inherently respect
data protection ideals, and the talents of the data protection commissioners and
their personnel. In some jurisdictions, social mores are particularly important.
For example, Miyashita observes that while the formal sanctions for breaches of
data protection rules in Japan are weaker than those in Europe,
“it is crucially important to understand that a data breach in Japan means the
disruption of social trust and the intimate relationship with customers. In Japan,
the risk of loss of social trust and business reputation is regarded as much more
significant than paying a fine”.8
Similarly, it cannot be assumed that a data protection authority with strong formal powers will necessarily have greater success in fulfilling its objectives than one with weaker formal powers. Experience from Germany, for instance, indicates that, given a particular constellation of the sorts of factors listed above, a significant degree of compliance can be achieved without a data protection authority having the power to issue legally binding orders (eg prohibiting certain forms of data processing).9

8 H Miyashita, “The evolving concept of data privacy in Japanese law”, International Data Privacy Law, 2011, vol. 1, p. 229, 233.
Finally, I want to return to the point about cultural flux. We need to be very
careful about painting particular cultures into a corner out of which they cannot escape. This is particularly pertinent in respect of societies which putatively
embrace collectivist rather than individualist ideals – that is societies that seem
to place primary value on securing the interests and loyalties of the group at
the expense of the individual. African and Asian countries are often lumped in
this category. However, these are not static societies. One of the most remarkable developments in the field of privacy and data protection is the emergence
of organisations in the Asia-Pacific and Africa as policy-brokers in the field.
Examples are the Asia-Pacific Economic Cooperation (APEC) and, even more
significantly, the Economic Community of West African States (ECOWAS). Just a
decade ago, these organisations scarcely figured as policy-brokers in the field. The
situation today is very different, particularly in Africa where some of the most
ambitious and normatively prescriptive data protection initiatives have been recently launched. I refer here especially to the Supplementary Act on Personal
Data Protection within ECOWAS, adopted in 2010.10 Further, the East African
Community (EAC)11 has issued a recommendation that its member states adopt
data protection laws in line with best international practice.12
These events show not just the shifting character of privacy as a cultural value
but underline also that privacy is very much a generational value.
9 D H Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press 1989).
10 Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, adopted 16 February 2010. The ECOWAS states are Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo.
11 Composed of Tanzania, Rwanda, Kenya, Uganda and Burundi.
12 Legal Framework for Cyber Laws (Phase 1) November 2008, formally adopted 7 May 2010. However, unlike the ECOWAS instrument, the EAC recommendation does not set out substantive data protection rules nor is it legally binding.
Control and surveillance in working life1
Tommy Tranvik
Introduction
This chapter discusses challenges related to control and surveillance in working life, more specifically the use of field technology: electronic systems for registering and processing information about employees who work away from a fixed workplace.

The first part of the chapter discusses fundamental questions concerning employers' use of field technology for control and surveillance of work performance: How can field technology challenge employees' privacy, how are field technology products structured and how do they function, which laws and rules apply to the use of field technology in working life, and which privacy interests can come into play when this type of electronic system is used in working life?

The second part of the chapter summarises experiences with the introduction and use of field technology in 50 enterprises spread across seven different sectors. Particular attention is given to experiences with the introduction process itself, the arguments for and against introduction that were used (by employers and employees) and reports of misuse of information about employees. Finally, the enterprises' compliance with legal rules when introducing field technology and when subsequently processing information about employees is discussed.

The discussion in the second part will show that the 50 enterprises that took part in the study faced important challenges, both in balancing the employer's need for control against the employees' privacy and in complying with the laws and rules that govern the introduction and use of field technology.
Part I – Fundamental questions
Defining the problem – an example
Electronic systems for control and surveillance of employees away from a fixed workplace have been in use – and have caused controversy – for some years already. It was a case from the waste collection industry in Nord-Troms that in 2010 brought these issues into the public spotlight in earnest.2 The background was that the inter-municipal waste collection company Avfallsservice AS in Nord-Troms had taken the fleet management system GPS Realtime Waste Management into use on its refuse trucks.3 The system was used, among other things, as a navigation tool for the company's drivers and to register information about the drivers' work performance. The latter took place by the drivers sending an electronic receipt message to the company's computers for each collection point they visited on the route.4 The electronic messages were given a timestamp and stored in a collection log. Management could thus check when the drivers had visited the various collection points and how long they had spent between each collection point.

The two types of information were originally to be used for two different purposes: documentation of work performance (the electronic collection log) and payment of wages (the manually kept timesheets). However, management believed it had reason to suspect that one of the drivers was entering too many hours on his timesheets. Management therefore checked the collection times registered in the collection log, and the check showed that the driver had spent an unusually long time between many of the collection points on the route. Nevertheless, he had recorded this as working time on his timesheets. On this basis the company considered that the driver had been paid for work he had not done, and the driver was dismissed from his position. The driver did not accept this. He demanded that the dismissal be declared invalid and claimed compensation from the company for wrongful dismissal and unlawful processing of personal data.

The bodies that dealt with the case – the Data Protection Authority (Datatilsynet),5 the Privacy Appeals Board (Personvernnemnda),6 Hålogaland Court of Appeal7 and the Supreme Court8 – found that the company had breached important provisions of the Working Environment Act and the Personal Data Act. Nevertheless, the driver did not prevail in the courts on any point, neither in the Court of Appeal nor in the Supreme Court.

Below we shall see that the waste collection case in Nord-Troms is not an isolated instance.9 Electronic systems for surveillance or control of employees away from a fixed workplace are being adopted by an increasing number of employers in many different occupations and sectors. It is therefore no exaggeration to claim that the introduction and use of electronic control and surveillance is one of the most important technical and organisational development trends in the parts of working life covered by this report.

1 The discussion in this chapter is based on Tranvik 2013.
2 The case is discussed in, among others, Borchgrevink 2011: 33-35, Edvardsen 2011 and Nedberg 2011.
3 The system is supplied by the company Norsk Navigasjon, see http://www.norsknavigasjon.no/.
4 The drivers could also send deviation reports, for example that waste containers could not be emptied because they had tipped over, had not been put out or were not where they should be.
5 See http://www.datatilsynet.no/Regelverk/Personvernnemda/Klagesaker/2011/Ulovlig-bruk-avGPS/.
6 See http://www.personvernnemnda.no/vedtak/2011_04.htm.
7 See www.lovdata.no, LH-2011-155315.
8 See Rettstidende 2013, p. 143 or www.lovdata.no, HR-2013-234-A.
9 At the same time, a similar case was handled by the Data Protection Authority during spring 2013, see http://www.datatilsynet.no/Nyheter/2013/Overtredelsesgebyr-for-ulovlig-bruk-av-gps-data-fra-yrkesbil/.
Technology
The waste collection case concerned electronic control or surveillance systems being used to collect information about the drivers. Such systems are usually referred to as field technology. In addition to fleet management, there are a number of other types of field technology. The most common are electronic driving logs, handheld computing devices (smartphones, PDAs, laptops, etc.), barcode systems, various types of sensors, radio frequency identification (RFID), digital tachographs, road toll tags and fuel cards.

What these field technologies offer employers is presence without physical proximity. The most common way this is achieved is that information about employees in the field is visualised on computer screens that managers (or other office staff) monitor. Managers can thus know about matters they were previously unaware of or only learned of afterwards, for example where employees are, how long they spend at different customers, how often they take breaks, which routes they choose, how fast they drive, etc. This type of field technology can therefore be said to have the following characteristics:
• Visibility: Field technology can make visible matters that were previously wholly or partly hidden from the employer.
• Centralised overview: Field technology can provide an overview of employees' movements and activities from a single central location (for example the dispatch centre, operations centre, resource management centre or traffic control centre).
• Real-time remote control: Field technology can make it possible for managers in the office (or staff at the centre) to intervene in or direct work performance while the work is still in progress.
• Decentralised access: Field technology can give employees access to internal computer systems and information resources while they are away from the office (for example order and invoicing systems, patient records, customer history, manuals and procedure descriptions, etc.).
Not all field technology has all of these characteristics. Some products, for example, are designed so that information about employees is made available to the employer long after it was registered in the field. Other products are designed in a way that makes it difficult or impractical for managers (or other staff) in the office to follow what employees are doing at any given time, but the information can nevertheless be examined afterwards.
Legislation
The introduction and use of field technology is legally regulated in several ways. If the use of field technology is defined as a control measure, the rules in chapter 9 of the Working Environment Act apply.10 These set conditions for the introduction of control measures (field technology) and require that the introduction process follow certain procedural rules.

The electronic processing of information about employees (personal data) that takes place after the control measure (field technology) has been put into operation is regulated by the rules in the Personal Data Act and its regulations. Under these rules, employers have a number of duties when information about employees is processed electronically. At the same time, employees have a number of rights in relation to the employer's processing of information about them. The introduction and use of control measures in working life, field technology included, may also be regulated in collective agreements and in separate agreements/protocols between the parties at enterprise level.

Discussions of the legal rules that apply to the introduction and use of field technology can be found in Dag Wiese Schartum (2013): Rettslige aspekter ved feltteknologi i arbeidslivet.

10 What is meant by a control measure is not defined in the text of the Act itself or in its preparatory works. See Ot.prp. nr. 49, 2004-2005, Om lov om arbeidsmiljø, arbeidstid og stillingsvern mv., chapter 12 (http://www.regjeringen.no/nb/dep/ad/dok/regpubl/otprp/20042005/otprp-nr-49-2004-2005-.html?id=396602).
Privacy
Why should employees who use field technology and work away from a fixed workplace have expectations of privacy? Many of them work in public spaces, for example bus drivers, security guards or tram drivers, and they may in addition be easily visible for other reasons, for example because they drive vehicles bearing a company logo or wear work clothing that makes them stand out. So why should the employer not be able to follow what its own employees do when the rest of us can observe them during the day?

The question of privacy for employees away from a fixed workplace is not about the employer being unable to learn what the rest of us observe day to day. Nor is it about employers being unable to monitor or follow up their own employees. It is instead about how systematic, routine and focused the processing of information about employees should be: to what extent should employees be visible to and examined by persons to whom they are subordinate and on whom they are dependent? When do visibility and examination take on such a character that autonomy and independence – the individual sphere – erode or disappear?

Privacy for employees away from a fixed workplace can therefore be understood as a way of regulating the relationship between two parties where one (employees) is subordinate to the other (the employer). This means that questions of privacy are closely interwoven with questions of power. The employer strengthens its power when employees become visible on management's computer screens or become the subject of detailed examination in the enterprise's computer systems. The imbalance of power can be evened out somewhat if employees gain influence over how management handles information about them, for example which information is displayed on the screens or registered in the computer systems. Privacy is therefore defined as the degree of control that employees have over the employer's use of information concerning them. In the academic literature this is described as informational integrity.11

In the waste collection case, the drivers had some, but limited, informational integrity (control over the registration of information in the fleet management system). It was they themselves who sent in the electronic receipt messages, and they could themselves assess which deviations ought to be reported. At the same time, they had little control over the employer's use of the information after it had been received by the waste collection company. The drivers had, for example, no way of checking whether the information in the fleet management system was being cross-checked against information obtained from other data sources (the timesheets).
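As an added illustration (not code from this chapter or from the fleet management product named in the waste collection case), the following Python sketch models the collection log described above and the informational integrity point just made: every read of the log is bound to the purpose the data was registered for, reuse for wage checking requires a documented basis, and each access attempt, refused or granted, is written to an audit trail that the driver concerned can inspect. All drivers, collection points, timestamps and the "local agreement" basis are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Receipt:
    """One electronic receipt message: driver, collection point, server timestamp."""
    driver: str
    point_id: str
    received_at: datetime


@dataclass(frozen=True)
class AuditEntry:
    """Who read whose data, for which purpose, whether it was allowed, and on what basis."""
    actor: str
    driver: str
    purpose: str
    granted: bool
    basis: Optional[str]


class CollectionLog:
    """Collection log whose reads are bound to the purpose the data was registered for."""

    PRIMARY_PURPOSE = "work_documentation"

    def __init__(self) -> None:
        self._receipts: List[Receipt] = []
        self._secondary: Dict[str, str] = {}   # purpose -> documented basis for reuse
        self._audit: List[AuditEntry] = []

    def record(self, receipt: Receipt) -> None:
        self._receipts.append(receipt)

    def authorise_secondary_purpose(self, purpose: str, basis: str) -> None:
        """Register a documented basis (e.g. a local agreement) before data may be reused."""
        self._secondary[purpose] = basis

    def read(self, driver: str, purpose: str, actor: str) -> List[Receipt]:
        basis = None
        if purpose == self.PRIMARY_PURPOSE:
            basis = "primary purpose"
        elif purpose in self._secondary:
            basis = self._secondary[purpose]
        granted = basis is not None
        # Every attempt is logged, allowed or not, so the driver can later see
        # whether their data was combined with other sources such as timesheets.
        self._audit.append(AuditEntry(actor, driver, purpose, granted, basis))
        if not granted:
            raise PermissionError(f"purpose {purpose!r} is not authorised for this log")
        return sorted((r for r in self._receipts if r.driver == driver),
                      key=lambda r: r.received_at)

    def audit_for(self, driver: str) -> List[AuditEntry]:
        """What the driver concerned is entitled to see: every access to their data."""
        return [e for e in self._audit if e.driver == driver]


def intervals_between_points(log: CollectionLog, driver: str, actor: str) -> List[timedelta]:
    """Time spent between consecutive collection points (the log's primary purpose)."""
    receipts = log.read(driver, CollectionLog.PRIMARY_PURPOSE, actor)
    return [b.received_at - a.received_at for a, b in zip(receipts, receipts[1:])]


def reconcile_with_timesheet(log: CollectionLog, driver: str, claimed_hours: float,
                             actor: str) -> Dict[str, float]:
    """Compare the logged route span with manually reported hours (a secondary purpose)."""
    receipts = log.read(driver, "wages", actor)
    span = receipts[-1].received_at - receipts[0].received_at
    logged = span.total_seconds() / 3600
    return {"logged_hours": logged, "claimed_hours": claimed_hours,
            "difference_hours": claimed_hours - logged}


def build_sample_log() -> CollectionLog:
    """Constructed sample data for one driver on one route (not data from the real case)."""
    log = CollectionLog()
    start = datetime(2013, 3, 4, 8, 0)
    for i, minutes in enumerate([0, 20, 105]):
        log.record(Receipt("driver-1", f"point-{i + 1}", start + timedelta(minutes=minutes)))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(intervals_between_points(log, "driver-1", actor="dispatcher"))
    try:
        reconcile_with_timesheet(log, "driver-1", 3.0, actor="manager")
    except PermissionError as err:
        print("refused:", err)
    log.authorise_secondary_purpose("wages", "local agreement with employee representatives")
    print(reconcile_with_timesheet(log, "driver-1", 3.0, actor="manager"))
    for entry in log.audit_for("driver-1"):
        print(entry)
```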
Prevalence and previous research
There are no good figures showing the prevalence of field technology in the sectors/occupations that took part in this survey. Nor are there good figures on the overall prevalence of field technology in working life as such. In a survey conducted by the research foundation FAFO in 2010, seven per cent of employees answered that fleet management was used at their workplace. The survey did not ask about the prevalence of other types of field technology.12

Information from the suppliers, union representatives and enterprise managers who took part in this study, however, indicates that use is growing rapidly and that growth has been particularly strong since 2009-10. The growth was explained, among other things, by falling prices for many of the products, so that small and medium-sized enterprises can also afford to buy products of the GPS Realtime Waste Management type.

No previous studies have been made of the causes or consequences of the introduction and use of field technology at enterprise level. Some previous research has, however, been done on the significance of information and communication technology for surveillance, control and privacy in working life, both internationally and in Norway.13 But here too, few empirical studies have been carried out at enterprise level. There is therefore relatively little help and guidance to be had from previous research.

11 The understanding that protection of information about the individual is a central part of privacy was first formulated in Westin 1967: 7. See also Schartum and Bygrave 2011: chapter two and Blekeli 1977.
12 See Bråten 2010.
13 See for example Allmer 2012, Bråten and Tranvik 2012, Swell 2012, Swell et al. 2012, Ball 2010, Bråten 2010 and 2008, Øvstedal et al. 2010, Berkvens 2009, Bing 2009, Bodie and Estreicher 2007, Hansson and Palm 2005 or Ravlum 2004. Such questions are also dealt with in the general literature on organisational and work sociology. See for example Grint 2005, Holman et al. 2003, Sennett 2003 and 1999 or Zuboff 1988.
Part II: Experiences with field technology in seven sectors
The sectors and the data
These issues are discussed on the basis of studies of 50 enterprises in seven different sectors or occupations. The following sectors/occupations took part in the study:
• The electrical trades. The most important field technologies were electronic driving logs, fleet management and handheld computing devices (smartphones, PDAs or laptops).
• Cleaning. The most important field technologies were handheld computing devices (smartphones or PDAs), radio frequency identification (RFID) and electronic driving logs.
• Municipal home care services. The most important field technology was handheld computing devices (smartphones or PDAs) integrated with internal computer systems, for example electronic records.
• Security (security guard companies). The most important field technologies were handheld computing devices (smartphones or PDAs), barcode systems and electronic driving logs.
• Public transport (bus and tram). The most important field technology was advanced fleet management systems. Electronic ticketing systems with satellite tracking and real-time information systems were also in use.
• Freight transport. The most important field technologies were fleet management, digital tachographs, handheld computing devices (PDAs) and barcode systems.
• Road maintenance. The most important field technologies were satellite-based systems for collecting production data and handheld computing devices (smartphones or PDAs).
In total, 50 enterprises spread across the seven sectors mentioned above took part. The participating enterprises were not representative of their sector or of Norwegian working life as such. First, because large and medium-sized enterprises were over-represented in the sample. Second, because the large majority of enterprises were characterised by orderly labour relations, for example the presence of union representatives and safety representatives in the enterprises. This means that the experiences discussed below probably give a more positive picture of the situation in the seven sectors (and in working life generally) than we would have obtained had more small enterprises, and enterprises without orderly labour relations, been included in the study.

In addition to the 50 enterprises, 16 suppliers of field technology and representatives of various expert groups, primarily industry consultants and researchers, also took part in the study as informants.

In all, 97 interviews were conducted with suppliers, enterprise managers, union representatives, safety representatives and experts, mainly in the period October 2011 to November 2012 inclusive. Representatives of the employees (union representatives and safety representatives) were interviewed to a greater extent than representatives of enterprise management.
The situation – main tendencies
There is little doubt that the introduction and use of field technology, and the increased processing of information about employees that this entails, was one of the most important technical and organisational changes that the enterprises in the study had carried out (or were in the process of carrying out) in recent years. In many of the enterprises the development can be described as somewhat dramatic, that is, the introduction of field technology meant that far more, and more detailed, information was registered about the employees now than only two, three or four years ago.

The findings indicate that questions about the employer's right to collect this information and the consideration of employees' privacy were high on the agenda when field technology was introduced – this was the most important matter of dispute in the 50 enterprises that took part in the study. The findings also indicate that the use of field technology was more problematic than the number of disputes reported to the central offices of the employee and employer organisations would suggest (the organisations reported that they seldom received such cases from their members). Instead, the cases remained at local level – in each individual enterprise – where the parties in the enterprise attempted to resolve them, or the cases remained unresolved and contributed to a more strained relationship between employers and employees.

The majority of those who took part in the study – representatives of the supplier industry, enterprise managers, union representatives and safety representatives – considered that the use of field technology raised difficult challenges concerning where the line between legitimate control of employees and privacy-infringing surveillance should be drawn. It was not surprising that the various actors had different and partly conflicting views of where the line ought to be drawn. Nor was it surprising that suppliers and enterprise managers generally had a higher tolerance for the use of field technology – and placed more weight on the employer's right to process information about employees than on the consideration of privacy – than union representatives and safety representatives did. Nevertheless, management in a smaller number of enterprises (5-6) had made a considerable effort to prevent the introduction and use of field technology from taking place too much at the expense of employees' privacy.
Use of field technology
Various types of field technology were used in the electrical occupations (energy supply and electrical installation), municipal home care services, security (the security guard industry), cleaning, public transport (bus and tram), goods transport and road operations. The most advanced field technology products could both increase the visibility of employees in the field, facilitate centralised management of the work effort and offer decentralised access to the enterprises' computer systems.

Although some types of field technology had been used for many years in some of the sectors, it was most common for the use to be of recent date, anything from three to four years to a few months (some enterprises were in the process of introducing field technology when the study was conducted). The most typical field technology products in use registered information about employees by means of satellite positioning and tracking (electronic driving logs and fleet management) or by use of handheld computing devices (PDAs, for example barcode or RFID scanners, smartphones or laptops). The products could contain technical functions such as motion sensors (g-sensors), integration with in-vehicle data networks or digital tachographs, communication between employees and managers, etc. Many of the products were in addition integrated with internal computer systems in the enterprises, for example order handling, HR systems, finance/accounting, record systems, planning tools, inventory and parts ordering modules, etc.
Visibility, management and access
Making employees in the field visible characterised the use of field technology in all the sectors. This was, however, most prominent in enterprises where various forms of satellite positioning and tracking (electronic driving logs or fleet management) were used. Especially in the electrical occupations, where enterprises wished to use electronic driving logs to strengthen control of private use of company vehicles, making behaviour visible was important. Visibility was also important within cleaning and in the security guard industry, where handheld computing devices were used to document work performance. The same can be said to some extent for public transport, especially bus companies, and road operations. Here it was reported that making work performance visible through documentation of, among other things, punctuality, idling, ploughing and salting was important in relation to the clients (for example county public transport purchasing bodies).

Centralised management of employees in the field was particularly prominent in sectors and enterprises where fleet management (of the GPS Realtime Waste Management type) was used. This applied primarily within the electrical occupations and in goods transport. The management ambitions were especially great within goods transport. This was expressed, among other things, in information in the fleet management systems being combined with information registered by other types of field technology, for example digital tachographs and temperature sensors. Similar ambitions were evident within public transport and road maintenance, but without the systems being used as actively to manage employees and work performance. In sectors where mainly handheld computing devices were used, for example in cleaning and the security guard industry, employers had few ambitions for stronger management of their own employees. Here it was more relevant to use registered information to check work performance against conditions in contracts or service standards, that is, to document to the customers whether the job had been done as agreed.

Decentralised access to internal computer systems characterised the use of field technology in sectors and enterprises where handheld computing devices (PDAs or smartphones) were used as work tools by the employees. Municipal home care services are the typical example of this use of field technology. Here, access to internal computer systems – work lists, client information, record notes, procedure descriptions and medical handbooks – was the core functionality. Similar use of handheld computing devices was also common in the electrical occupations.
Overvåking og misbruk
De ansattes opplevelse av å bli overvåket og episoder med misbruk av opplysninger om ansatte, spesielt formålsutglidning eller brudd på regler i lokale avtaler/
protokoller (som regulerte virksomhetenes behandling av opplysninger om ansatte), varierte en del mellom bransjene. Nedenfor følger en kort oppsummering
av de viktigste brukererfaringene.
Surveillance and episodes of misuse were reported to be most extensive in industries where products based on satellite positioning and tracking – electronic driving logs or fleet management – were most used. This applied first and foremost to the electrical trades and goods transport. In the electrical trades in particular, strong resistance to electronic driving logs and fleet management was reported. At the same time, a number of cases were reported in which information was used to check employees' performance of work/working hours, among other things by cross-referencing data from different sources (especially with a view to checking employees' self-reported working hours or how long they had stayed with various customers). In goods transport the scepticism towards field technology was also marked, particularly since several of the enterprises recorded many different types of information about the drivers, and because few restrictions were reported on what management could use the information for. The resistance was, however, less organised than in the electrical trades. It seemed mainly to exist as frustration at driver level, and was to a small extent raised to the level of the parties in the enterprises. In the scheduled bus industry fewer cases of alleged misuse of information were reported, but some union representatives and safety representatives felt that drivers could find the surveillance uncomfortable.
In these industries – electrical, goods transport and scheduled bus services – suspicions of misuse of information were more widespread than concrete examples of misuse. The reason for this was probably that union representatives or employees usually had few opportunities to check how management handled information recorded in electronic driving logs or in fleet management systems. It can therefore be argued that the suspicions were probably fed by the fact that informational integrity was relatively low, that is, employees' control over the recording and further processing of their own information was limited. Limited control over their own information seemed to have led some union representatives (and safety representatives) to begin to doubt that management handled the information in an acceptable way.
Trams and road maintenance deviated from the tendencies in the three industries mentioned. Systems for satellite positioning and tracking were in use in these industries too, but the experiences were claimed to be relatively positive: few (or no) reports of employees feeling monitored, or of episodes of alleged misuse of information. This was probably related to several factors, among them that the information was perceived as not very personal and that employees saw it as in their own interest that the use of field technology strengthened the enterprise's control over external contractors.¹⁴
The experience of being monitored and the number of episodes of misuse of information about employees generally seemed to be smallest in industries where handheld data devices were used to record information about employees: cleaning, the municipal home care service and the security guard industry. Unlike satellite positioning and tracking, which was perceived as management's tool, handheld data devices were to a greater extent perceived as the employees' own work tool. Informational integrity can therefore be said to be greater than with systems for satellite positioning and tracking: employees had more control over which information was recorded about them. But even though handheld data devices gave employees greater control over the recording of information itself, control over what happened to the information after it had been transferred to the employers' data systems was still limited. Union representatives and safety representatives could therefore not be sure what management actually used the information for, who had access to it or how long it was stored. In the security guard industry, episodes were also reported in which management wanted to obtain information about employees recorded by customers and clients (third parties, see the discussion below).
In the municipal home care service, the use of handheld data devices did not seem to be interpreted as a control measure. This despite the union representatives' view that the devices could be used for control, among other things of employees' use of time. Some union representatives had examples of this, but there were no reports of employees feeling monitored by management. In other industries, primarily the security guard industry, attitudes towards handheld data devices were more critical. Here union representatives and safety representatives were concerned that this work tool could also be used for control and surveillance, and pointed to several examples of this having happened. The same can to some extent be said of cleaning. Here some union representatives reported that they were worried about increasing time registration and that this could lead to higher work pressure for the employees.
14 It was within road maintenance that external contractors – enterprises performing tasks on behalf of the main contractor – were perceived as a problem. Here it was claimed that external contractors tended to over-report production data, for example ploughing or salting of road sections. This made external contractors appear more efficient than the main contractor's own employees, but with the introduction of field technology, reported production data could be checked against work actually performed. The expectation expressed was that this would show that the main contractor's employees were no less efficient than the hired-in labour.
Third-party control
The introduction of field technology could lead to a greater element of third-party control, that is, parties other than the employer recording or having access to information about employees. This was particularly the case where tasks were put out to tender or employees performed work at customers' premises, especially in the scheduled bus industry, goods transport, trams, road maintenance and the security guard industry. Third-party control also occurred in the electrical trades and cleaning.
In the scheduled bus industry, trams, road maintenance and cleaning, third-party control was rarely problematised. For example, no episodes were referred to in which the employer wanted third parties (customers or clients) to hand over information about employees (recorded in CCTV or access control systems) to the employer. In goods transport, the security guard industry and the electrical trades, however, it was reported that third-party control could be an additional burden for employees, that is, yet another actor (in addition to the employer) recording or having access to information about them. Here, episodes were reported in which the employer asked for access to information about employees recorded by customers/clients, or in which customers/clients themselves used the information to check the employer's employees. This could happen, for example, by customers/clients checking their own surveillance cameras to monitor the hired-in workers' performance, or by customers/clients being given access to the employer's fleet management system (their own web login and access to selected parts of the system). Union representatives and safety representatives felt that they had little influence over the extent of third-party control, and that this created uncertainty about how third parties (in cooperation with the employers) used information about employees.
Justifications and counterarguments
The enterprises' justifications for introducing field technology varied depending on which products were involved and which industries they were used in. The use of some types of field technology could, for example, be voluntary (chosen by the enterprises themselves), while the use of other types was required by law, for example digital tachographs in commercial transport or temperature sensors in refrigerated transport. Some types of field technology had few and specific purposes, for example electronic driving logs (compliance with tax rules), while other types could have many and partly imprecise purposes, for example fleet management (rationalisation, efficiency gains, quality improvement, staff safety, work documentation, environmental considerations, fuel reduction, etc.). Nevertheless, four justifications (or purposes) stood out as particularly important across products and industries.
The main justifications
The most important (and most frequently cited) justification was rationalisation and more efficient operations. This was to be achieved primarily through more centralised planning and management of work, for example by arranging driving times and routes better than before, or by reducing response times for urgent assignments. The same purpose was also to be achieved by giving employees access to, and letting them record, important information about assignments (or customers/clients) in internal data systems without having to return to the office. Higher quality of service, more accurate documentation of work performed and more satisfied customers/clients were other purposes mentioned in connection with the rationalisation and efficiency justifications.
Better documentation of the performance of work was a justification mentioned in most industries. It was, however, particularly important where work was performed under contract and where doubt could easily arise as to whether the job had been done. Documentation of work was therefore especially decisive within cleaning, the security guard industry and road maintenance, but was also mentioned as important in the electrical trades, the scheduled bus industry, goods transport and the home care service. Documentation could to some extent be required by law, for example driving and rest times in goods transport, but was mainly self-chosen and a “defensive measure”, that is, information that was “nice to have” in case of complaints/questions from customers or clients.
Increased staff safety was a purpose mentioned in most industries, with some exception for cleaning and the home care service. The safety justification was that it would become easier to locate employees if they were exposed to accidents, episodes of violence or other types of emergency. In addition, it would allow assistance to be called and dispatched more quickly than before.
Better regulatory compliance was a justification emphasised especially where vehicles (company cars or lorries) formed part of the performance of work. Electronic driving logs were, for example, used in several industries to document compliance with the company car rules in tax legislation, and in goods transport several systems were used to meet statutory requirements (especially digital tachographs, temperature sensors and alcohol interlocks). In the home care service, electronic registration of direct user time (the number of minutes that users of the services were entitled to under municipal decisions) could be seen as a form of regulatory compliance – documenting that users received the help they had been granted.
The main counterarguments
The most important counterarguments related to surveillance and misuse of information about employees. We have seen above that the force with which union representatives and safety representatives put forward these counterarguments varied somewhat between the different products and industries. In addition to surveillance and misuse of information, the following counterarguments were mentioned most frequently:
• Shift in power: This concerned the fact that recording information about employees using field technology could lead to the stronger party (the employer) strengthening its position vis-à-vis the weaker party (the employees). Here it was mentioned that employees and union representatives could become more anxious or reluctant to put forward critical views to management when they knew that management had access to detailed information about how they performed their work. The concern was partly that the information could be used to punish critical voices in the enterprise, and partly that managers could use the information to get rid of employees whom they, for other reasons, perceived as problematic or troublesome.
• Reduced trust: This concerned the fact that increased recording of information about employees was experienced as distrust, that is, that management no longer trusted that employees did their job. Several union representatives and safety representatives also felt that the use of field technology had led to employees having less trust in management. This applied especially in enterprises where there had been episodes of misuse of information about employees, or where the introduction process was described as problematic.
• Changed work situation: This concerned the fact that the use of field technology, especially if used for increased control and management of the performance of work, would affect the way the job was done – and the individual's experience of their own work – in a negative way. Several union representatives and safety representatives felt that employees' autonomy and independence would be reduced, while others feared more time pressure and a higher pace of work. The common denominator was the concern that employees would have less influence than before over the content of their own working day.
• Less job satisfaction: This concerned the fact that reduced influence over one's own working day could lead to greater dissatisfaction at work (and possibly higher sickness absence). Greater dissatisfaction could partly affect employees' productivity and partly the quality of the work performed. It could also lead to employees becoming less loyal to the employer, that is, no longer being as willing to make an extra effort when needed.
Not all union representatives and safety representatives agreed with these counterarguments, but argued that the use of field technology had had little effect on the balance of power, trust, the work situation or job satisfaction. They also felt that field technology had hardly led to rationalisation or more efficient operations. Such views were put forward especially by union representatives and safety representatives in enterprises where the relationship with management was described as very good, where there had been no known episodes of misuse of information and where the use of field technology was a prerequisite for winning tenders and securing jobs. But even these voices were sceptical of field technology and the recording of information if the use was not regulated through local agreements/protocols that were complied with by both parties.
Laws and agreements
Around half of the enterprises that took part in the study had not – or had only to a limited extent – followed the rules in the Working Environment Act (chapter nine) on informing employees and consulting union representatives prior to the introduction of field technology. The most common shortcoming was that consultations with union representatives had either not been held or had taken place at such a late stage that their opportunities to influence how the field technology was to be used were limited. It was reported that consultations had usually come about after pressure or demands from the local union branch. Only in a few enterprises was it reported that management had taken the initiative.
This applied, however, only to the introduction of products based on satellite positioning and tracking (primarily electronic driving logs and fleet management). Far fewer enterprises had complied with the procedural rules of the Working Environment Act when introducing handheld data devices (even though the devices recorded information that could be used to control employees). This meant that many of the enterprises that had followed the rules when introducing electronic driving logs or fleet management had nevertheless not done the same when introducing other types of field technology. Only in the security guard industry had enterprises based the introduction of handheld data devices on chapter nine of the Working Environment Act. In the other industries, only a relatively few enterprises had done likewise. At the same time, the need for local agreements/protocols seemed to be perceived as less pressing with handheld data devices, probably because the devices were less associated with control and surveillance than systems for satellite positioning and tracking.
In the great majority of enterprises, the introduction of field technology and the processing of information about employees was based on the managerial prerogative: the employer's view that it had a unilateral right to implement control of employees' performance of work. The managerial prerogative had either been used to instruct employees to adopt the technology, or as a “trump card” where employees opposed the introduction of field technology. In some enterprises, reference was made to similar systems having been introduced in competing enterprises, and that the use was therefore both lawful and necessary to secure the enterprises' future. Only in a few enterprises had field technology (primarily electronic driving logs) been introduced on the basis of consent from employees. The majority of union representatives preferred greater use of employee consent. Managers, on the other hand, felt that the managerial prerogative – and their own assessments of the measures' legitimacy and proportionality – should continue to be the basis for the introduction and the processing of information about employees.
Agreements or protocols regulating management's processing of information about employees existed in around one in three of the enterprises that took part in the study. The majority of the agreements/protocols covered products based on satellite positioning and tracking. Agreements covering information recorded using handheld data devices existed primarily in the security guard industry.
The differences in the content of the agreements were relatively large.¹⁵ Two points recurred, however: a statement of purpose (often with assurances that the information would not be used against employees) and access control (specifying which managers/personnel could check recorded information). Even though several of the agreements were relatively brief, it can nevertheless be said that where agreements/protocols existed, the enterprises were somewhat better equipped to comply with the rules in the Personal Data Act and its regulations than enterprises where no agreements/protocols existed.
Generally, the agreements/protocols seemed to have a triple value in the enterprises. First, they gave employees somewhat greater assurance that information about them was processed in an acceptable way. Second, they gave the enterprises somewhat greater assurance that the processing of information about employees was, to a certain extent, in accordance with regulatory requirements (the Personal Data Act and its regulations). Third, negotiations on agreements/protocols seemed to have raised awareness and strengthened both parties' competence on questions relating to surveillance, control and privacy.
Although managers, union representatives and safety representatives were usually satisfied that agreements/protocols had been concluded, there were sceptics, especially among the union representatives. Here it was pointed out that union representatives and employees had few opportunities to check whether managers complied with the rules in the agreements, and some doubted that any transgressions would have much consequence for the manager concerned. These voices therefore felt that the agreements/protocols could prove to be of little value to employees.
Summary
The findings discussed in this chapter indicate that working life is becoming more transparent: employees can increasingly be observed, controlled and managed on computer screens. The study also indicates that employees who work outside a fixed workplace are probably at least as exposed to electronic control and surveillance as employees with a fixed workplace. This is an important observation. For if there are any groups of employees that one would initially expect to be shielded from the employer's “scrutinising gaze”, it is employees who are outside the employer's physical control during the working day. When these groups of employees too are subject to sometimes extensive electronic control and surveillance, the picture of a working life that has become more transparent is reinforced.
15 For further discussion, see Schartum 2013.
References
Allmer, Thomas (2012): Towards a Critical Theory of Surveillance in International Capitalism. Frankfurt am Main: Peter Lang.
Ball, Kirstie (2010): “Workplace Surveillance: an Overview.” In Labour History, Vol. 51, Issue 1, pp. 87-106.
Berkvens, Jan (2009): “The Role of Trade Associations: Data Protection as a Negotiable Issue.” In Serge Gutwirth et al. (eds.): Reinventing Data Protection? Milton Keynes: Springer.
Bing, Jon (2009): “Samtykke til behandling av personopplysninger i arbeidsforhold.” In Helge Aune et al. (eds.): Arbeid og rett. Festskrift til Henning Jakhellns 70-årsdag. Oslo: Cappelen Akademiske Forlag.
Blekeli, Ragnar D. (1977): “Hva er personvern?” In Ragnar D. Blekeli and Knut S. Selmer (eds.): Data og personvern. Oslo: Universitetsforlaget.
Bodie, Matthew and Samuel Estreicher (2007): Workplace Discrimination, Privacy and Security in an Age of Terrorism. The Hague: Kluwer Law.
Borchgrevink, Mette (2011): Om avgrensning av arbeidsgivers styringsrett på grunn av arbeidstakers personvern. Complex 5/11. Oslo: Unipub.
Bråten, Mona (2010): Kontroll og overvåking i arbeidslivet. Oslo: Fafo-rapport nr. 22.
Bråten, Mona (2008): Personvern under press – hvor går grensene i arbeidslivet? Oslo: Fafo-rapport nr. 34.
Bråten, Mona and Tommy Tranvik (2012): Kontroll med ansatte utenfor fast arbeidssted. Ansattes erfaringer med feltteknologi. Oslo: Fafo-rapport nr. 50.
Edvardsen, Kjetil (2011): “Kommentar til innlegg om overvåking i arbeidslivet.” In Juristkontakt nr. 7, pp. 53-54.
Grint, Keith (2005): The Sociology of Work. Cambridge: Polity Press.
Hansson, Sven O. and Elin Palm (eds.) (2005): The Ethics of Workplace Privacy. Brussels: P.I.E. Peter Lang.
Holman, David et al. (eds.) (2003): The New Workplace. A Guide to the Human Impact of Modern Working Practices. Chichester: Wiley.
Nedberg, Mari H. (2011): “Fra krysspress til illusorisk vern av arbeidstakers rettigheter?” In Juristkontakt nr. 6, pp. 48-49.
Neyland, Daniel (2009): “Surveillance, Accountability and Organisational Failure: the Story of Jean Charles de Menezes.” In Benjamin J. Goold and Daniel Neyland (eds.): New Directions in Surveillance and Privacy. Cullompton: Willan Publishing.
Ravlum, Inger-Anne (2004): Makt, beslutninger og integritet. IKT og personvern i transport. Oslo: TØI-rapport 703/2004.
Schartum, Dag W. (2013): Rettslige aspekter ved feltteknologi i arbeidslivet. Complex 3/13. Oslo: Unipub.
Schartum, Dag W. and Lee Bygrave (2011): Personvern i informasjonssamfunnet. En innføring i vern av personopplysninger. Bergen: Fagbokforlaget.
Sennett, Richard (2003): Respect. The Formation of Character in a World of Inequality. London: Allen Lane.
Sennett, Richard (1999): The Corrosion of Character. The Personal Consequences of Work in the New Economy. New York: W. W. Norton.
Sewell, Graham (2012): “Organizations, Employees and Surveillance.” In Kirstie Ball et al. (eds.): Routledge Handbook of Surveillance Studies. London: Routledge.
Sewell, Graham et al. (2012): “Working Under Intensive Surveillance. When does ‘Measuring Everything That Moves’ Become Intolerable?” In Human Relations, 65 (2), pp. 189-215.
Tranvik, Tommy (2013): Det gjennomsiktige arbeidslivet. Erfaringer med feltteknologi i utvalgte yrker. Complex 2/2013. Oslo: Unipub.
Westin, Alan (1967): Privacy and Freedom. New York: Atheneum.
Zuboff, Shoshana (1988): In the Age of the Smart Machine. The Future of Work and Power. Oxford: Heinemann.
Øvstedal, Liv et al. (2010): Personvern og trafikk: Personvernet i intelligente transportsystemer (ITS). Trondheim: SINTEF.
Utilizing Security Risk Analysis and Security Testing in the Legal Domain¹
Samson Yoseph Esayas
Norwegian Research Center for Computers and Law, University of Oslo
{[email protected]}
Abstract. In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it proposes that organizations’ security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations to understand the associated legal risks they would face if the identified security risks were to materialize, and to prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. In particular, the use of conformance testing would enhance organizations’ level of assurance regarding their compliance with legal norms of relevance to information security.
Keywords: legal risk analysis, compliance checking, testing, security testing, security risk analysis
1 Introduction and Motivation
The interaction of law and technology has been a subject of substantial research
for some time, particularly since the creation of the Internet. Lawrence Lessig’s
“Code is Law” [1] and Reidenberg’s “Lex Informatica” [2] are prominent works
on how technology affects law and vice versa. The underlying idea behind such
works is that there can and should be an understanding between the law and
technology. It is not the aim of this paper to grapple with such a vast field of
research and, thus, discussions are limited only to the area of risk management.
1 This paper was presented at the 1st International Workshop on Risk Assessment and Risk-driven Testing (RISK) in Istanbul. The paper will be published by Springer in the LNCS series.
Conventionally, legal services are often sought reactively, that is, when a problem has already occurred, and the main focus is on the identification of an applicable law to a given case (“da mihi factum dabo tibi ius”) [3]. Such an approach
has not always been viewed as satisfactory because disputes and litigation consume time and resources that could otherwise be used more productively. Legal
action is costly and drains productivity, damages businesses’ reputations, and impedes businesses’ ability to prosper, destroying the value they create long before
they collect on any judgment [4]. Subsequently, the focus has evolved toward
proactive legal risk management in which compliance or avoiding non-compliance is the priority through identifying and anticipating probable or potential
future problems and planning for mitigating these problems.
This is particularly relevant in the area of information security, which is attributable to several possible factors: First, the damage caused by a security risk
might not be reversed by winning a case or through monetary restitution. In
other words, losses occurring as a result of most security breaches, particularly
those involving sensitive personal data of customers, often lead to loss of customer trust and loss of reputation through negative publicity. Therefore, organizations should attempt to prevent such risks, not remedy them after they occur.
Second, the pressure for corporate compliance started to increase as regulators
set new requirements and increasingly imposed large fines on organizations that
mishandled sensitive data through negligence or failure to exercise due care [5].
Furthermore, legislators and regulators began to compel businesses to conduct
legal risk analysis in some areas. For example, according to a recent opinion of
the Article 29 Working Party² regarding cloud computing, cloud users have to
undertake a comprehensive and thorough risk analysis, paying special attention
to the legal risks regarding data protection, mainly security obligations and international transfers, before opting to go to the cloud [6]. Therefore, in some areas,
conducting legal risk analysis is no longer a voluntary exercise.
However, the lack of a generally accepted methodology for legal risk management has proven to be a challenge for some time [3]. In this regard, Mahler [7]
put forth a solid foundation by developing a legal risk management methodology
based on the ISO31000 steps, where legal risks are identified, their likelihood is
assessed, and the consequences are evaluated and then treated in a proactive way.
Fig. 1 shows Mahler’s [7] methodology for the management of legal risks.
2 The Article 29 Working Party is an organ established under Article 20 of the European Data Protection Directive. It plays, mainly, an advisory role with regard to data protection issues.
Fig. 1. Legal risk management process
Research has shown that the most important factor in the effective management
of legal risks is having robust and clearly defined processes to evaluate risk on a
continuous basis [8]. Such processes, the research emphasizes, must be specific to
legal risk management and should enable better reporting, ensuring that critical
risks are made visible to the right people as early as possible [8]. Mahler’s [7]
methodology remains an important contribution to this field. However, a particular challenge for assessing risks resulting from legal norms of relevance to
information security³ is that the analysis often involves technical measures. The
relationship is bi-directional in the sense that the identification, assessment, and
treatment of legal risks related to information security relies on an understanding
of the security risks and measures. Similarly, legal norms of relevance to information security often prescribe security requirements that security risk analysts
3 I do not attempt to define which laws would fall under such a category, but for the purposes of this paper, legal norms of relevance to security could be defined as the rules that govern information and information systems.
ought to heed. However, lawyers often lack the technical expertise needed to assess technical risks, and technical experts may lack detailed information about
the legal security requirements and the legal consequences of technical problems
[7]. This has triggered a research interest in approaching legal and security risks
in an integrated manner.
A study by Vraalsen et al. [9] confirms that “legal and technical risks can and
should be considered jointly.” Addressing technical risks might involve a variety
of measures. The most common are undertaking security risk assessment and security testing. This paper examines how security risk analysis and security testing
could be used in the legal context. In so doing, it addresses two aspects: first, it
considers how the results of a security risk analysis could be used as a basis for legal risk analysis. According to a recent Harvard Business Review survey, security
and privacy have become significant areas of concern over the past three years
[5]. The research has indicated that regulation concerning information security
and privacy is becoming increasingly demanding and the regulatory fines and penalties are becoming increasingly stringent [5]. Failure to deal with information
security risks is not only costly in terms of finances and damage to the company
and brand, but these regulatory penalties are also quite large [5]. Therefore, from
a risk management perspective, it is important that organizations are able to understand, from their legal standing, what it would entail if a certain information
security risk were to materialize. One way of doing this is to perform an assessment of what the information security risks mean from the legal perspective of
the organization after such risks are identified through a security risk analysis.
Section 2 addresses how this could be achieved through the use of security risks
documented in the CORAS⁴ threat diagram.
In addition, businesses face a remarkable array of new and often contradictory laws and regulations dealing with information security. To comply with such
an array of regulatory requirements, a business must not only implement measures that ensure compliance but must also have a means to ascertain that the
measures taken have the desired effect. Therefore, providing techniques to assess
the degree of compliance with a given regulatory requirement is a key objective
in every business process platform. Section 3 examines an approach in which
checking compliance with legal norms of relevance to security is supported by
conformance testing. In doing this, it maintains that an organization will be able
to check their compliance with such norms more efficiently if they follow a risk-based approach.
⁴ The CORAS tool is a graphical language used in risk analysis with constructs such as threats, vulnerabilities, risks, unwanted incidents, threat scenarios, and assets. It enables communication among experts from different disciplines as well as the documentation of risk assessment results.
Utilizing Security Risk Analysis and Security Testing in the Legal Domain
2 Security Risk Analysis as the Basis for Legal Risk Analysis
Vraalsen et al. [9] state that a legal risk analysis in an ICT context would benefit
from being carried out jointly by experts from different disciplines, including
legal experts, security experts, system developers, and users. However, as the diversity of the experts expands, communication and understanding between these stakeholders become more complex, partly because the different domains (IT and law) use their own vocabulary [10]. One possible way to address this problem is a common communication language that can easily be understood by all stakeholders. The CORAS language for threat modeling has been designed to mitigate this problem in the security domain. The language supports communication and common understanding between personnel of various backgrounds, and facilitates the risk analysis process and the documentation of the results [11]. Furthermore, it has been extended to include legal aspects.
Vraalsen et al. [9] examined the possibility of specifying legal threat scenarios
using the CORAS threat diagram. A more extensive work has been done by Lund
et al. [11] where they successfully showed that the CORAS threat diagram can
be used to model legal risks. As a result, the CORAS tool has been extended to
include “Legal CORAS” by introducing a construct for specifying legal norms,
which enables the modeling of legal risks [11]. This section builds on those works
in the sense that it will use the CORAS tool to demonstrate how security risk
analysis can provide input in assessing legal risks related to information security.
Before proceeding to that discussion, it is important to briefly introduce what is
meant by legal risk. Mahler [7] defines legal risk as a risk that has a legal issue as
its source. A legal issue is defined as a set of facts that are assessed under a set of legal norms [7]. According to Mahler [7], and drawing on the ISO 31000 definition of risk, legal risk involves uncertainty regarding both facts and legal norms.
The distinction between legal and factual uncertainty is important because the application of every legal norm consists of an antecedent (if A) and a consequent (then B) [10]. This implies that for a certain legal norm to come into operation against or in favor of someone, one has to apply the norm to a given set of facts and evaluate the result as either beneficial or detrimental for the assets or objectives of the stakeholder [10]. If the consequent (B) is negative for the stakeholder, it becomes important to determine whether the norm will be triggered [10]. That is where the two uncertainties arise: first, whether the set of facts (A) is or will be true (the factual uncertainty) and, second, whether the application of the norm to the set of facts (A) renders the consequence (B) (the legal uncertainty). In short, the legal uncertainty is the uncertainty of whether a legal norm actually applies to given factual circumstances, whereas the factual uncertainty is the uncertainty of whether the given circumstances will actually occur and thereby trigger the legal norm [11]. Therefore, the significance of a legal norm depends on the combined estimates of these two notions of uncertainty [11]. Fig. 2 shows the relationship between factual and legal uncertainty.
Fig. 2. Factual and legal uncertainty (adapted from [10])
In the figure above, the identification of legal risks involves identifying both legal
and factual uncertainty. The present section shows that security risk analysis could
provide the antecedent (factual uncertainty) for the purposes of legal risk analysis
in information security context. By assessing the factual uncertainty under a set of
applicable legal norms, one can obtain the legal threat scenario resulting from the
particular security risk, which provides the factual circumstances for the legal risk
analysis. Such an approach, along with its benefit to the legal risk analysis, enables security experts and organizations in general to understand the legal implications of a particular security risk.
One of the motivations for bringing security risk and legal risk analysis together pertains to the criteria for measuring the consequence value of information security risks. Often the consequence value of an information security risk is measured by the number of records affected by the incident. However, from a legal standpoint, although the number of records affected is also important, other factors could be given more weight. For example, the UK Information Commissioner’s Office (ICO), one of the few data protection authorities that publishes data breaches and regulatory measures taken [11], imposed a regulatory fine of £100,000 for breach of the obligation to take appropriate technical and organizational measures under the Privacy Act, which implements the EU Directive 95/46.⁵ The breach affected only one record, containing information relating to the sexual abuse of a child, which was left in a public place [11]. By contrast, the ICO imposed only £1,000 for a breach that affected 6,000 records containing sensitive personal data of individuals following a DDoS attack, and £60,000 for a breach that affected 24,000 records containing sensitive personal data [11]. The difference between these cases lies mainly in the kind of data affected by the breach, how the breach occurred, the likely consequent harm⁶ of the breach to data subjects and perhaps the hands into which the data fell after the breach (whether it is publicly available or in private hands).⁷ Meanwhile, there is little space within the security risk analysis to consider these issues. This implies that what organizations might consider a low security risk could have a devastating legal consequence. In other words, being effective in managing security risks might not always imply a low risk from the organization’s legal standpoint.⁸ Therefore, organizations need to take the legal aspects into account as well when dealing with their security risks. One way of doing this would be to take the identified security risks as a basis for legal risk analysis and assess the legal implications of such risks. This would prevent a security risk that, as noted above, might be considered low from inflicting a devastating legal consequence. Perhaps the legal risk implications could also be considered jointly when prioritizing security risks, where necessary. The CORAS threat diagram is used to present the claim as follows.
Fig. 3. CORAS threat diagram
The figure above shows a simple CORAS threat diagram where a hacker breaks into a system making use of the insufficient access control in place and obtains access to the customer database, which leads to the unwanted incidents ‘payment data leaks to third party’ and ‘personally identifiable information leaks to third party’. Fig. 4 demonstrates how a legal threat scenario could be derived from the unwanted incidents in the above threat diagram. For example, the first unwanted incident could give rise to the following legal threat scenario.
⁵ Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to processing of personal data and the free movement of such data [1995] OJ L281.
⁶ The UK Privacy Act has a clause that requires consideration of whether the breach would “likely cause damage or distress” to the data subjects [11]. Hence, in the legal context, these facts have received more weight than the number of records affected.
⁷ For example, the First-Tier Tribunal reversed a decision of the ICO on a regulatory fine on the ground that files containing personal information that were disposed of in a garbage bin did not fulfil the criterion ‘likely to cause damage or distress’ to the data subjects [11].
Fig. 4. CORAS legal threat diagram
The unwanted incident ‘personally identifiable information leaks to third party’ within the security risk analysis constitutes the factual uncertainty for the purposes of the legal risk analysis, as depicted in Fig. 4. This factual uncertainty, including its likelihood, is captured from the unwanted incident within the security threat diagram in Fig. 3. That factual circumstance is then assessed under the specific legal norm—in the above example, Article 17 of the data protection Directive—to obtain the legal threat scenario ‘client not compliant with EU data protection Directive’. In this regard, a relevant question to ask is: would Article 17 of the EU data protection Directive apply if personally identifiable information leaks to a third party? That involves an analysis of the legal requirements under Article 17 of the data protection Directive along with the likelihood of personally identifiable information leaking to a third party (the factual uncertainty). This is followed by an analysis of whether the application of Article 17 to the facts renders the client liable to pay damages in accordance with Article 23 of the same Directive.⁹ Then, the likelihoods of the factual and legal uncertainty have to be combined to determine the likelihood of the consequent becoming true. This is because, as explained above, it is through the combination of the legal uncertainty and the factual uncertainty that one is able to estimate the likelihood of the unwanted incidents that the antecedent may lead to. Once this estimation is done, the consequent is annotated with a likelihood value [12].
As in Fig. 4, the likelihood value for the consequent lies in the intersection between the likelihoods of the factual and legal uncertainty. If the likelihoods of the factual and legal uncertainty happen to be similar, as in Fig. 4, the consequent can also be annotated with a similar likelihood. However, if the likelihoods of the factual and legal uncertainty are different, one can take the higher likelihood. Alternatively, organizations can establish their own criteria for combining likelihoods. Lund et al. [12] have examined how quantitative likelihood values of the legal and factual uncertainties should be combined. According to them, quantitative likelihood values have to be multiplied to obtain the aggregate likelihood of the consequent [12]. Nevertheless, it might not always be easy to measure the likelihood of a legal uncertainty.
⁹ This is relevant because the application of the legal norm to the facts does not always give rise to the unwanted incident, since there might be exceptions that exempt the client from legal liability, or another third party could be held liable for the damage. In addition, there is the possibility that the victims might not bring a legal action against the company.
It is in this way that legal risk analysis can benefit from the results obtained
from the security risk analysis. However, it is more important in the sense that it
gives an overall picture of what the security risks mean from the legal perspective
of the organization. For example, viewed from the standpoint of security experts,
some risks could be of equal relevance if they have the similar likelihoods and
consequences. However, adding the legal picture might change that perspective. To illustrate this, let us examine the legal risk scenario for the other unwanted incident in the security risk analysis. This follows a similar approach to the one discussed above, where the unwanted incident ‘payment data leaks to third party’ is captured from the security threat diagram in Fig. 3 to derive the legal threat scenario ‘client not compliant with EU payment services Directive’ in Fig. 5.
Fig. 5. CORAS legal threat diagram
As shown in Fig. 3, the unwanted incidents ‘personally identifiable information leaks to third party’ and ‘payment data leaks to third party’ have the same likelihood and consequence value, which could mean that they are of equal importance from the perspective of security experts.¹⁰ However, if the legal risk is added to that picture, as in Fig. 4 and Fig. 5, it becomes clear that the second unwanted incident, that is, ‘payment data leaks to third party’, is more important than the first unwanted incident from the legal standing of the organization. This remains the case despite both having the same likelihood and consequences from a security standpoint. This is because, as shown in Fig. 4 and Fig. 5, in a legal context the second (withdrawal of authorization) puts the organization at a higher risk than the first (regulatory fine), although some regulatory fines could also endanger the very existence of the organization. The underlying idea behind such an approach is that organizations should be able to understand what legal problems they would face if these security risks were to materialize and then take appropriate measures to address such legal problems in advance. Considering the security and legal risks together would help organizations determine where to focus their resources. In turn, taking the legal implications into consideration, organizations might be able to prioritize some security risks over others.
¹⁰ This might not always be the case. For example, the organization might assign a different value to personally identifiable information as an asset than to the customer payment data.
In addition, such an approach is essential with regard to organizations’ compliance with data breach notification requirements. Across the EU, there are mandatory breach notification requirements in some sectors, such as the telecom business.¹¹ Many member states have extended such obligations to other sectors domestically. For example, Germany implements data breach notification with regard to bank and credit data, telecommunication data and data collected online, data related to criminal offenses and other particularly sensitive data [13]. The Royal Decree 1720/2007 in Spain requires data controllers to implement, as part of their security policy, provisions related to a notification procedure [13]. Furthermore, currently in the US, 46 states have data breach notification requirements [14]. More importantly, the draft General Data Protection Regulation¹² has a mandatory provision regarding the notification of data breaches. For example, Articles 31 and 32 of the draft Regulation require notification of any data breach to the authorities. Such a breach should be notified both to the authorities and to the data subjects when the data breach is likely to adversely affect the protection of the personal data, or the privacy, the rights or the legitimate interests of the data subject. Such a determination would only be made after taking into consideration the details of the security breach at hand. Therefore, an integrated approach for dealing with security and legal matters together will enable assessing which of the identified security risks, if materialized, would need notification to the authorities or to both the authorities and the data subjects. In this regard, the security risk analysis is essential in providing inputs such as the nature of the data that has been breached (financial, health, etc.), the nature of the breach (widespread or an isolated incident; technical, human error, or theft), and the security level (has the data been encrypted?).¹³
¹¹ Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
¹² Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Considering the data breach notification requirements during the security
risk analysis is particularly important because such laws require organizations to notify the breach within a matter of hours or very few days at most.¹⁴ However,
if organizations manage to address such compliance issues in advance during the
security risk analysis, it would avoid a possible last minute rush and confusion in
determining which risks to report once a security breach occurs. Furthermore,
the security risk analysis becomes essential when we look at the content of the notification that the regulations require. For example, the General Data Protection
Regulation, under its Article 31, states that the content of the notification should
at least include the nature of the personal data breach, the categories and number of data subjects concerned and the categories and number of data records
concerned. Attaching the data breach notification requirement to security risk
analysis would enable organizations to import such content easily from the latter. Therefore, the best time to address issues of data breach notification is when
conducting a security risk analysis. In the above example, considering the nature
of the data under threat, and the nature of the threat, the organization might put
in place a mechanism to notify both the data protection authority and the data
subjects with regard to the second risk (because it involves financial data) and to
notify only the authority with regard to the first risk (because it affects only the
names of individuals). In addition, measures could be taken such as establishing
a communication channel between the security experts and legal team when a
security breach occurs so that the organization would be able to comply with the
notification requirements in the given short time.
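The two procedures described above, deriving the likelihood of a legal consequent from the factual and the legal uncertainty, and triaging breach notification from the security risk record, as an added example in Python (not code from the paper, the CORAS tool or RASEN). The five-step likelihood scale, the list of data categories treated as likely to adversely affect data subjects, the severity ranking of consequents and the sample incidents are constructed for illustration; the multiplication rule and the take-the-higher rule are the ones stated in the text.

```python
"""Legal risk derived from security risk, following the Legal CORAS discussion above.

Added example: SCALE, SENSITIVE, SEVERITY and the sample incidents/norms are constructed
for illustration and are not taken from the CORAS tool or from Lund et al."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Assumed qualitative likelihood scale, ordered from lowest to highest.
SCALE = ["rare", "unlikely", "possible", "likely", "certain"]


@dataclass(frozen=True)
class Likelihood:
    """Either a qualitative label from SCALE or a probability in [0, 1], never both."""
    label: Optional[str] = None
    value: Optional[float] = None

    def __post_init__(self) -> None:
        if (self.label is None) == (self.value is None):
            raise ValueError("give exactly one of label or value")
        if self.label is not None and self.label not in SCALE:
            raise ValueError(f"unknown likelihood label {self.label!r}")
        if self.value is not None and not 0.0 <= self.value <= 1.0:
            raise ValueError("probability must lie in [0, 1]")

    def rank(self) -> float:
        """Comparable rank in [0, 1] for either kind of scale."""
        if self.label is not None:
            return SCALE.index(self.label) / (len(SCALE) - 1)
        return self.value


def combine(factual: Likelihood, legal: Likelihood) -> Likelihood:
    """Likelihood of the consequent from the factual and the legal uncertainty.

    Quantitative values are multiplied (the rule the text attributes to Lund et al.);
    qualitative labels follow the text's rule: equal labels are kept, differing labels
    take the higher one.  Mixing the two kinds of scale is rejected rather than guessed."""
    if factual.value is not None and legal.value is not None:
        return Likelihood(value=factual.value * legal.value)
    if factual.label is not None and legal.label is not None:
        return Likelihood(label=max(factual.label, legal.label, key=SCALE.index))
    raise ValueError("factual and legal likelihoods must use the same kind of scale")


@dataclass(frozen=True)
class UnwantedIncident:
    """An unwanted incident from the security threat diagram (cf. Fig. 3)."""
    name: str
    likelihood: Likelihood           # the factual uncertainty
    data_categories: FrozenSet[str]  # nature of the data at stake
    records_affected: int


@dataclass(frozen=True)
class LegalNorm:
    """A legal norm and the estimated likelihood that it applies (legal uncertainty)."""
    name: str
    applies: Likelihood
    consequent: str


@dataclass
class LegalThreatScenario:
    """An unwanted incident assessed under a norm (cf. Fig. 4 and Fig. 5)."""
    incident: UnwantedIncident
    norm: LegalNorm
    likelihood: Likelihood = field(init=False)

    def __post_init__(self) -> None:
        self.likelihood = combine(self.incident.likelihood, self.norm.applies)


# Assumed severity ranking; the text ranks withdrawal of authorization above a fine.
SEVERITY = {"regulatory fine": 1, "withdrawal of authorization": 2}


def prioritize(scenarios: List[LegalThreatScenario]) -> List[LegalThreatScenario]:
    """Most serious first: by legal severity of the consequent, then by combined likelihood."""
    return sorted(scenarios, reverse=True,
                  key=lambda s: (SEVERITY.get(s.norm.consequent, 0), s.likelihood.rank()))


# Assumed data categories whose leak is "likely to adversely affect" data subjects.
SENSITIVE = frozenset({"payment", "health", "criminal"})


def notification_scope(incident: UnwantedIncident) -> str:
    """Who is notified if the incident materialises, per the text's reading of the draft
    Regulation: every breach goes to the authority, data subjects are added when the
    breach is likely to adversely affect them."""
    if incident.data_categories & SENSITIVE:
        return "authority and data subjects"
    return "authority only"


def notification_content(incident: UnwantedIncident) -> dict:
    """Minimum content the text cites from Article 31, taken from the risk record so it
    need not be reconstructed under the notification deadline."""
    return {"nature_of_breach": incident.name,
            "data_categories": sorted(incident.data_categories),
            "records_concerned": incident.records_affected}


# Constructed instances mirroring Fig. 3 to Fig. 5; likelihoods and counts are illustrative.
PII_LEAK = UnwantedIncident("personally identifiable information leaks to third party",
                            Likelihood(label="possible"), frozenset({"names"}), 5000)
PAYMENT_LEAK = UnwantedIncident("payment data leaks to third party",
                                Likelihood(label="possible"), frozenset({"names", "payment"}), 5000)
ART_17 = LegalNorm("Art. 17 Directive 95/46/EC", Likelihood(label="possible"), "regulatory fine")
PSD = LegalNorm("Payment Services Directive", Likelihood(label="possible"), "withdrawal of authorization")

if __name__ == "__main__":
    for s in prioritize([LegalThreatScenario(PII_LEAK, ART_17), LegalThreatScenario(PAYMENT_LEAK, PSD)]):
        print(f"{s.norm.consequent:28} {s.likelihood.label:9} {notification_scope(s.incident)}")
        print("   ", notification_content(s.incident))
```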
Such an approach may also contribute to the identification of interdisciplinary solutions to the security and legal risks. In other words, security risk analysis could benefit from the legal domain in the sense that legal treatments could be applied to security risks, such as contracts (limiting liability), insurance, and prosecuting offenders who interfere with the security system. Similarly, it may be possible to reduce the likelihood of normative events through non-legal remedies, such as an improved IT system [9].
¹³ A survey by ENISA [14] shows that a risk-based approach to information breach notification is an essential means of balancing the data controllers’ interest in avoiding breach notification fatigue against the interests of those affected by the breach.
¹⁴ For example, Article 2 of Regulation (EU) No 611/2013 states that organizations should notify any breach ‘no later than 24 hours after the detection of the personal data breach’.
3 Testing for Checking Compliance
In the legal context, both assessing risks and placing controls might not be adequate on their own. This is because controls may not always exert the intended or
assumed modifying effect. It is also important to make certain that appropriate
controls, conducts, and behaviors are being checked, ensuring that undesirable
conduct does not occur. Nevertheless, this is not an easy task, mainly for the
following reasons: First, there is often a misalignment in the lifecycles of business operations and regulatory requirements in terms of time, governance, or
stakeholders in the sense that business operations are designed mainly based on
business objectives, whereas regulatory requirements are dictated by external
sources and at different times [15]. Hence, it is often the case that compliance
requirements cannot simply be incorporated into the initial design of process
models [15]. Second, there is the likelihood of conflicts, inconsistencies, and
redundancies between the business operations of organizations and their regulatory requirements [15]. Third, business operations change from time to time to satisfy dynamic business needs, and so do regulatory requirements, although the latter change less often than the former. Therefore, organizations face the daunting task of checking their compliance regularly. Moreover, there are also laws requiring organizations to check their compliance regularly. For example, Article 30(1) of the recent draft European Data Protection Regulation¹⁵ states that: “Organizations should implement appropriate technical and organizational measures to ensure the security of personal information, which includes: (e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.”
The above provision is particularly important because it requires organizations
to conduct some testing. This section underlines the need for technical testing
to support organizations’ compliance with legal norms of relevance to security.¹⁶ This is essential because checking compliance with information security obligations (policies) often involves checking the adequacy and effectiveness of the technical control measures. This implies that organizations will not be able to obtain the required level of assurance regarding their compliance with such obligations unless their compliance checking is corroborated with some kind of technical testing. Despite this, organizations often do not bring in their technical expertise when checking their compliance with legal norms of relevance to security. This could be attributed to the fact that there is no specific technical (security) testing that is designated as relevant for legal purposes. Therefore, the main contribution of this section is to identify the security testing that is relevant to checking compliance with legal norms of relevance to security, and to show how compliance checking could be attached methodologically to a risk analysis so that it improves the efficiency of the compliance checking and perhaps the legal risk analysis. This is particularly relevant because regularly checking everything is next to impossible. At the same time, checking compliance randomly might be ineffective. Therefore, organizations need to be selective in what and how to check. That is where a risk-based approach becomes essential.
¹⁵ An update to the proposal for the General Data Protection Regulation came out on 22 October 2013. The unofficial consolidated version after the LIBE Committee vote, provided by the Rapporteur on 22 October 2013, is available at http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPRRegulation-inofficial-consolidated-LIBE.pdf.
¹⁶ This forms part of an ongoing research project in which we are evaluating the possibility of an integrated methodology for risk and compliance management. The integration between risk management and compliance in general opens up a potential integration where compliance (legal) requirements will be accounted for in risk analysis in general, including security risk analysis. This is because regulations are entirely based on the necessity to protect different stakeholders from risks and need to be considered in the risk analysis.
Often organizations implement different measures but are unable to ascertain whether the implemented measures adequately prevent unwanted behaviors within the organization. From a legal standpoint, it is more important for organizations to make sure that the implemented controls achieve their intended objectives. If not, they run the risk of falling afoul of the law. Moreover, organizations should be able to check, in an efficient manner, that they are in compliance with legal norms of relevance to security. This is because the cost of implementing compliance measures and an inspection policy is often significant [16], whereas the resources available for compliance checking are not unlimited. In this respect, following a risk-based approach to compliance checking becomes essential. This is because the (legal) risk analysis could support organizations’ decisions on where to focus their resources in order to get the necessary assurance that they are in compliance. Apart from that, the testing could also be used as a source for identifying new risks.
Müller and Supatgiat [16] have examined a risk-based approach to compliance management in which they assess the risk of non-compliance (in terms of costs), the cost of the measure that needs to be implemented in order to comply, the cost of checking the effectiveness of the measure, and the likelihood of the auditor spotting the non-compliance [16]. They employed a mathematical formula to capture all these factors in terms of cost [16]. This enables organizations to allocate their compliance resources efficiently to those rules that pose high non-compliance risks, taking account of the likelihood of being spotted by auditors. However, their approach is purely quantitative and relies on a complex mathematical approach, which makes it hard for lawyers to understand. Furthermore, their approach does not provide a systematic methodology for how such risks can be identified, assessed and evaluated.
Fig. 6 shows the interaction between legal risk analysis and testing in the legal
context.
Compliance checking is commonly referred to as auditing [17]. Therefore, in the legal context, we refer to audit testing. Doing so would avoid some confusion, as audit testing also involves non-technical testing. The primary goal of audit testing is to assure organizations that they are in compliance with legal norms of relevance to security.
Fig. 6. Testing and legal risk analysis
In the context of information security, it is common that testing and risk analysis
support each other. This could occur, for example, through risk-based testing.
Such an approach is believed to improve the effectiveness of testing. Similarly,
as in the figure above, legal risk analysis can be used to identify which areas of an organization should be tested to ascertain its compliance with legal norms of relevance to security. Therefore, legal risk analysis will provide input when planning the test, that is, what to test and how to test it. A risk-based approach toward auditing enables efficient allocation of resources to high-risk departments or areas. Depending on the test results and the nature of the gap identified through testing, one can either opt for a second iteration of legal risk analysis or follow the test with a much simplified approach, referred to as deficiency management, in which the gaps are addressed without going through the formal procedures of risk management or are marked for close follow-up.
Audit testing can involve both technical and non-technical testing. The technical testing which is relevant for the legal context is referred to as conformance testing in the Common Criteria [18], where the evaluator/tester is required to devise
and conduct tests with the objective of confirming that the target of evaluation
(TOE) operates in accordance with its design representations, including, but not
limited to, the functional specifications. The main goal of such an approach is to
gain confidence in correct operation through representative testing, rather than to
conduct every possible test [18]. In this regard, the legal risk analysis can be used to
identify such a representative sample. From a legal perspective, conformance testing enhances the assurance given to organizations that they are in compliance with their information security obligations. For example, for the purposes of legal norms of relevance to security, this would involve the evaluation of the correct implementation of the technical measures in place that protect information, control individual
access to information, and guard against unauthorized access to data transmitted
over a communications network. Equally relevant, from a legal perspective, is that
organizations should be able to demonstrate that they are compliant with such legal
rules. Therefore, certifications for tested controls will also ease organizations’ need
to demonstrate compliance with information security obligations.
Non-technical testing involves evaluating and testing the effectiveness of the implementation of policies, procedures, and business processes put in place to adhere to legal norms.¹⁷ This could be done, for instance, by selecting high-risk departments and reviewing their implemented policies and procedures to determine whether there is a gap between those policies and procedures and the compliance requirements, through observation of business procedures and inquiry into and examination of different documentation and interactions. It also involves evaluating documented administrative procedures pertaining to the selection and execution of certain compliance measures. For example, for the purposes of legal norms of relevance to information security, non-technical testing involves checking physical computer systems and related buildings and equipment for protection from fire and other natural environmental hazards, as well as intrusion.
¹⁷ Although it may not reflect the conventional usage within the technical sphere to refer to such tasks as testing, it is not uncommon to encounter such a reference. For example, the Organizations of the Treadway Commission (COSO) refers to compliance measures as “controls” and to the inspection policy as “testing” the controls [16]. Similarly, privacy regulations refer to compliance measures as “access control measures” and to inspections as “testing” the controls [16].
Ultimately, it is important to point out that such tasks could be automated
with the support of tools. In this regard, the ongoing work in RASEN¹⁸ is expected to contribute to the effective use of such methods. In that project, we are
evaluating the integration of risk assessment, risk management, and testing tools,
where a risk management tool automatically initiates testing at certain time intervals, with details of who, what, and how to test; the testers conduct their tests
and report their test results to that tool. Such integration would also enable the
results of a risk assessment conducted in the CORAS tool to be imported to the
risk management tool. This would provide organizations with a platform for integrating the above presented approaches supported by these tools. Furthermore,
the project offers the platform to test the above discussed approaches using real
life scenarios.
4 Conclusion
As the regulatory requirements in the area of information security become increasingly stringent and as the regulatory fines for breaches increase, organizations need to address technical and legal risks together. This paper identified a potential point of synergy between legal risk and security risk analysis as well as between compliance checking and security testing. It has been shown that when assessing risks resulting from legal norms of relevance to information security, security risk analysis can be used as a basis, allowing organizations to understand the legal implications of their security risks. In addition, it is indicated that checking compliance with legal norms of relevance to information security benefits significantly from the support of security testing. In particular, the use of conformance testing enhances the level of assurance given to organizations that they are in compliance with such obligations. Furthermore, it has been indicated that a risk-based approach to compliance checking improves the efficiency of organizations in allocating their resources to high-risk areas or departments. If needed, the testing could also be used to identify new risks, which could be followed by another iteration of legal risk analysis or a simplified approach, i.e. deficiency management.
18 RASEN (316853) is an EC funded project with the main objective of strengthening European
organizations’ ability to conduct security assessments of large scale networked systems through
the combination of security risk assessment and security testing, taking into account the context
in which the system is used, such as liability, legal and organizational issues as well as technical
issues. See further http://www.rasen-project.eu/.
Acknowledgments. This work has been funded by the European Commission
via the RASEN (316853) project. Thanks are also due to Tobias Mahler for his
continuous guidance and support.
Benchmarking eGovernment Quality – Whose Quality Are We Measuring?1
Arild Jansen, Section for eGovernment, University of Oslo, Norway, [email protected]
Svein Ølnes, Western Norway Research Centre, Norway, [email protected]
Abstract. This paper analyses the results of several years of benchmarking of public online services in Norway. We compare these data, which show significant differences in measured quality between small and larger municipalities, with results from a comprehensive survey measuring citizens’ satisfaction with public services. Finding that these observed differences are not supported by the user survey, we have to ask: whose quality are we really measuring? Many evaluation systems rely on similar heuristic methods, e.g. the EU’s eGovernment benchmark 2012 framework, while the Danish benchmarking system has a different approach. The paper argues for a multi-dimensional approach to the evaluation of public websites and gives some suggestions for this.
Keywords: Quality, Heuristics, Benchmarking, Evaluation, eGovernment
1 Introduction
Given the high priority of digital public service provision, the quality of these services is important. Evaluating digital services is thus of crucial importance to ensure that the overall goals have been reached. Several benchmarking systems have been applied; many of them are of great importance. Most notably, the EU’s eGovernment Benchmark 2012 [1] is an important tool for evaluating the effect of EU initiatives and the different national ICT policies. However, critics have also argued that the EU benchmarking system needs a thorough rework [2]. Schellong [3], in his evaluation of the EU’s eGovernment benchmarking system, points to several troubling issues and suggests a number of improvements.
Norway is among the countries with a long history of evaluating public websites, which has been carried out annually since 2001. The Norwegian framework is built on a set of general indicators common to all websites, using expert-based heuristics, and there have been relatively small changes during the last 10 years. This framework is partly in line with the EU benchmarking system, but different from e.g. the Danish benchmarking system, where domain-specific indicators are used [4].
1 Paper presented at EGOV 2013, Koblenz, September 16-19 2013.
Bannister [5] points to several problems with benchmarking in general: Firstly, any ranking system needs a final single scale and the ability to compute a score on that scale. Secondly, if what one is ranking is a concept or a mental state (e.g. attitude) rather than something concrete, it becomes necessary to use psychometric-type tools. Bannister emphasizes that the answers to these questions will vary with the context.
This paper compares the results from the Norwegian evaluations of public websites with a comprehensive citizen survey and finds that there are diverging conceptions of quality. Such findings provide arguments for asking whether the quality criteria formulated in the Norwegian evaluations, and partly included in the EU eGovernment benchmarking, reflect a different conception of quality than the one perceived by the end users. Heuristic-based evaluation systems for public websites are necessary to raise awareness of common design principles, but may not be sufficient to assure quality for the end users. On the other hand, Denmark uses a combination of automated and manually assessed indicators [8], and in addition a short user survey.
Our main research question is accordingly: What quality is measured in the various benchmarking systems and for whom are we evaluating?
Furthermore, the development of benchmarking systems must be guided by some overall objective. A sub-question is thus: Are the objectives of evaluations compatible, and are the methods used adequate?
Brief on our research approach: This work is based on an inductive approach, in which we use data from various benchmarks and evaluations: i) the Norwegian evaluation of public websites from 2007 to 2011 [6], ii) a survey among users of Norwegian public services from 2009/2010 [7]. Furthermore, we have carried out a limited literature review based on relevant literature from the eGovernment Reference Library (EGRL). The insights gained from these results are used as reference when analysing the criteria used in the Danish “Bedst på nettet” [8] and the EU’s benchmarking system [1]. Through these comparisons, we suggest some guidelines for developing more adequate frameworks for measuring the quality of information and public e-services. Our focus is on the quality of available online services, and not on broader issues such as benchmarking capabilities of eGovernment across nations.
The structure of the paper is as follows. In chapter 2 we discuss the quality concept as well as different heuristic models for evaluations. In chapter 3 we analyse the results from the Norwegian quality evaluations, fuelling our question of whose quality we are measuring. Chapter 4 concludes by suggesting a broader approach to quality assessment of eGovernment online services.
2 Can We Measure Quality?
Few words have been more used and misused than quality. Public as well as private companies emphasize the importance of increased quality of services, but very often they fail to define what quality means. Some definitions can illustrate this:
• a system’s capability to satisfy needs, expectations and requests [9]
• the proportion between expected and experienced yield of a system [10]
These definitions emphasize different aspects of quality. The first one looks at measuring the difference between what is specified and what is measured or registered through ‘objective’ criteria, while the other is based on experienced properties, that is, ‘a subjective evaluation from the individual user concerned’.
ISO-8402 of the ISO-9000 standard gives guidelines for quality management and quality assurance and uses this definition of quality: “Quality is defined as the total sum of properties a unit carries and that concerns its ability to satisfy explicitly expressed or implied needs”.
Dahlbom and Mathiassen [9] hold that quality is then often measured and analysed in terms of a number of factors, such as correctness, reliability, efficiency, integrity, usability, flexibility, interoperability, portability, etc. Each of these factors is more or less explicitly defined in order to give a precise meaning to the term used. However, some of these factors may contradict each other [9, p. 140].
In general, we may use two different forms of evaluation: one based on metrics, measuring objectively measurable attributes (criteria), and one based on perceived quality. The latter depends on competence and individual judgement, and may also include aesthetic factors (e.g. how a webpage looks) and symbolic aspects as part of the overall quality; symbolism has to do with the social use of a website, e.g. as a means for communicating the culture of an organisation. In this respect, understanding quality must also include cultural aspects and even a political dimension (interests and power), which is about why we evaluate and how the results will be used. Accordingly, quality criteria must conform to the overall goals, and furthermore to the needs of important user groups and other stakeholders.
2.1 Heuristic Models for Measuring Quality
Measuring the quality of websites often relies on heuristic methods, which have become the most used approach for expert-oriented evaluations [14]. Kahneman [15] offers this definition of heuristics: “A simple procedure that helps find adequate, though often imperfect, answers to difficult questions”. A more practical definition concerning their use in website evaluations is “all the sets of process guides, principles, criteria, tips and tricks, and guidelines that are available to support web designer” [16]. It should be added that in the ongoing process of developing and broadening the scope of public website evaluation, the focus has shifted from almost solely assessing usability issues to adding more and more governmental issues such as the level of digital service provision.
The heuristic method for evaluating website quality was developed by Nielsen and Molich in the early 1990s [17]. In a heuristic evaluation, one or more experts check a given website using a predefined set of evaluation criteria, the heuristics [14]. The heuristics developed by Nielsen and Molich were primarily aimed at evaluating user interfaces, and consist of ten basic principles derived from studies of problems found in dealing with user interfaces. However, although the heuristic model involving an expert evaluation is much used, we do not know very much about how heuristics function [14]. Donker-Kuijer et al. [14] analysed five e-Government heuristics with respect to (a) context of use, (b) the information they cover, (c) their validity, and (d) their presentation format (ibid.). Their conclusion was that the government heuristics are very complex documents, difficult for (end) users to read and comprehend. Also, information about the foundations of the heuristics is often missing, making it difficult to judge the quality of the heuristics. Compliance with the heuristics is also in many cases difficult to check because it requires an extensive amount of automated and (manual) expert evaluation techniques. All in all, the authors seriously doubt whether the examined heuristics aid the experts in their work. De Jong and van der Geest [16] distinguish between these four foundations for heuristics:
1. Standards-based heuristics
2. Theory-based heuristics
3. Research-based heuristics
4. Practitioners’ heuristics
Heuristic models have their weaknesses and limitations, but for large-scale screening of website quality there are hardly any alternatives. For measuring the usability aspects there are methods like user testing. In his book Usability Engineering [18] Jakob Nielsen discusses the usability of a system and refers to concepts like user friendliness, usability and usefulness, which can all be viewed as different dimensions of system acceptability. One of his main arguments is that different categories of users, different user situations and individually different preferences make usability testing difficult. He points to three main dimensions:
• experience with computers and relevant computer systems in general
• experience with the actual system (novice – expert)
• knowledge and competence in the actual domain where the system is used
The heuristic methods are especially suited for evaluating usability. Nielsen [18] has formulated 10 heuristic principles for usability, derived from the usability properties listed above. Nielsen points to problems with user testing in general, where the results will differ because of different user categories as mentioned above. We agree with Nielsen that user tests should take into account all three dimensions.
2.2 Using Heuristics when Measuring Quality of Public Services
Norway has been evaluating public websites since 2001, and the number has risen from around 500 to more than 700, of which approximately 430 are municipality sites and the rest various governmental agencies’ websites. This work is based on the following definition of quality: “The quality of websites in this project is defined as that public information and services on the Internet must meet a predefined standard or level that can satisfy some central user needs” [11].
The central guidelines for the development of quality assessment indicators are:
• the governmental ICT policy [12]
• relevant laws, regulations and principles for public administration
• widely accepted standards and guidelines on the web (= heuristics), formulated by the W3C, especially their recommendations for web accessibility, expressed through the recent Web Content Accessibility Guidelines 2.0 (WCAG) [13].
The overall structure of quality indicators has been based on these three dimensions: i) Accessibility, ii) Usability, iii) Useful services.
Similarly, the Danish benchmarking system (Bedst paa nettet) started out in 2001 as an expert evaluation based on a mainly heuristic set of criteria. Gradually it has shifted the focus to the citizens with the introduction of user surveys, after having tried both sector-specific criteria sets and self-evaluations. The 2012 benchmarking consists of an accessibility evaluation, Webtjek, which is a combination of automated and manually assessed indicators [8]. In addition to the screening, it also includes a user survey of eight questions which all municipalities and governmental agencies must carry out in order to participate in the contest.
The EU’s benchmarking system has been a cornerstone of the Commission’s ”open method of coordination” since the Lisbon meeting that introduced the first eEurope plan [3]. It has been regarded as a success due to its influence on eGovernment progress and policies in the EU. However, it has also been criticized for being too focused on the supply side of eGovernment and not really user oriented. The “Insight Report” [26] presents the findings of the 2012 eGovernment survey. The framework for this survey is rather complex and includes three main areas: i) a demand-side citizen view of public services, ii) three life-event assessments of very relevant customer experiences, iii) an assessment of five key technology enablers, the foundations on which services can be delivered in a more consistent manner. In each country two mystery shoppers assessed these life events against seven criteria.
In the demand-side citizen survey 28,000 internet-using citizens were asked 27 questions about 19 common citizen services. These questions include eGovernment use and channel preferences, barriers, eGovernment satisfaction, and finally fulfillment and benefits: reasons for using eGovernment services and whether governments are able to meet the expectations citizens have. It cannot be questioned that the results from this survey are very interesting and useful for the work on improving online services, both at a national and an international level. However, whether these data should be used for comparison between countries is questionable, being based on subjective and (volatile) criteria.
2.3 Assessment and Benchmarking of e-Government Initiatives
Benchmarking of governmental websites and national e-government initiatives has been conducted for a number of years. There are several well-established surveys on e-government, e.g. CapGemini [19], United Nations [20], and West [20]. These surveys employ different assessment models for e-readiness, digital divide and other relevant factors, leading to varying conclusions on the global state of e-government. The grounds for these efforts are well illustrated by a statement from the EU report [21]:
“The ministerial declaration on the eGovernment conference, together with benchmarking survey should give political momentum to the development of online public services and to the identification of the needs for these services at pan-European level. This will have to be complemented by a focus on back-office re-organization, the creation electronic marketplaces for public procurement and investment in new equipment in administration”.
Although eGovernment benchmarks are derived from political goals and decisions, their results in many cases generate political discussions and may lead to new political decisions. In itself this is not a problem; that is what benchmarking systems are developed for, but if the results are not comparable, it can be a serious problem. Schellong [3] shows that the rankings in three major eGovernment benchmarks (EUeGovBe, UN and Brown/Brookings) differ rather remarkably, almost dramatically. This shows that comparisons of benchmarks, e.g. between countries, are not only difficult but often downright wrong, as Schellong [3] and Bannister [5] warn.
3 Results from the Norwegian Quality Evaluations
Below we present the results from two different studies: (a) the results from the expert evaluation of public websites 2007 to 2011 [6], and (b) a user survey targeted at the users of public websites [7].
3.1 Expert Evaluations of Websites 2007 - 2011
The set of indicators used for expert evaluation of public websites in Norway has undergone only modest changes from 2007 to 2011. The indicators are divided into three subsets, as listed in the following table. The table also shows the number of indicators and the maximum score in points per subset.

Subset            2007                            2011
                  No. of indicators  Max. points  No. of indicators  Max. points
Accessibility     11                 27           11                 28
Usability         14                 37           12                 30
Useful services    7                 28           10                 35
Total             32                 92           33                 93

Table 1: Indicator set in 2007 and 2011
The usability indicators are mostly based on the heuristic principles for usability
formulated by Nielsen [18]. The last set of indicators, useful services, looks at the
service provision from a user’s point of view.
The only weighting in the set is in the maximum number of points for each indicator. The table above shows that useful services have been given priority over accessibility and especially usability over the period of five years. This reflects the strategy at the national level, where provision of digital services to the citizens has been given an increasingly higher priority. The weight on accessibility has remained almost constant and only usability has lost weight compared to the other subsets.
The following table gives the results for the 2007 and the 2011 evaluations and the change in percentage points for this period. The municipalities are divided into three groups by population: up to 5 000, from 5 000 to 20 000, and more than 20 000 people [27]. The labels ‘medium’ and ‘large’ must be seen with respect to the general size of Norwegian municipalities. Most of them are small by any measure.

Table 2: Total score for municipality websites by size (percentage of max. points)

Municipality group                                   2007   2011   Change (% points)
Small municipalities (< 5 000)
  (N = 226 in 2007 and 229 in 2011)                  46.6   58.4   11.8
Medium-sized municipalities (5 000 – 20 000)
  (N = 148 in 2007 and 2011)                         50.7   66.1   15.4
Large municipalities (> 20 000)
  (N = 52 both in 2007 and 2011)                     58.4   72.0   13.6
Average, all municipalities                          49.5   62.7   13.2

Significant differences both between municipality sizes and years (95 % confidence interval).
The results in the table above show that the large municipalities scored better than small and medium-sized municipalities, and they have also had the greatest improvement over the last five years in terms of quality of websites as measured with this evaluation system. The difference in quality of websites between small, medium-sized, and large municipalities is increasing. Part of this difference can probably be attributed to the increasing weight put on useful services, which in 2011 counted for 37.6 % of the maximum score compared to 30.4 % in the 2007 indicator set.
3.2 Survey among Users of Public Services
Norway also undertakes a comprehensive user survey of public services at 3-4 year intervals. The last published survey is from 2009/2010 and comprises questions from a range of governmental bodies and municipalities [7]. It is a large survey with questions from many sectors and services. The survey consisted of two main parts, where the first part was sent to some 30,000 citizens above 18 years, and the response rate was 42 %. The second part of the survey was sent to those respondents of the first part that had some experience with any of the chosen public services during the latest year. Part two of the survey was sent to 11,135 of the original 30,000 citizens, and the response rate was 60 % (ibid.).
Of special relevance for this paper is the question of satisfaction with digital municipality services grouped by size of municipality. The results from 2009/2010 show that there is no significant difference in satisfaction between citizens from small municipalities and citizens from larger ones. In services like planning and building permissions and care for elderly people, citizens from small municipalities give higher scores than citizens from larger municipalities. But in services like kindergarten and primary school the result is the opposite; citizens from larger municipalities are more satisfied than citizens from smaller municipalities. All in all, the users’ satisfaction with digital services cannot help us explain the differences in quality observed in the expert evaluations of the websites. This could very well be an example of what Jakob Nielsen calls the first rule of usability: “Don’t listen to the users, watch them work”2. These results make it necessary to ask: what quality are we evaluating, and for whom?
3.2 Better Quality for the Users?
The objective for evaluating public websites in Norway as well as in Denmark has been to stimulate quality improvement. The results from Norway presented above show that there have been improvements from the evaluation in 2007 to the last one undertaken in 2011, in terms of overall score on the quality indicators. Analysis of the same evaluation for the first years, 2001-2003, also shows a significant improvement in quality [11]. Thus, the main objective of the evaluation project seems to have been met.
We cannot be sure that this really is an indication of better digital services for the users. The results from the user survey described above do not confirm these results; in particular they do not support the observed difference in measured quality between small and large municipalities. So what is actually measured in the evaluations of public websites? The problem with the heuristics on which the evaluations are built is that they do not necessarily coincide with genuine user needs and behaviour. An important aspect that is missing in the expert evaluations is context, as these evaluations are all carried out through expert testing, which is clearly different from the context of a typical user.
Usability testing would be an obvious response to the problems of the expert-based heuristics and the context problem. But given the number of websites and the vast, accumulated amount of information on them, regular usability testing would not be feasible. Of the three main categories of indicators used in the Norwegian evaluations, the accessibility category is the least difficult to assess, given the general and widely used heuristics derived from W3C’s WCAG work. The more we assess usability and usefulness of websites, the more difficult it gets, because our expert-based heuristics have difficulties in capturing the needs and the experiences of a real user.
2 http://www.nngroup.com/articles/first-rule-of-usability-dont-listen-to-users/
4 Evaluating Public Websites: What Answers Do We Really Get?
Our main research question was: “What quality is measured in the various benchmarking systems and for whom are we evaluating?” The discussion above shows that the various evaluation and benchmarking frameworks that have been used in the past 10-15 years produce rather different, if not contradictory, results in terms of scores and ranking of the different countries. For example, Schellong [3] shows that the rankings in three major eGovernment benchmarks differ significantly. At a national level, the two different evaluations of public websites in Norway as well as the Danish one are not compatible, but they all produce relevant results.
Such differences are not in themselves problematic, as they can be attributed to different approaches (methods): the criteria are not compatible and the samples represent distinct universes. The first aspect concerns what type of measurement method we use (questionnaires, interviews or heuristics involving users or experts, etc.). Another aspect is scope: what is to be measured, which is determined by the purpose. The third one is scale, which implies limiting the socio-demographic reach of an evaluation, and what is to be assessed and compared. However, the way such results are used creates a lot of confusion and often misleading conclusions when the context of the evaluations is not taken into consideration. In this way they can be a misleading basis for political priorities.
The other research question was: Are the objectives of the evaluations compatible, and are the methods used adequate?
Our understanding of quality is closely linked to fulfilling overall goals and supporting (political) priorities, and has to include various perspectives and dimensions. However, there is often a lack of a clear connection between the purpose of an evaluation and what dimension(s) or perspectives shall be evaluated. This is illustrated by the multi-functional character of a municipal website: to serve democratic ideals, to focus mainly on service delivery (customer orientation) in the service provision, as well as to emphasize the efficiency perspective. These goals are not necessarily compatible. In that respect, we believe that the last EU benchmark is an improvement, but it still creates some confusion. Our first suggestion is thus:
1. The design of an evaluation framework should be compatible with the specific goals and priorities that are defined.
Measuring quality should not rely on one single method or approach, but cover different perspectives, and include both objective and subjective criteria depending on the purpose of the measurements. This requires different approaches, including formal methods such as measurements based on well-defined metrics along with more heuristic-based evaluations, user testing, etc. Important in this work is to design detailed user scenarios and different user settings in which the website is to be evaluated. These different perspectives have important implications for how we define the quality requirements. This point is illustrated by the EU benchmark framework, based on an eGovernment “Progress diamond” including four dimensions: i) Better eGovernment, ii) Efficient eGovernment processes, iii) eGovernment building blocks and iv) eGovernment empowerment. Our second suggestion is then:
2. The selection of the quality criteria set should reflect the perspectives that are the primary target for the evaluations.
Is standardisation one way to go? We do agree that a “mild standardisation” in the
benchmarking approach (criteria set, methods used, type of heuristics, etc.) can
be an efficient way of help improving the quality of public web sites and it can also
be an efficient instrument to ensure that public bodies follow standards; either
formally approved standards or recommended standards. It presupposes, however, that such standards as well as the arguments for such standards are widely
recognised, which also imply that the objectives are well defined and accepted.
However, we emphasize that the indicator sets should include more criteria
than those the existing evaluations are based on. We furthermore claim that these
evaluations should be supplemented with other types of testing in order to get
a more comprehensive picture of a web site. The experiences from such testing
can then be used to further develop these indicator sets. Usability tests of a selection of the evaluated websites would give valuable feedback to the development
of indicators. Surveys among users and those responsible for the work with the
websites are also valuable methods that can give a richer picture and complement
the overall quality issue. It is then important to bring these methods together in a
common framework, and not separating them in different projects and processes
as is currently done in Norway. Our third suggestion is thus:
3. Evaluation or assessment frameworks should combine multiple methods and techniques, and should be used in ways that allow for learning and knowledge accumulation within this field.
Yulex 2013
There is clearly a need for more research, e.g. studies in which different methods of quality assessment are combined and the effects are ultimately measured on real users. There is a need to combine heuristic methods (expert evaluations), usability tests and user surveys in order to find the links between them. Such research should also help inform practitioners and, not least, decision-makers (politicians, etc.) about the usefulness as well as the limitations of various benchmark approaches.
Legal definitions and semantic
interoperability in electronic government
Dag Wiese Schartum
1 Introductory remarks
This article is based on the assumption that inadequate legislative methods constitute a problem within areas of law where legislation will be implemented by means of ICT-based systems in the government sector (“eGovernment systems”). I discuss the drafting of legislation when it is clear that the law will be implemented by means of eGovernment systems, in particular ICT systems performing a high degree of automated collection and further processing of data in individual cases.1 The relation between legislation and the ICT government systems implementing this legislation is, of course, many-sided. Here I highlight only questions regarding the choice of words and phrases and their definition.
As an introductory comment, I will remind the reader about the very central role legal regulations have within the area of government administration.
Individual decisions in government administration will almost always have legal bases and implications. When eGovernment systems are developed, input,
processing and output must to a large degree be evaluated within a legal framework. The question is whether this legal framework is, or could develop to be,
compatible with technological requirements (and vice versa).
Words in legislation describing the factual bases of decisions in individual cases (e.g. “live-in partner”, “residence” and “wage earnings”) may often not be understood in terms of colloquial language, but must be interpreted pursuant to the relevant legal sources which establish the legally correct definitions. Easy and reliable access to legal definitions2 or other clarifications of legal concepts is thus a crucial first step for anyone aiming to map the semantics of such legislation, for instance in order to develop ICT systems and exchange data between government agencies.
1 Such as cases concerning various taxes and duties, social benefits, admission to the educational system etc.
2 When parties of cases are individuals, many of the legal concepts relate to personal information which comes under personal data legislation. Data protection and privacy questions, however, will not be addressed in this article.
Because they describe basic aspects of citizens’ lives, some words and the corresponding types of data are used in several legal decision-making processes.3
Information regarding identity (name, personal identity number etc), connections to other individuals (relationship, marriage, employment, etc.) and sources
of income (wage earnings, social benefits, pensions, etc.) are among the types of
data which are often bases of individual decisions. Other types have more specialized use (“residence permit”, “unemployed”, etc.), while a third group is highly
specialized and corresponds most likely to information needs of very few government agencies (“patent number”, “date of bankruptcy petition”). The initial
expectation, however, should be that most types of government data are relevant
and of potential use to at least two government agencies – sometimes several.
In other words, there is seemingly great potential for designing eGovernment systems for sharing such information. This is an important reason why semantic interoperability and reuse of data is a central objective of the EU and of many European governments.4
In this article I discuss questions of semantic interoperability within administrative law and eGovernment information systems or, in other words, the
important overlapping area between semantics as a general topic and legal interoperability.5 My contribution is not based on the view that semantic interoperability between legal instruments is always a possible and sensible strategy.
Within some areas, needs exist to choose definitions of terms which are different
from existing and almost identical definitions. Sometimes politicians may find differences necessary in order to express something which yields fair and politically acceptable results. If so, the consequence may be that reuse of existing information resources will not be desirable, and the time and expense of information processing may thus rise. Having said this, it is important to add that a lack of awareness, methods and tools may make it difficult to identify and choose semantic interoperability in legislation relating to public administration even when it is possible and desirable to do so. This article is based on the firm assumption that, in many cases, there is unexploited potential for data sharing and reuse, and that often this is not due to valid political and legal grounds but results from a lack of awareness and capability.6
3 Corresponding situations arise regarding information about businesses, but the discussions here will primarily concern private citizens.
4 Cf European Interoperability Framework (EIF) for European public services, v. 2.
5 In public administration there are, of course, semantic questions not related to law (although very many questions are), and there are questions of legal interoperability not related to semantics which I will not elaborate on here.
6 Questions of concepts denoting facts are certainly not the only category of concept within this overlapping area between law and semantics. Equally important and interesting is the issue of concepts denoting operations, i.e., how factual information should be processed. Here, however, I will emphasize the first category.
The major empirical material on which the following discussion is based is an examination of all new Norwegian laws in the period 2007–2010, identifying the extent to which and the way in which the legislator has established legal
definitions, that is, occurrences where the meaning of legal terms is decided in a
statute.7 To the extent that words and phrases are fully defined in a statutory text,
concepts are to a large degree fixed and only to a limited extent open for interpretation. Thus, legal definitions represent an important statutory technique with
direct effects and potentials for the development of adequate information systems
in government administration.
2 Interoperability and the law
Interoperability between eGovernment systems is often seen as comprising four layers: technical, semantic, organizational and legal, set within a political context.8 One aspect of
legal interoperability concerns legal semantic questions.9 Here, I understand semantic interoperability as the ability to exchange information and to mutually use
the information which has been exchanged.10 One of the questions on the layer of
legal interoperability is the extent to which information based on legally defined
concepts can be exchanged.
We may partly talk about horizontal legal-semantic interoperability, that is,
use of the same concepts with one uniform definition in different Acts.11 Another
aspect is the degree of semantic interoperability in statutory hierarchies, meaning
between Acts of Parliament, secondary regulatory levels and instruments of their
implementation. Such vertical legal-semantic interoperability exists if uniform
definitions are established from top to bottom; for example, Acts, regulations,
government’s internal guidelines on application of the law, as well as forms and
eGovernment systems developed to implement the law. Here, I will not discuss
7 See Dag Wiese Schartum: Legaldefinisjoner i nyere norske lover [Legal Definitions in Novel Norwegian Laws]. Unipub forlag 2011 (ISBN 9788272261381), CompLex (6/11). Definitions could also be part of preparatory works of the law, cf section 6 (below).
8 See, European Interoperability Framework (EIF) for European public services, v. 2, section 4.1.
9 In contrast to the explanation of legal interoperability in European Interoperability Framework
(EIF) for European public services, v. 2, section 4.3, I will claim that this concept should give
room for more than exchange of data and also include other aspects of coherence and compatibility between laws, for instance regarding overall statutory structure, external and internal reference structures between/ within laws etc; that is, other qualities which determine how difficult
it is to understand the interplay between related laws.
10 Cf the European Interoperability Framework (EIF) for European public services, v. 2, section
4.5, which describes semantic interoperability as ”the meaning of data elements and the relationship between them”, including ”developing vocabulary to describe data exchanges” and ensuring
”that data elements are understood in the same way by communicating parties”.
11 Data definition in Act 1 is equal to definition in Act 2 (DAct1 = DAct2).
the vertical aspects in any detail, but only note them as a basic requirement for legislation and appurtenant eGovernment systems. Unlike the horizontal aspects of legal-semantic interoperability, the vertical aspects are rarely contested.12
Figure 1. Horizontal and vertical aspects of legal semantic interoperability
Legal interoperability within the semantic field should first and foremost be the
result of the legislative process and not only, or primarily, be a question which
is solved in the course of implementation. In Norway, modernization of public
administration is first and foremost on the technological agenda. Related legal
initiatives are to a large extent about removing juridical obstacles and paving
the way for desired computerized solutions.13 Such reactive approaches may of
course be necessary. This article is based on the view that laws should as far
as possible be drafted to fit with technological and administrative models and
processes from the start. My research on legal concepts and their definitions therefore to a large extent concerns how the legislative process ought to be conducted in order to prepare the ground for the development of eGovernment systems designed to implement legislation.
12 But certainly not without problems; see Dag Wiese Schartum: Om forholdet mellom forvaltningslover og tilknyttede skjemaer [On the Connection Between Administrative Laws and
Related Forms]. Lov og rett 2011 ;Volume 50.(9), 551-566.
13 See, Norwegian eGovernment Program - Digitization public sector services, section 3.9, available from http://www.regjeringen.no/en/dep/fad.htm.
3 Legal definitions and the vague nature of legal concepts
In many ways, administrative law is about the art of handling vagueness and
discretion in natural language. When passed, statutory texts are open for interpretation and often with considerable manoeuvring room for those applying the
law. This uncertainty may be intended and could be the result of the admission
that it is difficult to formulate a clear and fixed rule regarding, for example, a difficult problem area undergoing rapid development. Even if they do not clearly admit it, legislators may decide on the basis of the view that “you never know about
the future”, and thus have rather low ambitions as to the degree of preciseness of
legal concepts. Instead of clarifying every possible question of how terms may be
interpreted in every type of future situation, legislators may trust that the context
will give sufficient guidance and rely on the assumption that those applying the
law will have sufficient competence to make reasonable choices in the future. If no
known individual case makes an interpretation question topical, it may furthermore be regarded as too theoretical to be solved. Legislators may thus choose to
trust that courts of justice and other actors of the legal system will identify problems and solve them in due time, and to the extent questions of interpretation
should prove to be of practical significance.
It is important to understand the interaction between legislators and other actors of the legal system in order to explain the rather “shocking” degree of uncertainty and need to interpret statutory texts. The fact that the judiciary, appellate
authorities and legal theory may analyse and solve various questions over time,
represents a technique to adapt law to actual situations, and not only presuppose
situations which have been predicted in the legislative process. With regard to
legal concepts in statute law, this may, in other words, be seen as a continuous
definition process: It starts with rather vague concepts and continues with continuously increased precision over the years, and – probably – ends up as relatively
well-defined concepts. Viewed in this way, application of the law implies a dynamic process of concept definition where various actors of the legal system take
part in a continuous and rather open deliberative process.
In contrast, establishing legal definitions, that is, more or less fixing the meanings of terms and phrases in laws, implies that much of the definition process precedes implementation. Semantic and legal flexibility/uncertainty is thus exchanged for a higher degree of semantic rigidity/certainty, so that the ground is better prepared for the establishment of information systems.
Figure 2. Traditional development of legal definitions over time
Figure 2 illustrates how definitions in statutory law (DS) may be rudimentary and handed over to case law for complementation over time (cf. DCL1–3). To the extent
that individual fairness and political flexibility and control are prioritized, such a
continuous process of definition and redefinition could be considered reasonable
and even valuable. However, emphasis on efficiency of case processing, automation and lowering of administrative costs provides an argument for choosing predefined and relatively fixed legal concepts. In this event, the significance of case
law will be reduced (but may not be eliminated).
When legal-semantic interoperability is an aim, a high degree of definitional precision is required already in the regulatory process, rather than being left to case-by-case application of the law. The regulatory process should then yield results in harmony with the requirements of the eGovernment system which is necessary for the implementation of the law. Thus, such definition processes must be system driven, that is, the degree of definition must be decided on the basis of system needs (and not the needs of a case-by-case approach).14
Most legal terms are not explicitly defined.15 Only a small selection of words and phrases in laws are defined on the statutory level. However, the results of my investigations demonstrate that legal definitions in Norwegian legislation are usually not designed to solve every definition issue related to the words and phrases in question. They thus range from cases where only a few definitional elements are established in the statutory text to cases where a “complete” definition is stated.16
14 The distinction between case-driven and system-driven interpretation of legal sources was introduced in Dag Wiese Schartum: Fra lovtekst til programkode [From Wording of an Act to Programming Code], (August 2012), available from http://www.uio.no/studier/emner/jus/afin/FINF4001/h12/pensumliste.xml.
15 But could partly be defined by its context and by means of amplifying statements.
The development of eGovernment systems may give grounds for definitions that are as complete as possible, preferably drafted in ways which fully answer the questions of interpretation that must be resolved to develop an efficient information system as part of the implementation of the relevant law.
4 Primary and derived legal definitions
Legal definitions are usually placed in one of the first sections/articles of the instrument but may also be placed in other parts of a body of rules.17 The scope of
such definitions is typically the legal instrument in which definitions are made,
but as a rule, definitions must be understood as applying to subordinate legislation
and other related legal instruments.18 Within Norwegian legislation, only a small
selection of words and phrases are defined in each law, often numbering no more
than five to ten. My investigation of all legal definitions contained in all novel
Acts of Parliament in Norway during the period 2007 – 2010, showed that legal
definitions existed in 35 of 53 laws, that is, in the majority of occurrences. Almost
all novel Acts of a certain complexity and volume contained legal definitions.19
Legal definitions in my investigation comprised words and phrases commonly occurring in the Norwegian language, as well as expressions especially designed for a specific legal purpose. Even where defined words are in common use, there were several examples of legal definitions clearly deviating from definitions of the same word in dictionaries. However, in the majority of cases, definitions were within the scope of what could be commonly accepted in the Norwegian language.
The investigation showed that legal definitions were generally more detailed
than similar definitions in dictionaries. Moreover, legal definitions frequently
contain formal definitional elements, that is, elements referring to something
which has been manifested because it is decided or officially registered. It is
possible to distinguish between at least three groups of such formal elements in
legal definitions:20
16 One requirement to a «system driven» approach should probably be that a great number of
definitional elements are decided.
17 A similar technique is applied, for example, in EU directives and regulations, and in various
conventions, etc.
18 Cf vertical legal semantic aspects as shown in section 2 (above).
19 The total number of definitions was 210, implying an average of six definitions per Act. There was relatively great variation between the Acts, ranging from only a couple of definitions up to 40.
20 Cf Jon Bing: Om tolking av enkeltord – særlig i lovtekst [On Interpretation of Single Words –
Particularly in Statutory Texts], In: Anders Bratholm m.fl. (red), Samfunn Rett Rettferdighet
Festskrift til Torstein Eckhoffs 70-årsdag, Tano, Oslo 1986, 131-143.
1. Measurable and quantifiable indicators/variables (e.g. length, weight, time,
amount etc);
2. Physical phenomena and conditions which are recognized as notorious facts
or which could be objectively observed (e.g. gender, physical conditions, chemical compositions); and
3. Final authoritative decisions, regarding formal positions (such as Member of
Parliament, lawful spouse, owner), established rights and obligations (eligibility to a concrete benefit, decision regarding tax liability) and other decisions
with a significant bearing on a person’s legal situation (e.g. a decision regarding residence, i.e., a piece of information registered in specific information
system etc).
Category 3) is particularly comprehensive and heterogeneous, and here I will not
explore details. In cases of “authoritative decisions” – as in categories 1) and 2) – it
will be possible to ascertain beyond reasonable doubt whether or not something
is legally true or valid (e.g. that a person has the right to receive a certain benefit,
if duty to pay a certain tax exists, etc). Of course, in a small minority of cases it
could happen that a person is transsexual, that decisions regarding benefits, etc.
are incorrect and that erroneous facts are registered in a government information system. Our assumption may nevertheless be that indicators, conditions and
decisions in categories 1) – 3) typically are relatively fixed, and at least much less
uncertain than in situations where correct interpretation of, for example, “supports a child”, “too heavy”, “owns a fortune” have not been established by a final
authoritative decision or registration.
Figure 3. Primary and derived definitions
In line with the observation and categorization mentioned above, it is conceivable that legal definitions are constructed by means of such formal and relatively fixed elements. “Domicile” could be defined, for instance, as “the place where a person has his/her true, fixed, permanent home, and to which, whenever the person is absent, he/she has the intention of returning.” As a point of departure, such a definition is obviously open to dispute, and it would require a lot of effort to examine
the conditions, for instance regarding a person’s intentions. When this question
is settled and a domicile is established as a result of an authoritative decision, it
would be possible to introduce legal definitions which build on this decision/
establishment of facts. Thus, a derived legal definition of domicile may be, for
example, “the place where a person has his/her home according to legally valid
information in the National Register.” The meaning of “domicile” could in other
words be fixed by referring to what has been established as part of registration in
an authoritative information source (or a decision).
Figure 3 (above) illustrates how a primary definition in statutory law (D1S), including supplementary definitional elements in preparatory works (D1PW), may be shared in several Acts (D1S derived in Acts A–D). It may be difficult, however, to draft all laws on the basis of one defined word or phrase that describes where people live. It might be necessary to have different but similar expressions in the National Register Act and the Immigration Act describing where people live. If so, the construction of overlapping (modular) definitions21 should be considered, by introducing a new definition (D2, cf figure 4, below) which partly contains the same definitional elements as D1. In this event, defining the same word in different ways in the two Acts should be avoided. Instead of introducing a synonymous phrase (e.g. “place of residence”) the legislator should consider using terms identifying the relationship between the two concepts. For instance, one definition may relate to “formal domicile” and the other to “actual domicile”. Subsequent legislation may, in such a case, choose between two primary definitions – or more. The point is that a relatively small selection of primary legal definitions may cover the need for definitions in a relatively great number of laws.
An example from my investigation of legal definitions in Norwegian legislation may illustrate the potential of a modular approach distinguishing between primary and derived legal definitions. The concept “employee” [arbeidstaker] is defined in seven Acts of Parliament. Three of these definitions are identical, while the remaining four each give a different legal understanding of the same word. However, all existing definitions contain some common definitional elements. On top of that, the definitions contain additional definitional elements and may therefore be designed as the joint definition plus special definitional elements.
21 About a modular approach, see Dag Wiese Schartum: Sharing information between government
institutions - Some legal challenges, in: van der Hov og Groothuis (eds.) Innovating Government,
Information Technology and Law Series vol. 20, Springer 2011.
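The modular approach described above, as an added example that is not part of the article: each Act's definition is modelled as a set of definitional elements, the joint (primary) definition is the intersection of all of them, and each Act's special elements are what remains once the joint definition is subtracted. The seven Acts and their definitional elements are constructed placeholders, not the wording of any Norwegian statute; the helper names are likewise my own.

```python
"""Primary and derived legal definitions as sets of definitional elements.

Added example, not from the article. The Acts and definitional elements below
are constructed placeholders, not the wording of any Norwegian statute.
"""
from functools import reduce

# Constructed data: seven hypothetical Acts defining "employee". A definition is
# the set of definitional elements that must all hold for a person to qualify.
EMPLOYEE = {
    "Act A": frozenset({"performs work", "in another's service", "receives remuneration"}),
    "Act B": frozenset({"performs work", "in another's service", "receives remuneration"}),
    "Act C": frozenset({"performs work", "in another's service", "receives remuneration"}),
    "Act D": frozenset({"performs work", "in another's service", "receives remuneration",
                        "subject to employer's instructions"}),
    "Act E": frozenset({"performs work", "in another's service", "receives remuneration",
                        "engaged for more than one month"}),
    "Act F": frozenset({"performs work", "in another's service", "receives remuneration",
                        "subject to employer's instructions", "not registered as self-employed"}),
    "Act G": frozenset({"performs work", "in another's service", "not registered as self-employed"}),
}


def distinct_definitions(definitions):
    """How many different legal meanings the word has across the Acts."""
    return len(set(definitions.values()))


def joint_definition(definitions):
    """The primary (core) definition D1: elements shared by every Act."""
    return frozenset(reduce(lambda a, b: a & b, definitions.values()))


def special_elements(definitions):
    """Per-Act residue: what each Act adds on top of the joint definition.

    Joint definition + special elements reconstructs each Act's own definition,
    which is the 'derived definition' pattern of the article.
    """
    core = joint_definition(definitions)
    return {act: elements - core for act, elements in definitions.items()}


def satisfies(facts, elements):
    """True if every definitional element is established for this case.

    `facts` maps element -> bool; an element not present is treated as not
    established, so the check fails closed.
    """
    return all(facts.get(element, False) for element in elements)


def classify(facts, definitions):
    """Return the Acts under which this person counts as an 'employee'."""
    return sorted(act for act, elements in definitions.items()
                  if satisfies(facts, elements))


if __name__ == "__main__":
    print("distinct meanings:", distinct_definitions(EMPLOYEE))
    print("joint definition:", sorted(joint_definition(EMPLOYEE)))
    for act, extra in special_elements(EMPLOYEE).items():
        print(f"{act}: joint + {sorted(extra)}")
    # Constructed case: a paid worker in another's service, nothing else established.
    case = {"performs work": True, "in another's service": True, "receives remuneration": True}
    print("employee under:", classify(case, EMPLOYEE))
```

Because every derived definition is the joint definition plus extra elements, anyone who satisfies a derived definition necessarily satisfies the primary one, which is what lets data collected under one Act be reused as input under another without re-establishing the shared elements.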
5 Selection of terms to be defined
In guidelines from the Norwegian Ministry of Justice, it is advised that legal definitions should be used in situations with a particular need for strict concepts and in cases when concepts have a basic function in the relevant law.22 However, the Ministry does not specify further what should be regarded as a “particular need” or a “basic function”. Legislation is many-sided, and it is obviously hard to formulate general and simple rules to govern which types of words and phrases should be subject to legal definition. If we restrict the discussion to the area of eGovernment, however, it would probably be feasible to formulate some general guidelines.
Information systems of government agencies which process data in the course of decision-making in individual cases typically contain well-formalized types of data describing each case. System requirements regarding input data about, for example, people's “income”, “matrimonial status” (“married”, “divorced”, “live-in partner” etc), or the fact that a person is the “supporter of children under 18 years”, etc., are established as part of the system development process. Formalization comprises elements such as the establishment of mandatory input data, requirements regarding the number of digits in input codes, various cross-checks of inputs (e.g. consistency checks and probability checks), etc. However, as long as input data are registered manually, such formal requirements are not on the level of what we can reasonably call definitions, because they only deal with representation in the data system and not with semantic content: for instance, we may decide that “income” is a mandatory type of data and that it may be represented by Arabic numerals, without defining the type of assets included in the term.
Norwegian laws contain a very limited number of explicit legal definitions of
words and phrases denoting input data to government data systems. Thus, system
developers using law as the source for data models in eGovernment systems do
not have many clear definitions to apply. Clearly, lawyers may find definitional
elements scattered around in relevant legal sources (case law, preparatory works,
administrative practice etc), but these will require time-consuming expert effort
from lawyers, and the conclusions will easily be disputable. One possible response is to transform questions of defining legal words and phrases from a problem
of applying the law to a problem of making the law. The basis of data input for
eGovernment systems could, in other words, be defined by statute to a much
greater extent than currently.
Automated processing of data in eGovernment systems does not come as a
surprise, but is very often an obvious consequence of novel legislation, and is
always a result when existing legislation relating to automated public administration is amended. Uncertainty as to the degree of automation, etc., does not change this fundamental fact. If, in this situation, the question is posed as to which words and phrases should be considered for legal definition, some answers and grounds can, in my view, be indicated.
22 See Ministry of Justice and the Police, Lovteknikk og lovforberedelse. Veiledning om lov- og forskriftsarbeid [Statutory Technique and Preparation of Laws], Justis- og politidepartementet 2000, section 7.4.
Rule of law and predictability could obviously be held as grounds for requiring strict concepts in laws, and in particular as part of eGovernment systems
which implement laws. This is especially true regarding systems producing individual decisions pursuant to highly automated routines. A high degree of automation will make this argument stronger due to reduced control by people.
Words and phrases denoting a factual basis for individual decisions are of fundamental relevance, and should therefore always be considered for legal definitions.
The previously mentioned legal concepts, “domicile”, “income”, “married” and
“live-in-partner” denote information on which individual decisions depend,
and which thus should be considered for legal definition. Some definitions could
be derived from other pieces of legislation, while other definitions may be legally
defined in a primary mode, cf the distinction in section 4 (above). For instance,
there will almost never be a need for a definition of “married” other than the one in the
Marriage Act, while “income” occurs with numerous definitions and may often
be linked up as a derived definition.
Unless there are well-founded reasons for another conclusion, all input data
required in eGovernment systems with law as a source should, in my view, be
considered for definition. Such a policy would strongly promote semantic interoperability within the legal domain. My argument does not imply that such legal
definitions should be designed to be as exhaustive and strict as possible. When
one decides how definitions should be carried out, the most important factors are
probably choice of definition technique, organization of the regulatory process
and tools, see the next sections.
6 Definition techniques
Definition statements in statutory texts may create expectations of exhaustive
identification of definitional elements, something which would imply that all/
most issues of interpretation of the word or phrase in question will be solved. My
investigation of legal definitions in Norwegian legislation showed that in order
to be fully informed of every aspect of the defined term, it was in most cases
necessary to consult the preparatory works of the Act in question. Such further
delimitations and explanations in preparatory writings were often comprehensive. Frequently they contained further references to other documents, making it
necessary to read former, repealed legislation, other Acts of Parliament in force
and various legal instruments of the European Union.
Full information pertaining to the defined words and phrases could only be
attained, in other words, from reading the statutory definition itself, explanations
in preparatory works, plus one or several documents within other parts of the
legal domain. Although definitions were apparently simple when worded in the
statutory text, legal definitions in Norwegian laws only expose a fraction of relevant definitional elements. Such definitions are not designed to make application
of the law simple. If the objective is to establish clear definitions of words and
phrases, such a practice is obviously inappropriate. On the other hand, this does
not necessarily imply that all definitional elements should be found in the law
itself. Other legislative techniques must also be considered.
Given the dynamic nature of the legal system, the choice of legislative technique has considerable significance. The evolution of legal definitions as a result of
application of the law (case law, etc.) is problematic for designers of eGovernment
systems. If, for instance, a data system is designed to automatically collect caserelevant data from specific databases in another government agency, and the system is able to do so because the statutory definitions are identical, it will obviously
be a problem if case law gradually formulates deviating definitional elements on
the basis of considerations of object clauses, new policy considerations, etc. If this
happens, establishment of manual routines to handle cases covered by such new
definition considerations is a possible option as an emergency solution, but will
probably only be a quick and not a very lasting fix. There is at least one realistic
approach to such problems caused by the dynamic nature of law, cf below.
In my view, legal definitions should always be established by combining statutory definitions and definitional elements in preparatory works.23 Here, there
should be no “either/or” discussion, but rather a determination of the desirable
mix between the two types of definition techniques. The argumentative legal weight
of statutory text is generally greater than the weight of statements and clarifications in preparatory works, and the first-mentioned technique thus represents the
most stable and lasting way of defining a legal term. However, stability is not the
only important consideration. Equally important is a certain flexibility and the
possibility to adapt to changing circumstances. When primary legal definitions
are placed as integrated elements in several laws,24 this will increase the probability that changed political considerations related to one of these acts will create
needs to amend the joint definition. If that happens, it is important to avoid that
this results in a break from the interoperable pattern.
Placing definitional elements in preparatory works creates the possibility for
such flexibility. In preparatory works, for instance, it could be stated that certain
definitional elements may be taken under consideration, but without introducing
these elements as strictly binding. Statements in preparatory works could
furthermore accentuate the relevance of semantic compatibility and administrative
considerations regarding electronic exchange of data. Such statements can,
however, only reduce the probability of case law developments that break with
joint definitions. It would not be acceptable if the legislator tried to stop the courts
from controlling that legally based words and phrases are correctly implemented:
courts should always in principle have the competence to decide on the basis of
concrete interpretation in individual cases and thereby be a guarantee for a minimum
degree of fairness in legislation. Stable and effective eGovernment systems
can only be one of several considerations.
23 Or alternatively in texts with similar functions, for instance in preambles of EU directives and regulations.
24 Cf derived definitions in section 4 (above).
To the extent that definitional elements are given in preparatory works, it is
crucial that these elements are collected and jointly presented. Contrary to what
my investigation showed, definitional elements should not be scattered around in
several documents making it necessary to go on a treasure hunt through various
sources. The degree of semantic interoperability, in other words, should be easy
to assess by consulting the wording of the Act and a separate explanatory section
of preparatory works where all definitional elements on that level are collected
and commented on.
7 Organization of the regulatory process
Observed from the outside, laws leave the regulatory process when they have
been sent to government administration for implementation. Development of
eGovernment systems required by legislation is seemingly a task of a technological nature – and to a large extent this is true. However, important parts of
this development should also be seen as a continued regulatory process – with
the important difference that the formal regulators have left the scene. The fact
that the regulatory process is continued is not more surprising than the fact that
secondary law is established after the Act is passed. In both situations, the task is
to bring the often rather general and lofty provisions of the Act “down to earth”
and translate abstract rules into concrete conditions, procedures etc. For instance,
the design of eGovernment systems could be about finding out how the phrase
“supporter of child under the age of 18” in the provisions of an Act should be
interpreted in order to identify whether or not it is necessary to collect this information manually, or alternatively, if automatic collection is possible, from existing databases which match with the legally required definition.
Definition differences are not necessarily politically unavoidable: For instance
the legislator has defined “live-in-partner” as “two people with a joint address
living in a marriage-like, established and stable relationship”, while available information resources are based on the definition “two people sharing accommodation
and living in a marriage-like relationship with the intention to continue
to live together.” Although there are differences between these two definitions,
this does not mean that it would have been politically unacceptable to draft both
laws with only one of the definitions. If one acceptable definition
corresponds to that of a machine-readable source and the other is unique and requires expensive manual collection of data, it may very well be that the legislator
would choose the definition represented in the digital source – if only they knew
that these sources existed.
One obvious challenge for the legislator is to discover that a choice exists between two or more defined machine-readable data resources. There are many ways
of mapping available digital data with the required legal definitions. One possible
model is to establish a task force with special competences and responsibility to
perform such analyses as part of the legislative process. Draft legislation could,
in other words, be analysed by people who investigate existing legal definitions,
as well as administrative and technological consequences of using existing words
or introducing new ones. The task force could then give their result as input to
the drafting committee. Arguments and consequences of legislative choices will
in this way be better understood, and possibilities of optimizing information systems will be enhanced.
Possibilities of choosing definitions which yield a politically acceptable and
fair result, and which at the same time represent an appropriate solution regarding system design and effective automated processes, depends on the legislator’s
awareness of existing alternatives. In Norway, and probably in most other countries, the legislator will often not know which concepts applied in the proposed
statutory text are already defined in existing regulations. Furthermore, they will
not know the existing definitions that match definitions in available ICT-based
information systems. This kind of insight typically arises after the law is passed
and implementation has started or, to put it bluntly: too late. Special tools may
change the picture.
8 Law-making tools
ICT tools are probably necessary in order to change the regulatory process in
ways which improve the capability of interoperability considerations on the
lawmaker’s side of the table. Currently, no such special tools have been developed
to facilitate the lawmaking process in Norway.25 Change from hand-made rules to
lawmaking tools entails not only questions of how to deal with legal definitions,
but constitutes answers to general needs and sets of possibilities for supporting
the regulatory process. Regarding legal definitions, a simple and concrete indication of a possible element of such a tool may take the much used definition of
“personal data” as an example.
25 A prototype tool ”Regelverkshjelpen” [Regulation Aid] is under development in a collaboration between the Norwegian Research Center for Computers and Law (NRCCL), the Lawdata Foundation [Stiftelsen Lovdata] and the Norwegian Ministry of Justice and Public Security.
“Personal data” is defined in the Norwegian Data Protection Act:26 “personal
data: any information and assessments that may be linked to a natural person”.
Additional clarifications in the preparatory works of the Act are integral parts of
a 530-word explanatory text in the bill written without structure to ease retrieval
of definitional elements etc. When clearly analysed and structured, the following
six supplementing elements can be identified (represented here as keywords):
• Marks of identification
• Ways and efforts of identification
• Significance of the object clause of the Act
• Limitations regarding legal persons
• Limitations regarding deceased persons
• Relation to a definition in the Public Administration Act
My point here is that although the legislator has a choice of where to place definitional elements, these elements should be made available without regard to which
part of the regulatory process they refer to. Thus definitional elements in preparatory works should be formalized in a semi-structured way so that each element is
easy to identify, understand and display together with the relevant legal definition
of the Act. Even if a concept is not defined in the Act, definitional elements in
preparatory works should be identified and made easily available together with
occurrences of the statutory term in question. Such a complete and easy overview
of how legislators understand statutory concepts would be of great importance to
developers of eGovernment systems.
We can, of course, hope that participants in the legislative process will
analyse existing legal definitions and search available information resources without the help of any particular method or tool. The chances of getting
effective results, however, will increase if aids exist. Here I will not go into any
detailed discussion of possible methods and tools, merely outline some simple
starting points.
First and foremost, it is important to build a library of legal definitions which
could be made available by means of a law-drafting tool. My investigation of legal
definitions in recent Norwegian legislation shows that placing and wording of such
definitions allows automatic retrieval of a very high percentage of legal definitions.27
26 The national definition is based on article 2 (a) of the Data Protection Directive (95/46/EC).
27 Roughly more than 90% could probably be found by automatic means. Mapping of 100% of
existing definitions will require scrutiny and manual effort, but total coverage is probably not
important as part of establishment of a general library of definitions.
Mapping existing definitions is necessary in order to create a basic library
of existing definitions that could be expanded on the basis of future regulatory
processes. The idea is to develop a tool which is integrated with the editor used
to draft statutory texts, and which automatically searches through the library of
existing legal definitions and displays possible existing definitions of words/phrases that are used in the draft text.
Equally important is the idea that such a tool should facilitate collection of
new legal definitions, that is, support the establishment of a library of definitions
that will be updated in every case of a new legal definition. The goal should be to
create a general collection of existing legal definitions that is as up-to-date as possible. Identification of every legal definition with full reference to all definitional
elements regardless of where these elements are placed makes it possible to highlight occurrences of legal definitions in a legal text and to display these elements
to the reader. The tool can collect, order and present definitional elements from
several sources.
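As an added illustration of the check such a drafting tool would perform, the following Python sketch is not code from the article or from the Regelverkshjelpen project. It keeps a small library of legal definitions, scans a draft provision for terms that are already defined, and reports for each hit whether one definition exists (a candidate for a derived definition), whether several compete (a choice the legislator must make), whether any of them is backed by a machine-readable source, and how many supplementary elements in preparatory works belong to it. The six "personal data" elements and the two "live-in-partner" wordings are those quoted in this article; the Act names attached to them, the "income" entries, the draft provision and every machine-readable flag are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    term: str                       # the defined word or phrase
    source: str                     # Act in which the statutory definition is placed
    text: str                       # wording of the statutory definition
    elements: tuple = ()            # keywords for supplementary elements in preparatory works
    machine_readable: bool = False  # assumption: a digital data source applies this exact definition


# Constructed library for the example. The six "personal data" elements and the two
# "live-in-partner" wordings are quoted in the article; the Act names attached to the
# latter, the "income" entries and every machine_readable flag are placeholders.
LIBRARY = [
    Definition(
        "personal data", "Data Protection Act",
        "any information and assessments that may be linked to a natural person",
        ("marks of identification",
         "ways and efforts of identification",
         "significance of the object clause of the Act",
         "limitations regarding legal persons",
         "limitations regarding deceased persons",
         "relation to a definition in the Public Administration Act"),
    ),
    Definition(
        "live-in-partner", "Act A (placeholder)",
        "two people with a joint address living in a marriage-like, established "
        "and stable relationship",
    ),
    Definition(
        "live-in-partner", "Act B (placeholder, backs a register)",
        "two people sharing accommodation and living in a marriage-like relationship "
        "with the intention to continue to live together",
        machine_readable=True,
    ),
    Definition("income", "Act C (placeholder, backs a register)", "placeholder wording 1",
               machine_readable=True),
    Definition("income", "Act D (placeholder)", "placeholder wording 2"),
]


def build_index(library):
    """Group the library by term, normalised to lower case."""
    index = {}
    for definition in library:
        index.setdefault(definition.term.lower(), []).append(definition)
    return index


def scan_draft(draft, library=LIBRARY):
    """Return {term: [Definition, ...]} for every library term that occurs in the draft.

    Matching is case-insensitive and on whole words, so "incomes" does not match
    "income". Terms are tried longest first and each match is blanked out of the
    text, so a shorter term is not reported merely because it sits inside a longer
    phrase that has already been matched.
    """
    index = build_index(library)
    remaining = draft
    hits = {}
    for term in sorted(index, key=len, reverse=True):
        pattern = r"\b" + re.escape(term) + r"\b"
        if re.search(pattern, remaining, flags=re.IGNORECASE):
            hits[term] = index[term]
            remaining = re.sub(pattern, " ", remaining, flags=re.IGNORECASE)
    return hits


def report(draft, library=LIBRARY):
    """What the drafting tool would show for each matched term: the status of the
    existing definition(s), their sources, which of them a machine-readable source
    applies, and how many supplementary elements in preparatory works must be read
    alongside the statutory wording."""
    result = {}
    for term, defs in scan_draft(draft, library).items():
        result[term] = {
            "status": ("single existing definition, candidate for a derived definition"
                       if len(defs) == 1
                       else f"{len(defs)} competing definitions, a choice for the legislator"),
            "sources": [d.source for d in defs],
            "machine_readable_sources": [d.source for d in defs if d.machine_readable],
            "elements_in_preparatory_works": sum(len(d.elements) for d in defs),
        }
    return result


if __name__ == "__main__":
    draft = ("Any personal data on the income of a live-in-partner "
             "shall be collected automatically.")  # constructed draft provision
    for term, info in report(draft).items():
        print(term, info)
```

Run as a script it prints one line per matched term; the interesting output is the "income" and "live-in-partner" entries, where two competing definitions exist and only one of them is backed by a register, which is exactly the choice the article says the legislator is normally unaware of.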
9 Conclusion
Legislation should always be drafted with implementation in mind. Otherwise
legislators will probably often find that legislation is put into force in ways that deviate from their intentions. Legislation which presupposes eGovernment systems
must be tuned to fit some of the basic technological requirements and potentials.
One of the potentials which should be considered as part of the legislative process
is data sharing between several government agencies and the prerequisites for
this to happen. Today, the Norwegian government has interoperability and data
sharing as an important political goal. However, they seem to believe that data
sharing is a technological and administrative issue, whereas it should be obvious
that interoperability is a regulatory and legal issue: Legislators may run the risk
of drafting legislation without considering the effects on the possibility to realize
efficient eGovernment systems as expected in government administrative modernisation schemes. If so, they will probably continue to produce obstacles and
unnecessary problems for systems development and implementation. The only
sound solution, in my view, is to extend the legislative process so that the consequences for implementation in eGovernment systems of proposed legal texts
are assessed as part of the legislative process. In my mind, there are not sufficient
grounds to defer dealing with these questions and relegate them to system developers who are then forced to «blindly» handle political and legal choices.
The contractual network of the
Domain Name System1
Emily M. Weitzenboeck
1.1 Introduction
The Internet Corporation for Assigned Names and Numbers (ICANN) is tasked with the management and coordination of the Domain Name System (DNS).
Through its so-called IANA functions,2 ICANN is also responsible for the root
zone management for the DNS and the global coordination of the Internet
Protocol (IP) address space.3 It is thus no wonder that ICANN has been called
one of the governors of the Internet.4
The main objective of ICANN’s coordination of the DNS is to ensure that every Internet address is unique and that the users of the Internet can find all valid
addresses. A domain name is a unique, mnemonic name which the DNS resolves to an
IP address. Thus, instead of writing 129.240.178.65, one writes the more
meaningful www.uio.no. The day-to-day responsibility for the administration of
the DNS is in the hands of IANA.
1 The work presented here is based on a working paper by the author on the hybrid network structure of ICANN and the DNS. It is written within the framework of the Igov2 research project (http://www.jus.uio.no/ifp/english/research/projects/internet-governance/) which is jointly funded by the Norwegian Research Council and UNINETT Norid AS.
2 ICANN carries out the IANA functions under a renewable contract with the US Department of Commerce (DOC). See http://www.ntia.doc.gov/page/iana-functions-purchase-order. Unless otherwise stated, all websites were last accessed on 14 November 2013.
3 See further http://www.iana.org/.
4 L A Bygrave and T Michaelsen, “Governors of the Internet” in L Bygrave and J Bing, Internet Governance: Infrastructure and Institutions (OUP 2009) 92-125. There are several other governors, both private and public bodies, such as the Internet Society (ISOC), which provides an organizational umbrella for Internet standards development and funds the Internet Engineering Task Force (IETF), which is the main Internet standards development body and is another governor. In addition, there is the Internet Architecture Board (IAB), which presides over the development of Internet standards; the Internet Engineering Steering Group (IESG), which manages and oversees the technical operation of the IETF; the Internet Research Task Force (IRTF), which focuses on long-term research issues; the World Wide Web Consortium (W3C), which develops standards for the web; and the Internet Assigned Numbers Authority (IANA) discussed above. See further on these bodies ibid 95-114.
There are two categories of top level domain names: generic top-level domains
(gTLDs)5 and the set of two letter country code top-level domains (ccTLDs). The
initial general framework of the DNS system structure and delegation was documented by Jon Postel in RFC 1591.6 Since May 1999, ICANN/IANA follows
ICP-1: Internet Domain Name System Structure and Delegation which lays down
IANA’s current practices in administering inter alia RFC 1591.
With the opening of the top level of the DNS to new gTLDs under the new gTLD program, 1930
applications for new gTLDs were filed in spring 2012. Since November 2009,
ccTLDs may apply for Internationalized Domain Names (IDNs) in scripts other
than US-ASCII.7 The new gTLD program also allows for the first time the addition of IDN gTLDs into the root zone.8
The DNS forms a tree-like hierarchy. Each TLD includes many second-level
domains (such as ‘uio’ in www.uio.no); each second-level domain can include a
number of third-level domains (such as ‘jus’ in www.jus.uio.no), and so on. A
TLD is operated by a registry, registration of second-level domains under it is handled
by a registrar, and a domain name holder is known as a registrant. A registry operates
a database for registration of domain names in the domain it administers. A registrar
facilitates the actual registration of domain names. Some entities combine both registry
and registrar functions, as in the .no and .eu domains.9
Governance of the gTLD namespace is contractual, with a web of contracts
spun between ICANN, a registry, a registrar and a data escrow provider respectively, and
eventually between the registrants and their registrar. The management of
ccTLDs varies: some countries have opted for a formal contractual arrangement with ICANN whilst others have preferred an informal arrangement. Some
countries also have statutory regulation of their ccTLD. The regulatory frameworks of the gTLD and the ccTLD namespaces are examined in more detail in the
following two sections.
1.2 Contractual network of the gTLD namespace
ICANN uses a portfolio of contracts in the governance of the gTLD. An analysis
of ICANN’s gTLD agreements shows that ICANN tends to use a standard-format
5 As at 8 October 2013, there are 60 gTLDs in ASCII (the American Standard Code for Information Interchange – ASCII – is a character-encoding scheme originally based on the English alphabet). See http://www.icann.org/en/about/agreements/registries.
6 On RFC 1591, L Bygrave, S Schiavetta, H Thunem, A B Lange and E Phillips, ‘The naming game: Governance of the Domain Name System’ in L Bygrave and J Bing, Internet Governance: Infrastructure and Institutions (OUP 2009) 158, 186-187.
7 See further http://www.icann.org/en/resources/idn.
8 See further http://www.icann.org/en/resources/idn/fast-track/string-evaluation-completion.
9 See further Bygrave et al (n 6) 150.
set of agreements which varies depending on whether the registry is sponsored10 or not. This use of a standard format applies also to the new gTLD Registry
Agreement published in July 2013 with regards to the new gTLDs to be approved
under the new gTLD program. One advantage of this is that it makes for easier
compliance management by ICANN of all these intertwined agreements. The
registry agreements (RA) under the old system contain as one of their appendices a standard format Registry-Registrar agreement (RRA) which the registry
is bound (through a clause in the ICANN-Registry agreement) to use with its
registrars. An important clause of the registry-registrar agreement is the obligation on the registrar to follow ICANN’s dispute resolution policy. The new gTLD
Registry Agreement does not contain a draft of such standard contract. However,
the Registry is bound, through a clause in the new gTLD Registry agreement, to
use a uniform non-discriminatory agreement with all accredited registrars, such
agreement to also be known as the Registry-Registrar Agreement. Every gTLD
registry must also enter into a Registry Data Escrow Agreement with ICANN and
a third party data escrow provider.
ICANN also has a contractual relationship with the (second-level) gTLD
registrars through its registrar accreditation system and the use of a Registrar
Accreditation Agreement (RAA). This is the case both under the old system and
in the case of new gTLDs to be delegated under the new program, for which a new
RAA was approved in June 2013. In its turn, the standard registry-registrar agreement in the old system and the new gTLD Registry Agreement both contain various obligations on the registrar with regards to its relationship with those wishing to register a second-level or third-level domain name (known as registrants).
A prospective registrar must also undertake to submit an electronic copy of their
registration database to ICANN or else to an ICANN-approved third-party data
escrow provider.11
The above discussion clearly shows that there is a network of contracts between ICANN, a gTLD registry, its registrar and each of the latter’s registrants.
The situation is apt to get even more complex because in the case of the (currently
pending) new gTLDs, the gTLD Applicant Guidebook allows ICANN-accredited
registrars to apply for a gTLD, subject to certain requirements and restrictions.12
10 Sponsored TLDs are set up for use by a particular community or industry such as .cat (for the
Catalan linguistic and cultural community on the Internet) and .mobi (for users and producers
of mobile telecommunications services).
11 See section 3.6 of the 2009 version of ICANN’s Registrar Accreditation Agreement at http://
www.icann.org/en/about/agreements/registrars.
12 ICANN may refer an application to a competition authority where the registry-registrar cross-ownership arrangements raise competition issues – see Applicant Guidebook version of 4 June
2012, Module 1 section 1.2.1 on ‘Registrar cross-ownership’; and Module 5 section 5.1 on
‘Registry Agreement’ at http://newgtlds.icann.org/en/applicants/agb.
Cross-ownership between registries and registrars will thus be possible under the
new gTLD regime.13
In addition, the ICANN-Registry Agreement inter alia also contains as an appendix: (1) a standard draft of a Zone File Access Agreement that a Registry must
enter into with any third party requesting zone file access; and (2) a service level
agreement or a description of the functional and performance specifications which
the Registry undertakes to uphold. gTLD registries maintain DNS zone files that
contain resource records for the domain names that are active within those gTLDs.
There is not merely a web of contracts in the sense of a set of loosely related
contracts between various actors (such as registries, registrars, escrow providers)
and ICANN to regulate the gTLD namespace. Some parts of this web actually
form a contractual network. As Cafaggi observes, ‘it is not sufficient to have a
multiplicity of linked contracts for a contractual network to emerge.’14 More is
required:
‘there has to be (1) a strong collective interest to pursue (2) a common objective,
and (3) a high level of interdependence among the contracts and the activities
performed through contracts.’15
One utility of contractual network theory is that it helps elucidate how contracts
are interlinked and hence, whether and to what extent one can make cross-references between such contracts to assist in their interpretation. Another utility
is that it helps address doctrinal difficulties created by the notion of privity of contract16 or, as it is known in civil law jurisdictions, the relativity of contracts.17 The
13 Current gTLD registry agreements prohibit registries from acquiring directly or indirectly
more than 15% of a registrar - see ‘New gTLD Program Explanatory Memorandum: Registry-Registrar Separation’ of February 2009, chapter 2 at https://archive.icann.org/en/topics/newgtlds/regy-regr-separation-18feb09-en.pdf.
14 F Cafaggi, ‘Contractual networks and contract theory: a research agenda for European contract law’ in F Cafaggi (ed) Contractual networks, inter-firm cooperation and economic growth
(Edward Elgar 2011), 74.
15 Cafaggi (n 14) 74.
16 Briefly stated, contractual privity means that contracts are binding only between the parties
thereto and cannot be enforced either by or against third parties. However, the Contracts (Rights
of Third Parties) Act 1999 introduced an exception to this doctrine in English law such that a
third party may acquire enforceable rights under a contract if, and to the extent that, the parties
to the contract so intend. See H G Beale (gen ed), Chitty on Contracts - Vol 1: General Principles
(including 3rd cumulative supplement of 2011, 30th edn, Sweet & Maxwell 2008) para 18-001.
Similarly, most civil law jurisdictions recognise so-called contracts for the benefit of a third party. See, for example, B S Markesinis, H Unberath and A Johnston, The German Law of Contract:
A Comparative Treatise (2nd edn, Hart Publishing 2006) 186-203.
17 See, for example, article 1165, French Civil Code. This is also the main rule in Norway – see Rt
1997 p 1322 referred in G Woxholth, Avtalerett (8th edn, Gyldendal Akademisk 2012) 167.
doctrine of privity appears to be a major stumbling block to recognising rights for
parties in other linked contracts but who are, technically speaking, extraneous to
the bilateral contract that has been breached. A typical example of such an extraneous party would be the registrant vis-à-vis an ICANN-Registry Agreement (RA).
In effect, the backbone of the DNS is made up of a set of interdependent bilateral linked contracts. With respect to each respective gTLD, due to the tree-like structure of the DNS, there is a vertical linked contractual network between
the ICANN-registry agreement (RA), registry-registrar agreement (RRA), and
the registration agreement between the registrar and registrant. However, the
contractual network is more complex than this, with at least18 two other sub-networks linked to the vertical bilaterally-linked contractual network, namely:
1. The contractual network between ICANN, the registry and the escrow agent
which comprises the ICANN-registry agreement (RA) and ICANN’s third
party registry data Escrow agreement.
2. A mirror contractual network to that in (1) above between ICANN, the registrar and the escrow agent
All the three elements of a contractual network identified by Cafaggi, namely
(1) a strong collective interest (2) a common objective and (3) a high level of
interdependence, are met in the case of each respective gTLD. There is a strong
collective interest of all the various contractual parties to pursue the common
objective of regulating and operating the respective gTLD in a manner which
works, observing the tree-like structure of the TLD (here the relevant parties are
ICANN, the registry, the registrar and the registrant) and ensuring security of the
registration data (here the relevant parties are ICANN, the registry, the registrar
and the third-party escrow agent). To achieve (1) and (2) aforementioned, there
is a high level of interdependence between the various contracts and the activities performed under such contracts, as discussed above. The existence of these
contractual networks in Cafaggi’s sense implies that the contracts forming a contractual network could be read together to give coherence to the underlying legal
framework such as, for example, to understand the extent of a party’s obligations.
Moreover, a strong argument can be made that there is also a contractual
network in the whole gTLD namespace or, perhaps more precisely, there are two
contractual webs: (1) the contractual web of the gTLDs issued under the old system (i.e. not including the new gTLD program), and (2) the contractual web of
the new gTLDs under the new program. This makes for a complex regulatory
structure. However, it also highlights the significant help that contractual network
theory as proposed by Cafaggi provides in trying to seek coherence in this web.
18 The contractual web becomes more complex in those cases where a registrar has entered into a
registrar reseller agreement with a reseller(s) with respect to the resale of domain names to and
from registrants.
From the above it is clear that the preferred regulatory tool for the gTLD namespace is contract. This massive reliance on contract, with ICANN being the focal node of the network, shows the growing influence of ICANN as the principal
and dominant actor in the regulation of the gTLD namespace. ICANN is indeed
the protagonist here: it is the main drafter of the regulatory mechanisms, that is,
of the various contracts used in this web. Not only that, but all of the other actors
– whether offering services in the gTLD namespace (e.g. registries, registrars) or
wanting to register a gTLD (i.e. registrants) – have little option but to accept such
terms with hardly any leeway if they want to operate in the gTLD namespace.
1.3 The ccTLD namespace
Historically the delegation of ccTLDs has been informal, with several ccTLDs
delegated by Jon Postel without any formal agreement. ICANN has formalized
relationships with a few ccTLD managers (e.g. .au, .jp and .ke) through formal
‘Sponsorship Agreements’.
Following discussions with ccTLD managers and after considering the
‘Guidelines for ccTLD managers Accountability Framework discussions with
ICANN’ developed by the ccNSO, ICANN has sought to document its existing
relationship with ccTLDs through the use of either of two mechanisms, in the
absence of a formal agreement.19 One option is an Accountability Framework
document which not only contains clauses stating the obligations of a ccTLD manager and ICANN, but is also meant to cover dispute resolution and termination.
It was designed ‘to cater to those ccTLD managers who require a more “formal”
document with ICANN.’20 In actual fact, although it is also meant to cover dispute resolution, some of the ccTLDs chose not to include such a clause in their
Accountability Framework.21
The other option is the use of an exchange of letters which has even less formal language than the Accountability Framework. The legal enforceability of such
letters is dubious, to say the least. In fact, several exchanges of letters contain a
clause stating that the letters ‘will not form the basis for any claim for any legal
or equitable relief, or create reliance on the part of either party’ and that ‘nothing
contained in this letter shall give rise to any liability, monetary or otherwise’ by
one party towards the other. Such clauses appear, for example, in the exchange of
letters between ICANN and the ccTLD manager of, respectively, Norway, the UK,
Luxembourg, Austria and Brazil.22 Other countries have variants of this clause but
the main thrust of such exchange of letters seems to be their declaratory and informal nature. Clauses like the abovementioned make it clear that the parties have no
intention to be legally bound and hence such letters are not contractually binding.23
The contractual network of the Domain Name System
19 See http://www.icann.org/en/news/announcements/announcement-12feb06-en.htm.
20 Ibid.
21 See clause I in the Accountability Framework with Ecuador, Mexico, Costa Rica (http://www.icann.org/en/about/agreements/cctlds).
Though not as informal as the exchange of letters, the legal bite of the
Accountability Framework is rather weak as it also contains, as one of its standard
clauses, a ‘no monetary liability’ clause similar to the one found in the exchange of
letters. Moreover, as abovementioned, in the case of countries that have opted out
of having a dispute resolution clause,24 a further clause was added to emphasise
that it was not the intention of the parties to use litigation as a form of dispute resolution and that the parties are to use their best endeavours to resolve any dispute.
Most ccTLD managers have opted for either of the abovementioned two informal mechanisms. This is evidence of their reluctance to have a formal, legally
binding contract with ICANN regarding their management of the ccTLD. What
most ccTLD managers embrace, though, is the principle of subsidiarity. The
White Paper recognized the role that national governments have in ‘manag[ing]
or establish[ing] policy for their own ccTLDs.’25 This principle was incorporated
in both the ICANN’s MOU with the DOC and in other documents,26 most notably RFC 1591, ICP-1 and the GAC ‘Principles and guidelines for the delegation
and administration of country code top level domains’. The latter state that:
‘… ccTLD policy should be set locally, unless it can be shown that the issue has
global impact and needs to be resolved in an international framework. Most of the
ccTLD policy issues are local in nature and should therefore be addressed by the
local Internet Community, according to national law.’27 (article 1.2)
This principle of subsidiarity has been transposed, practically verbatim, in a number of the ICANN-ccTLD Exchanges of Letters.28 One could say that in such cases
subsidiarity applies in lieu of a formal agreement with ICANN.
Although the management of a ccTLD is in the hands of the respective ccTLD
manager, registrations in the second-level and other levels further from the TLD
are managed on lines similar to that of second-level gTLDs, i.e. through agreements between the ccTLD registry and registrars, with the latter assisting registrants in the registration of their domain names. However, in the case of ccTLDs,
there is no system of ICANN accreditation of registrars. It is normally the respective ccTLD registry which accredits its registrars. Moreover, as explained above,
the role of contracts here is more modest than it is in the regulation of the gTLD
namespace.29 In effect, the management of the country-code namespace is in the
hands of the ccTLD manager, in the spirit of the principle of subsidiarity abovementioned. Some ccTLDs have a rather liberal policy with the types of domain
names registered, and with regards to who is allowed to register a domain name
(e.g. Austria). Other ccTLDs are more restrictive in their policy. Thus, for example, to register a domain name under .no, a business must first be registered in the
register of business entities in Norway, whereas a private individual may only be
registered under the priv.no domain provided he/she is 18 years or older and has
a Norwegian identity number.30
22 A copy of these letters is available at http://www.icann.org/en/about/agreements/cctlds.
23 Bygrave concurs. See L A Bygrave, ‘Contract versus statute in Internet governance’ in I Brown (ed), Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013) 175.
24 See n 21.
25 See NTIA, ‘Management of Internet Names and Addresses’ (‘White Paper’), 5 June 1998.
26 See Bygrave et al (n 6) 158.
27 http://archive.icann.org/en/committees/gac/gac-cctld-principles.htm.
28 See, for example, the exchange of letters regarding .no, .uk, .lu and .at. Other ccTLD managers like AFNIC (.fr) opted to refer to the GAC principles and guidelines in toto.
Some ccTLD regimes have a statutory footing. Thus, for example, Norway’s
Domain Name Regulations,31 issued under the authority of the Electronic
Communications Law,32 establish the role of the registry (Norid) and registrars
and require that an applicant for a domain name signs a declaration confirming
certain facts (e.g. that the domain name is not in breach of the law, does not infringe third party rights, etc.) It also sets up an ADR committee to hear domain
name disputes. Anyone wanting to register a domain name in Norway has to apply via one of Norid’s approved list of .no registrars.
The .eu domain is a strange creature sitting among the other country-code
top-level domains. The EU is not a federal state like the US but an economic and
political partnership between 28 (n 33) independent states in Europe, each of which
has its own ccTLD. Thus, the assignment of the .eu domain to a registry designated by the European Commission, the executive arm of the EU, makes for curious
reading since it blends the use of standards with contract and statutory law of a
very special kind, namely EU law. Once the two letters “eu” were exceptionally
reserved as the country code for the European Union in ISO 3166-1,34 this paved
the way for ICANN/IANA to delegate .eu as a ccTLD to the entity designated by
the EU, viz. EURid. The setting up of the .eu registry was a result of Regulation35
733/2002,36 which set out how the eventual entity to run the .eu registry would be
chosen, what the obligations of the registry shall be, and the policy framework for
this domain. EURid was formally set up under Belgian law as a private, not-for-profit organization on 8 April 2003 and was subsequently designated .eu registry
through another piece of EU legislation – Decision 2003/375/EC. This was followed by another piece of EU legislation – Regulation 874/2004,37 – which set out in greater
detail the public policy rules concerning the implementation and functions of the
.eu TLD such as, for example, accreditation of registrars by the registry, applications for second-level domain names, and an ADR procedure to settle domain
name disputes.
29 See also Bygrave (n 23) 180.
30 See further http://www.norid.no/domeneregistrering/registrere.en.html. See also Bygrave et al (n 6) 172-212.
31 Forskrift om domenenavn under norske landkodetoppdomener (abbreviated as domeneforskriften) of 1 August 2003.
32 Lov av 4. juli 2003 nr 83 om elektronisk kommunikasjon (abbreviated as ekomloven).
33 On 1 July 2013, Croatia became the EU’s 28th member.
34 See http://www.iso.org/iso/home/standards/country_codes/iso-3166-1_decoding_table.htm#EU.
With regards to the formal delegation of the .eu TLD, EURid entered into a
Registry Agreement with ICANN. There are a number of provisions in this agreement which are similar to those found in the registry agreements that ICANN
uses with gTLD operators, though there are also a number of differences. Thus, one
of EURid’s obligations is to establish a data escrow policy, though this has to be
in accordance with the rules established under EU law, namely article 15 titled
“escrow agreement” of Regulation 874/2004. Unlike a gTLD ICANN-registry
agreement, EURid’s registrars do not need to be accredited by ICANN but must
be accredited by EURid.38
1.4 Closing words
The above analysis illustrates the complexity of the regulatory framework of the
DNS, both with regards to the types of regulatory mechanisms used – ranging
from hard to ‘soft’ law – as well as in the sheer quantity of mechanisms used. A
similar intricate regulatory framework may be seen behind the legal structure of
ICANN. This issue, as well as the question whether and how these different types of instruments may, if at all, co-exist and interrelate as a coherent regulatory
framework are the basis of this author’s current research.
35 It should here be pointed out that the three binding forms of EU legislation are regulations, directives and decisions. Regulations and directives are addressed to all member states of the EU.
A regulation is directly applicable without need for national legislation to implement it. On the
other hand, a directive must be transposed into national law within a prescribed date. A decision
is not of general application but is normally addressed to particular member states, individuals
or companies and is binding on those to whom it is addressed.
36 Regulation 733/2002 of 22 April 2002 on the implementation of the .eu Top Level Domain.
37 Regulation 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration as
variously amended, the latest being through Regulation 560/2009 of 26 June 2009.
38 See article 4 “Accreditation of registrars”, Regulation 874/2004.
Would You Like to Own a Generic Top Level Domain?
Tobias Mahler1
1 Introduction
The domain namespace is currently being strongly expanded by adding more than
a thousand new top-level domains (TLDs) to the Internet’s root servers. This is a
significant change, compared to the hitherto small number of pre-existing TLDs,
which include generic TLDs (gTLDs), such as <.com> and <.info>, and country
code TLDs (ccTLDs), for example <.uk> and <.no>. The top level of the domain
name system (DNS) has appeared fairly static during most of the Internet’s history. This perception of a static DNS is probably most prevalent amongst Internet
users who primarily use the Latin alphabet and who may not have noticed the
recent addition of TLDs in non-Latin scripts.2 The dynamics of DNS change will
become apparent to many more users with the current introduction of approximately one thousand new TLDs, and the likely addition of more in the next years.
The expansion of the domain namespace was enabled by a liberalization of the
market for TLDs finally approved in 2011.3 This policy change counts as one of
the most fundamental developments in the history of the DNS. In the first phase
of this expansion commenced in 2012, any organization in good standing could
have applied for virtually any TLD–with a few exceptions.4 Over 1000 applicants
have applied for more than 1400 TLD strings, often with several competing applications for the same name. When this round of expansion is concluded,
the namespace will have been extended with new TLDs dedicated to geographical
areas (<.london> and <.bavaria>), industries (<.bank> and <.insurance>), communities (<.catholic>, in many scripts), brand names (<.microsoft> and <.ibm>)
and many generic words (<.music>, <.kids>, <.gay>, etc.).
1 This is a working draft of a paper presented at the Igov2 Symposium, held in Oslo in September 2013. The author wishes to thank the audience for relevant comments. I am also grateful to the members of the IGov2 project at the NRCCL, and in particular Lee Bygrave and Jon Bing, for valuable feedback on an earlier version of this paper.
2 There have been several introductions of new TLDs using scripts other than Latin, such as the <.рф> (in Cyrillic) and other internationalized country code TLDs. See further ICANN’s overview page on Internationalized domain names available at <http://www.icann.org/en/resources/idn>, last accessed 16.09.2013.
3 The decision to liberalize the namespace was decided by the ICANN board at its Singapore meeting in 2011. The board resolution is available at http://www.icann.org/en/groups/board/documents/resolutions-20jun11-en.htm, last accessed 16.09.2013. This was based on an earlier ICANN board decision of 26 June 2008.
4 See ICANN, gTLD Applicant Guidebook (2012), Module 2.
Thus, there seems to exist an interest, at least shared by some, to acquire this
new digital asset. Yet, from a legal perspective it is not entirely clear what kind of
legal position an applicant for a TLD aspires to and, if successful, acquires. From a
technical perspective, a TLD can be characterized as an entry in a database, the root
zone file of the DNS. In some sense this seems similar to the registration of domain
names. The latter are also entries in the DNS, but at a lower level in the hierarchy
of names. While domain names are entered at the second or third level,5 TLDs are
entered at the first level—also referred to as the Internet root.6 However, despite this
technical similarity, there are many practical differences between the fairly non-bureaucratic domain name registration and the long and complicated process of
applying for a TLD. Moreover, successful TLD applicants enter into a fairly complex
network of contracts with other DNS actors, as described further below.7
This article focuses on the following question: what legal position is acquired
by successful TLD applicants? One might expect that this question should be
easy to answer, because there is a contract between the successful applicant—the
TLD ‘registry’—and the Internet Corporation for Assigned Names and Numbers
(ICANN), which grants these applications. The legal position of TLD registries
should be easily understood by reading this contract. However, the gTLD agreement is based on a conceptual framework that has its origin in the technical
management of the DNS, rather than in established legal concepts. This is probably because ICANN has a primarily technical focus, and legal issues often come
as an after-thought to the technical management. Many of the concepts used for
describing the management of the DNS have a fairly clear technical meaning,
but are not sufficiently precise to describe the legal and contractual relationship
governing the use of a TLD. Therefore, this article examines how some of the
technical concepts used in the management of the DNS are reflected in legal and
contractual concepts.
2 Overview
This article is structured as follows. It first creates a framework for the analysis,
both in terms of the technological basis and theoretical background (section 3).
Thereafter section 4 provides a theoretical platform for discussing conceptual issues regarding a right to a gTLD. It addresses the function of concepts in legal reasoning in general, and Ross’ theory of intermediate legal concepts in particular.
5 For example, under <co.uk> domain names are registered at the third level.
6 See in general Mueller M, Ruling the Root: Internet Governance and the Taming of Cyberspace (MIT Press 2002).
7 See below Section 3.
On the basis of this framework, the subsequent sections discuss a number of
possible hypotheses about a right to a gTLD. Would it make sense to say that the
gTLD is delegated, in the legal sense, to the TLD holder? This hypothesis is rejected
in section 5. Thereafter it is discussed whether a right to a gTLD can be conceptualized differently or, indeed, if there is a possibility that a TLD holder does not acquire any right in the TLD. As elaborated in section 6, there are a few arguments for
denying the TLD holder any right to a TLD, but these do not carry much weight
in the current phase of the development of the DNS. The search for an adequate
concept to conceptualize a right in a gTLD continues with section 7, which examines whether there can be a property right in a TLD, and section 8, which focuses
on a possible contractual license to use the TLD. Both of the above hypotheses are
promising, but ultimately cannot provide an adequate conceptual clarification.
As explained in section 9 we are therefore left with the notion of a “designation” as Registry Operator as the most promising conceptual basis for a gTLD
right. This notion, it is argued, provides the only foundation for a gTLD right that
can be based on the text of the Registry Agreement. Conceptually, it is a rather
unclear notion, but it does seem to have at least two important consequences. First, as explained in section 10, while it does not give the TLD holder a
subjective right to the insertion of the TLD in the DNS, it does oblige ICANN to
support this step, within the limits of its authority. Second, as presented in section
11, the designation as Registry Operator has a number of exclusionary effects,
which are likely the most valuable element from the perspective of TLD holders.
On this basis, section 12 concludes that we can begin to discern the contours
of an emerging gTLD right. This right has its basis in the Registry Agreement
with ICANN, and it is not a classical intellectual property right. Nevertheless,
the gTLD right, if we choose to use this term, gives the TLD holder a relatively
comprehensive ability to exclude others from the TLD, and this ability has both
factual and legal components. While the introduction of the term “gTLD right”
is not without complications and possible pitfalls, because it could lead to confusions with intellectual property rights, it could nevertheless be used to describe in
summary fashion the bundle of rights a successful TLD applicant acquires.
3 The Internet root and TLD delegation
This Section highlights some of the key organizational and technical concepts
that are commonly used to describe the management of the DNS. The DNS is
used by anyone viewing a web page or sending an email, but these acts require
virtually no knowledge of the underlying technical architecture and organizational arrangements in place to ensure its functioning.
Put briefly, domain names are alphanumeric strings used to name computers
on the Internet.8 As a first approximation we can say that this naming system is
necessary for the use of the Internet, because every computer must have a unique identifier. Internet navigation is primarily based on domain names and IP
(Internet Protocol) addresses, but the latter are for most practical purposes hidden behind the former. The use of domain names is relatively user-friendly, at
least compared with IP addresses such as 10.255.255.255.
The dominance of domain names has in recent years been somewhat threatened by alternative and complementary modes of Internet navigation, such
as through search engines, apps, social networks and graphical QR codes.
Nevertheless, domain names currently still have a central function for a number
of Internet applications, not least WWW navigation and the addressing of emails.
Moreover, domain names also have an important role in facilitating users’ trust,
which is particularly important in the context of, for example, financial services.
Internet users may memorize or at least recognize some domain names, and use
this to distinguish between genuine and fraudulent websites.
For practical reasons, the domain name system is structured hierarchically.
The top level of the hierarchy is at the end of the name, reading from left to right.
Thus, the domain name <www.icann.org> has as its top level the TLD <.org>.
The second level of <www.amazon.com> is “amazon”. Each name designates a
domain. This simply means that, functionally, a name server points to an IP address when queried for a name in the domain. Thus, the root servers point to the
IP address for “.com”, and name servers for the latter point to the IP address for
“amazon.com”.
The domain name system represents an island of hierarchy in an otherwise
largely non-hierarchical and widely distributed Internet. The creation of a new
TLD involves at its core the addition of the TLD string to the Internet’s “root”.9
ICANN uses the term “delegation” for the “process through which the root zone
is edited to include a new TLD, and the management of domain name registrations under such TLD is turned over to the registry operator.”10
In essence, successful TLD applicants become registry operators for their respective TLDs. In this role they have authority over the TLD, within the limits set
by ICANN. For example they can allow or disallow registration of domain names
under the respective TLD, usually via a registrar (i.e., a third party domain name
retailer). For instance, the registry operator for the TLD <.london> can contract
with registrars to sell domain names such as <pizza.london>. Presumably, the
registrant for such a name could be a pizza baker in London. Another example of
the use of the TLD is when a brand holder registers one of its products within its
TLD, for example <prius.toyota>.
Conceptually, the management of the top level of the DNS is thus characterized by a focus on the role of a “Registry Operator”, which the respective actor assumes contractually in a Registry Agreement,11 followed by a “delegation”. We are
particularly interested in the legal position of Registry Operators, which we will
call “TLD holders”. The difference in naming reflects the specific perspective of
this paper. ICANN primarily focuses on the role Registry Operators fulfil in the
management of the DNS. From the technical and management perspectives, the
role of Registry Operator is therefore an adequate conceptualization. However, if
we shift perspective towards the legal and economic position held by these actors,
it might be useful to speak of “TLD holders” rather than of “Registry Operators”.
We are interested in the rights, if any, held by the TLD holder, both from a legal
and an economic perspective.
From an economic perspective applicants likely consider the TLD a significant investment in an Internet-related asset. An application for a TLD is a very
costly process, but if it is successful the TLD will offer a potentially valuable advantage—visibility at the highest level of the domain name system. Each application requires the payment of an application fee of US$ 185,000 plus significant
additional costs of preparing the application. Why would anybody invest these
amounts, if they did not expect to receive a clear benefit from acquiring rights in a
TLD? Applicants for names such as <.toyota> and <.ibm> probably see the investment in a TLD as the acquisition of an asset that improves the visibility of their
brand name. While it is technically correct to say that Toyota assumes the role of
Registry Operator for the TLD <.toyota>, involving a delegation of the TLD in
the Internet root, this description fails to clearly identify the economic function
of the transaction, at least from the applicant’s perspective. After the delegation,
the “Registry Operator” seems to have an asset or a resource—the TLD—it did
not have before, but this aspect is under-communicated in the technical language.
Therefore, the term “TLD holder” will here be used for a successful gTLD applicant that is awarded a TLD contract.
The term “TLD holder” is intended to be a neutral label for the entity that
is awarded a TLD (i.e., the Registry Operator), but the term does not clarify
what legal position this entity has. The nature of this position is addressed in the
following.
8 Mueller M, ‘Toward an Economics of the Domain Name System’ in Cave M, Majumdar SK and Vogelsang I (eds), Handbook of Telecommunications Economics Volume 2, Technology Evolution and the Internet (Elsevier 2005).
9 In RFC 1034, Mockapetris writes: “Once an organization controls its own zone it can unilaterally change the data in the zone, grow new tree sections connected to the zone, delete existing nodes, or delegate new subzones under its zone”, see Mockapetris PV, ‘Domain Names Concepts and Facilities’ (RFC 1034, 1987) <http://tools.ietf.org/html/rfc1034.html>. Regarding the importance of the Internet root, see Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace. There are, in fact, many root servers but the authoritative one is operated by Verisign, under a contract with the US Department of Commerce, see further Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace, 47. Regarding the Verisign Cooperative Agreement see the website of the National Telecommunication and Information Administration (NTIA): http://www.ntia.doc.gov/page/verisign-cooperative-agreement, last visited 30. 09. 2013.
10 See ICANN’s new gTLD glossary, available at <http://newgtlds.icann.org/en/applicants/glossary>, last visited 16. 09. 2013.
11 See below, Section 8.
4 Intermediate concepts in legal reasoning
The answer to the question ‘what is the legal position of a TLD holder?’ will likely
contain one or more legal concepts. Before starting the search for a possible answer to the question, we should therefore take a step back and reflect about the
function(s) of concepts in legal reasoning.
Legal concepts have a central function for the communication of legal rules,
and they provide the semantic basis for legal argumentation and decision-making. Legal reasoning requires us to use a set of basic concepts such as obligation
(‘shall’), prohibition (‘shall not’), ownership and right, to mention just a few. In
addition, lawmakers and contract drafters often see the need to specify exactly
the meaning of certain terms that are relevant for a given context, and lawyers
and legal theorists spend a great deal of their time discussing conceptual issues.12
In the context of Internet TLDs, many of the concepts have a technical rather
than a legal origin. Yet when we explore the legal position of TLD holders, we require concepts that are related to a conceptual framework with relevance to legal
norms. The legal position of a TLD holder could be denoted by using notions such
as delegation, exclusive monopoly, property right, license, or perhaps even “gTLD
right”. As a first approximation, we are therefore not looking for basic operators
such as the deontic notions of obligation or prohibition. We are more likely to
find useful concepts amongst the category termed “intermediate legal concepts”.
Intermediate legal concepts are useful and important in legal reasoning, and the
Danish scholar Alf Ross has famously illustrated this with the concept of “Tû-Tû”.13
Ross exemplifies the idea of intermediate legal concepts by introducing a native tribe on a distant island, which, according to anthropologists, endorses two
kinds of rules.14 The first set are rules that state under what conditions something
is, or becomes, ‘tû-tû’. In Ross’ example, if someone in the tribe has eaten the
12 See, e.g., Eng S, Analysis of Dis/Agreement with Particular Reference to Law and Legal Theory
(Kluwer Academic Publishers 2003).
13 Ross A, ‘Tu-Tu’ [1957] Harvard Law Review 812-25.
14 See further, Sartor G, Legal Reasoning: A Cognitive Approach to the Law (Springer 2005), 553.
chief’s food, they have or are tû-tû.15 The second set of rules states further normative qualifications or positions that are determined by having ‘tû-tû’. Conceptually,
‘tû-tû’ can be exchanged for a variety of intermediate concepts, such as ‘ownership’, which have an intermediate function in the sense that they combine a set of
circumstances and legal consequences. You own something because you bought
or inherited it, or somehow lawfully acquired it through some other circumstances. And the ownership has certain legal consequences for you—it gives you
the legal power to transfer the ownership to somebody else, and the permission
to throw it away. It is characteristic for intermediate concepts that they can be
omitted from legal reasoning. Thus, for example, you could say that you bought
something and therefore you are allowed to discharge yourself of it, without even
mentioning the intermediate concept of ownership.
The intermediate concept we are looking for in the context of TLDs is simply
a semantic notion that summarizes the conditions under which a TLD holder
achieves some kind of legal position, and the legal consequences this position
implies. It should, however, be noted that we are addressing this at a different level
of abstraction and in a different legal context than the one in Ross’ theory of intermediate concepts. We are not looking for an anthropological concept, and we are
not focusing on a concept that is generally recognized as valid within a specific
legal system. Rather, we are looking for an intermediate concept to summarize
the primarily contractual basis and consequences of the position of TLD holders
within the global context of the Internet.
In the search for a possible intermediate legal concept to adequately describe
the TLD holder’s legal position we will refer to the technical context of the DNS,
as well as the contractual language governing the use of the TLD. Thus, we will
study both the global Internet community’s understanding of “delegation” and
examine in detail the contractual foundation of the relation between ICANN and
respective TLD holders.
5 Delegation
The first candidate for an intermediate concept is “delegation”. Is it adequate to say
that a TLD holder is delegated the TLD?
This concept has a long history in the management of the DNS; it was introduced during the development of the DNS as a distributed system. As mentioned
above, the technical term delegation refers to two distinct aspects:16 The first is the
editing of the root zone file, where the TLD is introduced. And second, through
delegation the management of domain name registrations under a TLD is finally
‘turned over’ to the registry operator.
15 Ross, ‘Tu-Tu’ above n 13, 813.
16 See ICANN’s new gTLD glossary, available at <http://newgtlds.icann.org/en/applicants/glossary>, last visited 16. 09. 2013.
Before we address the legal notion of delegation, we first need to consider one
possible question about the technical notion of delegation. What does it mean
that the management of the TLD is ‘turned over’? Does this only refer to the factual possibility to register domain names under a TLD? Or does this also include
the contractual transfer of the responsibility for the TLD? It follows from the
sequence of events in a typical delegation, that the management of the TLD is not
turned over when the formal agreement for the TLD is signed.17 This is because
the signature of the agreement actually happens before the editing of the root, so
on the day of signature the TLD still does not ‘exist’ in the Internet. Functionally,
the management of the TLD is therefore first turned over to the registry operator
when the TLD is inserted into the root and points to the registry operator’s name
server. Thus, the technical concept of delegation focuses only on the immediate
change in the DNS.
The next question is whether delegation can also be a meaningful concept
to understand the legal position of the TLD holder. Would it be adequate to say
that the TLD holder is being delegated a TLD, in the legal sense? Delegation is
an intermediate legal concept that is used in a variety of contexts. It usually implies a transfer of a bundle of normative positions from a delegator to a delegate.
Depending on the context, the transfer may include legal authority, obligation,
and sometimes perhaps also permission. In other words, the delegate becomes
authorized or responsible for a delegated act, and the delegation usually includes any powers or permissions needed for executing it. In law, the concept of
delegation is used both in contracting—where the power can be delegated—and
in the context of managing hierarchical structures. Both of these contexts are
considered below, in order to assess whether delegation is an adequate concept to
describe the legal consequences of a successful TLD application.
The contractual nature of the relation between ICANN and the registry operator might lead some to the mistaken impression that the registry operator becomes an agent of ICANN through a delegation of power. However, there is
no support in the Registry Agreement for such an interpretation. We will return
to examine the contract language below, but for now it suffices to state that no
part of the contract supports the delegation of agency power. Google and Toyota,
which both will have their own TLDs, will manage the TLDs on their own behalf
and will not become ICANN’s agents.
There is also a second context in which delegation is a meaningful legal concept. There are hierarchical organizations, such as governments, where competence and tasks can be delegated, usually from the top to lower levels. Conceptually,
this understanding is clearly relevant for the technical management of the hierarchical domain name system. However, it is doubtful whether this concept is
adequate to describe the legal relationship between ICANN and TLD holders. Is
hierarchy an adequate starting point to describe the legal relationship between
ICANN and entities such as Toyota, Google, the Vatican, and the Government of
Switzerland, all of which have applied for new gTLDs? The perspective of hierarchy clashes with the contractual form of the registry agreement, which is agreed—
and sometimes even negotiated—amongst independent parties.
17 See ICANN, gTLD Applicant Guidebook, Section 5, Transition to delegation.
Thus, while the concept of delegation is meaningful both in the DNS context
and in law, it would be misleading to describe the legal consequences of the registry agreement as a delegation of the TLD. Clearly, delegation—in the technical
sense—is a necessary requirement for the use of the TLD by the TLD holder, but
this is something slightly different, so we have to look elsewhere for an adequate
legal concept.
6 No right to a TLD?
So far we have implicitly assumed that TLD holders have some kind of yet unspecified right in the TLD. However, we should also consider the possibility that no
such right exists.
An argument against any right to a TLD could be based on the technical
document RFC 1591 “Domain Name System Structure and Delegation”.18 The
author of this Request for Comments (RFC),19 Jon Postel, was influential in the
development of the domain name system. In Postel’s view, “concerns about rights
and ownership of domains are inappropriate”, because Registry Operators20 are
“trustees for the delegated domain, and have a duty to serve the community.”
Instead of rights, it is appropriate to be concerned about “responsibilities” and
“service” to the community.
From the wording of Postel’s memo it is not immediately clear whether this
claim is made primarily as a descriptive statement or as a normative statement
about what ought to be the rule, or both. In any case it should be mentioned that
this memo was written in 1994, which almost counts as ancient history in the
Internet context. Its precise legal status is uncertain. In the meantime, there have
been instances where country code TLDs, such as <.tv>, were sold by a Registry
Operator to a third party. Moreover, ICANN’s application process for new TLDs
may have created some expectations amongst applicants that they will indeed receive at least some rights in TLDs after a long and costly application process that
can involve the transfer of large amounts of money in an auction.
18 Postel J, RFC 1591 Domain Name System Structure and Delegation (1994).
19 This RFC does not specify an Internet Standard of any kind; it was simply intended as a “memo
[that] provides information for the Internet community.” In general, RFC documents are useful in drafting Internet standards and launching new ideas, see Alvestrand H and Lie HW,
‘Development of Core Internet Standards: The Work of IETF and W3C’ in Bygrave LA and Bing J
(eds), Internet Governance: Infrastructure and Institutions (Oxford University Press 2009).
20 Postel speaks of TLD holders not in the current ICANN terminology of “Registry Operators”,
but as “designated authorities”.
Thus, it would be at least counterintuitive if a TLD holder were awarded no
degree of protection in ICANN’s management of the DNS. Yet we still need to
establish a basis for a right to a gTLD.
7 Property right
TLD applicants and holders clearly have an interest in a fairly strong protection
of their interest in the TLD. This interest would arguably be best served if they
were to receive some kind of property right. The discussion about property rights
in TLDs is not new, and parallels a similar discourse about property rights in
domain names—as noted below.
Already in 1999 the ICANN Governmental Advisory Committee (GAC) declared that “no private intellectual or other property rights inhere to the TLD itself
nor accrue to the delegated manager of the TLD as the result of such delegation.”21
This assertion does not seem to have been challenged subsequently, but the GAC
did not offer a definition of “property right”, and it did not clarify whether a TLD
holder’s interest in a TLD is protected in some other way.
There is an interesting parallel to this issue in the debate about the legal protection for domain names. It is clear that domain names as such do not automatically constitute classical intellectual property rights, because they usually do not
constitute a copyrightable work, a patentable invention, a trademark or a protectable design, although it may be possible to combine some of these intellectual
property rights with domain names. This does not preclude, however, that the
right to a domain name can be classified as a property right in some legal systems,
as shown below.
Domain names are usually registered through a contract between a registrant
and a registrar or a registry.22 Yet internationally it is not clear whether registrants
thus acquire a property right in a domain name. This is to a large degree due to
the different conceptual frameworks surrounding the domain of property law.
The legal basis for domain names becomes particularly pertinent when a domain
name is somehow challenged by, or transferred to, a third party.
21 ICANN, Communiqué of the Governmental Advisory Committee, Aug. 24, 1999
22 In some contexts, domain names can be registered directly with a ccTLD registry. This is the
case, for example, in Finland.
In the United States, there are court decisions that could be taken as an argument to support an “intangible property” right in domain names. In the case of
Kremen v Cohen & Network Solutions, the US Court of Appeals for the 9th Circuit
decided in 2003 that a registrant has property right in a domain name, and that
this right is accordingly subject to conversion. To establish that tort, a plaintiff
must show “ownership or right to possession of property, wrongful disposition
of the property right and damages.”23 The case concerned the hijacking of the
domain name <sex.com> by Cohen, who had sent a fraudulent letter to Network
Solutions, thus achieving the transfer of the domain name.
The Court applied a three-part test to determine whether a property right
exists: «First, there must be an interest capable of precise definition; second,
it must be capable of exclusive possession or control; and third, the putative
owner must have established a legitimate claim to exclusivity.»24 According to
the Court, domain names satisfy each criterion. It is interesting to revisit the
Court’s arguments, because these would generally seem to apply to TLDs too.
The Court argued that, like a share of corporate stock or a plot of land, a domain
name is a well-defined interest. A registrant decides where on the Internet those
who invoke that particular name are sent. Ownership is exclusive in that the
registrant alone makes that decision, based on a legitimate claim to exclusivity.
Moreover the Court pointed to the fact that, like other forms of property, domain names are valued, bought and sold, and they are even subject to in rem
jurisdiction in the US.25
It might be argued that the Court possibly overstated the function of a registration, when it asserted that registering a domain name “is like staking a claim
to a plot of land at the title office. It informs others that the domain name is the
registrant’s and no one else’s.” It might be contended that the registration of a
domain name and an IP address primarily has a technical function, and that the
entry of administrative data in the WHOIS database has numerous, albeit rather
unclear purposes.26 Disregarding this minor disagreement, the Court’s remaining
arguments appear reasonable, if this is the standard for property right.
However, in an international context the question is rather whether this definition of “property right” is universal. It is striking that the intermediate legal
concept “property right” does not necessarily have the same meaning across, or
even within, all legal systems.27 And the economic concept of “property right” can
be different again.28
23 Kremen v Cohen, US Ct. of App. (9th Cir.), 25.7.2003. See also Burshtein S, ‘Is a Domain
Name Property?’ 1 Journal of Intellectual Property Law & Practice 59-63; Rački Marinković
A, ‘Domain Names: Towards a New Form of IP Right’ 6 Journal of Intellectual Property Law &
Practice 632-7.
24 See Kremen v Cohen, ibid. The court quoted G.S. Rasmussen, 958 F.2d at 903.
25 See 15 U.S.C. § 1125(d)(2).
26 See Cojocarasu DI, Legal Issues Regarding Whois Databases (Norwegian Research Center for
Computers and Law 2009).
A comprehensive study of legal and semantic differences between different
concepts of “property rights” across the world is beyond the scope of this article.
A convenient illustration of the differences between the US and Germany can
nevertheless be found in a recent decision by the German Federal Supreme Court
(Bundesgerichtshof). Like the above-mentioned US case of Kremen v Cohen, this
case regarded a situation in which the claimant alleged that the defendant had
taken his domain name, and claimed damages.29 The defendant in this case was
registered in the WHOIS database as the contact person for this domain, and
the claimant wanted to change this registration to reflect his name, instead. In
deciding this issue the Supreme Court considered the kind of right domain name
registrants receive in a domain name. Interestingly, it found that registrants do
not have a property right, or even a similar absolute right under the provisions of
the German Civil Code.
The reasons given in this decision are noteworthy, because they may also have
some relevance for any property rights in TLDs, under German law. In order to appreciate these reasons, we must briefly explain the conceptual framework used here.
Under the German civil code, property is limited to “things”, and domain names lack the required corporal characteristics, so there cannot be a property right
as such (Eigentum) in domain names.30 However, the Civil Code also protects
other similar “absolute” rights against infringement. This is based on a distinction between absolute rights that apply against anybody (erga omnes), and relative rights that apply amongst the involved parties (inter partes).31 Under German
law absolute rights include, in addition to ownership, a catalogue of other rights
including, for example, certain rights in intellectual property, such as holding a
copyright. Examples of relative rights include those conferred by a license to use
intellectual property, applying only amongst the parties. In applying this conceptual framework, the court argued that there exists a contractually based right to
use a domain name, but that this right is relative, akin to a license, rather than absolute, as a property right. The key argument against the existence of an absolute
right was that the registration of a domain name is not legally exclusive, but only
exclusive in the sense that others are technically excluded from the domain name,
because it can only be registered once. The court did not refer to the international
discourse about the role of code,32 or lex informatica,33 in regulating the Internet,
but it might be said that the exclusivity of domain names is based on what in the
US discourse has been called “west coast code” (computer code), rather than “east
coast code” (legal code).
27 Compare the US notion of property right above and the German concept presented below.
28 Regarding the economic concept of property rights see, for example, Posner RA, Economic
Analysis of Law (7th edn, Wolters Kluwer for Aspen Publishers 2007), 31.
29 Bundesgerichtshof, 18.01.2012, Az. I ZR 187/10, <gewinn.de>.
30 Cf. Sections 90 and 903 of the German Civil Code.
31 See, e.g., Brox H, Allgemeiner Teil des Bürgerlichen Gesetzbuchs (18th edn, Carl Heymanns
Verlag 1994) 269.
This classification of a domain name right as a relative right does not mean or
imply that a domain registrant is excluded from protection under German law.
Relative rights are also protected, albeit somewhat more weakly, and there is a
possibility to recover a domain name from somebody who has received it without
legal basis.34 Thus, the conceptual differences in the US and Germany do not need
to lead to different outcomes. The comparison of the cases shows that legal consequences are based on a more complex set of rules, and intermediate concepts,
such as ownership, do not necessarily directly determine the outcome of a case.
The outcome can be the same, even though one legal system accepts a property
right, and the other rejects it.
In fact, the German case illustrates why the discussion of property rights of
domain names should be embedded in a specific conceptual framework. The abbreviated account of the decision above omitted that the Supreme Court also discussed the concept of property rights in different legal frameworks, comparing
notions of “property right” in German civil and constitutional law, and European
human rights law. In light of the above conclusion it might appear surprising that
the Court doubted that registrants have a property right to the domain name in
the sense this concept is used in the German Constitution and in the European
Convention on Human Rights and Fundamental Freedoms (ECHR). These instruments employ a different concept of property rights, which do not necessarily
correspond to the concept in civil law. The constitutional (and ECHR) protection
of property covers both absolute and relative rights, and jurisprudence under
both instruments has concluded that domain registrations can constitute property, or “possession”.35
Thus, it is difficult to discuss the intermediate legal concept of property rights
in the abstract, detached from the conceptual framework of a specific legal context.
In any case, the new gTLD Agreement explicitly foresees in Section 7.12 that
it shall not be construed as establishing or granting any property ownership rights
or interests in the TLD string. On the other hand it follows from the context of the
gTLD program that TLD holders are likely to acquire some other type of legally
relevant position. Therefore, the next sections discuss at a concrete level what
right, if any, a TLD holder acquires through a successful application for a TLD.
32 Lessig L, Code Version 2.0 (Basic Books 2006).
33 Reidenberg J, ‘Lex Informatica: The Formulation of Information Policy Rules through
Technology’ 76 Tex L Rev 553.
34 The <gewinn.de> decision is a case in point, see above, n 29.
35 European Court of Human Rights, Paeffgen GmbH v Germany, 18.09.2007; German Federal
Constitutional Court, GRUR 2005, 261, <adacta.de>.
8 License
The next hypothesis to be examined is that TLD holders might get a contractual
license to a TLD. We know of licenses in many comparable contexts, including,
for example, the use of a frequency in the electromagnetic spectrum for purposes
such as broadcasting or wireless telephony. Government agencies can use licenses as a form of regulation that allows the agency some control over a licensee.36
These notions of “license” fit well with a dictionary definition of “license” as permission granted by a competent authority to engage in a business or occupation
or in an activity otherwise unlawful.37 In addition, we use the term license outside
the regulatory context, for example when certain usage rights in intellectual property are licensed.
The concept of license is attractive in the domain name context, because it
could enable us to conceptualize ICANN as analogous to a regulatory agency for
the domain name system. Much of ICANN’s management of the domain name
system shows similarities to government regulation, despite ICANN’s legal form
as a private, non-profit corporation established under the laws of California.38
Moreover, the gTLD Registry Agreement also includes some language that
could be interpreted to award a license. According to its section 2.1, a Registry
Operator shall be entitled to provide specified “Approved Services”. An entitlement to provide Approved Registry Services could be interpreted as a license. It
could signify that the TLD holder is licensed to provide Approved Services, and
this could potentially be the entitlement for which TLD applicants are prepared to
pay large amounts of money. However, a detailed reading of this license might be
slightly disappointing for prospective TLD holders. Initially, we should note what
is not included amongst the Approved Services: The Registry Agreement does
not offer the TLD holder a general license to use the TLD. Instead, the Registry
Agreement lists a number of very general services, such as the receipt of data from
registrars, the dissemination of zone files and the operation of DNS servers.39
36 Flanagan A, ‘Authorization and Licensing’ in Walden I (ed), Telecommunications Law and
Regulation (Oxford University Press 2012).
37 “License.” Merriam-Webster. Merriam-Webster.com. Last visited 23 Sept. 2013. <http://www.merriam-webster.com/dictionary/license>.
38 ICANN is sometimes compared with a government authority, and Weber and Gunnarson have
even suggested to embed ICANN in a constitutional framework, see Weber RH and Gunnarson
RS, ‘A Constitutional Solution for Internet Governance’ 14 Colum Sci & Tech L Rev 1.
39 ICANN, New gTLD Registry Agreement (2013), Section 2.1.
These are clearly relevant to the operation of a TLD Registry yet they do not explicitly give the TLD holder any specific right in the TLD. Moreover, it is striking
to note that none of the listed services would normally require any permission.
Absent an explicit prohibition, TLD applicants such as Toyota, Google or the
Vatican do not need ICANN’s permission or approval to provide any of these
Approved Services. Granted, without the delegation40 of the respective TLD, say
<.toyota>, the TLD holder could not provide Approved Registry Services for the
respective TLD in the official Internet root.41 Yet this practical barrier must be
distinguished from the legal question of whether it would be forbidden to provide these services. No such general prohibition seems to exist. If an organization
does not have the TLD <.toyota> in the official Internet root then this is simply a
practical barrier. This neither makes it illegal to receive data from Registrars, nor
to operate DNS servers. We need to distinguish between the permission to provide services and the factual possibility to provide them, due to Internet architecture, or code, in Lessig’s terminology.42 The latter point is particularly pertinent
because there are in fact alternative roots, outside the official ICANN-sanctioned
Internet root, where registry name service could be provided without ICANN’s
consent.43 For example, there is an existing <.shop> TLD in an alternative DNS
root.44 It is worth noting, though, that the use of such alternative roots is not
particularly attractive due to the lack of networking effects—few users can be
reached through an alternative naming system that is not widely used.45 In summary, the provision of Approved Services would be possible and lawful, without
any need for a license, but it would be fairly unattractive without access to a TLD
in the official Internet DNS.
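The technical notion of delegation discussed in Section 5, and the alternative-root point made in this section, can be made concrete with a small model. The following Python is an added example written for this edition; it is not code from the article, from ICANN or from IANA. The zone contents, name server names and addresses are constructed, and the resolver is a simplified walk of NS referrals rather than a real DNS implementation. It shows that a registry operator’s zone can exist and be served before any root lists it, that queries through a given root only reach that zone once the root carries an NS record for the TLD, and that a differently edited (alternative) root can resolve a string such as <.shop> that the official root does not.

```python
from typing import Dict, List, Tuple

# Toy data model (constructed for this example, not real zone files):
# a zone maps a fully qualified, lower-case owner name to its records (rrtype, rdata).
Record = Tuple[str, str]
Zone = Dict[str, List[Record]]

# Zones run by hypothetical registry operators. They exist and could be served
# regardless of whether any root has delegated to them, which is the article's point.
TOYOTA_ZONE: Zone = {
    "toyota.": [("NS", "ns1.registry.toyota.")],   # apex NS set, as a real zone has
    "cars.toyota.": [("A", "203.0.113.10")],       # documentation-range address
}
SHOP_ZONE: Zone = {
    "shop.": [("NS", "ns1.altregistry.example.")],
    "store.shop.": [("A", "203.0.113.20")],
}
REGISTRIES: Dict[str, Zone] = {"toyota.": TOYOTA_ZONE, "shop.": SHOP_ZONE}


def root_zone(delegated_tlds: List[str]) -> Zone:
    """Build a root zone holding one NS record per delegated TLD.

    Inserting that NS record is the 'editing of the root zone file' the article
    refers to: it is the only thing that makes the TLD reachable through this root.
    """
    root: Zone = {}
    for tld in delegated_tlds:
        root[tld] = [("NS", REGISTRIES[tld][tld][0][1])]
    return root


def labels(name: str) -> List[str]:
    """'www.cars.toyota.' -> ['www', 'cars', 'toyota']; the root itself has no label."""
    return [label for label in name.lower().strip(".").split(".") if label]


def resolve(name: str, zones: Dict[str, Zone]) -> Tuple[str, List[str]]:
    """Resolve `name` starting at the root in zones["."], following NS delegations.

    Returns (answer, trail): answer is "A <address>", "NXDOMAIN", or "SERVFAIL" when
    a referral points at a zone nobody serves (a lame delegation); trail lists the
    zone apexes consulted, so the reader can see where authority was handed over.
    """
    parts = labels(name)
    apex, trail = ".", ["."]
    # Walk the cut points from the TLD downward: "toyota.", "cars.toyota.", ...
    for i in range(len(parts) - 1, -1, -1):
        candidate = ".".join(parts[i:]) + "."
        if candidate == apex:
            continue  # a zone's own apex NS set is not a delegation to a child
        ns = [rdata for rtype, rdata in zones[apex].get(candidate, []) if rtype == "NS"]
        if ns:
            if candidate not in zones:
                return "SERVFAIL", trail
            apex = candidate
            trail.append(apex)
    fqdn = ".".join(parts) + "."
    addresses = [rdata for rtype, rdata in zones[apex].get(fqdn, []) if rtype == "A"]
    return ("A " + addresses[0]) if addresses else "NXDOMAIN", trail


def scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Three roots: before the root edit, after it, and an alternative root listing .shop."""
    before = {".": root_zone([]), **REGISTRIES}
    after = {".": root_zone(["toyota."]), **REGISTRIES}
    alternative = {".": root_zone(["toyota.", "shop."]), **REGISTRIES}
    return {
        "cars.toyota. before root edit": resolve("cars.toyota.", before),
        "cars.toyota. after root edit": resolve("cars.toyota.", after),
        "store.shop. via official root": resolve("store.shop.", after),
        "store.shop. via alternative root": resolve("store.shop.", alternative),
    }


if __name__ == "__main__":
    for label, (answer, trail) in scenarios().items():
        print(f"{label:34} -> {answer:16} via {' > '.join(trail)}")
```

Running the block prints NXDOMAIN for <cars.toyota.> as long as the root zone lacks the NS record, an address once the record is inserted, and the same contrast for <store.shop.> between the official and the alternative root. The registry's own zone is identical in all three runs; only the root differs, which is why the article treats the root edit, and not the signature of the agreement, as the moment the TLD is functionally turned over.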
An interesting question is why ICANN elected to include a license to Approved
Services in the Registry Agreement in the first place. This license seems slightly
awkward in the above context. Is this license as meaningless and unnecessary as if
a baker were to offer a license to put butter on the purchased bread? It is not. At a
closer look, this provision in the Registry Agreement does have a clearly relevant
function: It limits the TLD holder’s freedom of action, rather than extending it.
The provision effectively limits the set of Registry Services that can be provided
by a Registry Operator to those listed in the contract. It contractually forbids the
TLD holder to provide other Registry Services not agreed by ICANN. In other
words, if a TLD is delegated, the Registry Operator’s freedom to provide Registry
Services is limited to those listed in the agreement.
40 Delegation in the technical sense, that is, the listing of the TLD in the Internet root.
41 An exception would be the case if a TLD were delegated in an alternative root. See Mueller,
Ruling the Root: Internet Governance and the Taming of Cyberspace, 54.
42 Lessig, Code Version 2.0.
43 Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace, 54.
44 See namespace’s alternative root, www.namespace.us, last visited 30.09.2013.
45 Regarding networking effects in the DNS context see Manheim KM and Solum LB, ‘An Economic
Analysis of Domain Name Policy’ Loyola-LA Public Law Research Paper No 2003-14 <http://ssrn.com/paper=410640>, 47.
This means that the license element in the Registry Agreement does not address whether the TLD holder has any right to the TLD. Concomitantly, this element is not helpful to clarify the kernel of the Registry Operator’s legal interest
in the TLD. Therefore, the subsequent section continues to explore whether such
a right exists.
9 Designation as Registry Operator
TLD applicants may search in vain for an explicit right to the TLD in the Registry
Agreement. The wording of the agreement simply states: “ICANN designates
Registry Operator as the registry operator for the TLD, subject to the requirements and necessary approvals for delegation of the TLD and entry into the rootzone.”46 It may be surprising to note that the concrete implications of this “designation” are not clearly stated in the agreement. One aspect is that designated Registry
Operators count as “contracted parties”, and have special participation rights in
ICANN,47 but this is not likely to be at the centre of gTLD applicants’ interests.
Applicants for gTLDs will likely be most interested in the following two aspects: first (and most pertinently) whether the designation of an applicant as
“Registry Operator” gives this entity a subjective right to have the TLD delegated
(in the technical sense); and secondly the degree to which the designation ensures
an exclusive use of the TLD for the designated TLD holder. These questions are
addressed in the two subsequent sections.
10 No subjective right to delegation
The Registry Agreement does not include a subjective right to delegation, but
ICANN has an obligation to facilitate the delegation, limited in various ways. In
principle, ICANN “shall use commercially reasonable efforts to ensure that the
authoritative root will point to the top-level domain nameservers designated by
Registry Operator for the TLD”. In practice, ICANN’s IANA department has a
process for Registry Operators to submit delegation requests, which are then
verified by ICANN and forwarded to the NTIA.48 However, this applies only
“[to] the extent that ICANN is authorized to set policy with regard to an authoritative root server system”, and this authority depends on the above-mentioned
IANA contract.
46 New gTLD Registry Agreement, Form Approved by ICANN’s NGPC 2 July 2013, Section 1.1.
47 See, e.g., Article X, Section 3 of ICANN’s Bylaws.
48 See User Documentation on Delegating and Redelegating Generic Top-Level Domain (gTLD),
available at http://www.icann.org/en/resources/registries/gtld-drd-ui-10sep13-en.pdf, last visited 30 September 2013.
If a Registry Operator were given a right to the delegation of a TLD then
ICANN would be obligated to delegate the TLD. The reason for not including
such a right in the Registry Agreement is arguably that ICANN does not have
the power to make direct changes to the Internet’s root servers—it can only make
a recommendation. This issue requires a closer look at the practical handling of
delegations, and ICANN’s limited role in these. In addition to ICANN, a delegation involves the NTIA of the US Department of Commerce, and the private
corporation Verisign, Inc.
A comprehensive description of this collaboration between the NTIA and,
respectively, ICANN and Verisign is beyond the scope of the present article.
However, in short and slightly simplified, the control over the authoritative Internet
zone file is based on a triangular contractual relationship between the NTIA and,
respectively, ICANN and Verisign. Verisign hosts the authoritative root server—
and holds the function of root “zone publisher”49—under a contract with NTIA.50
Thus, Verisign effectuates ICANN-authorized changes to the Internet root zone
file, as instructed by the NTIA. The relationship between ICANN and the NTIA
is specified in the so-called “IANA functions contract”. Under this contract,
ICANN fulfils the function of Internet Assigned Numbers Authority (IANA).51
To summarize, ICANN cannot directly insert a TLD into the root zone file, and
any obligation to do this would be in vain.
According to the IANA contract, ICANN cannot delegate a gTLD itself, but it
can “submit its recommendations” to the NTIA.52 Thus, there is no certainty that
the NTIA will follow ICANN’s recommendation. The exact limits of the NTIA’s
discretion on the matter are far from clear, but it would appear that the NTIA
could at least assess whether ICANN has fulfilled its contractual obligations. The
IANA contract explicitly states that ICANN has to provide documentation to
support the fulfilment of two cumulative criteria.53 First, ICANN has to verify
that it followed its own policy framework. This provision appears as a first safety
net, as it would seem to give the NTIA at least the power to reject delegation
recommendations that were adopted by ICANN in clear conflict with its own
policy framework. The provision explicitly mentions that this includes whether
the “process provided the opportunity for input from relevant stakeholders”, so
lack of an opportunity to provide input could lead to a rejection.
49 See, e.g., Stéphane Van Gelder, blog post Is the Risk Real With the New gTLD Program? (An
Interview with Verisign), dated 26.09.2013, available at circleid.com, see http://www.circleid.com/posts/20130926_is_the_risk_real_with_new_gtld_program/.
50 See above, n 8.
51 The IANA Functions Contract is documented on the NTIA website http://www.ntia.doc.gov/page/iana-functions-purchase-order, last visited 30.09.2013. See further Kevin McGillivray,
Transfer of the IANA Functions Contract into a Cooperative Agreement (unpublished).
52 IANA contract, ibid, Section C.2.9.2.d.
53 Ibid.
The second criterion of the same provision54 offers the NTIA yet another safety net, as ICANN also needs to verify that the recommendation “was supportive
of the global public interest”. This open-ended criterion could potentially be used
to reject a number of unpopular gTLD delegation requests, because the concept
of “global public interest” opens for a variety of possible considerations. This is
not the place to discuss the NTIA’s powers regarding a delegation recommendation. It suffices to conclude that ICANN lacks the power to effectuate a delegation,
and that the success of a delegation recommendation can be somewhat uncertain,
although the NTIA can perhaps be expected to act upon most gTLD delegations.
This procedural uncertainty is perhaps somewhat under-communicated in the
context of the Registry Agreement’s designation as Registry Operator “subject to
the requirements and necessary approvals for delegation of the TLD”.55
It follows from the above that the designation as Registry Operator should not
be interpreted to convey a direct subjective right to have a TLD delegated. On the
other hand, the designation implies some level of exclusivity, which is addressed
in the next section.
11 The exclusionary effect of a TLD
In a sense, the designated Registry Operator receives a global exclusivity to the
TLD for the time of the contract duration, which normally can be renewed for periods of ten years. Once one entity has been designated as the Registry Operator
for a TLD, no other entity can achieve the same status.
This means that the respective TLD holders for <.merck> and <.app> are in
practice protected against claims by other entities that also wish to acquire this
TLD. This is an important point, particularly when several entities have an interest in the same name. At the time of writing, both the US and the German brand
holders of “Merck” are applying for <.merck>, and they are essentially competing
for the indefinite right to exclude the other from using that TLD.56 Similarly, the
TLD <.app> is in fact the most applied-for TLD, with originally 12 applicants.57
Contentious applications for the same TLD string are resolved based on a combination of decision-making procedures, including priority due to legal rights or
relevant community support, but can ultimately be decided via an auction.58 It
is outside the scope of this paper to describe the selection process, but it seems
relevant here that the winning applicant can in some sense exclude all other interested parties from the TLD. This means that no other entity can compete for the
status of Registry Operator during the duration of the Registry Agreement, and
as long as the agreement is prolonged.
54 Ibid.
55 New gTLD Registry Agreement, Section 1.1.
56 See ICANN’s overview page of gTLD application results, https://gtldresult.icann.org/applicationstatus/viewstatus, last visited September 22nd, 2013.
57 Some of these applicants have withdrawn in the meantime, see ibid.
The exclusivity of the TLD holder goes even beyond protection against identical TLD applications, and includes similar applications. The rules for the 2012 application process included two procedures to minimize the possibility of confusion between similar strings. First, all applied-for TLD strings were automatically
examined for visual similarity with both existing TLDs and other applications.59
In addition, all existing TLD holders could file an objection for “string confusion”
between an applied-for gTLD and the TLD that it operates.60 Thus, for example, Verisign has filed objections against applications for <.cam>, due to similarity with its TLD <.com>. Due to inconsistent decisions and surprising outcomes of some string similarity assessments, this topic is currently highly debated in ICANN circles.61 However, regardless of these current problems it is noteworthy
that TLD holders have a possibility to defend their TLDs against applications for
similar strings, and this gives them a much more comprehensive right to exclusivity than in the context of simple domain names.
It does not imply, on the other hand, that all other interested parties are excluded from registering domain names in the TLD through a registrar. The possibility to register domain names is an independent, second question. The answer to the latter question depends on whether the TLD is operated as an open
TLD, where registration via registrars is possible, or as a closed TLD, often called
“<.brand>”, where domain names can only be registered for the TLD holder. An
example of the latter group is <.toyota>, which will only be open to registrations
from the automobile manufacturer.
Yet even with this caveat the exclusionary effect of a TLD registry agreement is relatively strong. A TLD holder thus receives some element of global exclusivity for the TLD at the top level of the Internet naming system. This exclusivity is a practical consequence of having a TLD, rather than based on a legal right. By comparison, a trademark holder receives a legal right to exclusivity, but this is limited to a specific geographical area and a particular context. The trademark holder has a legal monopoly right to use the trademark commercially, which means that this right is broader in scope than the exclusivity inherent in a TLD. The TLD holder can only practically exclude others from holding the role of TLD Registry Operator for the respective TLD, and has a procedural possibility to defend the TLD from similar TLDs. The TLD holder has a limited policy authority over the TLD, but it does not have an exclusive right to register domain names in the TLD, except if it is closed.
58 ICANN, gTLD Applicant Guidebook, Module 4.
59 See ICANN, gTLD Applicant Guidebook, Module 2, Section 2.2.1. In the 2012 application round this led, for example, to the finding that the applications for <.unicom> and <.unicorn> were too similar, so they were added to a contention set that resolves competing applications.
60 See ICANN, gTLD Applicant Guidebook, Module 3, Section 3.2.2.1. String similarity is amongst the most contentious issues of the current TLD application round, after the panels rejected similarity between singular and plural versions.
61 This issue is still under debate; see Kevin Murphy, blog post “ICANN looking into string confusion confusion” at domainincite.com, dated 18 September 2013, available at http://domainincite.com/14512-icann-looking-into-string-confusion-confusion.
12 Conclusion: The Contours of a “gTLD” right?
The above discussion has shown that the legal position of a TLD holder is multifaceted and fairly complex. Nevertheless, it would be misconceived to conclude
that a TLD holder is without legal protection.
Based on the above we can begin to see the contours of an emerging legally relevant position, and for lack of a better name we could call it a “gTLD right”. This
right is contractual in nature, of limited duration but renewable,62 and contains a
bundle of rights. At the centre of this bundle are ICANN’s obligation to facilitate
a delegation, and some measure of exclusivity of a TLD. In addition, the TLD holder has special participation rights in ICANN’s organs.63 This bundle of rights is
subject to a number of restrictions expressed in the Registry Agreement, and can
be further regulated through new policies to be adopted by ICANN in the future.64
The expression “gTLD right” is here used to describe the bundle of rights a
TLD holder receives. The proposed notion is an intermediate concept that connects a number of conditions and legal consequences. It is typical for intermediate concepts that the concept itself can be omitted in legal reasoning. For example,
it would be possible and useful to connect the exclusivity consequences of a TLD
directly to the successful completion of a TLD application. If one were to use the
phrase “gTLD right”, this would simply provide a name for the intermediate status
of having a TLD. Given the descriptive intent here, it is not meant to convey any
normative argument about what rights a TLD holder ought to have. Nevertheless,
like all descriptive concepts, it could be used as a basis for a normative discourse,
for example, about the future of TLD management.
62 According to Section 4.2 of the Registry Agreement (above, n 39), the agreement will be renewed for successive periods of ten years, except in cases of fundamental material breach.
63 For example, the ICANN Generic Names Supporting Organization’s Council has a special house
for contracted parties, where Registry Operators can have representation within ICANN’s multistakeholder governance processes.
64 See Registry Agreement, Section 2.2.
The specific implications of a gTLD right depend on where in the lifecycle
a TLD project is. Initially, applicants for TLDs are likely interested in achieving delegation and fighting off competing applications. Once a TLD has been delegated,
TLD holders may be more interested in the exclusionary effects, and in protecting
the TLD. Given the renewability of the contract, ICANN cannot easily withdraw
the designation except in circumstances warranting a contract termination.
One justification for introducing a new intermediate concept would be the
simple fact that the TLD holder’s legal position currently does not have a name,
despite the significant demand for new gTLDs. On the other hand, the proposed name could be problematic, because it is not used in ICANN documents.
Moreover, the expression “gTLD right” simplifies a fairly complex set of issues,
which could lead to confusion. In particular, it is possible that some might misunderstand the concept of gTLD right to signify the existence of an intellectual
property right.
An alternative to introducing a new intermediate concept would therefore be
simply to refer to the Registry Agreement as the contract that is constitutive for
the TLD holder’s position. However, as the analysis above shows, large parts of
the Registry Agreement primarily focus on limiting the TLD holder’s right to the
TLD, rather than clearly stating the TLD holder’s rights. Moreover, the bundle
of rights and entitlements of a TLD holder includes protection for the TLD that
is based outside the Registry Agreement.65 In particular, the protection against
similar TLD applications and the special participation rights in ICANN’s organs
transcend the ambit of a usual contractual relation. Therefore, the use of the expression “gTLD right” might be warranted.
65 The possibility to protect the TLD against new similar TLDs is not included in the Registry
Agreement, but it follows from the procedures for applying for a gTLD, as specified in the
Applicant Guidebook.
Consumers and international online services.
The Amazon and Netflix agreements1
Olav Torvund
The terms of service of Netflix and Amazon illustrate how consumers are often deprived of rights when they enter into agreements online. It is often difficult to determine where a case should be heard, if at all, and which country's law applies. The result is that it becomes difficult to enforce whatever rights one may have. International agreements are not for amateurs.
Netflix and Amazon
Netflix and Amazon have each, in their own way, illustrated some of the problems consumers may encounter when using international online services. Among other things, Netflix requires in its agreement that customers waive the right to bring a case before the courts and that disputes are to be settled by arbitration in Delaware. In its terms, Amazon reserves the right to delete everything you have bought for the Kindle if, in Amazon's judgement, you have breached any of the licence terms. They do not refund what you have paid for but are not allowed to keep. And they refuse to explain what kind of breach of the licence terms the customer is supposed to have committed. It sounds familiar. It sounds like what Franz Kafka described in the novel «Prosessen» (The Trial). That Amazon reopened the account after media uproar, still without giving any explanation, does not change this.
Netflix has apparently said that they did not intend to deprive Norwegian customers of the right to sue in Norway. But I can only repeat what I usually say when someone says that they did not mean it that way: If you do not mean it, then there is no reason for it to be in the contract.
We must start with a few simple premises. Once you have clicked to confirm that you have read the contract terms and accept them, you are starting uphill. That you did not read the terms before accepting them is your problem. Whether you are in good or bad company when you accept without reading what you accept, I will leave unsaid. But you are in any case in large company. I have read quite a few such terms for professional reasons. But when I act as a consumer, I do as everyone else: I accept without reading the long and often quite unreadable terms.
1 The article is also available on digi.no under the title «Dette er ikke for amatører» (“This is not for amateurs”).
Jurisdiction - where is a dispute to be heard?
A first question is where you are to bring the case. Home advantage matters far more in a legal dispute than in a football match. The party with the power typically demands that the case be heard on its home ground. The question of where any case is to be brought is a question of jurisdiction.
Netflix says that cases are to be settled by arbitration in Delaware. Arbitration is a form of private adjudication widely used in commercial contracts. But it prevents the case from coming before the ordinary courts. In Norway, under section 11 of the Arbitration Act (voldgiftsloven § 11), no advance agreement on arbitration can be entered into in consumer cases, but arbitration can be agreed once a dispute has arisen.
Seen from a distance, we think the USA is the USA, and we laugh at Americans who think that Europe is Europe. They have not even heard of the EEA Agreement! But much of the legislation in the USA is enacted at state level. Delaware is a small state on the east coast. It is known for its company-friendly legislation. That is why a great many companies in the USA are registered in Delaware. For those of us who occasionally visit the USA, it may also be useful to know that Delaware is one of the few states in the USA with no sales tax, so it is a nice place for shopping. But that has nothing to do with online shopping.
Amazon in Europe is a company in Luxembourg. We think we are dealing with a company in England. But there are only English, French, German, Italian and Spanish websites. If we want to sue Amazon in Europe, the case must be brought in Luxembourg, according to Amazon's terms.
As a starting point, the parties to a contractual relationship can themselves decide where a case is to be heard. It may be in one of the countries where the parties are domiciled, but a third country can also be agreed. In international commercial relationships it is not entirely unusual to agree that a case is to be brought in London, even though neither party conducts its business there.
It is the court in which the case is brought that decides whether it is competent or not, that is, whether it has jurisdiction. If a case is brought before Oslo District Court (Oslo tingrett), it is Oslo District Court that decides whether it is the right forum, and the question is decided under Norwegian venue rules. If Oslo District Court were to find that the case belongs before an English court, it will dismiss the case. This can be reviewed within the Norwegian court system, but not by a foreign court. But a Norwegian court obviously cannot order an English court to hear the case. The English court decides that itself.
Likewise, a Norwegian court can decide that it is competent and hear the case, even if the courts of other countries should conclude that the case does not fall under Norwegian jurisdiction.
Getting a judgment is one thing. What the judgment is worth is another question, in practice whether the judgment can be enforced. Some countries have jurisdiction rules that clearly favour their own citizens. It is hardly a surprise that the USA and France are among the countries that go furthest here. Briefly and imprecisely, France has rules which mean that a French person should not have to put up with being sued other than before a French court. And a French person should be able to bring a case against anyone before a French court, wherever in the world the defendant may be. Vive la France!
Should a French person bring a case against a Chinese company before a French court, it will hardly be of any use to turn up in China with the French judgment and demand that it be enforced in China against the Chinese defendant, any more than one can turn up with a Chinese judgment and demand that it be enforced in France.
We have some international conventions on the recognition and enforcement of foreign judgments. The one that matters most in practice for this area is the Lugano Convention, which governs relations between the EEA countries and Switzerland. This is really an extension of the Brussels Convention, later the Brussels Regulation. But these apply only within the EU, so the Lugano Convention is an extension of it. And even though there are not that many EEA countries, all EU countries are parties to the EEA Agreement together with the European great powers Norway, Iceland and Liechtenstein.
Under Article 16 of the Lugano Convention, a consumer can bring a case against a business with which he has entered into an agreement in the country where he lives. And the consumer must be sued in the country where the consumer lives. There are a number of nuances and technicalities here, but I will not go into them further.
In other words, a Norwegian consumer can bring a case against Amazon's European company in Norway, and Luxembourg is obliged under the convention to enforce such a judgment in Luxembourg. But we will be at the mercy of enforcement in the country in question. I know nothing about how effectively consumer rights can be enforced in Luxembourg. But as an example I mention that it has proved difficult to enforce consumer cases against Ryanair, because Irish enforcement of such cases in Ireland is not very effective.
Against Netflix it gets harder. We have no convention governing this in the relationship between Norway and the USA. A Norwegian court would probably consider itself competent and hear a case against Netflix. There is no doubt that Netflix markets itself to Norwegian consumers. That is usually sufficient for a Norwegian court to be able to consider itself competent. This is also the principle applied in the USA, so they have little reason to complain that other countries apply the same rules.
There are probably not that many cases in which consumers in the USA sue online providers outside the USA. But one consequence of so many legal questions being handled at state level is that they have many cases where the question may be whether the case should, for example, be heard in Delaware or Ohio. There is therefore a rich body of case law on this in the USA, without my claiming to know the details in this area.
If you obtain a Norwegian judgment against Netflix, it is by no means certain that you will get that judgment enforced in Delaware. But if Netflix should have assets in Norway or in another country that recognises Norwegian judgments, you may well be able to get the judgment enforced there. And as some Norwegian companies have learned when they have not taken what appear to be meaningless lawsuits in the USA seriously: a judgment given by a court in the USA can usually be enforced against whatever assets they may have in the USA.
Choice of law
But the question of which court is to hear the case is only the first hurdle. The next is which country's law is to be applied. There is nothing to prevent a Norwegian court from hearing a case that is to be decided under, for example, German law. The case becomes more complicated in that the parties must convince the court not only of the facts, but also of what German law is in that case. But we leave that aside. This is a question of choice of law.
A court decides the choice-of-law question under its own country's choice-of-law rules. A Norwegian court will always decide the choice-of-law question itself under Norwegian law. In some areas we have clear choice-of-law rules. Section 3 of the Financial Contracts Act (finansavtaleloven § 3), for example, says that within that Act's scope Norwegian law applies to contracts with consumers. But we have no general provisions on this in the consumer area.
Here there is even less regulation by convention. Within the EU there is the Rome Regulation on the law applicable to contracts. But it is only open to countries within the EU, and there is no supplementary convention for the EEA corresponding to the Lugano Convention. Norway, as an outsider, is therefore not part of this convention.
As a starting point, the parties can agree which country's law applies. The Amazon agreement states that it is governed by Luxembourg law, while the Netflix agreement is governed by Delaware law. Under the Rome Regulation, the main rule for consumer contracts is that the law of the consumer's country of residence is to be applied. It can be agreed that the law of a country other than the consumer's is to be applied, but not so as to deprive the consumer of rights he would have had if the main rule of the consumer's country of residence had been followed.
In a dispute with a consumer in another EU country, Amazon in Europe would have had to accept that the consumer is not placed in a worse position than under the law of his home country. Although there will be no obligations under a convention, it is hard to see that objections could be raised if a country outside the EU relies on the same principle. If a Norwegian court gives judgment, Luxembourg will be obliged under the Lugano Convention to enforce it. I cannot see that the choice-of-law question could be brought into such an enforcement case.
Vis-à-vis a service provider outside the EU, for example in the USA, we will have no such footholds in the choice-of-law question.
Choice of law regarding contract formation
There is also another important question that will have to be decided under the law of the country where the case is brought: Has any binding agreement been entered into? If no binding agreement has been entered into, then there is no binding agreement on jurisdiction and choice of law either, whatever may be stated in what is claimed to be a binding agreement.
The question of whether a binding agreement has been entered into will be dealt with under the law of the country where the case is heard, whatever the agreement may say about jurisdiction and choice of law.
I will not go into the question of contractual invalidity here, only state the completely obvious: If someone points a gun at your head and forces you to sign an agreement in which you waive all rights, that any disputes are to be settled by arbitration in Mafiosistan where your counterparty appoints the arbitral tribunal, and that everything is to be decided under Mafiosistani law, then you have not entered into any binding agreement. A Norwegian court can treat this as if no agreement has been entered into, and apply the rules that apply when nothing else has been agreed.
Will Norwegian law be of any help?
But if a Norwegian court were to hear the case and apply Norwegian law, where do we end up then?
Norwegian law is not necessarily the consumer's salvation. It is not difficult to find examples of consumers being cheated by Norwegian service providers, and of it being difficult to get anywhere with those cases too. We have no laws regulating this type of service, so we must fall back on general contract and marketing law.
Some years ago I studied the question of letting the Consumer Purchases Act (forbrukerkjøpsloven) also apply to digital services. I concluded that the Consumer Purchases Act ought to apply to these as well. But the Ministry of Justice did not agree. So no bill in line with my views was put forward. Such a law would have given the consumer rights in the Amazon case, where the files are downloaded. But a streaming service would fall outside it in any case.
I have little doubt that Amazon's term allowing it to delete all content upon an allegation of breach of the licence terms, without giving reasons and without refunding, would be set aside as unreasonable and contrary to section 36 of the Contracts Act (avtaleloven § 36).
The right to amend the agreement unilaterally and give notice only by posting the changes on the website (Amazon), or with no notice at all (Netflix), will probably not be upheld either. But this goes no further than that you will be bound by the terms you accepted, but not by later changes to the consumer's disadvantage.
Under the Marketing Control Act (markedsføringsloven), the Market Council (Markedsrådet) can prohibit the use of specific contract terms it finds unreasonable. The Consumer Ombudsman (Forbrukerombudet) prepares such cases, and can negotiate with the threat in reserve of bringing the case before the Market Council if no agreement is reached. This was the Consumer Ombudsman's legal basis for taking up the fight against Apple some years ago, a case the Consumer Council (Forbrukerrådet) came out of well. The Consumer Ombudsman has said it will follow Netflix closely. But a decision by the Market Council will only prohibit the use of these terms for the future. It has no effect on agreements already entered into.
Although it is easy to enter into an agreement, click to accept the terms and pay by credit card, international agreements are still complicated and difficult to enforce. They are not for amateurs. When global online shopping is so easy, also for amateurs, it is not surprising that some feel caught in a trap when problems arise.
Legislation at the international level is complicated and takes a very long time. The EU's supranationality makes it somewhat easier to issue consumer protection rules that at least apply within the EU/EEA area. A regulation on consumer protection cooperation has been issued, which has also been made part of the EEA Agreement. The solutions they choose are not necessarily those we would have chosen ourselves. But it at least provides rules that work within its area. There is a long way to go before we have international consumer protection that works as effectively as international online shopping -- if we ever get there.