Yulex 2013
Dag Wiese Schartum and Anne Gunn B. Bekken (eds.)

Yulex 2013
Senter for rettsinformatikk
Avdeling for forvaltningsinformatikk
Postboks 6706 St Olavs plass, 0130 Oslo

Enquiries about this book may be directed to:
Senter for rettsinformatikk
Postboks 6706 St. Olavs plass
0130 Oslo
Tel. 22 85 01 01
www.jus.uio.no/iri/

ISBN 9788272261503
ISSN 0806-1912
Published in cooperation with Akademika forlag
Printed by: AIT Oslo AS
Cover and layout: Akademika forlag

FOREWORD

As in previous years, we have again this year encouraged our researchers to give away an article for Christmas. We have wrapped the contributions up and now send them as Yulex, a Christmas greeting to SERI's many partners and contacts. Several of this year's articles have either been published or presented as lectures in international fora, which shows that the research under way at the centre is of considerable international relevance. But in 2013 we have also contributed important research in Norway, in particular the reports from the so-called «Flåtestyringsprosjektet» (the fleet management project), a collaboration with FAFO. Two of the reports have been published in CompLex (2/2013 and 3/2013) and are available at Complexserien.net. We are pleased to look back on a year of research and teaching activities across a broad front. In Yulex we show some of the diversity of our research, and this year's book has become a surprise package with contents we hope you will enjoy. Merry Christmas and a Happy New Year!

PREFACE

As in previous years, we have encouraged our researchers to give away a paper as a Christmas present. We have wrapped the contributions in Yulex 2013 as a Christmas greeting to the many partners and contacts of the NRCCL. Dissemination is an important part of research. This past year we have particularly improved dissemination in two ways. Firstly, we have prepared new project presentations on the Centre's website. The aim has been to describe projects so that they can create interest both among the general public and experts. In addition, we have established the website Complexserien.net, where all publications in this series are available. The website covers every issue from when the series was started in 1981. Each work will still be available as a book, but we expect that the site will become the main source for this part of our research publications. We are pleased to look back on yet another year of comprehensive and intense research and teaching activities. In Yulex 2013 we serve you examples from the diversity of research issues we work with, and we hope that it has become a surprise package you will enjoy. Merry Christmas and Happy New Year!

Dag Wiese Schartum (Chair of NRCCL)

Contents

Olav Torvund – Can one tamper with the Christmas carols? A note on the protection of classics ... 7
Jon Bing – The dramatist in the digital world ... 11
Maria Astrup Hjort – Digital footprints as evidence in civil proceedings ... 35
Olga Mironenko Enerstvedt – Russian PNR system: data protection issues and global prospects ... 39
Lee A. Bygrave – Privacy as a Cultural Value ... 77
Tommy Tranvik – Control and surveillance in working life ... 81
Samson Yoseph Esayas – Utilizing Security Risk Analysis and Security Testing in the Legal Domain ... 99
Arild Jansen and Svein Ølnes – Benchmarking eGovernment Quality – Whose Quality Are We Measuring? ... 117
Dag Wiese Schartum – Legal definitions and semantic interoperability in electronic government ... 131
Emily M. Weitzenboeck – The contractual network of the Domain Name System ... 147
Tobias Mahler – Would You Like to Own a Generic Top Level Domain? ... 157
Francis Augusto Medeiros – Is '.com' international? The .com gTLD: an analysis of its global nature through the prism of jurisdiction ... 179
Olav Torvund – Consumers and international online services. The Amazon and Netflix agreements ... 227

Can one tamper with the Christmas carols? A note on the protection of classics[1]
Olav Torvund

Before Christmas 2012, Humanist forlag published the book «Når nettene blir lange – julesanger for noen hver». Among other things it contains a de-Christianised version of «Deilig er jorden». At least parts of the Christian community reacted. Can we do whatever we like with such old songs?

«Deilig er jorden» is, like many of our other Christmas carols, so old that it has fallen into the public domain. More than 70 years have passed since the authors died, and the song is no longer protected by copyright. The moral rights too, the right of attribution and the protection against derogatory reproduction, in principle lapse when the work falls into the public domain. We may do as we please without asking anyone's permission.

But in section 48 of the Copyright Act (åndsverkloven) we have the so-called protection of classics (klassikervernet). The first paragraph of that provision reads:

«Even though the term of copyright protection has expired, a work may not be made available to the public in a manner or in a context that is prejudicial to the author's literary, scientific or artistic reputation or individuality, or to the reputation or individuality of the work, or that is otherwise deemed liable to harm general cultural interests.»

In other words, the right of respect nevertheless survives, albeit in a somewhat different form.

[1] Also published at http://blogg.torvund.net/2012/12/21/kan-man-tukle-med-julesangene-littom-klassikervernet/
This is a provision that gives the Ministry of Culture authority to issue a decision prohibiting a specific version of a work; it does not require consent to be obtained before the work is made available. This is a significant difference from the situation where the work is protected by copyright. It is also a significant difference that in practice it is culture bureaucrats, and not a rights holder, who make such a prohibition decision. But the Ministry of Culture can prohibit the making available of the disputed version of «Deilig er jorden» if it considers it contrary to the provision.

In some cases, prohibitions have been imposed on the use of classic works in advertising. This applies among other things to a painting and a sculpture by Michelangelo and a painting by Theodor Kittelsen. But we leave such use aside. The Ministry has also prohibited specific versions of music because they were considered derogatory towards the author and/or the work. The precedents are alarming, even though they are starting to get rather old. Among other things, Duke Ellington's recording of Edvard Grieg's «I Dovregubbens hall» and Arne Domnérus' recording of «Ja, vi elsker» have been prohibited. If one is to look for derogatory versions of Edvard Grieg's music, I personally think that the flattened and vacuous version of «Norsk dans no 2» which NRK uses every Friday as the theme tune of «Norge rundt» is far worse than Duke Ellington. But it should not be prohibited for that reason.

Prohibiting such versions of works that have fallen into the public domain is an interference with freedom of expression. This has been discussed little if at all in the prohibition decisions that have been made. Jimi Hendrix's version of «Star Spangled Banner» from the Woodstock festival could have been in a precarious position had one applied to it the same rules as to Arne Domnérus' recording of «Ja, vi elsker». A national anthem can be performed as a biting critique of the country in question. Many would say that that was exactly what Jimi Hendrix did at the Woodstock festival, at a time when the debate over the Vietnam War was raging at its most intense. Some may experience it as offensive. But it would be highly problematic to prohibit such expressions for that reason. The power to prohibit should be used with the utmost caution, if it should be used at all.

A somewhat special, but not impractical, question is the use of old melodies that have acquired a different meaning from the original one. «Deilig er jorden» has a text by the Danish hymn writer Bernhard Severin Ingemann and is really about a pilgrimage. It was written in a kind of defiant optimism after a period of war, and is really not a Christmas carol. The melody is a folk tune from Silesia, in the border region between Poland and the Czech Republic, written down in 1842. Others must be able to use that melody too. The same applies to «Star Spangled Banner». Its melody is taken from the English drinking song «To Anacreon in Heaven».

Humanist's version of «Deilig er jorden» can be seen as a critique of religion, if in mild form. The blasphemy provision has been repealed. Admittedly, that repeal has not yet entered into force either, because the Ministry of Justice has still not managed to bring the Penal Code of 2005 into force. But it is in a coma and will die once the Ministry of Justice finally does what should have been done long ago.

We have a cartoon controversy behind us. Many in Norway have held that Muslims must put up with people drawing Muhammad, even if they experience it as an insult. Then we must also tolerate that someone rewrites our Christmas carols and other music heavy with symbolism, even if we do not necessarily like the way it has been done. We must dare to trust that the important ones among our traditions are strong enough to withstand someone playing around with them a little. The version of «Deilig er jorden» that we all know will probably last far longer than Humanist's version. As far as I have seen, fortunately nobody has gone so far as to demand that such reworked Christmas carols be prohibited.
Humanist forlag must tolerate criticism, as much as anyone else. Freedom of religion and freedom of expression apply at Christmas too. Our Christmas traditions must tolerate that some people make use of these freedoms. Merry Christmas.

PS. It was bound to come. Finn Folke Thorp responded by writing a Christian version of Nordahl Grieg's «Til ungdommen». Finn Folke Thorp is a name unknown to me. According to Vårt Land he has written the scripts for several episodes of «Hotel Cæsar» and chairs the parish council in Fagerborg in Oslo. According to Vårt Land he was «a little exasperated» when he heard the de-Christianised Christmas carol and decided to «reply in kind». We may think what we like about such things. I agree with Kristin Rosenberg, one of Nordahl Grieg's heirs, that this is «a little childish». Answering a foolish act by committing a corresponding foolish act oneself is never a good strategy. With this Finn Folke Thorp has placed himself outside any discussion of these questions.

But may Finn Folke Thorp freely play around with Nordahl Grieg? The answer is no. Nordahl Grieg died in 1943. Copyright lasts for 70 years after the end of the year of the author's death, that is, up to and including 31 December 2013. Finn Folke Thorp has quite clearly made an adapted version of Nordahl Grieg's poem. He cannot do that without the consent of those who currently hold the rights to it, regardless of whether one considers it derogatory or not. From 1 January 2014, Nordahl Grieg's works will be free. From then on only the protection of classics can give them a certain protection. The symbolic texts of the labour movement are no more sacred than other symbolic texts.

The dramatist in the digital world
A written version of a talk given at the annual meeting of Norske Dramatikeres Forbund on 16.3.2011
Jon Bing

1 Prologue[1]

Tim Berners-Lee studied physics at Queen's College, Oxford, and took his final examination in physics in 1976, aged 21. In 1980 he was hired on a temporary contract as a consultant at CERN[2], the famous European laboratory for particle physics in France near the Swiss border. He himself relates[3] that he became frustrated with the work of keeping track of the connections between people, machines and projects. To solve this problem, he wrote a program he called Enquire Within Upon Everything. The program's name was taken from a book of Victorian advice. My copy of the book is a facsimile of the 82nd edition. When it was published in 1890, 1,910,000 copies had been sold. The book contained brief advice or recipes on everything imaginable, organised in a way that we would probably find confusing. But it is comprehensive. Entry 2274, «English Champagne», begins for example thus:

«Take fifty pounds of rhubarb and thirty-seven pounds of fine moist sugar. Provide a tub that will hold from fifteen to twenty gallons, taking care that it has a hole for a tap near the bottom …»

Fig 1 – the login screen for Enquire … (the screen reads: At SINTRAN III command level, type @(GUEST)ENQUIRE <params> and the system should respond Enquire V x.x Hello!)

The recipe runs to about two columns and is followed by a recipe for «Turnip Wine». One sees how the shadow of English cooking also falls across the pages of this otherwise excellent reference book. And in a way the book became the motto for Tim Berners-Lee's program.

[1] This section builds on Jon Bing, «Building Cyberspace: a brief history of Internet», in Lee A Bygrave and Jon Bing (eds.), Internet Governance: Infrastructure and Institutions, Oxford University Press, Oxford 2009:8-47.
[2] CERN is an abbreviation of Conseil Européen pour la Recherche Nucléaire. The organisation changed its name long ago but kept the short form.
[3] Tim Berners-Lee, Weaving the Web, HarperBusiness, New York 1999:4-6.
The program was written in the programming language Pascal on a Norsk Data S10 machine under the operating system SINTRAN-III, which Tim Berners-Lee characterises as «pretty obscure».[4] But Tim Berners-Lee left CERN when his period as a consultant was over. Norsk Data went bankrupt, and Enquire … was forgotten.

Fortunately Tim Berners-Lee returned to CERN, and together with, among others, Robert Cailliau, he managed to get approval for the purchase of a NeXT computer,[5] and in November 1990 Tim Berners-Lee had finished a program he called WorldWideWeb. The first step had been taken.

Further steps were needed. WorldWideWeb became popular, but the user interface was designed for users with programming skills. At the National Center for Supercomputing Applications at the University of Illinois, Marc Andreessen was working as a student. He created the first browser with a graphical user interface, MOSAIC (1993).[6]

In the spring of 1995 the company Digital Equipment Corporation[7] introduced a microprocessor called Alpha. It made it possible to operate databases very fast, and to demonstrate this, DEC's Western Research decided to index the entire web. The system was called AltaVista and was the first search engine. It was made available to the public in December 1995 with an index of 16 million documents. It was an immediate success; more than 300,000 searches were made on the first day.[8]

By the end of 1995 one had the three main elements that made up what we today refer to as «the Internet»:[9]
• Documents in the page description language HTML, with integrated links that allowed the user to «click» through to other pages.
• A browser with a graphical interface, where a pointing device (e.g. a mouse) could be used to navigate the page.
• A search engine that made it possible to find a website with the information one was interested in by using freely chosen search terms describing that interest, and which were used by the website.

[4] Tim Berners-Lee, Weaving the Web, HarperBusiness, New York 1999:11.
[5] NeXT was made by a company founded by Steven Jobs in the period 1988-1990.
[6] The rights to MOSAIC were owned by the university. Marc Andreessen bought a simple licence to develop this browser further; it became Netscape, which in turn became the basis for Mozilla. Microsoft also bought a licence, and that was the first basis for Internet Explorer.
[7] DEC dominated the market for minicomputers, but a few years later it was to disappear into Compaq, which was then acquired by Hewlett Packard.
[8] By the end of 1996, AltaVista was handling 19 million searches daily. I do not have figures for Google available.
[9] Strictly speaking this is misleading, but nevertheless.

2 From goods to services

One of the metatrends is the transition from goods to services. Goods are characterised by being physical, things one can touch and feel. Services are, in a way, everything else. Without losing ourselves in philosophical questions about where this boundary lies, we can content ourselves with looking at familiar examples.

The most discussed is probably music. Traditionally, music has been traded as goods. In principle one can go back to sheet music, but it is of course gramophone records, tapes, compact discs and so on that are the best-known physical carriers of music. They have been challenged by audio files, which do not have a physical representation in the same way: an audio file is transferred over a network and downloaded to a storage medium (which is physical), from which it can again be uploaded and transferred anew. This confronts rights holders with challenges regarding rights administration, cf. below.

Another main example is film. The reason film came after music is simply that film, moving pictures, requires many more characters to be represented: each picture element must be described with a code for grey tone and three codes for colour (RGB colours: red, green, blue). The picture element must be quite small for the resolution to be satisfactory.
And in addition the film sound must be represented. One then understands intuitively that it takes a stream of an enormous number of numerical codes to get a film to play on the screen. It therefore required the network to have satisfactory bandwidth. Today the network has it, and so video cassettes and compact discs are easily displaced.

Text should really have been the first example, since letters have a compact representation compared with sound and images; traditionally it takes only eight bits (one byte) to represent a letter. There are also good systems for «electronic books», the best known perhaps being Amazon's Kindle. In Norway we can hardly boast of having come very far, and there are several reasons for that. We do, however, have the project Bokhylla.no,[10] run by the National Library on the basis of an agreement with Kopinor.[11] This allows some texts to be downloaded as files, but to safeguard rights, the newest books may only be streamed to the screen.

[10] Cf. http://www.nb.no/Tilbud/Samlingen/Samlingen/Boeker/Bokhylla.no.
[11] Cf. http://www.kopinor.no/brukere/bibliotek/nasjonalbiblioteket/nasjonalbiblioteket-bokhylla.

Dramatists are also affected by this. They are directly affected by the development taking place for film, since a film will often be based on a dramatic work. But in other respects too, technological development is changing the environment in which dramatists work.

3 The traditional remuneration system

3.1 How to construct a remuneration system?

We often discuss the level of remuneration. Somewhat less often we discuss how a remuneration system should be constructed. What criteria should it be based on? The criteria must be chosen so that it is easy to calculate the remuneration in question. And one would like the criteria to be chosen so that increased use or exploitation of the work leads to a correspondingly higher remuneration. Remuneration for drama is calculated in various ways. There are also many variations; in this section we look only briefly at four main examples.

A few words about terminology. When a dramatic piece is played on a stage, a performance for the public takes place. The agreements sometimes use the term «oppføring» (staging); it must be understood in the same way. The agreement also uses the terms «visning» (display) and «visningsrett» (display right).[12] It is certainly easy to interpret this as «performance», but in copyright terminology «display» is something other than «performance». A work is displayed when, for instance, a painting is hung on a wall or a sculpture is set up by a street. It is unnecessary to bring into the agreements a copyright term that is obviously not used in the same sense as in the Copyright Act. Finally, the terms «produce» or «production right» are used.[13] This emphasises that a theatre or another institution has been given the right to carry out the preparation needed to perform the work, but it does not seem to have any meaning beyond «performance». Much can be said for the view that removing the unnecessary terms would make the agreements more accessible, if with less variety in the language.

3.2 The performance agreement

A dramatic work is usually written in order to be performed, and the traditional performance takes place on a stage, at a theatre. To be able to perform a work, the theatre must have an agreement giving it the right to make the work available to the public (Copyright Act section 2). In addition, the performance agreement is taken to also confer a right to limited reproduction: reading copies for actors, direction, set design, prompting and so on. These are traditionally copies produced in a simple manner (often reprography of the original manuscript; nowadays the manuscript usually exists in machine-readable form and can be printed out in a suitable format) and bound rather simply.

[12] Cf. e.g. the protocol items A and C-2.
[13] Cf. e.g. the protocol item A.
The current performance agreement has a traditional design of the remuneration clauses.[14] The starting point is a royalty, calculated on gross ticket revenue (less cloakroom revenue, the levy on free tickets and the contribution to the pension fund).[15] «Royalty» denotes a particular way of calculating remuneration: it is stated as a percentage or share of another amount (the royalty base), which in this case is gross ticket revenue. In this way the remuneration is made use-sensitive: the more people who see a performance, the higher the remuneration to the dramatist.

One can easily work out that a performance with normal attendance and normal ticket prices will give a modest remuneration to the dramatist. The standard agreement has therefore introduced a «basic fee» (grunnhonorar).[16] This is currently set at «263 682 for an ordinary staging». What is meant by the term «ordinary staging» does not appear from the protocol. The protocol defines «full-length work».[17] Under ordinary principles of contract interpretation one would assume that «an ordinary staging» is then something else, since the defined terms are not used. But it may of course also be that the intention was to refer back to the definitions.

The basic fee is to be regarded «as an advance on royalty».[18] This means that no such remuneration is paid until the calculated royalty amounts to NOK 263,682. In practice only very few works will earn ticket revenue high enough for the basic fee to be exceeded and royalty actually to become payable. It also means that even though the remuneration is designed to rise with increased use, in most cases the agreement will function as a fixed-price agreement, where the fixed price corresponds to the basic fee.

The standard agreement also has an important provision that limits the right of performance in time. It applies for only two years from the date of the premiere.[19] After that the right of performance lapses.[20] The rights holder can then negotiate the performance rights with others. This helps to ensure that the full economic return from the work can be obtained.

[14] Standard contract governing agreements entered into from today's date until 31.12.2013 on the use of dramatists' texts in stage productions at theatres that are members of NTO (Norsk Teater- og Orkesterforening).
[15] Cf. the standard contract item 5.
[16] The standard contract item 2, cf. the protocol of 26.10.2012 item B-1.
[17] Works for adults with a performance time of over 70 minutes, for children over 60 minutes, cf. the protocol item A.
[18] Cf. the protocol item A.
[19] Cf. the protocol item C-2-A.
[20] An exception is made for the rare situations where the work has not finished its run at the end of the two-year period, cf. the protocol item C-2-B.

3.3 Drama in book form

Drama is also published in book form. According to the industry statistics of Den norske Forleggerforening, 8,493 copies in the category «plays» were sold in 2011.[21] Sales are thus modest. The traditional form of remuneration for book sales is based on royalty, i.e. a sales royalty calculated on the basis of the retail price, which for the time being is set by the publisher. Traditionally a deduction is made for the «price of the binding», e.g. NOK 30. The result is the royalty base. Traditionally the royalty is 15 % for the first 5,000 copies, rising to 20 % for sales beyond that. But for works that fall under the Arts Council's purchasing scheme for new Norwegian fiction, a remuneration of 20 % royalty is paid from the first book sold.[22] This also applies to drama. In addition, a minimum remuneration is agreed. Traditionally this amounts to 1/3 of the royalty for the first print run.[23] For books under the purchasing scheme the author receives full remuneration for the 1,000 copies purchased and 1/3 royalty for the part of the first print run that exceeds the 1,000 copies purchased.

We recognise the principles: one finds «something» that can indicate the exploitation of the work, and has chosen the number of copies sold. The remuneration is related to a sale, and a total remuneration is accumulated by summing the remuneration for the individual sales. This is supplemented by a minimum remuneration.
But there are many variations and different forms.[24] In our context, however, it is sufficient to note that drama in book form will often be purchased under the purchasing scheme. The remuneration will then be 20 % royalty from the first copy sold, including the 1,000 copies that go to the purchasing scheme. The minimum remuneration consists of the remuneration for the 1,000 copies purchased and 1/3 of the remaining part of the first print run.

[21] Industry statistics 2011, book group 4.1 Norwegian fiction for adults. 2011 is the most recent year for which statistics are available.
[22] Cf. the agreement between Norsk kulturråd, Den norske Forleggerforening, Norsk forleggersamband and Den norske Forfatterforening on rules for the state purchasing scheme for new Norwegian fiction for adults, section 22, first paragraph no. 1.
[23] A print run is the number of copies produced at the same time; with modern printing methods, characterised by publishing on demand, the concept of a print run has become somewhat problematic.
[24] An overview and discussion can be found in Hans Marius Graasvold, Eirik Djønne and Jon Bing, Norsk skribentrett, Universitetsforlaget, Oslo 2006:151-170.

3.4 Drama in radio and television

3.4.1 Introduction

Radio and television are important and traditional areas for the use of drama. Norske Dramatikeres Forbund has agreements on such exploitation. Traditionally one entered into an agreement either to develop a dramatic work for radio or television, or an agreement to exploit a work that was already completed when the agreement was signed. The form of exploitation was well known and the variables few; primarily it was a question of regulating the right to broadcast repeats, typically distinguishing between short-term and long-term repeats.

Norske Dramatikeres Forbund has a framework agreement with Norsk rikskringkasting «concerning the transfer of production and exploitation rights etc. from author to NRK for audiovisual works in the film and television sector».[25] The other writers' organisations also have framework agreements with Norsk rikskringkasting, but these really have a slightly different function. Section 31 of the Copyright Act establishes an extended collective licence for broadcasters. This means that once Norsk rikskringkasting has entered into an agreement with an organisation representing the authors in the field, Norsk rikskringkasting may broadcast published works without obtaining the consent of the author. The rationale is the need for a flexible and quick mechanism for rights clearance. This was the first extended collective licence provision in the Norwegian Copyright Act; it has since been joined by many others. For fiction for adults, for example, Norsk rikskringkasting has an agreement with Den norske Forfatterforening. If Norsk rikskringkasting wishes to broadcast a reading from a novel or short story, it can thus do so without contacting the author (apart from transferring the agreed remuneration).

This provision is of less significance for dramatic works. I do not rule out that the provision may apply, for instance if one wishes to broadcast a play published in book form. But the play must have been published for the provision to apply, i.e. «a reasonable number of copies of the work have, with the consent of the author, been placed on the market» (Copyright Act section 8). Even though a play has been made public[26] through performance, it will less often have been published. For this reason section 31 of the Copyright Act plays a lesser role. But the contractual situation itself also pushes section 31 into the background.
An agreement on a dramatic work for television or radio is usually negotiated in cooperation between dramatist and broadcaster; it is not unusual to go via a synopsis, and it is not unusual to agree a right to break off the cooperation, e.g. if the synopsis is not approved. For dramatic works in radio or television, the agreement will thus govern a work that is not yet completed, or at least not yet made public in any other way.

3.4.2 Norsk rikskringkasting and other broadcasting

There is a fairly comprehensive agreement between Norske Dramatikeres Forbund and Norsk rikskringkasting. The remuneration is based on a calculation in which a basic amount[27] is multiplied by the «number of minutes commissioned».[28] This gives a basic fee (GH). There is further regulation for repeats etc. This remuneration structure tries to preserve the principle that increased exploitation should lead to increased remuneration. But whereas for performance in a theatre one counts paying spectators and calculates a royalty accordingly, for broadcasting one pays per minute, on the obvious reasoning that the longer the playing time, the greater the exploitation of the work. But behind this lurks the setting of the basic amount. I am not aware of what arguments are used in setting it. But it is reasonable to assume that the number of viewers, actual viewing figures where available, or potential viewers, will play a role. So will the finances of Norsk rikskringkasting.

Section 31 of the Copyright Act applies not only to Norsk rikskringkasting but also to others who have a «licence to carry on broadcasting». For a long time Norsk rikskringkasting had a monopoly on broadcasting to the public, but that is now history. During that period dramatists (and other rights holders) had only one possible counterparty for broadcasting, and that counterparty was directly subordinate to the Ministry of Culture.

[25] Radio drama thus falls outside the framework agreement.
[26] Cf. the definition in section 8 of the Copyright Act.
I forhandlinger om vederlag var det nærliggende for rettighetshaverne å trekke inn kunstnerpolitiske argument. Norsk rikskringkasting vedsto seg da også et kulturpolitisk ansvar. Dermed ble vederlagene fastsatt slik at de skulle være «rimelige», selv om partene nok kunne ha ulike syn på hva et rimelig vederlag utgjorde. Etter at åndsverkloven § 31 åpnet for at også andre kunne benytte avtalisensen, er det – så vidt meg bekjent – ingen andre kringkastere som har benyttet denne muligheten. Disse kringkasterne forhandler altså i hvert enkelt tilfelle med rettighetshaverne, og det er ikke noen rammeavtale som regulerer vederlaget. I en viss utstrekning vil avtalen inngås med et produksjonsselskap som så i sin tur inngår avtale med kringkasteren. Rammeavtalen pkt 3.2 angir den rett Norsk rikskringkasting erverver til å gjøre verket tilgjengelig for allmennheten. Hvilke former for tilgjengeliggjøring som Norsk rikskringkasting erverver, skal i hvert enkelt tilfelle avtales med forfatteren. Etter rammeavtalen pkt 3.2, 3.-5. avsnitt reguleres også utnyttelse i digitale media: «NRK kan kringkaste hele eller deler av verket i fjernsynssendinger og formidle verket via andre teknologiske plattformer, herunder Internett, bredbånd, mobiltelefoni. NRK kan etter avtale gjøre hele eller deler av verket tilgjengelig for allmennheten i andre formater og/eller gjennom andre distribusjonsformer enn 27 Det er i og for seg unødvendig å ha valgt en betegnelse som svarer til ett av de sentrale begrepene i folketrygden, men noen praktiske problemer skaper dette knapt. 28 Rammeavtalen av 6.9.2006 pkt 3.3 (satsene er regulert per 1.5.2011). 18 Dramatikeren i den digitale verden nevnt i forrige avsnitt. Til slike formater/distribusjonsformer hører for eksempel eksemplarfremstilling og salg av video, DVD og POD (publishing on demand). 
NRK may by agreement also make all or parts of the work available to users at an individually chosen place and time (as an on-demand service) for a specified period on technological platforms such as, but not limited to, the Internet, broadband and mobile.»

The provision opens by stating that Norsk rikskringkasting "may" exploit the work in these forms. This must be read together with clause 3.2, paragraph 2, of the framework agreement, where, as mentioned above, the parties may "agree in more detail which forms" of making available the agreement is to cover. As I interpret the framework agreement, an explicit supplementary agreement with the dramatist is thus required to trigger these rights.

Under clause 3.2, paragraph 3, the work may be distributed on "technological platforms" other than traditional television. As examples it mentions "the Internet, broadband, mobile telephony". It is debatable whether all three of these are "platforms"; at any rate there is no contrast between "Internet" and "broadband".

Under clause 3.2, paragraph 4, Norsk rikskringkasting may, by separate agreement, make the work available in "other formats" or through "other forms of distribution" than those mentioned in clause 3.2, paragraph 3. As examples it mentions the production of copies and sale of compact discs ("video, DVD") and distribution by "POD (publishing on demand)". The last is not entirely clear; "podcasting" is a form of distribution based on transferring a file to the user. It is therefore not an example of the sale of a physical object such as a compact disc, but pure distribution of a digital file over the network. Possibly the agreement has assumed a different understanding, but I am not aware of any known forms of publishing broadcast programmes on request.
Finally, under clause 3.2, paragraph 5, Norsk rikskringkasting may make "all or parts of the work available to users at an individually chosen place and time (as an on-demand service) for a specified period on technological platforms such as, but not limited to, the Internet, broadband and mobile". This is commonly referred to as interactive services. This expansion of the services the agreement may cover shows clearly that the agreement covers more than ordinary broadcasting. Broadcasting, as defined in section 1, paragraph 1, litra a of the Broadcasting Act,[29] is:

«Broadcasting: transmission of speech, music and the like via electronic communications networks, intended or suited to be seen or heard directly and simultaneously by the public ...»

The concept of broadcasting has long been under pressure from technological development, and it may well be that the boundary against services that are not to be regarded as broadcasting is not entirely clear under the Act. In our context this matters little.

Under clause 3.2, paragraph 6, Norsk rikskringkasting may transfer rights under clause 3.2 to "third parties in Norway and abroad". Cf. also clause 3.5, which concerns transfer of "broadcasting rights etc.". This latter right of transfer applies to "broadcasting or other media platforms in Norway and abroad". The framework agreement presupposes, however, that a separate agreement has been made with the dramatist on which forms of making available are transferred.[30] The provision also introduces a remuneration model. If Norsk rikskringkasting receives separate remuneration for a transfer under clause 3.4, the dramatist, together with the other rights holders, is entitled to 50 % of the net remuneration.[31] This rights-holder share is distributed in proportion to the original remuneration; the dramatist's share corresponds to his or her share of the original remuneration.

[29] Act relating to broadcasting and audiovisual on-demand services (1992:127).
It is easy to get caught up in the wording of this provision, for example that the dramatist has no influence over the remuneration Norsk rikskringkasting negotiates. But one must bear in mind that it presupposes a separate agreement with the dramatist, who must make sure to exploit his or her bargaining position.

As mentioned, Norske dramatikeres forbund has a framework agreement with Norske film- og tv-produsenters forening (NFTVPF) of 4.3.2009.[32] This agreement is better adapted to the procedure usually followed when a script is developed, among other things by including both "author" and "scriptwriter". The author transfers a "production right" to the producer, cf. clause 4.3 of the framework agreement. In addition, what is called a "screening right" is transferred, covering "production of copies and making available", clause 4.4. Making available covers "screening"[33] by agreement with a broadcaster or distribution from "... other technical platforms used by the broadcaster, including unaltered streaming of the Work, screening on the Internet or corresponding networks". The framework agreement presupposes that other exploitation may be relevant, and clause 4.6 specifically mentions sale as a videogram as an example. Somewhat imprecisely, it also mentions "screening on pay-TV or mobile telephone etc."[34] One can almost see how the exploitation that digital technology makes possible eats its way into the agreement.

[30] Cf. above, framework agreement clause 3.2, paragraph 1.
[31] The net remuneration is Norsk rikskringkasting's gross income from the transfer less 30 % to cover costs.
[32] The agreement was adjusted 1.5.2011.
[33] As mentioned above, this means what the Copyright Act calls performance.
[34] The agreement refers to the Act relating to film and videograms (1987:21), which in section 1, paragraph 3, defines a videogram as "an electronic signal for storing and reproducing moving images that is written onto a medium or an information carrier". Neither pay television nor distribution via mobile telephone presupposes that the signal is stored on a local medium in order to be performed on screen.

One might wish for greater stringency in delimiting rights and forms of exploitation, but in the present situation the practical application of the agreement hardly gives rise to much doubt.

3.5 Film

3.5.1 Main principles

The historical starting point for the agreements discussed in 3.4.2 on broadcasting is the film agreement. Norske dramatikeres forbund has also entered into a framework agreement on "film, production and screening rights" of 15.9.2005[35] with Norske film- og tv-produsenters forening. The agreement has largely the same structure as the framework agreement for broadcasting. The framework agreement defines "film right" and "production right".[36] Section 10 of the framework agreement regulates minimum remuneration for synopsis, film story and film script (335,173 kr in total) and for the film right (332,109 kr).[37] In addition, remuneration for the film right is payable out of the film's profit, a royalty-based remuneration (cf. section 10 litra d, compare section 11). How the film's profit is calculated is not dealt with by the framework agreement.[38]

3.5.2 Production of copies: videograms

Under section 2 litra j of the framework agreement, the producer acquires the right to produce copies and to make the work available to the public by distributing copies and performing the work. Production of copies is a necessary precondition for performance on the screen. Traditionally, a limited number of copies are offered by the producer (or an importer on the producer's behalf) for hire by cinemas. The cinemas then receive the physical copy, which is performed on the screen, traditionally by projection. Digital screens can display images by having the picture elements ("pixels") controlled by a computer. The producer's remuneration is typically a share (royalty) of box-office takings, and contributes to the film's eventual profit. Out of the profit a share (royalty) is then paid to the dramatist and others, cf. section 10 litra d, compare section 11 of the framework agreement.

[35] The agreement was adjusted 1.5.2012.
[36] There does not seem to be much difference between these rights as defined in section 2 litra g and h of the framework agreement, but this is perhaps of little importance.
[37] Applies where the holder of rights to the literary original is different from the author of the film script, cf. section 10 litra c of the framework agreement.
[38] But it may well appear from the regulations of Norsk filmfond, to which section 11 litra a of the framework agreement refers. This does not, however, appear in the regulations on accounting for audiovisual productions (2010:359), and I find no other regulations in the database of central regulations.

Traditionally, then, the film agreement has covered a transfer of the right to produce copies, but in the context outlined above, as a necessary precondition for performance on the cinema screen. With new technology, however, production of copies acquired an entirely different significance.

A dramatic part of the technical history is the format war between Betamax[39] and VHS.[40] The development of systems for storing video on magnetic tape is long, and is first and foremost a story of the struggle to read and write data to tape fast enough. Around 1970 several Japanese industrial groups were ready to supply equipment for recording and playing videograms for home use, with Sony leading among them. It is claimed that Sony invited JVC to license the Betamax technology in 1974, and was taken aback to discover that JVC was very far advanced in developing its own solution. Nevertheless Sony had the market almost to itself at the beginning, and in 1975 sold 30,000 Betamax machines in the USA alone. The following year JVC launched its VHS format. That was the starting signal for the "format war". JVC's system had roughly twice the playing time of Sony's, and this difference was probably decisive. In 1977 JVC was joined by four other Japanese electronics manufacturers, all of which took VHS as their basis. This led Sony to abandon its restrictive policy on licensing its own technology.
JVC, however, got the American company RCA on board. Price was not initially a dominant factor in the competition, but in 1977 the price of VHS machines was reduced to 300 dollars. By 1982 the price war was in full swing. At the same time, the case that ended in 1984 with a Supreme Court judgment (the "Betamax judgment")[41] was making its way through the American court system. In that judgment Universal Studios and Disney did not succeed in their claim that Sony's video recorder in itself represented an infringement of the rights of producers of films and television programmes.[42] Rather than fight the new technology, the industry therefore chose to develop business models to reap economic benefits from the emerging market. It is unclear whether the judgment influenced sales, but by 1978 Sony's market share had fallen to 19.1 % compared with RCA's share of 36 %. At the same time the supply of pre-recorded cassettes began to grow, and already in 1981 the Betamax format accounted for only 25 % of the market, and the number of titles available in VHS format was expected to grow larger. Technically the formats were comparable; although Sony generally led in improvements (for example in sound reproduction), the VHS manufacturers quickly followed. Machines for the Betamax format were in fact cheaper than corresponding VHS machines by the end of 1985. The battle of the formats ended in 1987 when the magazine Rolling Stone proclaimed "The Battle is over".[43] VHS players made up 95 % of the market. Sony launched its own VHS player in September 1988. A year later Betamax's share of the consumer market had fallen to 1 %.

Exploiting the opportunities in the videogram market presupposed that cassettes, later compact discs, were produced for hire or sale to consumers. The rights holders argued that this right had not been transferred to the producers, since this form of exploitation was not known when the film agreements were made. This principle is today part of section 3.3 of the framework agreement, which states that "rights that are not explicitly transferred ... are retained without restriction by" the dramatist and others. The dispute found its solution within the framework of what was then a fairly new collecting society, Norwaco, established in 1983. The organisation forms various management sectors, and one of these became the film sector. The rights holders' organisations were represented here, and remuneration for the exploitation of older feature films in the form of videograms was transferred to Norwaco, which through negotiations within the film sector arrived at a distribution between the organisations.

[39] The Betamax cassette has half-inch-wide magnetic tape and the signal is stored in analogue form. The format was developed on the basis of the earlier 0.75-inch-wide professional U-matic system, which is still in use. The name "Betamax" is said to derive from the Japanese phrase beta gaki (raw + write), but as a joke the trademark contains the Greek letter beta. Sanyo originally marketed its version as "Betacord", but this too was referred to as the "beta" format.
[40] Video Home System. The cassette's magnetic tape is half an inch wide; the signal is stored in analogue form.
[41] Sony v Universal Studios, 464 US 417 (1984).
[42] The argument was that the recorder made it possible, or even easy, to produce unlawful copies. Arguments of a similar character are found in many other contexts, including the Norwegian decision on "DVD-Jon" (RG-2004-414), since the program he helped launch made it possible to circumvent protection mechanisms for DVDs. See below under 3.5.3.
In 2006 approximately 2 million kroner from the producers was distributed among the various groups according to the following table:[44]

Group                         Share   Further distribution within group
Screenwriters                 29 %    Individual remuneration
Directors                     29 %    Individual remuneration
Film workers                  10 %    Collectively via fund
Actors                        23 %    Collectively via fund
Musicians                      7 %    Collectively via fund
Dancers and choreographers     2 %    Collectively via fund

In time, exploitation as videograms was of course incorporated into the film agreements, and section 12 of the framework agreement refers to the obligations on production of "videograms and the like" being regulated by an agreement between Norwaco and Norske film- og tv-produsenters forening. Such agreements, however, expired on 31.12.2010, and the last remuneration was distributed in 2011. Norwaco itself characterises the sector as "inactive".[45]

The cassettes have gradually given way to compact discs.[46] From the rights holder's point of view this is no difference in principle from video cassettes: they are sold as physical units, and the remuneration generated follows in part the provisions of the film agreement.[47] Extra protection has, however, been added to the discs. In part a zoning system has been used, a division of the market into different zones. Players are "authorised" for one or a few zones, and will not play discs for other zones.

3.5.3 File sharing

Digital exploitation of films is traditionally associated with file sharing. This means that a copy of the film is uploaded to a website and from there offered to the public for local production of copies. This can be done by the rights holder, of which the Norsk rikskringkasting website, for example, provides many instances. But most attention has been paid to unlawful file sharing, often in connection with file-sharing systems such as Napster, Gnutella and BitTorrent.[48]

Under section 53a of the Copyright Act it is prohibited to remove or alter a technical protection system.

[43] Rolling Stone 15.1.1987:43.
[44] Norwaco Årsmelding 2006:12.
On zone control on compact discs, however, the preparatory works say that "the region codes used on DVD films to divide the market for cinematographic works geographically and temporally [will not] be technical protection systems in the sense of the Act".[49] There are, however, also other protection measures intended, among other things, to prevent a compact disc from being played on a player that is not authorised. This came to a head in the much-discussed case of "DVD-Jon".[50] He was charged with having made available a program that made it possible to break the copy protection on compact discs and play the works on "non-authorised" players. For various reasons he was acquitted.

More recently, the Swedish case concerning the website Pirate Bay has attracted considerable attention. The site facilitated users sharing cinematographic works among themselves by means of a BitTorrent system. The Svea Court of Appeal convicted the people behind it of contributory copyright infringement in a decision of 21.11.2010.[51]

Naturally it is first and foremost those who make use of the offer and upload copies of the work for file sharing without the consent of the rights holder who infringe copyright.

[45] Norwaco Årsmelding 2011:18.
[46] CD-ROM (Compact Disc Read Only Memory) or Blu-ray (named after the blue-violet laser beam used for reading); media based on USB sticks will surely come as well.
[47] But, as mentioned above, this regulation is not complete.
[48] Cf. Jon Bing, Ansvar for ytringer på nett – særlig om formidlerens ansvar, Universitetsforlaget, Oslo 2008:241-248.
[49] Cf. Ot prp nr 46 (2004-2005), Om lov om endringer i åndsverkloven m.m., 3.5.1.5.1.
[50] Borgarting lagmannsrett, judgment of 22.12.2003, LB-2003-00731.
[51] Leave to appeal to the Högsta domstolen was refused.
An example of this is found in the judgment of Fredrikstad tingrett of 12.3.2007.[52] The defendant had Start.no as Internet service provider and had been offered a kind of "pre-premiere" of the film, which was streamed to the defendant's machine at somewhat reduced quality compared with a film on a rented disc.[53] The defendant used a program that diverted the stream and stored the film as a file on a local medium. The defendant was convicted of copyright infringement, but was also ordered to pay compensation to the rights holder under the "remuneration principle", that is, taking as the basis the remuneration the rights holder would have demanded. Because of the reduced quality, the court set the remuneration at 40 kr per download, and found that the film had been downloaded 2,771 times, amounting to a loss of 110,840 kr. On top of this came loss due to market disturbance and the like, and the court fixed the total loss at 150,000 kr by discretionary assessment. This was, however, reduced under the principles in section 5-2 of the Compensation Act (Act of 13.6.1969 no. 26).[54] Even though the compensation was reduced, it is not insignificant. Anyone who infringes copyright by unlawful file sharing risks not only punishment but also substantial liability for damages.

It should be emphasised that file-sharing technology is not in itself unlawful. On the contrary, rights holders depend on effective file sharing where the rights holder chooses to make the work available to the public in this way, as many broadcasters do.

3.5.4 Streaming[55]

The videograms probably already belong to the recent past. In the future, streaming will most likely dominate. Streaming is based on a copy of the work being uploaded to a website, and on users being able to transfer the work from the site to their own workstation as a stream of data, controlled by a program that does not permit downloading to a local hard disk or similar. In itself the work is just as accessible as if it were stored locally, but it is stored in the network.
This solution will probably involve greater control over the work than the one in which unlawful file sharing is the watchword for lack of control.

Streaming presupposes that the network has sufficient capacity. On the Internet data is sent in packets of equal size, and each packet in principle finds its own way through the network from sender to receiver. The packet carries a sequence number that makes it possible to assemble a large number of packets in the correct order at the receiver. A streaming system will begin to play the film before all the packets have been received. It may therefore happen that packets are missing when playback reaches the point where they should have been in place. That will reduce the quality of the film. The network's capacity must be sufficient to allow streaming, and it is not long since we got a broad enough band. The "DVD-Jon" judgment (see above) states that at the speeds available in 1999, it would take about 12 days to transfer a feature film over the network with an ISDN connection. That obviously rules out streaming as a service.

It is in itself rather complicated to describe streaming in copyright terms.[56] But the solution presupposes production of a copy so that the work is stored in such a way that the streaming program can generate the necessary data stream to the user's machine.

[52] TFRED-2006-177576.
[53] The film was streamed at a quality of 1,350 kb/s compared with a rental film, which had a quality corresponding to 6,000 kb/s.
[54] The provision reads: "Liability for damages may be reduced when the court, having regard to the extent of the damage, the financial capacity of the liable party, existing insurance and insurance possibilities, the degree of fault and the circumstances in general, finds that liability would be unreasonably burdensome for the liable party."
[55] Usage varies somewhat between the forms "strømming" and "strømning". I prefer "strømming"; "strømning" is preferably sour, Swedish and in a tin.
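The packet reassembly described above, as an added illustration that is not code from the original article: a small Python play-out buffer that reorders packets by sequence number and, when playback reaches a sequence number that has not yet arrived, records it as lost and plays on without it. The Packet format, the PlayoutBuffer class, the reassemble helper and the sample arrival order are all constructed for this example.

```python
"""Play-out buffer for a packet stream (added example, not from the article).

Packets arrive in arbitrary order; each carries a sequence number. Playback
starts before every packet is in, so a packet that has not arrived by the
time playback reaches its sequence number is counted as lost and skipped,
which is the quality loss the text describes.
"""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Packet:
    seq: int                               # sequence number used for ordering
    payload: bytes = field(compare=False)  # the media data itself


class PlayoutBuffer:
    """Reorders received packets and hands them out in sequence."""

    def __init__(self, start_seq: int = 0):
        self.next_seq = start_seq   # next sequence number playback expects
        self._heap = []             # min-heap keyed on Packet.seq
        self.lost = []              # sequence numbers missing at play time

    def receive(self, pkt: Packet) -> None:
        """Accept a packet from the network, whatever order it arrives in."""
        if pkt.seq < self.next_seq:
            return  # arrived too late: playback has already passed this point
        heapq.heappush(self._heap, pkt)

    def play(self, upto_seq: int) -> list:
        """Return payloads for every seq < upto_seq in order.

        A None entry marks a packet that was missing at its play deadline.
        """
        out = []
        while self.next_seq < upto_seq:
            # discard duplicates of packets that have already been played
            while self._heap and self._heap[0].seq < self.next_seq:
                heapq.heappop(self._heap)
            if self._heap and self._heap[0].seq == self.next_seq:
                out.append(heapq.heappop(self._heap).payload)
            else:
                self.lost.append(self.next_seq)
                out.append(None)
            self.next_seq += 1
        return out


def reassemble(arrivals, play_upto):
    """Feed (seq, payload) pairs in arrival order, then play up to play_upto.

    Returns (played payloads, list of lost sequence numbers).
    """
    buf = PlayoutBuffer()
    for seq, payload in arrivals:
        buf.receive(Packet(seq, payload))
    return buf.play(play_upto), buf.lost


# Constructed sample: packets 0..5 were sent; they arrive out of order, one
# is duplicated, and packet 4 never arrives before the play deadline.
SAMPLE_ARRIVALS = [(0, b"frame0"), (2, b"frame2"), (1, b"frame1"),
                   (5, b"frame5"), (3, b"frame3"), (2, b"frame2")]

if __name__ == "__main__":
    played, lost = reassemble(SAMPLE_ARRIVALS, play_upto=6)
    print("played:", played)   # frame4 shows as None
    print("lost:", lost)       # [4]
```

The heap keeps arrival order irrelevant, the duplicate is dropped rather than counted twice, and a packet that shows up after its deadline is ignored, which is why the lost list reflects what the viewer actually experienced rather than what the network eventually delivered.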
The author's exclusive right covers this copy, and there must therefore be an agreement with the rights holder. The consent the rights holder gives will normally be conditional on remuneration. The framework agreement for film does not regulate this; one must assume that this right is among those the rights holder retains under section 3.3 of the framework agreement.

A temporary copy is also formed at the user's end, in the workstation's central unit. One must assume that this production of a copy falls outside the rights holder's exclusive right under section 11a of the Copyright Act. The performance will typically not be public but private.[57] The performance therefore also falls outside the rights holder's exclusive right. Remuneration and any control over the exploitation of the work must therefore be secured through the agreement that permits the work to be offered to the public for streaming.

One may note that the Copyright Act delimits the exclusive rights of reproduction and performance in slightly different ways. Under section 2 the exclusive right of reproduction covers every production of a copy, but section 12 carves out production of copies for private use. For performance, however, the exclusive right under section 2 covers only public performance. The boundary of what is public under the Copyright Act rests on an assessment, but it does not take very many people before it is regarded as a public performance. For private copying the State pays a private-copying remuneration (cf. section 12, paragraph 1) which is administered by Norwaco and distributed among the organisations concerned. One could argue that as streaming becomes more common, a private-performance remuneration ought also to be paid.

[56] One attempt is Jon Bing, "Strømming av åndsverk. Noen opphavsrettslige aspekter ved en tenkt maskin", Nordiskt Immateriellt Rättsskydd 3/2008:191-200.
[57] Cf. the "Smart card judgment", HR-1995-2-A, Rt-1995-35.
4 Electronic games

4.1 Interactive novels

In 1982, the same year IBM sold its first "personal computer", I was asked by the OECD to write an article on computer games.[58] These were in their infancy, but I expressed my enthusiasm fairly unrestrainedly. The enthusiasm had a thin basis. I had, it is true, taken part in tournaments of interactive tennis arranged by youthful researchers in my own environment. I doubt that anyone today could work up any fascination for two dots ("balls") that strictly obey the rule that "the angle of incidence equals the angle of reflection" as they draw slow streaks across a rectangular court, and where with the remote control one can move two rackets in the form of lines to intervene and send the ball in a new direction. But rules and the limitations of the technology were enough to make it a game, together with pizza and beer. Even if I got no feeling of playing at Wimbledon, it was fun enough.

An entirely different experience was interactive novels. The first to gain any currency in Norway was played on the University of Oslo's central DEC10 system. This was a game with a textual interface, like an ordinary book. But the text suddenly stopped, and the story came to a halt. The reader then had to take hold of the main character and suggest what should happen next. In this way the story was created in cooperation between the game's rules and the reader's imagination. A whole host of such interactive novels appeared. One of those I remember best was Trinity.[59] One situation in it may perhaps explain some of the fascination. The main character is in Kensington Gardens one afternoon when this park is, as we all know, full of nannies with prams. There is play along the paths, and some prams stand empty while the nannies tend to the toddlers. Strong gusts of wind blow, and some of the nannies put up umbrellas that are torn away by the wind.
The main character knows he or she must get across the lawn and down to the lake in the middle of the park. The trouble is that when one steps onto the lawn, where warning signs say "Keep off the grass", one's ankles are caught by blades of grass that wind around them and make it impossible to go on. The solution? An abandoned ball lies on one of the gravel paths, which the main character learns by "looking around", that is, by asking the game to describe the surroundings. He or she takes the ball and throws it at an umbrella caught in a treetop. The umbrella falls down, the main character climbs into one of the abandoned prams, opens the umbrella, and the wind comes gusting and carries the improvised sailing craft across the lawn and down to the water.

Does this example give some sense of what kind of adventures interactive novels can hold? And a dramatist sees at once that interactive novels are a form of drama. There is a stage, a set and a dramatic narrative. The difference, however, is that inside this dramatic narrative a player is wandering around causing situations to arise, often situations the creator of the novel never imagined would take place.

4.2 The dramaturgy of games

It is a long way from these early examples to today's games. I think we have passed the time when computer-based games were primarily associated with brawls and races in fast cars, where the player's task was to eliminate as many opponents as possible with weapons or imaginative punches and kicks, while the player had to avoid being killed. These were games literally based on a corridor model: the player started at one end of the corridor and fought forward to the goal. But it can nevertheless help to illustrate that games have a dramaturgy.

[58] "The electronic game gambit", Impact 4/1982:425-431.
[59] Infocom 1986.
The corridor model is simple: the player's task is to move in the direction of the corridor; there may be detours through side branches, but on the whole it is straight ahead. At the same time the corridor becomes a timeline along which the game develops, somewhat like a film. The player's control is reduced to solving the tasks along the way. And that can be exciting enough.

But Trinity gives an example of a somewhat different model, the forum model. The player is placed in a situation and then chooses for him- or herself what the next step is. It is like standing in a marketplace with stalls: as long as one just stands there, almost nothing happens. One must oneself take the first step into a stall, talk to those one finds there, see what may be hidden inside. Here the game maker does not have the same linear control. To illustrate: suppose it is a murder mystery, and the decisive evidence is a letter from the deceased. It would be dull if the player decided to go into the deceased's study, open the desk, find the letter and finish the game in three moves. The game maker must ensure that if the player begins that way, the letter is missing from the desk drawer: the player is prevented by the game's logic from reading the last page first; the decisive step can be taken only when other necessary steps have been completed. It is considerably more challenging to make a game on the forum model than on the corridor model.[60]

And this is only a hint of the dramaturgical challenges and possibilities in games. Another important element is that the games are populated not only by the characters and creatures the game maker has designed. The games allow the player to step into the game's reality.

[60] I have in fact tried to make a game on the forum model myself, cf. Savnet i Lokaya – Human Quest I, Universitetsforlaget and Norges Røde Kors, Oslo 1996; I contributed only a first draft.
The player usually chooses an avatar, a term borrowed from Sanskrit avatāra, meaning "incarnation", which originally referred to how a divine being appeared in our world. The player can choose from a gallery of avatars, but the game may also let the player design his or her own. In this way the player appears as part of the game, visible to the other players. And the game of course also allows the avatar a certain freedom to make choices, to communicate with other avatars and, of course, to challenge them to combat. Many players can be present simultaneously in these game worlds. In "massively multiplayer online role-playing games"[61] the complexity is very high. Avatars become more skilled as players learn about the possibilities. Tools can be constructed. A sword that is used diligently lets the avatar win duels more often.

The example suggests that this is related to role-playing games such as Dungeons and Dragons,[62] where the player is invited into a fantasy land of dragons, wizards and other fairy-tale figures, often in surroundings reminiscent of those JRR Tolkien made famous in his trilogy The Lord of the Rings.[63] Some of the most popular games belong precisely to this category, for example World of Warcraft. This fantasy world was first introduced by Blizzard Entertainment in 1994 (Warcraft: Orcs & Humans), and new editions have since appeared. It is regarded as the world's most popular game of its kind, with about eight million subscribers[64] worldwide. That is to say, roughly twice as many people "live" in this make-believe world as in Norway. At any given time hundreds of thousands of players are connected to the game; players form guilds and make plans for mastering new challenges.

But the surroundings can also be quite ordinary. An example is Second Life, a three-dimensional world launched by Linden Labs in 2003. This is almost a computer-based copy of the everyday world.
Here IBM has offices and Sony has shops; the currency is convertible, and one can, for example, buy a plot and build a house (one must of course buy materials and find the resources needed to build it). And then one can try to sell the property to other "residents". Ailin Graef became the first millionaire in this way. Her avatar bought cheap virtual plots, developed them, subdivided them, and she sold them at a profit in the real world.[65] This game is not quite as big as WoW, but it has more than five million user accounts.

With user numbers like these, one cannot simply push the games aside. They are important parts of modern culture, on a par with music, traditional drama and film. They have accordingly received attention over time; new games are reviewed and assessed. The dramaturgy and pedagogy of the games are complex and sophisticated. Their devices can be assessed from several perspectives: artistic, technical, commercial. The experiences are very different. I can only hint at these perspectives in the games, and in no way do them justice.

The game maker becomes a dramatist, or rather, games will be made by a group that develops a game or maintains it, usually within frameworks intended to ensure coordination and consistency. It is like a dramatic series, but with the important difference that the action is never quite the same, because the players intervene and exploit the flexibility and the choices the games offer.

[61] MMORPG ("massively multiplayer online role-playing games").
[62] D&D was originally a role-playing game supported by a board game, developed by E Gary Gygax and Dave Arneson, first published in 1974.
[63] The Lord of the Rings, 1954-55.
[64] August 2007.
[65] Anna Raciti, "Fantasiens rikdom", Lov&Data 91/2007:22-24.
As mentioned above, the games will be the game maker's copyright works, but when one or more players take part, the audiovisual expression that glides across the screen becomes a (fleeting) work to which the players also contribute; they may be co-authors. And a kind of culture sometimes arises around a game, in which participants "record" the course of the game itself and make it available to others, that is, to the public. An example is the game Minecraft. A dedicated program has been developed for recording the screen images, Ezvid.com, and the results of the players' efforts can be seen in many places, for example on YouTube. Here players use the possibilities Minecraft provides to create astonishing new versions, in which it is the players' inventiveness, rather than the game makers', that attracts attention.[66]

4.3 Interface to the network

Games such as Second Life can also be seen as an interface to the network. Some of us remember when the interface was character-based: a command line with green or yellow characters on a black screen, or white characters on a blue background. That was the interface for Trinity; it worked for interactive novels. But fortunately we have almost forgotten this. Apple introduced a graphical interface for its Macintosh in 1984, and in time other operating systems got graphical interfaces too. The network also got a graphical interface. It is precisely the graphical interface of the World Wide Web and web browsers that most of us know and use daily. For a moment we might reflect on how different the screen image is from the book pages we grew up with: not only are there differences in varied typography, graphics with colour and movement, there are also hyperlinks and search facilities that make footnotes or back-of-the-book indexes look rather feeble. This too is a new medium, and users understand it quite differently from a book page.

[66] Thanks to Associate Professor Tobias Mahler, who drew my attention to Minecraft and the culture around the game.
Yet many of the limitations are still familiar. If we want to communicate, we send an e-mail; the icon is often a small picture of an envelope with a stamp, as if this explained what is happening. It is in reality a reference to a bygone reality, as if we were to explain a television by showing a small picture of a theatre stage. We also communicate by instant and text messages. The use of a small camera for two-way video communication has not quite caught on. The point is that we use separate services. We send a letter, we search with the help of a search engine, we look something up in an online newspaper. In Second Life everything hangs together in a different way. We are ourselves present as an avatar in the virtual reality that the net represents. It is as if we had sent an agent into the world behind the screen. The virtual reality is something more than text, graphics and sound: it has become coherent and continuous, and it is experienced by our avatar. William Gibson coined the word "cyberspace" to describe this.67 But it is still only a beginning. Imagine a possible end-user device. First the loudspeakers, one for each ear, full stereo sound. A microphone glued to the cheek. Forget the screen. Think instead of an improved version of the Virtual Retina Display,68 developed at the University of Washington Human Interface Technology Lab in 1991. Laser beams are projected directly through the pupils onto the retina and form high-resolution colour images that cover the entire field of view. The left and right images differ slightly, a difference the brain interprets as three dimensions: one does not see an image on a screen, one looks into a three-dimensional space. Forget the keyboard. Think instead of an improved data glove. Such gloves exist in reality; "Data Glove" is, for example, a trademark of Sun Microsystems. Sensors register the movements of the fingers. Haptic feedback lets you experience touch.

Improved versions could have hydraulically controlled bumps on the inside that imitate any texture, from soft skin to coarse gravel. A microclimate lets you feel whether it is warm and humid or cold and dry. The glove can stiffen in any position, giving the illusion that you are stroking someone's cheek or gripping an iron pipe. With your voice you can give commands. We do not assume that speech recognition or natural-language understanding has advanced much beyond today. But already we can give commands that control systems: "Call home!", "Lights on!" and so on. We have no keyboard. Nor do we have a touch screen. Say "Show keyboard!", and a keyboard appears in our three-dimensional field of view; we can type on it with our gloved hands. Should we need it. For there are plenty of other things we can do in the virtual world without a keyboard. In our ordinary everyday life we manage well enough without one. We can open a door, wave to a friend, pat a cat ... Incidentally, the gloves have grown. They have become a tight-fitting bodysuit with bumps on the inside all the way round, in direct contact with bare skin. Now you can feel the warmth of the sun on your face, the spray from the waves along the beach, the sharp claws of the cat purring in your arms. And you can move through the landscape simply by walking, or pretending to walk. Perhaps jump on a virtual tram to get there faster. Or drive a virtual car ... Perhaps there are also small probes leading to the mouth and nose that mix bitter and sweet, sour and salty, and let you taste an apple or smell freshly baked waffles? This is a sketch of the interface of the future. It does not exist today.

67 In the novel Neuromancer (1984), which he actually presented through his avatar at a lecture in Second Life in August 2007. The book has been translated into Norwegian by Torgrim Eggen as Nevromantiker (Aschehoug, Oslo 1999).
68 See http://www.cs.nps.navy.mil/people/faculty/capps/4473/projects/fiambolis/vrd/vrd_full.html.
But most of the components exist. They have just not been put together into consumer electronics. Imagine, then, that you had such a bodysuit with a wireless broadband connection to the net. Imagine stepping into World of Warcraft. You appear in the shape of your avatar and shake hands with those of your comrades who happen to be logged in right now. You take time for some small talk and look around: the fresh air from the murmuring pine forest, the tarn glittering below the hill. You weigh the spear in your hand, shade your eyes from the sun with that shield ... The possibilities are as many as imagination allows. In other words, unlimited.

Through the Looking-Glass, and What Alice Found There69 is the title of Lewis Carroll's second tale about Alice. Fairy tales gave the mirror roughly the same function as a screen: it not only reflected the face of whoever looked into it, the mirror could also be used for communication and could answer questions. Who does not remember the wicked queen in the tale of Cinderella asking her magic mirror: "Who is the fairest in the land?" And Lewis Carroll revealed in his second tale about Alice how she climbed up onto the mantelpiece, how the mirror seemed to melt into a mist of silver, and how Alice was suddenly on the other side, in the mirror-image world, almost like our own and yet "as different as possible": a "second life". It would be futile to attempt an enumeration of what such a technology could be used for. Imagine having seen the first flickering film of black-and-white images at the beginning of the 20th century, and then trying to explain the new medium's potential, not only as fairy tale and art, but as documentation, reportage and teaching. But it is obvious that the potential of virtual reality technology is even greater for drama, romance and pedagogy. One cannot simply transpose the possibilities of film; the big difference is that in film one is merely a spectator, whereas in virtual reality one is a participant through one's present avatar. Not only will other players' avatars be able to intrude on the plot; the game maker's characters are controlled by autonomous computer programs and will interact with the avatars. And of course all the other possibilities: your avatar is a private soldier in the jungle of Vietnam, your avatar is a smart guided bomb on its way to a bunker in Iraq, your avatar stands beside the surgeon and hands him the scalpel as he is about to make the first incision to expose a malfunctioning heart ... As said, it is futile to enumerate the possibilities. But it is easy to imagine that "escapism" takes on a new meaning. "The palace of eternal pleasures" appears in a story by Will Worthington.70 The palace resembles a bunch of grapes; each grape is filled with a nutrient fluid in which people float, connected to cybernetic systems by hoses and cables. Around the palace the city has fallen into ruins, but the people dream on, aided by machines powered by sunlight. It is a disgusting, seductive vision. And it foreshadows how many will react to virtual world technology. We will warn against it and fear the new experiences, just as we earlier reacted to film. To comics. To television. To interactive games. To the net itself. In 1972 Apollo 17 landed on the Moon. Today it is more than forty years since a human being set foot on another celestial body. But 1972 was also the year when the routines that made electronic mail possible were integrated into the rudimentary Internet.71 In a sense one could say that while the journey into outer space was wound down, the tools were built that would make it possible to travel in inner space: the universe of knowledge, insight, dreams and fantasies that humans themselves have created. A universe as unlimited, and as rapidly expanding, as outer space itself. These are exciting prospects for a dramatist.

69 Through the Looking-glass and what Alice found there (1871).
But more is coming in the century of which we have now taken a tenth. It may come as a surprise that people are now talking about an "Adaptable Brain Interface" (ABI), which makes it possible to control a computer with one's thoughts. Its core is a neural network integrated with the user, who wears a portable EEG system. This analyses the variations in the rhythms of several areas of the brain, and learns how these are to be interpreted. Think "start the car", and without a remote control the car unlocks and the engine starts. Or more realistically: integration with a fighter pilot and an aircraft that does not itself glide through the air like a bird, but rather like a stone hurled across the sky by its jet engines, and which therefore depends on lightning-fast reactions from the pilot. By connecting the pilot directly to the aircraft, one avoids the detour via hands or fingers; the pilot controls the aircraft's functions as if they were his or her own body parts.

There is a short story by Anne McCaffrey, "The Ship Who Sang" (1969), which has again become a kind of symbol for me. A woman suffers a serious accident; her body cannot be saved, but her brain can be kept alive. And the brain is transferred to a starship, the nerve pathways connected to the ship's systems; the ship becomes the woman's new body, with mighty rocket engines controlled by the nerves of her legs. Is this inhuman, or a liberation from a fate as a kind of human plant, a fate we know people wish to escape: in the spring of 2002 two patients in England obtained a court ruling that they themselves may decide when the machines keeping them alive are to be switched off. One wonders whether they would not have seen a new existence as the core of a starship, or perhaps just a fighter aircraft, as a real alternative?

70 Will Worthington, "Plenitude" (1960), reprinted as "Det søte liv" in Bing & Bringsværd, Tider skal komme, Gyldendal, Oslo 1968:169-178.
71 The programs SNDMSG and READMAIL, developed by Ray Tomlinson, MIT.
The cyborgs are coming, and you may become one of them!

Digital footprints as evidence in civil proceedings1
Maria Astrup Hjort

This paper concerns digital footprints. Since the literature regarding digital footprints is mainly aimed at criminal proceedings, my task will be to present the use of digital footprints as evidence in civil litigation. I have to emphasize that I will concentrate on Norwegian law, but I will make some comparisons with English, Swedish and Danish law. First, some brief keywords to describe the difference between Norwegian civil and criminal procedure. Criminal procedure is closely connected to criminal law, and its purpose is to punish those who have committed a crime and to make the punishment a reality. Civil procedure covers case management in all cases not involving questions of punishment. In Norway there is no third procedural track for administrative matters, as in Sweden, or for family matters, as in England and Wales. This means that the civil procedure rules in the Norwegian Dispute Act cover a heterogeneous group of legal issues, in which the need to use digital footprints can vary significantly. Another key difference between Norwegian criminal and civil procedure is the role of the police. In criminal proceedings, the police have virtually every possibility to obtain digital footprints and present them as evidence in court. In civil cases, however, there are two conflicting parties who basically want to know everything about the other party, including what they might have stored electronically. In the absence of an authority like the police in criminal proceedings, it is basically up to the parties to locate relevant evidence and to decide what to present to the judges.
Without a general understanding of digital footprints, such evidence is easily overlooked or less highlighted in civil proceedings; one might erroneously be left with the impression that digital footprints are not as useful in civil litigation as in criminal proceedings. "Digital footprints" can be defined as automatically generated data. Because the data are generated without any specific permission from the person generating them, it varies whether one is aware of the footprints. Examples include GPS information from your cell phone tracking your route to your office, the data you leave when entering the office with an access card, metadata generated while you are working on your computer, data from the RFID chip when you borrow a book from the library, or information registered when validating your bus ticket on your way home. There is basically no reason why this information should only be used in criminal proceedings. Why should there be a greater opportunity to clarify the facts in criminal cases than in civil matters? Two basic principles in Norwegian civil procedure are important in this respect: one is the right of unrestricted presentation of relevant evidence, and the second is the principle of unrestricted evaluation of the evidence. This means that, as a starting point, there are no restrictions as to what kind of evidence the parties may present, or how this evidence shall be considered and evaluated. Norwegian civil procedure does not, to the same extent as the English, categorize evidence as hearsay evidence, circumstantial evidence and so on, depending on the nature of the evidence. The court must evaluate all possibly relevant evidence presented and reach a conclusion on the basis of a comprehensive assessment.

1 Paper presented at the Nordic Conference in ICT law, «The proof is in the digital pudding», Oslo, November 14th 2013.
The crucial issue, from a practical point of view, is therefore not what the parties may present, but what they get access to for the purpose of presenting the evidence to the court. The question of access has a particular significance when it comes to digital footprints, because access to this kind of evidence in most cases requires assistance from an IT expert and a budget for such investigation. This might be a challenge when it comes to the principle of proportionality. A starting point for the question of access to evidence is the general rule in the Dispute Act sec. 21-4 first paragraph, saying that "The parties shall ensure that the factual basis of the case is correct and complete. They shall provide such explanations and summaries of evidence as are required to fulfil this obligation, and they have a duty to give testimony and access to evidence pursuant to section 21-5".2 This obligation is extended in the second paragraph: "A party shall also disclose the existence of important evidence of which such party has reason to believe that the opposite party is not aware. This shall apply irrespective of whether such evidence is in favour of such party itself or in favour of the opposite party". These sections might remind you of the English disclosure rules, and in fact the provision is inspired by the English system.3 On the other hand, Norwegian civil procedure is also based on the principle that it is the parties' duty to take care of their own presentation of evidence: each party has a responsibility to present the evidence that he or she will rely on.4 As you can see, these principles conflict with each other, and that is probably the reason why the obligation to disclose evidence in favour of the opposite party is rarely sanctioned.

2 NOU 2001: 32, p. 1083.
3 NOU 2001: 32, p. 465.
Danish and Swedish civil procedure have not incorporated an Anglo-American-inspired provision like the Norwegian rule, and the presentation of evidence is based entirely on the principle of the parties' right and responsibility to present the evidence they rely on.5 Norwegian civil procedure seems to balance between the Anglo-American tradition and the Scandinavian tradition in this respect.6 The balance is difficult because of the conflicting principles, and it is not certain that there is a distinct line in balancing these two principles. In case of non-compliance with the disclosure rule, the party will have to request a court order allowing access to the evidence. Without specific knowledge of the evidence, it is difficult for the requesting party to convince the court that the evidence is relevant and that the disclosure costs are proportional to the issue at stake. This is especially a challenge when it comes to digital footprints, because this evidence usually appears as circumstantial evidence, and the court needs convincing reasons to order a party to give access to evidence of lesser importance to the subject matter. The court might therefore conclude that evidence like digital footprints is not necessary for reaching the correct conclusion. In many cases this view might be correct; however, when this guideline is applied to digital footprints, it might also lead to an unwarranted exclusion of such evidence. When requesting access to digital footprints, or electronic evidence in general, there are a couple of recurring challenges connected to such evidence. One important question is how to obtain the relevant information, and only that. There are currently no guidelines in Norwegian civil procedure regarding this question. This lack of regulation is particularly apparent when a party requires access to evidence secured by the court.
The Norwegian Dispute Act offers an opportunity to request a pre-action disclosure called "securing of evidence". With reference to this provision, the court may order the enforcement officer to arrange for forensic images of hard disks, servers and other storage devices. The specific evidence the party wants is often to be found among enormous amounts of other information that is, at best, irrelevant. The material may also include personal information, trade or business secrets, privileged attorney-client communication, etc. The relevant information needs to be sorted out, and for that purpose technical expertise is regularly needed. The Norwegian securing orders may resemble the English search orders, formerly known as Anton Piller orders,7 but unlike these search orders, securing of evidence is frequently used to secure electronically stored information, including digital footprints. In Denmark and Sweden this kind of order can only be given in proceedings regarding intellectual property rights.8 The actual use of electronic evidence in civil cases in Norway has not yet been brought to a very sophisticated level. Lawyers still prefer to search for, read and present evidence that appears on a piece of paper. But we generate enormous amounts of electronic information, and the digital medium offers new, unimagined possibilities to search for relevant evidence. Digital footprints have become a new tool in the lawyer's toolbox, and this possibility should not be reserved for criminal proceedings. Parties and their lawyers need to be reminded of this treasure chest of evidence in our digital era.

4 NOU 2001: 32, p. 1100.
5 Ulrik Rammeskow Bang-Pedersen and Lasse Højlund Christensen, Den civile retspleje (2010), p. 487 and p. 84-85; Bengt Lindell, Civilprocessen (2012), p. 110-111, 471-472 and 492-496.
6 On the Scandinavian legal tradition, see Konrad Zweigert and Hein Kötz, Introduction to Comparative Law (1998), p. 276 f.
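The sorting problem described above, that the relevant items sit among enormous amounts of irrelevant, secret or privileged material on a forensic image, is usually attacked with a rule-based first pass before any lawyer reads a document. The script below is an added example, not code from the paper or from any Norwegian enforcement office: it runs such a pass over a constructed file manifest, withholds anything in folders assumed to hold attorney-client material without inspecting its content, selects items by the agreed date window and keywords, and emits a SHA-256 manifest so the receiving party can verify what was produced. The file entries, dates, keywords and folder names are all assumptions for the example.

```python
"""Relevance and privilege triage over a forensic image's file listing.

Added example, not part of the paper: after a securing-of-evidence order the
party holding a disk image has to extract the few relevant items without
producing trade secrets or privileged attorney-client material. This is the
rule-based first pass an IT expert might run over a file manifest before the
lawyers review the result. Entries, dates, keywords and the privileged
folder names are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class FileEntry:
    path: str
    modified: date
    content: bytes  # constructed; a real manifest would point into the image


# Assumed review criteria, as they might be fixed in the court order.
RELEVANT_PERIOD = (date(2012, 1, 1), date(2012, 6, 30))
KEYWORDS = ("contract", "delivery")
PRIVILEGED_MARKERS = ("/legal/", "/counsel/")  # assumed attorney-client folders


def is_privileged(entry: FileEntry) -> bool:
    """Privilege is decided on location alone; the content is never read."""
    return any(marker in entry.path.lower() for marker in PRIVILEGED_MARKERS)


def is_relevant(entry: FileEntry) -> bool:
    """Relevant = inside the agreed period and mentioning an agreed keyword."""
    start, end = RELEVANT_PERIOD
    if not start <= entry.modified <= end:
        return False
    haystack = (entry.path + " " + entry.content.decode("utf-8", "ignore")).lower()
    return any(keyword in haystack for keyword in KEYWORDS)


def triage(entries):
    """Split the manifest into produce / withheld (privileged) / out of scope.

    Privilege is checked first, so a privileged document that also matches a
    keyword is withheld and listed for the privilege log, never produced.
    """
    result = {"produce": [], "withheld_privileged": [], "out_of_scope": []}
    for entry in entries:
        if is_privileged(entry):
            result["withheld_privileged"].append(entry.path)
        elif is_relevant(entry):
            result["produce"].append(entry.path)
        else:
            result["out_of_scope"].append(entry.path)
    return result


def production_manifest(entries):
    """SHA-256 per produced file, so the receiving side can verify integrity."""
    produced = set(triage(entries)["produce"])
    return [(entry.path, hashlib.sha256(entry.content).hexdigest())
            for entry in entries if entry.path in produced]


# Constructed sample manifest standing in for a real image listing.
SAMPLE_IMAGE = [
    FileEntry("/users/anna/documents/contract_draft_v3.docx", date(2012, 3, 14),
              b"Contract for delivery of 400 units to Example AS"),
    FileEntry("/users/anna/legal/advice_from_counsel.eml", date(2012, 4, 2),
              b"Re: contract dispute - privileged and confidential"),
    FileEntry("/users/anna/photos/holiday.jpg", date(2012, 3, 20),
              b"\xff\xd8\xff\xe0 binary image data"),
    FileEntry("/users/anna/documents/contract_2009.pdf", date(2009, 11, 5),
              b"Contract archive, superseded"),
    FileEntry("/users/anna/documents/delivery_schedule.xlsx", date(2012, 6, 30),
              b"Delivery schedule Q2"),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_IMAGE).items():
        print(bucket, paths)
    for path, digest in production_manifest(SAMPLE_IMAGE):
        print(digest, path)
```

The order of the checks is the point: the privilege test runs before the relevance test, so the counsel e-mail that mentions the contract is withheld rather than produced, and the 2009 contract falls outside the agreed window even though its name matches. What the first pass does not do is decide privilege on content, since reading the document to find out whether it is privileged would itself be the intrusion the order is meant to prevent.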
My prediction is that digital footprints will be more important in future civil litigation in Norway, with all the options and challenges that will imply for the parties, their lawyers and the court.

7 Paul Matthews and Hodge M. Malek Q.C., Disclosure (2012), p. 37-39.
8 Bang-Pedersen and Højlund (2010), p. 505-512 and Ot.prp. no. 33 (2003-2004), p. 3.

Russian PNR system: data protection issues and global prospects1
Olga Mironenko Enerstvedt

Abstract

The usage of Passenger Name Records (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. The Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, similar challenges and problems will apply to the majority of them. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. By accepting the latter, and with a pending proposal for an EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian request, as well as with all future requests for PNR? This paper provides a legal analysis of the Russian PNR regime, pointing out common problems and giving a prognosis on the global situation.
Keywords: PNR, Passenger Name Record, Russia, privacy, data protection, security, aviation, personal data

1 Under publication in Computer law and security report ([2014] 30 CLSR p.?)

1 Introduction

Today, security experts agree that aviation security requires a risk-based, proactive rather than reactive approach, and this is already reflected in international and national policies.2 This strategy implies, among other things, advanced collection and analysis of personal data: since the vast majority of passengers pose no threat to civil aviation, information is critical to assess the risk. The goal is to find meaning in enormous amounts of data and then to see connections and make predictions.3 A special role in these processes is played by the Passenger Name Record (PNR).4 PNR are used by state authorities for security purposes, to combat terrorism and crime. Moreover, the analysis of PNR data is valuable for threat and risk assessment and management; it may help not only to identify passengers who are a known threat, but also to identify potentially dangerous persons who are an unknown threat. According to IATA, as of 2013, access to PNR for security purposes is required in six countries and in the works in thirty more.5 At the end of 2013, a Russian PNR system is planned to be implemented. All airlines operating domestic or international flights, or flights passing over Russia, will have to hand over passenger data to the Russian security authorities. With the largest territory in the world, the Russian Federation is a natural boundary and a natural bridge between Europe and Asia, as well as one of the fastest growing markets for international air travel. Many foreign airlines, including EU airlines, carry out flights into and out of Russia;6 in addition, around 53,000 European flights transit over Russia to Asia each year.
The key point for this paper is that the usage of PNR for security purposes has a serious impact on the rights to privacy and data protection, so that these rights may be interfered with, limited or violated. Enhanced collection of passenger personal data leads to increased surveillance of mostly innocent and unsuspicious people. "Security versus privacy" has become a common expression. This dilemma generally implies a balancing of these two values and definite trade-offs, usually at the price of privacy: it is obvious that security in the air must be provided, and that security, which is vital to survival, is more important than privacy. But in short, the dilemma does not necessarily imply that security needs and data protection interests cannot co-exist. Both are important for society; what is needed is to find a way to ensure both values, without loss to either. Is it possible to use PNR for security purposes and at the same time respect the passengers' rights?

Similar to other states justifying the introduction of PNR regimes, the Russian authorities explain that the new measure is warranted by the need to improve aviation security. As for the protection of passenger personal data, they state that Russia has ratified the Council of Europe Convention No. 108 and adopted a law implementing the Convention into national law, and thus that the passengers' rights will be respected. But despite these assurances, the EU Commission has expressed concerns regarding the new Russian PNR regime.

2 See, e.g., Standard 3.1.3 of ICAO's Annex 17.
3 Schneier, Schneier on Security (2008) p. 7.
4 PNR data will be elaborated on in Section 2.
5 IATA, Facilitation and Passenger Data, http://www.iata.org/whatwedo/security/facilitation/Pages/index.aspx (date accessed: 19.08.2013).
6 Currently, foreign air carriers do not have access to the Russian domestic aviation market.
First of all, the EU became worried about the unilateral nature of the proposal. Since the EU was not familiar with the details of the proposed measures and could not evaluate their impact (according to EU officials, they raised the issue in Moscow early in 2013 and sent a letter in March, but never got a response),7 the EU asked Russia to postpone implementation of the PNR measures and to provide additional information on the regime.8 Secondly, according to EU officials, the human rights situation in Russia creates a potential for data abuse.9 For instance, in 2012 the EU was concerned about measures taken against members of the opposition, media freedom, the situation in the North Caucasus, children's rights issues and issues of discrimination and racism, etc.10 With such a background, it will undoubtedly be difficult for the EU to believe that, in contrast to the above-mentioned issues, the PNR system will respect the rights of air passengers. Moreover, pursuant to EU data protection legislation, transfer of PNR to Russian authorities by EU airlines will be illegal, since the Russian Federation is not considered a country providing an adequate level of data protection. Therefore, if the situation does not change, the EU airlines will find themselves in a difficult situation: to fly to or over Russia, they will need to comply with either EU or Russian law. They can either refuse to transmit the data, thereby becoming subject to sanctions by the Russian authorities, or they can deliver the data in violation of EU law. The International Civil Aviation Organization (ICAO) Guidelines on PNR11 stipulate in §§2.4.3-5 that an air carrier must comply with the laws of the state of departure and the state of destination. If the laws of the state of departure do not allow an air carrier to comply with the requirements of the state of destination, both countries should settle the conflict of laws.
Prior to the settlement, states are advised to apply no fines or other sanctions against air carriers, taking into account the specific circumstances of the case. In response to the EU's concerns, Russia stressed that the full text of the Order had been published in September 2012 and that the EU had had sufficient time to prepare;12 nevertheless, taking into account international agreements and the need for additional time for foreign and Russian carriers to prepare,13 the deadline was postponed from 1 July 2013, as planned initially, to 1 December 2013. In 2003, when a similar problem arose for EU carriers flying to the USA, most EU airlines chose to provide PNR to the US authorities, being unable to simply stop flying across the Atlantic.14 Later, however, this was regulated by a series of bilateral EU-US PNR agreements laying down the legal basis for the transfer. To date, the EU has such agreements with the USA, Canada and Australia. On the one hand, formally, the agreements state that they ensure an adequate level of data protection. On the other hand, data privacy advocates argue that these agreements, especially the EU-US one, fail to ensure appropriate data protection standards and contain a number of serious deficiencies and disturbing points. Clearly, compromises were made due to political and commercial needs: flights must go on. In addition, it is quite arguable whether the EU's strict data protection requirements can be achieved in the security field. What will be the case for Russia?

7 Nielsen, EU tells Russia to drop air passenger data law (2013).
8 See Nielsen, Russia blames EU for airline data fiasco (2013).
9 Nielsen (2013).
10 Council of the EU, EU Annual Report on Human Rights and Democracy in the World in 2012 (Country Reports), Brussels, 21 May 2013.
11 Document 9944 - Guidelines on Passenger Name Record (PNR) data of 2010 (ICAO PNR Guidelines).
Will the dilemma for the EU airlines indicated above be solved, or postponed again, or will the EU carriers have to choose which law to follow? Apparently, the time leading up to 1 December 2013 can be used to try to settle the conflict of laws. However, much depends on how effectively the time is spent and whether the parties are open and willing to engage in dialogue. If an EU-Russian dialogue is established, what will the EU expect from Russia: compliance with the strict but practically unrealistic requirements of EU data protection law, compromise solutions similar to the current bilateral agreements, or some additional, specific safeguards and guarantees, taking into account the particular circumstances? In contrast to the USA, Canada and Australia, Russia is a non-Western state. It is a question whether the data protection weaknesses accepted by the EU in the EU-US PNR agreement will be accepted for an EU-Russian deal. Another question is the Russian authorities' ability to make the rules work in case guarantees are provided. In theory, Russian regulators may adopt rules on PNR which would formally satisfy the EU data protection standards, but will they be implemented? The problem of law-in-books versus law-in-action is particularly relevant for states like Russia, with relatively newly established democratic regimes and democratic values, where many legal rules are written on paper but are not fully enforced in reality, where the laws simply do not work.

12 See Nielsen (2013).
13 The Ministry of Transport of the Russian Federation, News, 2.07.2013, http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20434 (date accessed: 03.07.2013).
14 See Ntouvas, Air Passenger Data Transfer to the USA: the Decision of the ECJ and latest developments, International Journal of Law and Information Technology, Vol. 16 (2008).
At the same time, the US regime raises doubts about proper enforcement and the absence of abuses as well (e.g. recent cases about the secret collection and use of personal data under NSA domestic surveillance programs). Who can stop a sovereign state if it suddenly decides to enhance security measures in violation of its previous promises on data privacy? This makes the problem even more complicated. Without going into political considerations, this paper will provide a legal analysis of the newly established Russian PNR regime. In order to see the broader picture, it will also discuss Russian general data protection regulation, as well as current problems of its enforcement and realization. Further, it will analyze selected elements of the PNR regime from a data protection point of view, taking into account the ICAO recommendations on PNR transfer (where applicable), the EU data protection requirements and the current bilateral EU-US PNR agreement, which is officially acceptable to the EU. A more global point is that surveillance is increasing worldwide. Russia is not the only state demanding or planning to demand PNR, and the number of such states is growing. At the same time, the list of states with an "adequate data protection level" (according to the EU) includes only a small minority. The majority may suffer similar challenges and problems to those suffered by Russia, both with regard to the lack of legislation and the fact that the laws do not work. All this creates global possibilities for abuses and violations of air passengers' data privacy rights. The Russian regime can thus be considered as only one example of many regimes, including future regimes. The paper hence endeavors to outline some prospects for the global development as well, pointing out possible common problems.

2 What is PNR?
According to §2.1.1 of the ICAO PNR Guidelines, PNR is the common name given to records created by aircraft operators or their authorized agents for each journey booked by or on behalf of any passenger. These data are used by aircraft operators for commercial and operational purposes while providing air transportation services. PNR are contained in operators’ computer reservation systems (CRS), departure control systems (DCS), or equivalent systems providing similar functionality. PNR are created every time a traveler makes a reservation. Technically, they are not deleted from the CRS and can be viewed even if a person never bought a ticket or cancelled the reservation. The basic record may contain multiple passengers within the same record. But each entry, even for one passenger, contains data on other people as well: the passenger, the travel arranger or requester, the travel agent or airline employee, a person paying for the ticket, etc. The PNR system contains all passenger data of the whole airline company; thus, the system is not restricted to a specific flight. Most travel agencies also use the CRS as their primary customer database and accounting system and store all customer data in CRS profiles. Thus PNR also contain data on individuals who never travel by air at all, since many travel services, such as car rental and hotel reservations, are made through the CRS.15 PNR can be captured up to 360 days in advance of a flight; hence, PNR data are dynamic and subject to change. The range of PNR is very wide and may comprise up to 106 data elements. Although different systems provide varying facilities, and the number and nature of fields vary from airline to airline and even among individual PNRs from the same airline, all PNRs contain at least passenger name(s), itinerary, and contact information.16 The Annex to the ICAO PNR Guidelines provides a list of possible PNR data elements.
They can be categorized in the following groups: (i) Machine Readable Travel Document (MRTD) details (names, date of birth, etc.); (ii) contact details; (iii) passenger details; (iv) payment details; (v) other information (name of the person making the booking, travel agent information); and (vi) data related to the aircraft flight. Passenger details include OSI (Other service related information), SSI (Special Services Information), SSR (Special Service Requests) and General remarks. Through OSI/SSI/SSR, PNR may include requests for special medical service or special dietary meals; that is, they may contain details of travelers’ physical and medical conditions and indications of travelers’ religious practices, in other words data of a sensitive nature. General remarks may contain data on internal conversations and contacts between the airline company’s employees and agents, including various comments and abbreviations.17 As for completeness and accuracy, two types of information can be distinguished. The first group includes MRTD details (also known as API, Advance Passenger Information), which derive from travel document information. These data are official and validated; spellings and dates are transcribed accurately, offering objective and permanently valid information. Such information may be used to check against watch lists, that is, to identify already known persons. The second group includes the information that the passenger submits to the CRS himself or herself; thus, these data cannot be guaranteed to be complete or accurate, and may not be fully updated on the date of departure.

15 See Hasbrouck What’s in a Passenger Name Record (PNR)? (2009)
16 IATA. Passenger Services Conference Resolutions Manual (PSCRM). 01Jun2007-31May2008 27th Edition
17 §2.1.6 of ICAO PNR Guidelines

Nevertheless, overall, PNR provides a comprehensive and extremely detailed record of every entry and includes data from which aspects of the passenger’s history, conduct and behavior can be deduced. PNR can thus be used in profiling, offering information on the background of individuals and their possible relationship to other persons being investigated. As such, PNR may be very useful for intelligence in identifying both known criminals and potentially dangerous persons who are not yet known from databases.

3 Usage of PNR

The Chicago Convention (1944) rests on the notion that states are sovereign over their land and air space.18 The principle of state sovereignty constitutes the legal basis for the national security of the state. Moreover, Article 13 of the Chicago Convention stipulates that the laws and regulations of a state as to the admission to or departure from its territory of passengers shall be complied with by or on behalf of such passengers upon entrance into or departure from, or while within the territory of that state.
Therefore, the state itself determines which information it requires from persons entering, departing or staying in that state.19 Taking into account the growing importance of PNR data transmission for aviation security purposes, the ICAO urges states to use PNR as an aid to aviation security.20 In order to harmonize PNR usage worldwide, the ICAO issued PNR Guidelines which establish uniform measures for PNR data transfer and its subsequent handling by the states, and IATA issued Recommended Practice PNRGOV.21 In §2.2.2, the ICAO PNR Guidelines provide a list of purposes for PNR analysis: improve aviation security; improve national and border security; prevent acts of terrorism and other serious crimes of a transnational character, including organized crime, and fight against them; protect the vital interests of passengers and the population, including health; improve border controls at airports; facilitate passenger flow. The principles of PNR transfer are as follows: minimization of costs to the industry; accuracy of the information; completeness; protection of personal data; timeliness; effectiveness and efficiency of data management / risk management.22 The Guidelines and PNRGOV provide other details as well. But the ICAO and IATA’s documents are not binding on the states; thus, it is up to the latter to establish concrete requirements and guarantees. In reality, different states establish different and sometimes conflicting PNR demands, and full harmonization is not achieved. The problems include various data exchange requirements (e.g. formats and methods of transfer), requests for data elements beyond existing international standards, and the absence of common objectives and clear agreement on process among states.23 As a result, air carriers may face legal, technical and financial problems. For instance, according to IATA, part of the data required in Russia (such as passport numbers) does not take international reservation systems into account.24 A problem also arises in collecting data on passengers flying over the territory of Russia: the CRS contains data on airports of departure and arrival, but no list of the countries whose air space is crossed by the plane during the flight.25 Further, according to the aviation industry, the composition and structure of the passenger data protocol do not coincide with the PNR and API files currently used in air transport, and some items cannot be filled because of lack of information.26 The requirement to transfer data in real time, no later than 30 minutes after entering the data into the information systems, does not take into account the fact that the CRS provides passenger data to airlines at certain intervals.27

18 Art. 1-2 of Chicago Convention signed 7 December 1944, ICAO Doc 7300/6. The Convention is now in its ninth edition.
19 §1.2. of ICAO PNR Guidelines
20 ICAO, 37th Assembly (2010) Resolutions.
21 IATA Recommended Practice 1701a, 2012 (PNRGOV)
22 §2.3.2 of ICAO PNR Guidelines

Data protection problems emerge as well. First of all, some states (e.g. the USA) use PNR for data mining and profiling, techniques which use statistical methods that cross-index randomly selected information from large databases and provide risk assessments of individuals or predict their future behavior.28 In profiling, the core idea is to record, store, process and retrieve personal data to create profiles in searchable databases in order to indicate potentially dangerous persons.29 According to many security experts, profiling, combined with the use of intelligence, offers a huge potential for preventing terrorist acts.30 However, these techniques are not very accurate, with a high number of false negatives and false positives,31 while the increased and unlimited use of personal data, with long-term or unlimited storage, creates enormous risks for data protection. Hence, privacy advocates argue that PNR data should not be used for data mining or profiling and that its use must be limited to specific crimes or threats on a case-by-case basis.32 There are different views on how effective the use of PNR can be.

23 PNRGOV
24 Elkova Russian sky will be closed to the lock (2013)
25 Elkova (2013)
26 Sirena-Travel Problems of realization of the Order of the Ministry of Transport N243 (2013)
27 Elkova (2013)
28 Poullet. Data protection legislation: What is at stake for our society and democracy? In: Computer Law & Security Review. Vol. 25 (2009). p. 214
29 Lyon Surveillance studies: An overview (2007) p. 5
30 Yehoshua. Terrorist profiling: analysing our adversaries personalities. In: Aviation Security International. Vol. 17 (2011). p. 23
31 Solove. Data mining and the security-liberty debate. In: The University of Chicago Law Review (2008). p. 353
Opponents (mostly data protection advocates and researchers) state that no substantial evidence has been provided to prove that the collection of PNR is necessary and proportionate and supports the fight against terrorist offences and serious crime.33 Proponents (mostly security experts and law enforcement agencies) argue that PNR, if properly used for targeted passenger profiling, are extremely valuable, with a potential to reveal “clean skin” terrorists.34 According to British Conservative MEP Timothy Kirkhope, PNR data was “instrumental” in capturing collaborators of the 7 July 2005 London bombers and the 2008 Mumbai terror attackers, and “led to the capture of dozens of murderers, pedophiles and rapists” and “95% of all drug captures in Belgium and 85% in Sweden are caught using PNR data.”35 Nevertheless, however this may be viewed, the collection and use of PNR for security purposes is already a reality worldwide and common practice. The countries which currently use PNR for law enforcement purposes include the USA, Canada, Australia, New Zealand, South Korea and the UK; Japan, Saudi Arabia, South Africa, Singapore, France, Denmark, Belgium, Sweden, the Netherlands and others have either enacted relevant legislation and/or are currently testing potential uses of PNR data; others are considering setting up PNR systems.36 According to Dutch Liberal MEP Sophie in ‘t Veld, the countries also planning to implement PNR regimes include India, Malaysia, Qatar and the United Arab Emirates, and it is only a matter of time before China does the same.37 As mentioned previously, the Russian system will be implemented in December 2013.

32 European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada.
33 E.g. see Article 29 Working Party on data protection: Letter to the Civil Liberties Committee of the European Parliament, Brussels, 6 January 2012. Ref. Ares(2012)15841 - 06/01/2012; Brouwer. The EU Passenger Name Record System and Human Rights: Transferring Passenger Data or Passenger Freedom. In: CEPS Working Document (2009).
34 Wolff. Are We Ignoring the “Risk” in Risk Based Screening? In: Aviation Security International. Vol. 18 (2012). p. 4
35 BBC News Europe, MEPs back deal to give air passenger data to US, 19 April 2012, http://www.bbc.co.uk/news/world-europe-17764365 (date accessed: 30.04.2012).
36 Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries, COM(2010) 492 final, Brussels, 21.9.2010, p.4.
37 See Nielsen (2013)

Apparently, all these states provide different data protection guarantees (if any), and have different opportunities to enforce them in reality. The data protection perspectives will be considered below.

4 PNR transfer: data protection perspective globally

From the data protection perspective, the problem is that PNR contain personal data about air passengers, who are protected by law both nationally and internationally.38 Accordingly, if security measures have an impact on the right to data protection, they need to be accompanied by strong and adequate safeguards. This is already reflected in international recommendations: the ICAO, for instance, urges states using passenger data for security purposes to ensure the protection of passengers’ privacy.39 §2.6.2 of the ICAO PNR Guidelines contains minimum requirements on data protection; the states receiving PNR should:
• use the data only for the purpose for which they were collected,
• limit access to the data,
• limit retention of data,
• ensure the data subjects’ rights of access and rectification,
• ensure redress,
• ensure the presence of data protocols and appropriate automated systems to access or receive data in a manner that is consistent with ICAO’s recommendations.
General principles of PNR data protection are as follows: (i) the state should ensure that every state authority having access to PNR ensures the appropriate level of data protection; (ii) in the absence of national data protection legislation, states should establish procedures and develop laws or rules for the protection of PNR data; and (iii) there should be a reasonable balance between the need to protect PNR data and the right of the state to require the disclosure of passenger data. Therefore, states should not be overly restrictive concerning the transfer of PNR data by air carriers to foreign authorities, and states should ensure the protection of PNR.40 Since PNR often involves transborder data flow, governments are encouraged to reach agreements with each other in order to provide protection of personal data.41 But as mentioned above, the ICAO’s Guidelines are not binding: ultimately, it is up to the states to establish concrete requirements and guarantees. Some national regimes or bilateral agreements already provide quite satisfactory guarantees.

38 International instruments include: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 23.09.1980; United Nations Guidelines Concerning Computerized Personal Data Files of 14.12.1990; Article 8 of the European Convention on Human Rights, Articles 7 and 8 of the Charter of Fundamental Rights of the EU, Article 16 of the Treaty on Functioning of the EU; the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28.01.1981 (known as Convention No 108; it is open for ratification by states other than members of CoE); APEC Privacy Framework of 2005, etc.
39 High-Level Conference on Aviation Security (HLCAS, September 2012) as well as ICAO Document 9944 Guidelines on Passenger Name Record (PNR) data of 2010.
For instance, according to the EU-Australian Agreement, PNRs are stored for five and a half years; the use of sensitive data is prohibited; persons have the right to access their PNR data on request to the Australian Customs and Border Protection Service; the list of governments entitled to access PNR data is exhaustive; etc.42 But as said before, the capabilities of various states differ. The EU plays a special role in this respect since its data protection requirements are stricter and more demanding than in other countries. First of all, it should be remembered that in the EU, Directive 95/46/EC of 1995 (DPD)43 is the most comprehensive legal instrument on data protection.44 The transfer of personal data from the EU to countries lacking an adequate level of protection is prohibited. Pursuant to the DPD, determinations of adequacy which are binding on EU member states are made by the European Commission with input from the Article 29 Working Party, the Article 31 Committee, and the European Parliament.45 Analysis of adequate protection comprises two basic elements: the content of the rules applicable and the means for ensuring their effective application.46 To date, only a few countries have met the criteria,47 and Russia is not on the list.

40 §§2.12.1-3 of ICAO PNR Guidelines
41 IATA. Facilitation and Passenger Data. http://www.iata.org/whatwedo/security/facilitation/Pages/index.aspx (date accessed: 19.08.2013).
42 Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, 29.09.2011. (L 186/4, 14.7.2012).
43 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of data.
44 For an overview, see Bygrave Data protection law: approaching its rationale, logic and limits (2002)
45 Council Decision 1999/468/EC of 28.6.1999 laying down the procedure for the exercise of implementing powers conferred on the Commission (OJ L 184, 17.7.1999, 23).
46 Further, see Article 29 Working Party Opinion 12/98 of 24.07.1998 Transfers of personal data to third countries. Applying Articles 25 and 26 of the EU Data Protection Directive, as well as Article 29 Working Party opinions on concrete national regimes.
47 Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, United States (Transfer of Air Passenger Name Record Data and Safe Harbour), New Zealand, and Uruguay. http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm (date accessed: 19.08.2013).

In the case of PNR, if an airline transfers personal data of EU passengers to a country lacking an adequate level of protection, it violates EU data protection legislation and risks incurring liability in the form of fines established by the national legislation of EU member states. To avoid this result and create a legal basis for the transfer, the EU followed the practice of concluding bilateral agreements between the EU and the states in question. Accordingly, the problem of inadequacy was to be solved by ensuring an adequate level of data protection in the agreements themselves. The history of bilateral PNR agreements between the EU and non-member countries started in the early 2000s, after the US requests for access to PNR data of European passengers flying to the USA came into conflict with EU data protection principles.
At present, the EU has three bilateral agreements on PNR: with the USA (the first agreement was concluded in 2004;48 it was then ruled invalid by the European Court of Justice,49 and in 2006 an “Interim Agreement”50 was signed, followed by the 2007 agreement;51 on 19 April 2012, the European Parliament gave its consent to a new agreement52),53 with Canada (the first one concluded in 2005, with a new one being negotiated),54 and with Australia (the first one of 200855 and a new one of 2011).56 The agreements were supposed to establish, ensure and guarantee an adequate level of protection for PNR transfer. The problem arose that the EU PNR agreements were concluded on a case-by-case basis, and despite the fact that all the agreements addressed the same issues, the provisions were not identical, leading to different rules for air carriers and for data protection. Data privacy advocates still argue that the EU PNR agreements, especially the American one, fail to ensure an adequate level of data protection or to prove that they are necessary and proportionate.57 In order to harmonize PNR transfer and establish common requirements, in 2010 the European Commission published a strategy on the global approach to transfers of PNR to non-EU countries (the EU Strategy).58 Two basic elements are in place: first, basic principles for the protection of personal data for any PNR agreement with a non-EU country; secondly, the means for ensuring their effective application.

48 Agreement between the European Community and the USA on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security and Bureau of Customs and Border Protection of 28 May 2004.
49 ECJ Judgment of 30 May 2006 on joint cases C-317/04 European Parliament v. Council of the European Union and C-318/04 European Parliament v. Commission (OJ C 228 of 11 September 2004), paragraphs 61, 70.
50 Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298) 29. This agreement was valid until 31 July 2007.
51 Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) of 29 June 2007. 4.8.2007. (L 204/18).
52 Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, Council of the EU (17434/11), adopted by the Council on 26.04.2012; on 19.04.2012 the European Parliament gave its consent. The agreement entered into force on 1.06.2012.
53 For an overview of the EU-US PNR agreements 2004-2007, see Mironenko Air passenger data protection: Data transfer from the European Union to the United States (2010)
54 Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information and Passenger Name Record data. 21.3.2006. (L 82/15).
55 Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service, 8.8.2008. (L 213/51).
56 Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, 29.09.2011. (L 186/4, 14.7.2012).
However, for the longer term, if many more countries become involved with PNR, the Strategy declared the EU’s aim to set these standards at an international level.59 On the one hand, as Newman argues, although Europe does not always prevail in international regulatory debates, in the data privacy field it has acquired “regulatory capacity”, creating and expanding rules in Europe and around the world.60 It is a fact that during the past decades many countries, such as Russia, have established regimes based on the EU model (at least on paper), and the list of “adequate” states is slowly growing. On the other hand, with reference to PNR transfer in particular, where the interests of national security are involved and all states are sovereign to impose requirements of their own, the EU can hardly possess the economic or political power to impose EU standards. In addition, in reality, complete compliance with the rules on global data transfer seems to be very difficult, as in the case of the EU PNR agreements. It is a question whether it is possible to provide adequate safeguards at all. Moreover, some views question whether the EU data protection requirements on global transfer are adequate at all. It is argued that some features of the current regime are “unrealistic, overly bureaucratic, costly, and inefficient.”61 As a result, the restrictions on data transfer were (and probably are?) ignored by many organizations.62 It is proposed that data transfer should be governed by accountability and ongoing responsibility, rather than arbitrary barriers and bureaucratic form filing.63

57 E.g. Article 29 Working Party on data protection: Letter to the Civil Liberties Committee of the European Parliament, Brussels, 6 January 2012. Ref. Ares(2012)15841 - 06/01/2012.
58 Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries. Brussels, 21.9.2010, COM(2010) 492 final
59 Page 10 of Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries. Brussels, 21.9.2010, COM(2010) 492 final
60 Newman Protectors of privacy: regulating personal data in the global economy (2008) p. 8-9
61 See Article 29 Data Protection Working Party Opinion 3/2010 on the principle of accountability, 13.07.2010, paragraphs 55-57.

Finally, the enhanced surveillance and increased collection of personal data for security purposes, including PNR, reflect worldwide tendencies. The Russian request raised concern that it may be followed by other states outside Europe. By 2012, eleven countries had filed requests with the European Commission for PNR data,64 and apparently the number will continue to grow. All of them may be encouraged to act unilaterally, and the EU may face the same problems while dealing with each of them. The request also drew attention to the disputed and recently rejected (although not cancelled) proposal on a European PNR system,65 whose circulation and possible adoption may further weaken the EU’s position (already weakened by accepting the EU-US terms) in any negotiations on PNR. The problem is, therefore, much wider than EU-Russian relations regarding PNR transfer, and involves all countries, both those requiring PNR and those whose airlines have to provide PNR.

5 Russian PNR system: overview

In 2007, the Ministry of Transport of the Russian Federation was required to create a unified state information system of transport security (USISTS), with automated centralized databases of personal data on passengers (ACDPDP) as its integral part.66 The corresponding provisions were included in the Russian Air Code67 and other regulation.
However, only in 2012 were the concrete provisions on ACDPDP stipulated by an order of the Ministry of Transport (the Order).68 With respect to air transport, the Order was initially supposed to enter into force on 1 July 2013, but this was then postponed until 1 December 2013.

62 Grant. Data protection 1998-2008. In: Computer Law & Security Report. Vol. 25 (2009). p. 48
63 Tene. Privacy: The new generations. In: International Data Privacy Law. Vol. 1 (2011). p. 22
64 European Parliament. Committee on Civil Liberties, Justice and Home Affairs. Draft Recommendation on the draft Council decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security. 30.01.2012.
65 In the meantime, the EU PNR proposal was rejected in April 2013 by MEPs in the civil liberties committee.
66 The Federal law On Transport Security of 09.02.2007 N16-FZ (Article 11).
67 The Air Code of the Russian Federation of 1 April 1997, Article 85(1).
68 Order of the Ministry of Transport of the Russian Federation of 19.07.2012 N 243 On approval of the formation and maintenance of automated centralized databases of personal data on passengers, as well as providing the data they contain.

In contrast to other PNR schemes covering air transport only (e.g. the EU-US system), the Order covers all modes of transport: domestic and international air transport (including flights into, out of, and over Russia), long-distance rail transport, and international transport by sea, inland waterway and road. In addition to participants of transport infrastructure69 and carriers (“Suppliers of information”), the data will be provided by federal executive bodies as well as foreign governments and organizations in the framework of international cooperation on transport security.
Suppliers of information incur liability for non-compliance with the transport security requirements pursuant to the legislation of the RF,70 namely administrative and criminal liability, depending on the consequences of the violation. If the carrier simply did not transfer the PNR data, the penalty is a fine or grounding of the aircraft.71 If there are serious consequences of the violation (e.g. large-scale damage, grave injury to human health, death of persons), then the carrier may incur criminal liability, including imprisonment for up to seven years.72 Accordingly, if foreign carriers flying to/from Russia or over Russia to Asia choose not to transfer PNR to Russia because EU data protection rules prohibit it, they risk being grounded or fined, or more serious sanctions if non-compliance caused serious injuries or damages. As for data protection issues, according to the Russian authorities, the right to data protection will be respected since, as mentioned before, Russia ratified the Council of Europe Convention No 108,73 and in order to implement the latter into national law adopted the Personal Data Law,74 which is applicable to PNR transfer. The Order also declares in §3 that the ACDPDP will be formed and operated according to the following principles: compliance with the constitutional rights of citizens; technological independence of the ACDPDP’s structure and functioning from administrative, organizational and other changes in the activity of participants in the information exchange; ensuring the confidentiality of information; ensuring the integrity and reliability of the data transferred. All these declarations sound fine, but what about concrete, more detailed data protection guarantees? This requires closer consideration: first, regarding Russian general data protection law; secondly, regarding specific elements of PNR transfer.

69 Defined as legal and natural persons who are the owners of transport infrastructure objects and vehicles or use them on a different legal basis (Federal law On Transport Security of 09.02.2007 N16-FZ Article 1(9)).
70 Article 12(3) of the Law on Transport Security.
71 Shadrina. Will not go far: From July next year it will not be possible to buy a ticket for a single mode of transport without a passport. In: Rossiyskaya Gazeta 26.09.2012.
72 Article 263.1 of the RF Criminal Code.
73 Federal Law of 19.12.2005 N 160-FZ On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
74 Federal Law on Personal Data of 27.07.2006 N 152-FZ.

6 Overview of Russian data protection law

In the Russian Federation, historically, in contrast to Western traditions, public interests prevailed over private ones for many centuries. According to official Soviet ideology, personal data was considered solely as an information resource necessary for the state. In the absence of legal regulation mechanisms, various abuses occurred: duplication of the powers of state and other bodies in the collection and processing of personal data, excessive collection, etc. The need to ensure the confidentiality of personal data was not even considered.75 In the 1990s, the spread of computer technology made the situation worse. Poor control over the use of personal data, without any liability being established, led to the emergence of an illegal market for various personal databases76 and other abuses.77 The need to provide appropriate protection for personal data became clear. Moreover, the processes of European integration and globalization dictated the need to bring Russian legislation and practice into line with international standards: otherwise, Russia could be isolated from other countries in the data protection field. Today, the Russian Constitution recognizes the rights to privacy, data protection and secrecy of communications.78 Russia is a member of the Council of Europe and signed Convention No 108 on 7 November 2001.
However, the process of ratification and implementation took years, and the Convention was ratified with several reservations, among other things that it will not be applied to personal data constituting state secrets. Russia reserved the right to impose restrictions on the right of the data subject to have access to his/her personal data in order to protect national security and public order.[79] The final stage of the Convention's ratification was completed in 2013, when the necessary amendments were made to federal laws.[80]

[75] Petrykina. Legal regulation of personal data flow. Theory and practice. (2011) p. 4.
[76] See Beroeva. Who and how do they steal databases? In: Komsomolskaya Pravda (2006).
[77] Petrykina (2011) p. 4.
[78] Articles 23-25 of the Constitution of the Russian Federation of 12.12.1993.
[79] Federal Law of 19.12.2005 N 160-FZ On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Convention is in force in Russia from 1.09.2013.
[80] Federal Law of 7.05.2013 N 99-FZ On Amendments to certain legislative acts of the Russian Federation in connection with the adoption of the Federal Law On ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and Federal Law On Personal Data.

54 Russian PNR system: data protection issues and global prospects

The Personal Data Law was designed to fulfill Russia's obligation to implement Convention No 108 into national law and to build Russian data protection law according to European and international standards. This would enable Russia to come closer to equal cooperation with foreign countries in the field of personal data protection and to solve internal problems in ensuring the right to data protection.[81] National data protection rules are also contained in other acts[82] and sector-specific federal laws.[83]

The Personal Data Law generally protects personal data from being collected and processed illegally and without the consent of the data subject. In comparison with the past, many positive changes are in place, and the law is constantly updated. For instance, substantial amendments were adopted in 2011, clarifying many important terms (e.g. personal data, controller, anonymization of personal data, etc.), updating the responsibilities of the controller to secure the data, etc. However, there are still some deficiencies in the regulation; some provisions are not fully implemented in reality and are not effective.

Pursuant to Article 23 of the Personal Data Law, the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) is the authorized body in the sphere of personal data protection, responsible for supervising that the respective activities are carried out in compliance with the Personal Data Law. However, in contrast to European data protection authorities, which are independent bodies, the Russian counterpart was established under the Ministry of Communications[84] and is structurally subordinated to it. In addition, the Government, the Federal Security Service of the RF (FSB) and other executive agencies have acquired substantial powers in the personal data field. Thus Roskomnadzor cannot be considered fully independent.

One of the most critical points is that the Personal Data Law grants many exemptions to state authorities on a wide range of grounds. In the context of PNR transfer, the applicable grounds will be transport security and security needs in general.
Pursuant to these needs, the right of the data subject to access his/her personal data may be restricted; the controller can be released from the obligations to notify Roskomnadzor about the processing and to obtain the data subject's consent, even when processing sensitive data. As a result, data subjects can hardly know which state organs and officials are working with their data.[85]

[81] Tsadykova. The constitutional right to privacy (2007).
[82] Federal Law On Information, Information Technologies, and the Protection of Information of 27.07.2006 N 149-FZ; Order of the President of the RF of 06.03.1997 № 188 on Approval of the list of confidential information (stipulates that the latter covers personal data, with a few exceptions); Resolutions of the Government, etc.
[83] E.g. Labor Code (Chapter 17), Tax Code (Art. 84), Federal Law On Mass Media of 27.12.1991 N 2124-1, Federal Law On Operational-search activities of 12.08.1995 N 144-FZ, etc.
[84] §2 of Resolution of the Government of the RF of 16.03.2009 N 228 About the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications.

Another critical point is that the legislation mainly focuses on technical requirements for personal data processing rather than on the protection of data subjects.[86] The data security requirements are very comprehensive and detailed, differing greatly from the respective rules of other states. For instance, neither the EU nor the USA provides any technical standards. Their laws indicate that the methods of data protection must be reasonable and sufficient, leaving the implementation of these principles to the controller, who will take full responsibility if the measures taken are insufficient. In Russia, controllers must provide technical measures according to the security levels determined by the RF Government.[87] The choice of means of protection of personal data is made by the controller in accordance with the regulations adopted by the FSB and the Federal Service for Technical and Export Control of the RF (FSTEC). In practice, the concrete methods and techniques appear to be excessive and expensive: expenses for security equipment (which must be produced by companies licensed by the FSTEC and the FSB) constitute up to 200% of annual turnover, and then 10-15% of that cost for annual maintenance.[88] But in reality, personal data in Russia are usually stolen by bribing responsible employees rather than by breaking the security systems, so all these requirements may make no sense at all.

Other problems are poor administration and the failure of controllers to comply with the law.[89] The annual report of Roskomnadzor for 2012[90] noted that leakages of personal data are caused by the failure of data controllers to ensure confidentiality and security. The most typical violations of data protection requirements are: violation of confidentiality in the processing of personal data; an inappropriate form of the data subject's written consent; failure of the controller to ensure the security of personal data and exclude unauthorized access to it; and notification to the authority about the processing of personal data containing incomplete and/or false information. Further, researchers note that Roskomnadzor concentrates on checking whether controllers comply with the formal requirements of the law instead of checking actual leakages of data; controllers are punished for violating the rules rather than for causing damage to citizens.[91] At the same time, Roskomnadzor faces a number of difficulties: according to experts, it possesses insufficient resources and personnel; it cannot initiate administrative proceedings and does not receive help from other organs such as the Ministry of Internal Affairs, which considers data protection offences not serious.[92]

One more challenge is the relatively low level of fines. Today, sanctions for failure to observe data protection requirements include administrative, civil, disciplinary and criminal liability. However, the penalties are insufficient: for instance, fines for violations of the collection, storage, use or distribution of personal data amount to 5–10 000 rubles for legal entities.[93] Accordingly, it is more profitable for controllers to pay the fines than to implement the data protection legislation.[94] Moreover, a large number of administrative cases are closed due to the expiration of the limitation period, which lasts only three months. In the meantime, it is proposed to substantially increase the amount of fines[95] and the limitation period.

[85] Modern Telecommunications Russia. The Council of Federation adopted Personal Data Law (2011).
[86] Chernova. We protect personal data through multi-stakeholder approach. In: Personal data (2013).
[87] Requirements for the protection of personal data during their processing in information systems of personal data, approved by Resolution of the RF Government of 01.11.2012 № 1119.
[88] Modern Telecommunications Russia (2011).
[89] Modern Telecommunications Russia (2011).
[90] The Ministry of Communications of the Russian Federation. The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications. Report on the work of the Authorized body protecting rights of personal data subjects for the year 2012. Moscow, 2013. Available at http://rkn.gov.ru/docs/Otchet_2013_UZPSPD_RSPECTR.doc (date accessed: 26.09.2013). Pages 6, 11-15.

As a result of all the factors mentioned, constant attempts to make the law stricter do not necessarily achieve their aims in reality, but create additional problems: they significantly complicate the life of controllers (many of whom prefer simply not to follow the law and are more concerned with avoiding problems with the authorities than with actually protecting personal data) and of end users (who will ultimately pay), and they create opportunities for abuse and corruption.[96] There are still cases of unauthorized disclosure of personal data on the Internet as well as thefts of databases from various public and social institutions, mobile operators and other owners.[97]

[91] Chernova (2013).
[92] Kovrigin. Total non-compliance with data protection law in Russia (2012).
[93] RF Code of Administrative Offences, Article 13.11.
[94] From the explanatory note to the draft Federal Law On Amendments to the Code of Administrative Offences posted on the Ministry of Economic Development website. Buh 1C. Protection of personal data: The results of the control (2012).
[95] ConsultantPlus. Roskomnadzor suggests to substantially increase the amount of fines for violation of personal data processing. 14.09.2012. http://www.consultant.ru/law/review/fed/nw201209-14.html (date accessed: 27.09.2013).
[96] Modern Telecommunications Russia (2011).
[97] See Palamarchuck. Supervision over the implementation of the legislation on personal data on the Internet. In: Zakonnost. Vol. 12 (2010). p. 3-5.

Consequently, at present, the level of legal protection of personal data in Russia falls behind the Western countries, where the legislation was passed decades earlier.
Many factors make the right to data protection particularly vulnerable in Russia: historical traditions, a relatively short period of legal regulation, the lack of an appropriate theoretical framework, weaknesses of the legislation and lack of enforcement mechanisms, and lack of judicial practice.[98] The aim of reaching the data protection level of the EU and international standards is still to be achieved. Among proposed improvements, commentators suggest establishing a new independent data protection authority, including provisions in law for control of personal data at all stages,[99] substantially increasing penalties for data protection offenses and imposing more serious criminal sanctions, etc. But some problems cannot be solved by improving data protection law alone. For instance, the problem of the illegal database market is caused mainly, first, by economic reasons (low salaries of state officials) and, secondly, by the lack of legal methods to obtain information, for example via special private firms as in the USA.[100] Therefore, a broader, complex approach to the solutions is needed: from education and propaganda to repairing civil society systems and combating corruption (which is a never-ending process).

7 Analysis of data protection elements

In this section, the paper will analyze the concrete data protection elements of the Russian PNR regime as it stands to date, taking into account the EU data protection requirements on PNR, the ICAO recommendations (where applicable) and the current EU-US PNR agreement. For the analysis, the author used legislation and documents available from open sources, correspondence with the Ministry of Transport and a conversation with the Operator of the ACDPDP (however, the latter stressed that the Operator is responsible for technical issues only and does not deal with data protection issues). It should be noted that a representative of the Ministry of Transport, in response to the author's questions, informed that according to §§23-24 of the Order of the Ministry of Transport of 04.07.2008 N 86, "the characteristics of the processing, storage, transmission and protection of data in the ACDPDP and USISTS as a whole, including personal data, are restricted information and can only be provided on the basis of a reasoned request from the organization, agency or enterprise, indicating the reasons for the need for the data, methods for their further use and the measures to be taken by the receiver to protect them."[101] Nevertheless, some answers were received. The list of elements considered is not exhaustive and presents selected items which, in the opinion of the author, constitute the most critical and disputable ones.

[98] Izmailova. Privacy in civil law: the law of the UK, the USA and Russia (2009).
[99] Izmailova (2009).
[100] See Beroeva (2006).

7.1 Use of data

According to the EU Strategy, the scope of the use of the data by a third country must be determined clearly and precisely and should be no wider than what is necessary for the aims to be achieved. The purposes for PNR data should include only law enforcement and security purposes to fight terrorism and serious transnational crime. Moreover, the terms terrorism and serious transnational crime should be defined based on EU regulation. In the EU-US Agreement Article 4, PNR data are to be used to prevent, detect, investigate and prosecute terrorism and serious transnational crimes. Serious crimes are defined as crimes punishable by 3 years of imprisonment or more under US law.
But the definition of transnational serious crime is very wide, covering all crimes where more than one jurisdiction is involved.[102] Additionally, PNR may be used "on a case-by-case basis where necessary in view of a serious threat and for the protection of vital interests of any individual or if ordered by a court" as well as "to identify persons who would be subject to closer questioning or examination." This means that PNR can be used for other cases as well (e.g. minor immigration or customs offences) and may be used for the profiling of passengers. According to the European Parliament, PNR may in no circumstances be used for data mining or profiling.[103] As a result, data privacy advocates argue that the purpose limitation is too broad and disproportionate.[104]

In Russia, §63 of the Order stipulates that the processing of passenger data in the ACDPDP is carried out in accordance with Article 5(2) of the Personal Data Law, which provides that the processing of personal data should be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purpose of collection is not allowed. The purpose of PNR processing is "to implement measures to ensure transport security."[105] From the EU perspective, it can be argued that the purposes are not indicated clearly or precisely; for example, there is no specification that the security purposes are restricted to combating terrorism and serious transnational crime. In practice, "measures to ensure transport security" can include a very broad category of activities, including profiling.

[101] Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
[102] Article 29 Working Party on data protection. Letter to the Civil Liberties Committee of the European Parliament (2012).
[103] European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada.
[104] European Data Protection Supervisor. Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security (2011).

Moreover, different statements made by officials in the press may raise questions as well. For instance, according to Chertok, Deputy Head of the Ministry of Transport and Federal Service for the Oversight of Transport (Rostransnadzor),[106] although the main purpose of the database is transport security, i.e. protection against acts of unlawful interference, in the future information from the database will probably be used in such cases as a passenger losing a ticket, or to recover damages from the carrier on request of a court.[107] Clearly, these purposes may serve passengers' consumer rights, but what about narrow purpose limitation? In an interview with Smirnov, the suggestion was made that the database should not be used for other purposes; for example, it must not allow law enforcement agencies to take untargeted people (for instance those who avoid child support, etc.) off a flight.[108] The rules of the Personal Data Law mentioned above prohibit the use of personal data incompatible with the purpose of collection, but will the security organs follow them without any exceptions similar to the US case? It can be concluded that the Russian PNR system does not fully follow the purpose limitation principle as prescribed by the EU Strategy. However, by signing the EU-US PNR Agreement, the EU accepted that this principle can be compromised.

7.2 Data scope

The EU Strategy requires that the exchange of data should be limited to the minimum and should be proportionate.
There should be an exhaustive list of the categories of PNR data to be transferred; PNR containing sensitive data cannot be used except under exceptional circumstances. The ICAO PNR Guidelines contain a list of possible PNR elements. The EU-US Agreement contains 19 PNR Data Types. Field 17 contains SSR/OSI/SSI, which may include sensitive information. Moreover, a closer look reveals that many data fields contain multiple data. See, for example, line 7: "All available contact information (including originator information)." The same applies to other lines. In the opinion of the EDPS, the list of data to be transferred to the DHS is disproportionate and contains too many open fields; it should be narrowed and exclude sensitive data.[109]

[105] Article 11(1) of the Federal Law On Transport Security.
[106] Federal organ which will oversee the transfer of data to the database by transport companies.
[107] Shadrina (2012).
[108] Smirnov. All the world has long been collecting the data this way (2007).

In Russia, there is a common list of data for all transport modes, with additional fields for every transport mode; hence, many data fields are repeated several times and the list looks much longer than the American one. As mentioned above, some technical problems arose with the composition and structure of the proposed protocol of passenger data and some of its items. However, in developing the rules of information exchange between a specific carrier and the Operator of the USISTS, some data elements may be excluded from or included in the list, depending on technical possibilities. An essential point is that, in contrast to the EU-US list, the Russian system does not require any PNR data which may contain sensitive data. This was confirmed to the author in a letter from the Ministry of Transport.[110] No collection of sensitive data means no problem with their processing. This fact makes the Russian list more proportionate and reasonable in comparison with the EU-US regime.

7.3 Data Security

Both ICAO and the EU Strategy state that PNR data must be protected against misuse and unlawful access by all appropriate technical and security procedures and measures to guard against risks to the security, confidentiality or integrity of the data. The EU-US Agreement stipulates the technical measures and organizational arrangements in Article 5(1-2). Additionally, in Article 5(3-4) it provides for notification of affected individuals in the case of a privacy incident and, in the case of "significant privacy incidents" involving PNR, of the relevant European authorities. The EDPS suggested that the recipients of the notification be clarified, so as to notify a competent US authority; that what constitutes a "significant privacy incident" be defined; and that the content of the notification to individuals and to authorities be specified.[111] But obviously, there are no claims regarding security standards.

As mentioned above, the Russian regulator provides detailed and comprehensive security requirements. The Order follows this line. Security of personal data is provided by organizational measures and means (including cryptography), and information technologies. The Operator of the USISTS is responsible for the data security of the ACDPDP.[112] Accordingly, it is obliged to use security equipment determined by the FSB and the FSTEC and produced by companies licensed by the FSB and the FSTEC.

[109] European Data Protection Supervisor (2011).
[110] Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
[111] European Data Protection Supervisor (2011).
[112] The Operator is Federal State Unitary Enterprise "ZashshitaInfoTrans," an enterprise subordinated to the Ministry of Transport.
According to the information of the Operator, all necessary attestations and certificates for securing data in the ACDPDP have been obtained.[113] The Ministry of Transport specifies that providing data to the ACDPDP is carried out electronically via secure channels (VPN channels over the Internet or channels of protected branch networks).[114] Formally, it can be argued that the Russian PNR system's provisions on data security fall within the international and EU requirements. But all the positive aspects may be negated, since, as mentioned before, personal data in Russia are usually stolen by bribing responsible employees rather than by breaking the security systems.

7.4 Oversight and accountability

According to the EU Strategy, a system of supervision by an independent public authority responsible for data protection, with effective powers of intervention and enforcement, must exist to exercise oversight over those public authorities that use PNR data. According to EU-US PNR Agreement Article 14, compliance with the privacy safeguards shall be subject to independent review and oversight by Department Privacy Officers, such as the DHS Chief Privacy Officer. In addition, independent review and oversight is conducted by the DHS Office of Inspector General, the Government Accountability Office and the U.S. Congress. However, the Chief Privacy Officer is appointed by and reports to the head of the DHS and thus cannot be considered independent. Lack of independent supervision was indicated as one of the weaknesses of this Agreement.[115] As mentioned above, pursuant to the Personal Data Law, the authorized body in the sphere of personal data protection is Roskomnadzor. The status, role and powers of Roskomnadzor are closer to those of European data protection authorities than any of the US organs mentioned above. However, it cannot be considered a fully independent body. This point may constitute a weakness similar to that of the EU-US scheme.

[113] Telephone conversation with the Operator's employee, 4.07.2013.
[114] Ministry of Transport. Information for entities of the transport infrastructure and carriers in connection with the entry into force of the Order of Ministry of Transport of Russia № 243. 20.06.2013. http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20360 (date accessed: 2.07.2013).
[115] Article 29 Working Party on data protection (2012).

7.5 Transparency and Notice

The EU Strategy provides that every individual shall be informed at least as to the purpose of processing of personal data, the persons who will be processing that data, under what rules or laws, the types of third parties to whom data is disclosed, and how and from whom redress can be sought. ICAO suggests a typical form of such notification and stipulates that air carriers or their agents must properly notify passengers (for example, at the time of booking a flight or purchasing a ticket) that the carrier may be required to provide any or all of its available PNR data to the authorities of the state of departure, arrival or transit, and that this information may be shared with other authorities. The EU-US Agreement Article 10 contains corresponding provisions. The Russian Personal Data Law provides that the data subject has the right to be informed about the processing of his/her personal data, including information about the legal basis, purposes of processing, the controller, terms of processing and storage period, etc. (Article 14(7)). Accordingly, the controller must, upon request of the data subject, inform him/her of the processing of personal data (Article 18(1)). However, the new PNR system does not provide any specific rules about air passenger notification. Clearly, the general rules obliging the controller to provide data "upon request of the data subject" cannot ensure proper notification of every individual involved.
This constitutes a weakness in comparison with the EU-US scheme and the ICAO and EU recommendations. The legislation should oblige the authorities to ensure that passengers are informed about the data processing at the early stages mentioned above.

7.6 Access, rectification and deletion

The EU Strategy and the ICAO PNR Guidelines suggest that an individual shall be provided with access to his/her PNR data and, where appropriate, with the right to seek rectification and deletion of his/her PNR data. The EU-US Agreement Articles 11-12 state that any individual, regardless of nationality, country of origin or place of residence, will have the right to access their PNR data and to correct or rectify the PNR, including the possibility of erasure or blocking, if the information is inaccurate. But some "reasonable legal limitations" under US law apply. As a result, the Working Party expressed doubts as to whether US law and the Agreement provide for the respective rights in line with the requirements of EU law.[116]

Articles 14, 20 and 21 of the Russian Personal Data Law stipulate the rights of the data subject to obtain information related to the processing of his/her personal data, to access it, to cure breaches of personal data processing, and to correct, block or destroy personal data. However, §5 of Article 14(8) of the Personal Data Law provides that the right of the data subject to access his/her personal data may be restricted according to federal laws if the processing of personal data is carried out according to the legislation on transport security, in order to ensure the stable and secure functioning of the transport system and to protect the interests of individuals, society and the state in the transport sphere against acts of unlawful interference. Personal data collected according to the Federal Law On Transport Security constitute elements of transport security information; thus, §5 of Article 14(8) restricts the data subject's right to access.[117] In contrast to the EU-US Agreement, this is a general rule rather than an exception. However, the risk of broad application of the restrictions and limitations in the US case makes the regimes quite similar. Taking into account the acceptability of the EU-US regime for the EU, it could be argued that the Russian regime should be acceptable too.

[116] Article 29 Working Party on data protection (2012).

7.7 Redress

The EU Strategy stipulates that every individual shall have the right to effective administrative and judicial redress where his or her privacy has been infringed or data protection rules have been violated, on a non-discriminatory basis regardless of nationality or place of residence. Article 5(5) of the EU-US Agreement states that administrative, civil and criminal enforcement measures are available for privacy incidents under US law. Article 13 provides redress for individuals regardless of nationality, country of origin or place of residence. Administrative and judicial redress in accordance with US law is provided. The EDPS noted that Article 21 explicitly states that the agreement "shall not create or confer, under US law, any right or benefit on any person"; hence, even if a right to redress is granted in the US under the agreement, such a right may not be equivalent to the right to redress in the EU.[118] In Russia, the data subject's rights are protected according to the Personal Data Law,[119] which states that if the data subject believes that the data controller infringes his/her rights and liberties, he/she is entitled to contest the controller's actions or failure to act with the authorized data protection body or in court. The data subject has the right to protect his/her rights and legal interests, including the right to require compensation for losses and/or compensation for moral damage, in court (Article 17).
[117] Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
[118] European Data Protection Supervisor (2011).
[119] Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.

Formally, although this is not stipulated with reference to the PNR system, according to the principle of equality of individuals before the law, the right to administrative and judicial redress under Russian law may apply to individuals regardless of race, origin, nationality, etc. However, it is unknown whether effective enforcement measures will be available for privacy incidents involving PNR as long as there are problems with human rights enforcement in general. It is hence questionable whether the redress mechanisms correspond to the standards of EU law. Accordingly, the problem of failure to provide the right to effective judicial redress may appear. However, the EU accepted this risk in the EU-US case.

7.8 Retention of data

Both ICAO and the EU recommend that the period of retention of PNR should not be longer than necessary for the performance of the defined tasks. The EU Strategy notes that the period of retention should take into account the different ways in which PNR data are used and the possibilities of limiting access rights over the period of retention, for example by gradual anonymization of the data. ICAO adds that the state should, in accordance with national laws or regulations, have a system for monitoring and ensuring appropriate deletion of the PNR data. Under the EU-US Agreement, US authorities will keep PNR data in an active database for up to five years. After the first six months, all information which could be used to identify a passenger would be "depersonalized." After the first five years, the data will be moved to a "dormant database" for up to ten years, with stricter access requirements for US officials. Thereafter, data would be fully "anonymized" by deleting all information which could serve to identify the passenger. Data related to any specific case will be retained in an active PNR database until the investigation is archived. According to the EDPS and the Working Party, the storage of all data for up to 15 years is excessive and disproportionate. Moreover, after 15 years, only anonymization of the data is provided for. Taking into account the difficulty of truly anonymizing data and the lack of any explanation of why the anonymized data is needed, the data should instead be deleted.[120] The EDPS goes even further and suggests that the data should be anonymized (irreversibly) or deleted immediately after analysis or after a maximum of 6 months.[121]

In Russia, Article 5(7) of the Personal Data Law states that personal data shall be stored in a form that allows the data subject to be identified for no longer than is necessary for the processing purposes, if the retention period of personal data is not set by federal law or by a treaty to which the data subject is a party (or beneficiary, guarantor). Processed personal data shall be destroyed or anonymized upon achievement of the set purposes or if such purposes cease to be relevant, unless otherwise provided by federal law. In the case of PNR data processing, the retention periods are not determined,[122] leaving the door open to unlimited storage. Clearly, this contradicts international and EU recommendations on data protection, and is weaker overall than the (albeit controversial) EU-US scheme.

[120] Article 29 Working Party on data protection (2012).
[121] European Data Protection Supervisor (2011).
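The tiered retention scheme described above (identifiable for six months, depersonalized until year five, dormant until year fifteen, then anonymized, with case-related records held back) is, from an engineering standpoint, a data-lifecycle policy that a PNR store has to enforce record by record. The following Python is an added illustration written for this page; it is not code from the paper, from the ACDPDP or from any DHS system. The record layout and field names are assumptions constructed for the example (they loosely mirror the open-ended categories discussed in 7.2, such as contact information and free-text SSR/OSI remarks), the day counts are an assumption since the Agreement speaks in months and years, and the EDPS proposal and the Russian Order are modelled as two further policies so the three regimes can be compared on the same sample record.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    """Tier boundaries in days after booking; None means that step never happens."""
    depersonalise_after: Optional[int]
    dormant_after: Optional[int]
    anonymise_after: Optional[int]


POLICIES = {
    # EU-US Agreement as described in the text: 6 months / 5 years / 15 years
    # (day counts are an assumption made for this example).
    "eu_us_agreement": RetentionPolicy(183, 5 * 365, 15 * 365),
    # EDPS suggestion: irreversible anonymisation (or deletion) after at most 6 months.
    "edps_proposal": RetentionPolicy(None, None, 183),
    # Russian Order: no retention period determined, so a record never changes tier.
    "russian_order": RetentionPolicy(None, None, None),
}


@dataclass
class PnrRecord:
    """Constructed record layout for the example; field names are assumptions."""
    locator: Optional[str]     # booking reference, links the record to a person
    name: Optional[str]
    contact: Optional[str]     # "all available contact information"
    itinerary: str             # route only, not identifying on its own
    ssr_osi: Optional[str]     # free-text SSR/OSI remarks, may reveal e.g. health status
    booked_on: date
    case_open: bool = False    # data tied to a specific case stays active


IDENTIFYING_FIELDS = ("name", "contact", "ssr_osi")


def retention_tier(rec: PnrRecord, today: date, policy: RetentionPolicy) -> str:
    """Name the tier a record is in on `today` under `policy`."""
    if rec.case_open:
        # Retained in the active database until the investigation is archived.
        return "active-identifiable"
    age = (today - rec.booked_on).days

    def passed(threshold: Optional[int]) -> bool:
        return threshold is not None and age >= threshold

    if passed(policy.anonymise_after):
        return "anonymised"
    if passed(policy.dormant_after):
        return "dormant"
    if passed(policy.depersonalise_after):
        return "active-depersonalised"
    return "active-identifiable"


def apply_retention(rec: PnrRecord, today: date, policy: RetentionPolicy):
    """Return (tier, record as it should be stored). Never mutates `rec`."""
    tier = retention_tier(rec, today, policy)
    if tier == "active-identifiable":
        return tier, rec
    # Depersonalisation: direct identifiers are blanked, but the locator stays,
    # so whoever holds the booking data can still re-link the record. That
    # reversibility is why the text treats it differently from anonymisation.
    stripped = replace(rec, **{f: None for f in IDENTIFYING_FIELDS})
    if tier == "anonymised":
        # Anonymisation: the locator goes too; only the itinerary survives.
        stripped = replace(stripped, locator=None)
    return tier, stripped


def identifiers_present(rec: PnrRecord) -> list:
    """Which linkable fields (locator included) are still populated."""
    return [f for f in ("locator",) + IDENTIFYING_FIELDS if getattr(rec, f) is not None]


# Constructed sample booking and observation dates, not real data.
SAMPLE_DATES = (date(2010, 3, 1), date(2011, 1, 1), date(2016, 1, 1), date(2026, 1, 1))


def sample_record(case_open: bool = False) -> PnrRecord:
    return PnrRecord("ABC123", "Doe/Jane", "+00 000 0000", "OSL-SVO-PEK", "WCHR",
                     date(2010, 1, 1), case_open)


def tiers_over_time(policy_name: str, case_open: bool = False) -> list:
    """Tier of the sample record at each of SAMPLE_DATES under the named policy."""
    pol = POLICIES[policy_name]
    return [retention_tier(sample_record(case_open), d, pol) for d in SAMPLE_DATES]


if __name__ == "__main__":
    for label, pol in POLICIES.items():
        for d in SAMPLE_DATES:
            tier, stored = apply_retention(sample_record(), d, pol)
            print(f"{label:16} {d} {tier:22} still holds: {identifiers_present(stored)}")
```

Running the block shows the contrast the section draws: under the EU-US policy the sample record loses its name, contact and SSR/OSI remark after six months but keeps its locator until year fifteen, under the EDPS proposal it is unlinkable after six months, and under the Russian policy it stays fully identifiable at every date, which is exactly what "retention periods are not determined" means in practice.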
7.9 Domestic sharing

The EU Strategy states that PNR data should only be disclosed to other government authorities with powers to combat terrorism and serious transnational crime, and which afford the same protections as those afforded by the recipient agency under the agreement, in accordance with an undertaking given to the latter. PNR data should never be disclosed in bulk, but only on a case-by-case basis. According to ICAO PNR Guidelines §2.12.1, the state must take steps to ensure that every public authority having access to PNR provides the appropriate level of data management and data protection. The EU-US Agreement contains corresponding provisions in Article 16. However, according to the Working Party, the agreement is not specific on how compliance with the safeguards can practically be ensured, particularly with respect to retention periods, and it does not provide that transfers shall be done on a case-by-case basis only.123 The EDPS believes that the list of authorities that might receive PNR should be specified, and that the DHS should not transfer the data to other agencies unless they guarantee an equivalent level of protection.124

In Russia, according to Article 11(4) of the Federal Law On Transport Security, the information resources of the USISTS are restricted information. §13 of the Order provides that the federal executive bodies authorized by the Government of the Russian Federation to carry out functions in the field of transport security, the Russian Interior Ministry and the Federal Security Service (FSB) ("consumers of information") use the data contained in the ACDPDP. But which bodies actually are the "federal executive bodies authorized by the Government of the Russian Federation to carry out functions in the field of transport security"? Logically, the answer should be found in the Government's resolutions.
122 This was also stated in the Letter of 5.08.2013 N 07-05-01/1277-is, signed by A.A. Druzhinin, Head of the Department of Legal Support and Legislative Activities, Ministry of Transport of the RF.
123 Article 29 Working Party on data protection (2012).
124 European Data Protection Supervisor (2011).

As for aviation security, the development and implementation of state policy on aviation security is the task of the Federal Air Transport Agency.125 But the actual aviation security activities (measures to protect civil aviation against acts of unlawful interference) are performed by this agency in cooperation with the Federal Security Service of the Russian Federation (FSB), the Ministry of the Interior, the Ministry of Defense, the Ministry of Foreign Affairs and the Federal Customs Service of the Russian Federation.126 In addition, according to the Program of Civil Aviation Security of the Russian Federation, some functions are carried out by the Ministry of Transport and the Federal Service for Transport Oversight (Rostransnadzor), as well as by other interested federal organs of the executive branch.127 The list can hardly be called exhaustive. Moreover, for other transport modes, additional organs may be relevant. Given that the database is common to all transport modes, and that all the organs authorized to carry out security functions for the other modes (rail, sea, etc.) will also have access to the data, the range of organs with access to the data is quite broad. At the same time, according to the Operator,128 the organs authorized to use the data contained in the ACDPDP are limited to the Interior Ministry, the FSB and the security department of the Ministry of Transport (i.e.
not even the whole ministry, but one special department), while a representative of the Ministry of Transport, in response to the author's request, stated that the list of organs authorized to access data from the ACDPDP is the one contained in the Order129 (see above). Since the information is contradictory, no firm conclusion can be drawn. Apparently, the same problems as those indicated for the EU-US scheme above may be relevant. It would be helpful if the regulator provided an exhaustive list of authorized agencies and obliged them to provide safeguards.

7.10 Onward transfers to third countries

The EU Strategy stipulates restrictions on the use and further dissemination of PNR data to another third country. Such onward transfers shall be subject to appropriate safeguards. In particular, the receiving third country should transfer this information to a competent authority of another third country only if the latter undertakes to treat the data with the same level of protection as set out in the agreement, and only if the transfer is strictly limited to the purposes of the original transfer of the data. PNR data should be disclosed only on a case-by-case basis. The EU-US Agreement provides rules on transfers to third countries in Article 17(1).

125 §7, Resolution of the Government of the RF of 30.07.1994 N 897 On the Federal System of Protection of Civil Aviation from Acts of Unlawful Interference.
126 §8, Resolution of the Government of the RF of 30.07.1994 N 897 On the Federal System of Protection of Civil Aviation from Acts of Unlawful Interference.
127 Program of Civil Aviation Security of the Russian Federation, Order of the Ministry of Transport of the RF of 18.04.2008 N 62 (as amended on 10.03.2011).
128 Telephone conversation with an employee of the Operator, 4.07.2013.
129 Letter of 5.08.2013 N 07-05-01/1277-is, signed by A.A. Druzhinin, Head of the Department of Legal Support and Legislative Activities, Ministry of Transport of the RF.
These rules refer to the terms of the agreement, but the agreement does not specify how compliance with those terms can be ensured, and it does not provide that transfers shall be done on a case-by-case basis only.130 The EDPS recommends that data transfers to third countries should be subject to prior judicial authorization, and that the DHS should not transfer the data to third countries unless they guarantee an equivalent level of protection.131 Other criticisms include the following: there is no obligation to make sure that third countries do not forward the information to other parties or countries; no penalty if the third country uses the data for something else; no obligation to ensure that the onward transfer is proportionate; no requirement to keep records of the transfer; and no role for any data protection authority.132

The Russian Order contains no terms or provisions on transfer to other countries. Article 12 of the Personal Data Law contains general rules: cross-border transfer of personal data to foreign countries that are parties to Convention No 108, as well as to other foreign countries providing adequate data protection, is carried out in accordance with this federal law, and may be prohibited or limited in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, the rights and lawful interests of citizens, national defense and state security. The list of foreign countries that are not parties to Convention No 108 but provide adequate data protection is adopted by the authorized body (Roskomnadzor). The Ministry of Transport did not provide the author with any further details on the possibilities of onward transfer of PNR, referring to restricted information.133 According to the Operator, the PNR data will not be transferred from Russia to other countries.134 No transfer would mean no problems similar to those indicated for the EU-US scheme.
However, the lack of concrete provisions does not constitute grounds for concluding that there will certainly be no transfer; additional legal guarantees are needed.

130 Article 29 Working Party on data protection (2012).
131 European Data Protection Supervisor (2011).
132 Amberhawk Training Limited (2011).
133 Letter of 5.08.2013 N 07-05-01/1277-is, signed by A.A. Druzhinin, Head of the Department of Legal Support and Legislative Activities, Ministry of Transport of the RF.
134 Telephone conversation with an employee of the Operator, 4.07.2013.

7.11 Methods of transfer

The EU Strategy and the ICAO PNR Guidelines suggest that, to safeguard the data in the databases and to maintain the airlines' control over them, data should be transmitted using the "push" system.135 The practical difference is that under "push" the carrier itself filters the record down to the agreed data elements and can log each transmission before anything leaves its systems, whereas under "pull" the authority obtains query access to the carrier's reservation system as a whole. The Strategy adds that the number of times that data are transferred before each flight should be limited and proportionate. Article 15(1) of the EU-US Agreement states that data will be transferred using the "push" method. However, Article 15(5) requires carriers to "provide access" to PNR data in exceptional circumstances. The Working Party argued that if the pulling of data remains technically and legally possible, there should be rigorous independent monitoring (of the log files).136 The EDPS suggested prohibiting the "pull" system altogether.137 Article 15(3) requires carriers to transfer PNR to the DHS initially 96 hours before the scheduled flight departure, and additionally either in real time or as a fixed number of routine and scheduled transfers as specified by the DHS.
This provision fails to determine the frequency of PNR transfers clearly.138

According to the Russian Order, the suppliers of information provide data to the ACDPDP in electronic form, automatically, on a schedule and in near real time, by selecting the required data from their information systems and unloading them into an exchange file of an agreed format. This means that the "push" method is used. The data transfer mode is 24 hours a day, 7 days a week. The suppliers must provide data to the ACDPDP no later than 30 minutes after entering the data into their own information systems (unless otherwise provided by the regulation on passenger data transfer for a particular mode of transport). For air carriers, API and PNR data collected before passenger check-in at the airport must be transferred to the ACDPDP 36 hours before check-in at the airport of departure. Transfer of API data received during check-in at the airport is done interactively (if such a regime is available) or 15 minutes before the departure of the aircraft. Transfer of PNR data obtained in the course of boarding and after the departure of the aircraft is done immediately after these events are recorded in the air carrier's systems. In contrast to the EU-US scheme, therefore, the frequency of PNR transfers is defined and only the "push" method is used, which gives stronger protection.

135 Under the "push" method the airline itself selects the requested data and transmits them to the authorities; under the "pull" method the authorities have direct and immediate access to the airlines' databases.
136 Article 29 Working Party on data protection (2012).
137 European Data Protection Supervisor (2011).
138 Article 29 Working Party on data protection (2012).

8 Conclusion

It is clear that PNR exchange is becoming worldwide practice. Not only Russia but many other countries are using or planning to impose PNR regimes.
The international community, represented by organizations such as ICAO and IATA and realizing that this process will grow, is endeavoring to establish common rules which would standardize and harmonize PNR collection for security purposes, including data protection standards. However, their recommendations are not binding and there are no enforcement mechanisms. The EU, with its strict data protection regulation, also endeavors to establish common standards for PNR transfer to third countries, but it hardly possesses the economic or political power to enforce these standards in the rest of the world. It is also questionable whether the EU requirements are realistic at all: the bilateral agreements already concluded show that full compliance with the EU data protection requirements has not been achieved.

The analysis of the Russian PNR regime shows that many elements of the system are based on the ICAO PNR Guidelines. As for data protection, the Russian Personal Data Law, which is itself based on international and EU standards, is applicable. Some data protection guarantees are provided, at least formally. The positive features are the non-processing of sensitive data and the use of the "push" method of transfer only (both of which constitute better protection than under the EU-US PNR regime), together with strict data security requirements. Other elements are provided, but various weaknesses remain: the purposes of transfer are established, but they are broad; provisions on oversight and accountability are contained in the Personal Data Law, but the data protection authority is not completely independent; rules on redress are provided, but in practice they may be weaker than the EU level of protection; the list of organs authorized to access the data is provided, but its exhaustiveness is questionable; and the data subject's right of access to his or her personal data is restricted on the grounds of transport security needs.
However, these weaknesses are quite similar to those of the EU-US system. The points which are weaker than in the EU-US scheme are the lack of terms on transparency and notification, and the fact that the retention periods are not determined. Finally, the terms of onward transfer to other countries (if any) are restricted information.

Some of the indicated weaknesses could be repaired if the Russian regulators provided further legal rules on this matter, that is, more specific and concrete provisions and guarantees regarding the PNR system in addition to the general rules of the Personal Data Law. This concerns in particular the redress mechanisms, oversight and accountability, and transparency and notification. Other weaknesses concern mainly the security demands and needs (the purposes of processing, the right of access, the retention period, the list of organs, and transfer to other countries). Apparently, any change will require a balancing of data protection and security interests.

But an analysis of the Russian PNR rules "on paper" is not enough. A further challenge relates to specific Russian realities. The historical background, as well as the general situation of human rights and civil society in Russia, makes data protection rights particularly vulnerable. The problems indicated with reference to general data protection law, if not solved, may apply to the PNR regime as well. Providing effective law enforcement mechanisms depends greatly on the whole system, including the legal, judicial and other systems and the integral parts of civil society, and the weaknesses of these parts may play a negative role. Thus, simply establishing legal norms to protect passengers' data protection rights may not be enough.
Overall, regardless of whether the Russian PNR system is considered better than, worse than or the same as the EU-US one, from the EU's perspective Russia is not a country providing an adequate level of data protection; thus, transfer of PNR by EU airlines to the Russian authorities would be illegal. From 1 December 2013, if the situation does not change (through settlement of the conflict of laws, or if the new measure is cancelled or postponed again), EU airlines will find themselves in a difficult situation: to fly to or over Russia, they will be able to comply with either EU law or Russian law, but not with both. A dialog between Russia and the EU is therefore to be expected. Of course, the conflict of laws can be approached with the help of political or economic pressure. For example, the review of the visa facilitation deal with Russia could be used "as leverage" to counter Russia's demands.139 There are a number of other pending issues which could be used as well, but it is quite doubtful that they would help the EU to "cancel" the Russian PNR regime or solve the data protection problems. Another solution could be a bilateral EU-Russian PNR agreement. Apparently, it will be problematic to resolve all the data protection problems discussed above by a contractual solution. In addition, by accepting the EU-US PNR scheme, the EU weakened its position in negotiations with Russia (as well as with other countries requiring PNR data): it would be a politics of double standards to deny to others what was accepted from the USA. Moreover, the EU's own proposed PNR regime raises similar questions and disputes; if adopted, the EU's data protection position will be further weakened. But an agreement could at least create a legal basis for the transfer and not leave the EU airlines alone with the dilemma; thus, it is preferable to have an agreement than not to have one. However, the author cannot exclude the possibility that EU-Russian negotiations might remain pending for an unknown period of time.
139 The Portugal News (2013).

But again, no matter what is stipulated in Russian law and/or in a contractual solution (if any) between the EU and Russia, a separate question will be whether Russia is in reality capable of ensuring the established rules, safeguards and guarantees.

From a global perspective, the Russian PNR regime is not the only one to emerge; as stated, many states require or will require PNR data. The majority of states will be considered as failing to provide an adequate level of data protection in EU terms. For some of them, the dilemma of law-in-books versus law-in-action will be relevant. Consequently, similar challenges and difficulties may concern any state. Further, no state is immune from ever more enhanced surveillance and possible abuses by law enforcement authorities in the name of security. Even within the PNR frameworks established and negotiated with the EU, who can guarantee that the USA will keep its promises, and that abuses and violations will not happen? The recent revelations of the NSA's secret surveillance programs drawing on personal data do not add optimism to the picture.

As a result, the question formulated above (is it possible to use PNR and at the same time respect passengers' rights?) cannot be answered in a simple way. Clearly, on closer inspection the PNR case reveals a number of critical issues of global relevance: the security versus privacy dilemma, privacy and data protection concerns, problems of internal regulation and law enforcement, enhanced and unlimited surveillance, the underdevelopment of democratic values, etc. How to deal with these problems? Further dialogs between states, including discussions at the international level, could be helpful. The ICAO PNR recommendations are already used as models for PNR transfer, but deficiencies remain, and there are no enforcement mechanisms.
Bilateral agreements, although providing a legal basis for transfer, fail to resolve all the problems. The point is that PNR processing is a part of national security strategies, where the powers of the international community or of other states are limited. The majority of the problems have internal, national roots. Thus, national endeavors constitute the key factors, and a broader, more complex approach is needed.

Olga Mironenko Enerstvedt ([email protected])
Ph.D. Research Fellow, Norwegian Research Center for Computers and Law (NRCCL), University of Oslo, Norway

The author would like to thank Prof. Dag Wiese Schartum and Prof. Lee Andrew Bygrave for their valuable comments on an earlier version of this article.

9 References

Amberhawk Training Limited (2011) Amberhawk Training Limited. A review of some important aspects of the EU-USA PNR agreement, 2011.
Article 29 Working Party on data protection (2012) Article 29 Working Party on data protection. Letter to the Civil Liberties Committee of the European Parliament. Brussels, 2012.
Beroeva (2006) Nigina Beroeva. Who and how do they steal databases? In: Komsomolskaya Pravda, 2006.
Brouwer (2009) Evelien Brouwer. The EU Passenger Name Record System and Human Rights: Transferring Passenger Data or Passenger Freedom. In: CEPS Working Document (2009).
Buh 1C (2012) Buh 1C. Protection of personal data: The results of the control. http://buh.ru/document.jsp, 2012.
Bygrave (2002) Lee A. Bygrave. Data protection law: approaching its rationale, logic and limits. Kluwer Law International, The Hague / London / New York, 2002.
Chernova (2013) Aleksandra Chernova. We protect personal data through a multistakeholder approach. In: Personal data (2013). http://www.privacy-journal.ru/article/122/2/1516.
Elkova (2013) Olesya Elkova and Sergey Kolobkov. Russian sky will be closed to the lock. http://www.rbcdaily.ru/industry/562949987318547, 2013.
European Data Protection Supervisor (2011) European Data Protection Supervisor. Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security. Brussels, 2011.
Grant (2009) H. Grant. Data protection 1998-2008. In: Computer Law & Security Report. Vol. 25 (2009). p. 44-50.
Hasbrouck (2009) Edward Hasbrouck. What's in a Passenger Name Record (PNR)? http://hasbrouck.org/articles/PNR.html, 2009.
Izmailova (2009) N.S. Izmailova. Privacy in civil law: the law of the UK, the USA and Russia. Moscow, 2009.
Kovrigin (2012) V.V. Kovrigin. Total non-compliance with data protection law in Russia. http://can-work.ru/index.php/neews/press-tsentr-kompanii/145law-on-personal-data-if-it-works, 2012.
Lyon (2007) David Lyon. Surveillance studies: An overview, 2007.
Mironenko (2010) Olga Mironenko. Air passenger data protection: Data transfer from the European Union to the United States. Oslo, 2010.
Modern Telecommunications Russia (2011) Modern Telecommunications Russia. The Council of Federation adopted Personal Data Law. http://www.telecomru.ru/article/?id=606, 2011.
Newman (2008) Abraham Newman. Protectors of privacy: regulating personal data in the global economy, 2008.
Nielsen (2013) Nikolaj Nielsen. EU tells Russia to drop air passenger data law. http://euobserver.com/justice/120387, 2013.
Nielsen and Rettman (2013) Nikolaj Nielsen and Andrew Rettman. Russia blames EU for airline data fiasco. http://euobserver.com/justice/120450, 2013.
Ntouvas (2008) Ioannis Ntouvas. Air Passenger Data Transfer to the USA: the Decision of the ECJ and latest developments. In: International Journal of Law and Information Technology. Vol. 16 (2008). p. 73-95.
Palamarchuck (2010) A.V. Palamarchuck.
Supervision over the implementation of the legislation on personal data on the Internet. In: Zakonnost. Vol. 12 (2010). p. 3-5.
Petrykina (2011) N.I. Petrykina. Legal regulation of personal data flow. Theory and practice. Moscow, 2011.
Poullet (2009) Y. Poullet. Data protection legislation: What is at stake for our society and democracy? In: Computer Law & Security Review. Vol. 25 (2009). p. 211-226.
Schneier (2008) Bruce Schneier. Schneier on security. Indianapolis, Ind., 2008.
Shadrina (2012) Tatiana Shadrina. Will not go far: From July next year it will not be possible to buy a ticket for a single mode of transport without a passport. In: Rossiyskaya Gazeta, 26.09.2012.
Sirena-Travel (2013) Sirena-Travel. Problems of realization of the Order of the Ministry of Transport N243. http://www.ato.ru/content/problemy-realizaciiprikaza-mt-rf-no243-formirovanie-i-vedenie-avtomatizirovannyh, 2013.
Smirnov (2007) Oleg Smirnov. All the world has long been collecting the data this way. http://www.aviaport.ru/digest/2007/04/09/118983.html, 2007.
Solove (2008) D. J. Solove. Data mining and the security-liberty debate. In: The University of Chicago Law Review (2008). p. 343-362.
Tene (2011) Omer Tene. Privacy: The new generations. In: International Data Privacy Law. Vol. 1 (2011). p. 15-27.
The Portugal News (2013) The Portugal News. Euro MPs raise grave concerns over Russia's demand for EU air passengers' data. http://www.theportugalnews.com/news/euro-mps-raise-grave-concerns-over-russias-demand-foreu-air-passengers-data/28637, 2013.
Tsadykova (2007) Elvira A. Tsadykova. The constitutional right to privacy. Moscow, 2007.
Wolff (2012) Steve Wolff. Are We Ignoring the "Risk" in Risk Based Screening? In: Aviation Security International. Vol. 18 (2012).
Yehoshua (2011) Sagit Yehoshua. Terrorist profiling: analysing our adversaries' personalities. In: Aviation Security International. Vol. 17 (2011).
Privacy as a Cultural Value1

Lee A. Bygrave

"Part philosophy, some semantics, and much pure passion"! These are the words that Alan Westin once famously used to describe privacy.2 As many of you know, Westin, who died earlier this year, was one of the seminal and most influential policy entrepreneurs in the regulation of privacy and data protection matters. As professor of public law and government at Columbia University, he was also one of the first academics to explore deeply the various dimensions of privacy. His description of privacy as a mixture of philosophy, semantics and passion speaks volumes about privacy. Most importantly for our discussion today, it highlights the inherent diffuseness of privacy at the same time as it indirectly connects privacy to a broader cultural context. For philosophy, semantics and passion tend to be culturally conditioned. And as soon as we move from a discussion of privacy as a state or condition of being (for instance, a state of limited accessibility) to a discussion of privacy as a desired or valued state of being, the cultural is implicated. Our views of privacy as a value and, hence, our views of how much privacy ought to be permitted are intimately tied to culture.

This is really rather trite. More difficult is to define precisely what culture is. If privacy is a nebulous concept, culture is equally so. It can potentially embrace a great deal. And distinguishing cultural factors from other factors (biological, technological and economic, to name a few) is difficult. I do not have time today to delve into these distinctions and related definitions. It suffices to emphasise that the analytical parameters for our discussion today are far from sharp: neither privacy nor culture is a firm, easily defined concept. Nonetheless, I would venture to claim that all of us here today appreciate, intuitively at the very least, that culture matters in discussions of privacy and data protection.
1 Address given to the opening plenary session of the 35th International Conference of Data Protection and Privacy Commissioners, Warsaw, 25th September 2013.
2 A F Westin, Privacy and Freedom (Atheneum 1967) p. x.

When we compare, for instance, the number of video surveillance cameras in the public spaces of Warsaw with the number of cameras in the public spaces of London, we readily appreciate that the difference bespeaks, at least partly, a cultural difference. Yet it is far from easy to identify precisely what that cultural difference is. And making valid generalisations on the basis of culture is also fraught with difficulty. It is further fraught with disagreement. Take, for example, attempts to explain why judges in the USA so readily recognised a tort for breach of privacy yet English judges did not, despite the fact that both jurisdictions share a common law heritage. Some analysts have claimed that the English are more constrained than Americans by protocol and codes of behaviour to respect individuals' privacy, and that it was a lack of such "taste" that precipitated the American judges' embrace of a tort for breach of privacy.3 Other analysts, though, claim that the different judicial directions taken reflect English judges' inherent conservatism, narrow-mindedness and distaste for nebulous rights.4 Whatever the case, we lack a large body of systematically collected empirical data about cultural attitudes to privacy, data which could lift us well beyond explanations in which anecdote and popular cultural stereotypes play a considerable part.5 Of course, collecting such data is not going to lift us beyond disagreement over what causes what, nor will it make explanation easy. This is partly because concern for privacy within a given culture or country is often uneven.
3 See eg J Martin and A R D Norman, The Computerized Society (Prentice-Hall 1970) p. 468; W F Pratt, Privacy in Britain (Bucknell University Press 1979) p. 16.
4 See eg B W Napier, "International Data Protection Standards and British Legislators", Informatica e diritto, 1992, vol. 1, p. 83, 85.

In the UK, for example, proposals to introduce multi-purpose Personal Identification Number (PIN) schemes similar to those in Scandinavia have traditionally been met with great antipathy, yet video surveillance of public places in the UK seems to be considerably more extensive than in the Scandinavian countries and, indeed, the rest of the world. Levels of privacy across nations and cultures, and across broad historical periods, are in constant flux, a point I shall come back to at the end of my talk. At the same time, the desire for some level of privacy appears to be a panhuman trait. Even in societies in which apparently little opportunity exists for physical or spatial solitude, human beings seem to adopt various strategies for cultivating other forms of social distance. I refer here particularly to Barrington Moore's study of the Siriono Indians in Bolivia,6 and to David Flaherty's study of colonial society in New England.7

While we may acknowledge or intuitively appreciate the cultural dimension of privacy and data protection, I would venture to claim that many of us here today forget it in the routine of our jobs. I am a lawyer; many of you here are too. As such, we work with legal texts, typically in the form of Acts on privacy and data protection. Many of you, lawyers or otherwise, administer these texts' requirements. They are texts that, remarkably, appear as largely abstract, technical codes filled with largely procedural norms and divorced from any obviously cultural context. Scratch at them, though, and that context quickly emerges, often in the form of a cultural bias or premise. This is most obvious with provisions
that single out particular kinds of data as especially sensitive and subject them to more stringent rules than otherwise apply. Article 8 of the EU Data Protection Directive is a prominent example. Those provisions caused some consternation in the Scandinavian countries inasmuch as they include data on trade union membership, an inclusion that was grounded in the political realities of southern Europe but had little relevance for northern Europe.

5 See too C J Bennett and C D Raab, The Governance of Privacy (2nd edn, MIT Press 2006) p. 6.
6 B Moore, Privacy: Studies in Social and Cultural History (M E Sharpe 1984).
7 D H Flaherty, Privacy in Colonial New England (University Press of Virginia 1972).

The cultural bias of privacy and data protection rules is often under-communicated by lawmakers. This might be due partly to ignorance or forgetfulness, but also to a reluctance to take greater account of the cultural dimension. Culture, as I said before, is slippery, hard to measure, and thus hard to operationalise with legal certainty. Yet I suggest that lawmakers need to take greater account of it. We need to keep our eyes more open to the extra-legal dimension of privacy and data protection law. And we ought to think very carefully before we allow formalistic, rigid legal requirements to bludgeon their way across cultural divides. This is particularly pertinent in relation to rules in data protection laws dealing with sanctions and remedies. There is no necessary link between tougher enforcement powers and better compliance. Compliance levels are a function of numerous factors, of which enforcement powers and the ability to use such powers are just two.
Other factors include the seriousness with which a given community generally takes privacy and data protection matters, the extent to which the administrative and corporate cultures of a given jurisdiction inherently respect data protection ideals, and the talents of the data protection commissioners and their personnel. In some jurisdictions, social mores are particularly important. For example, Miyashita observes that while the formal sanctions for breaches of data protection rules in Japan are weaker than those in Europe, “it is crucially important to understand that a data breach in Japan means the disruption of social trust and the intimate relationship with customers. In Japan, the risk of loss of social trust and business reputation is regarded as much more significant than paying a fine”.8 Similarly, it cannot be assumed that a data protection authority with strong formal powers will necessarily have greater success in fulfilling its objectives than one with weaker formal powers. Experience from Germany, for instance, indicates that, given a particular constellation of the sorts of factors listed above, a significant degree of compliance can be achieved without a data protection authority 8 H Miyashita, “The evolving concept of data privacy in Japanese law”, International Data Privacy Law, 2011, vol. 1, p. 229, 233. 79 Yulex 2013 having the power to issue legally binding orders (eg prohibiting certain forms of data processing).9 Finally, I want to return to the point about cultural flux. We need to be very careful about painting particular cultures into a corner out of which they cannot escape. This is particularly pertinent in respect of societies which putatively embrace collectivist rather than individualist ideals – that is societies that seem to place primary value on securing the interests and loyalties of the group at the expense of the individual. African and Asian countries are often lumped in this category. However, these are not static societies. 
One of the most remarkable developments in the field of privacy and data protection is the emergence of organisations in the Asia-Pacific and Africa as policy-brokers in the field. Examples are the Asia-Pacific Economic Cooperation (APEC) and, even more significantly, the Economic Community of West African States (ECOWAS). Just a decade ago, these organisations scarcely figured as policy-brokers in the field. The situation today is very different, particularly in Africa where some of the most ambitious and normatively prescriptive data protection initiatives have been recently launched. I refer here especially to the Supplementary Act on Personal Data Protection within ECOWAS, adopted in 2010.10 Further, the East African Community (EAC)11 has issued a recommendation that its member states adopt data protection laws in line with best international practice.12 These events show not just the shifting character of privacy as a cultural value but underline also that privacy is very much a generational value. D H Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press 1989). 10 Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, adopted 16 February 2010. The ECOWAS states are Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo. 11 Composed of Tanzania, Rwanda, Kenya, Uganda and Burundi. 12 Legal Framework for Cyber Laws (Phase 1) November 2008, formally adopted 7 May 2010. However, unlike the ECOWAS instrument, the EAC recommendation does not set out substantive data protection rules nor is it legally binding. 9 80 Kontroll og overvåking i arbeidslivet1 Tommy Tranvik Innledning I dette kapitlet drøftes utfordringer knyttet til kontroll og overvåking i arbeidslivet, nærmere bestemt bruken av feltteknologi: elektroniske systemer for registrering og behandling av opplysninger om ansatte som jobber utenfor fast arbeidssted. 
1 The discussions in this chapter are based on Tranvik 2013.

The first part of the chapter discusses fundamental issues related to employers’ use of field technology for control and surveillance of work performance: how can field technology challenge employees’ privacy, how are field technology products built and how do they work, which laws and rules apply when field technology is used in working life, and which privacy interests can come into play when this type of electronic system is used in working life? The second part of the chapter summarises experiences with the introduction and use of field technology in 50 enterprises across seven different industries. The discussion there focuses in particular on experiences with the introduction of field technology itself, the arguments for and against introduction that were used (by employers and employees), and reports of misuse of information about employees. Finally, the enterprises’ compliance with legal rules when introducing field technology and in the subsequent processing of information about employees is discussed. The discussions in the second part will show that the 50 enterprises that took part in the study faced important challenges, both in balancing the employer’s need for control against employees’ privacy and in complying with the laws and rules that regulate the introduction and use of field technology.

Part I – Basic questions

Defining the problem – an example

Electronic systems for control and surveillance of employees away from a fixed workplace have been in use – and have created controversy – for some years already. It was a case from the waste collection industry in Nord-Troms that in 2010 brought these issues into the public spotlight in earnest.2 The background was that the inter-municipal waste collection company Avfallsservice AS in Nord-Troms had adopted the fleet management system GPS Realtime Waste Management on its refuse collection vehicles.3 Among other things, the system was used as a navigation tool for the company’s drivers and to record information about the drivers’ work performance. The latter was done by the drivers sending an electronic receipt message to the company’s computers for each collection point they visited on their route.4 The electronic messages were timestamped and stored in a collection log. This enabled the company’s management to check when drivers had visited the various collection points and how much time they had spent between each collection point. The two types of information were originally meant to serve two different purposes: documentation of work performance (the electronic collection log) and payment of wages (the manually kept timesheets). However, management believed it had reason to suspect that one of the drivers was recording too many hours on his timesheets. Management therefore checked the collection times recorded in the collection log, and the check showed that the driver had spent an unusually long time between many of the collection points on his route. Nevertheless, he had entered this as working time on his timesheets. On this basis the company concluded that the driver had been paid for work he had not performed, and the driver was dismissed from his position. The driver did not accept this. He demanded that the dismissal be declared invalid and claimed compensation from the company for wrongful dismissal and unlawful processing of personal data. The bodies that dealt with the case – the Data Protection Authority (Datatilsynet),5 the Privacy Appeals Board (Personvernnemnda),6 Hålogaland Court of Appeal7 and the Supreme Court8 – found that the company had breached important provisions of the Working Environment Act and the Personal Data Act.
Nevertheless, the courts did not find in the driver’s favour on any point, either in the Court of Appeal or in the Supreme Court. Below we shall see that the waste collection case in Nord-Troms is not an isolated instance.9 Electronic systems for surveillance or control of employees away from a fixed workplace are being adopted by ever more employers in many different occupations and industries. It is therefore no exaggeration to claim that the introduction and use of electronic control and surveillance is one of the most important technical and organisational developments in the parts of working life covered by this report.

2 The case is discussed in, among others, Borchgrevink 2011: 33-35, Edvardsen 2011 and Nedberg 2011.
3 The system is supplied by the company Norsk Navigasjon, see http://www.norsknavigasjon.no/.
4 The drivers could also submit deviation reports, for example that refuse bins could not be emptied because they had tipped over, had not been put out or were not where they should be.
5 See http://www.datatilsynet.no/Regelverk/Personvernnemda/Klagesaker/2011/Ulovlig-bruk-avGPS/.
6 See http://www.personvernnemnda.no/vedtak/2011_04.htm.
7 See www.lovdata.no, LH-2011-155315.
8 See Rettstidende 2013, page 143 or www.lovdata.no, HR-2013-234-A.
9 At the same time, a similar case was handled by the Data Protection Authority during spring 2013, see http://www.datatilsynet.no/Nyheter/2013/Overtredelsesgebyr-for-ulovlig-bruk-av-gps-data-fra-yrkesbil/.

The technology

The waste collection case concerned electronic control or surveillance systems being used to collect information about the drivers. Such systems are usually referred to as field technology. In addition to fleet management, there are a number of other types of field technology. The most common are electronic driving logs, handheld computing devices (smartphones, PDAs, laptops, etc.), barcode systems, various types of sensors, radio frequency identification (RFID), digital tachographs, toll tags and fuel cards.
What these field technologies offer employers is presence without physical proximity. The most common way this is achieved is that information about employees in the field is visualised on computer screens that managers (or other office personnel) monitor. Managers can thereby know about matters they were previously unaware of, or only learned of after the fact, for example where employees are located, how much time they spend with different customers, how often they take breaks, which driving routes they choose, how fast they drive, etc. This type of field technology can therefore be said to have the following characteristics:

• Visibility: Field technology can make visible matters that were previously wholly or partly hidden from the employer.
• Centralised overview: Field technology can provide an overview of employees’ movements and activities from a single central location (for example the dispatch centre, operations centre, resource management centre or traffic control centre).
• Remote control in real time: Field technology can enable managers in the office (or personnel at the control centre) to intervene in or direct work performance while the work is still in progress.
• Decentralised access: Field technology can give employees access to internal computer systems and information resources while they are away from the office (for example order and invoicing systems, patient records, customer history, handbooks and procedure descriptions, etc.).

Not all field technology has all of these characteristics. Some products, for example, are designed so that information about employees is made available to the employer long after it has been recorded in the field. Other products have a design that makes it difficult or impractical for managers (or other personnel) in the office to follow what employees are doing at any given time, but the information can nevertheless be examined afterwards.

The legislation

The introduction and use of field technology is legally regulated in several ways.
If the use of field technology is defined as a control measure, the rules in chapter 9 of the Working Environment Act apply.10 These set conditions for the introduction of control measures (field technology) and require that the introduction process follow certain procedural rules. The electronic processing of information about employees (personal data) that takes place after the control measure (field technology) has been put into operation is regulated by the rules in the Personal Data Act and its regulations. Under these rules employers have a number of obligations when information about employees is processed electronically. At the same time, employees have a number of rights in relation to the employer’s processing of information about themselves. The introduction and use of control measures in working life, field technology included, may also be regulated in collective agreements and in separate agreements/protocols between the parties at enterprise level. Discussions of the legal rules that apply to the introduction and use of field technology can be found in Dag Wiese Schartum (2013): Rettslige aspekter ved feltteknologi i arbeidslivet.

Privacy

Why should employees who use field technology and work away from a fixed workplace have expectations of privacy? Many of them work in public spaces, for example bus drivers, security guards or tram drivers, and they may also be easily visible for other reasons, for example because they drive vehicles with company logos or wear work clothing that makes them stand out. So why should the employer not be able to keep track of what its own employees are doing when the rest of us can observe them during the day? The question of privacy for employees away from a fixed workplace is not about the employer being barred from knowing what the rest of us observe on a daily basis. Nor is it about employers not being able to monitor or follow up their own employees.
It is instead about how systematic, routine and focused the processing of information about employees should be: to what extent should employees be visible to, and be scrutinised by, persons to whom they are subordinate and on whom they depend? When do visibility and scrutiny take on such a character that autonomy and independence – the individual sphere – erode or disappear? Privacy for employees away from a fixed workplace can therefore be understood as a way of regulating the relationship between two parties where one (the employees) is subordinate to the other (the employer). This means that questions of privacy are closely interwoven with questions of power. The employer strengthens its power when employees become visible on management’s computer screens or become the object of detailed scrutiny in the enterprise’s computer systems. The power imbalance can be evened out somewhat if employees gain influence over how management handles information about them, for example which information is displayed on the screens or recorded in the computer systems. Privacy is therefore defined as the degree of control that employees have over the employer’s use of information concerning themselves. In the literature this is described as informational integrity.11 In the waste collection case, the drivers had a certain, but limited, informational integrity (control over the recording of information in the fleet management system). It was they themselves who sent in the electronic receipt messages, and they could themselves assess which deviations ought to be reported. At the same time, they had little control over the employer’s use of the information after it had been received by the waste collection company. For example, the drivers had no way of checking whether the information in the fleet management system was being compared with information drawn from other data sources (the timesheets).

10 What is meant by a control measure is not defined in the statutory text itself or in the preparatory works to the Act. See Ot. prp. nr. 49, 2004-2005, Om lov om arbeidsmiljø, arbeidstid og stillingsvern mv., chapter 12 (http://www.regjeringen.no/nb/dep/ad/dok/regpubl/otprp/20042005/otprp-nr-49-2004-2005-.html?id=396602).
11 The understanding that protection of information about the individual is a central part of privacy was first formulated in Westin 1967: 7. See also Schartum and Bygrave 2011: chapter two and Blekeli 1977.

Prevalence and previous research

There are no good figures showing the prevalence of field technology in the industries/occupations that took part in this survey. Nor are there good figures on the total prevalence of field technology in working life as such. In a survey conducted by the research foundation FAFO in 2010, seven per cent of employees answered that fleet management was used at their workplace. The survey did not ask about the prevalence of other types of field technology.12 Information from the suppliers, union representatives and enterprise managers who took part in this study does, however, suggest that use is growing rapidly, and that growth has been particularly strong since 2009-10. The growth was explained partly by the falling price of many of the products, so that small and medium-sized enterprises can now also afford to buy products of the GPS Realtime Waste Management type. No previous studies have been made of the causes or consequences of the introduction and use of field technology at enterprise level. Some previous research has, however, been done on the significance of information and communication technology for surveillance, control and privacy in working life, both internationally and in Norway.13 But here too, few empirical studies have been conducted at enterprise level. There is therefore relatively little help and guidance to be had from previous research.

12 See Bråten 2010.
13 See for example Allmer 2012, Bråten and Tranvik 2012, Swell 2012, Swell et al. 2012, Ball 2010, Bråten 2010 and 2008, Øvstedal et al. 2010, Berkvens 2009, Bing 2009, Bodie and Estreicher 2007, Hansson and Palm 2005 or Ravlum 2004. Such questions are also dealt with in the general literature on the sociology of organisations and work. See for example Grint 2005, Holman et al. 2003, Sennett 2003 and 1999 or Zuboff 1988.

Part II: Experiences with field technology in seven industries

The industries and the data

These issues are discussed on the basis of studies of 50 enterprises in seven different industries or occupations. The following industries/occupations took part in the study:

• The electrical industry. The most important field technologies were electronic driving logs, fleet management and handheld computing devices (smartphones, PDAs or laptops).
• Cleaning. The most important field technologies were handheld computing devices (smartphones or PDAs), radio frequency identification (RFID) and electronic driving logs.
• Municipal home care services. The most important field technology was handheld computing devices (smartphones or PDAs) integrated with internal computer systems, for example electronic patient records.
• Security (security guard companies). The most important field technologies were handheld computing devices (smartphones or PDAs), barcode systems and electronic driving logs.
• Public transport (bus and tram). The most important field technology was advanced fleet management systems. Electronic ticketing systems with satellite tracking and real-time information systems were also in use.
• Freight transport. The most important field technologies were fleet management, digital tachographs, handheld computing devices (PDAs) and barcode systems.
• Road maintenance. The most important field technologies were satellite-based systems for collecting production data and handheld computing devices (smartphones or PDAs).

In total, 50 enterprises took part, spread across the seven industries mentioned above. The participating enterprises were not representative of their industry or of Norwegian working life as such. Firstly, because large and medium-sized enterprises were over-represented in the sample. Secondly, because the great majority of enterprises were characterised by orderly labour relations, for example that the enterprises had union representatives and safety representatives. This means that the experiences discussed below probably give a more positive picture of the situation in the seven industries (and in working life generally) than we would have obtained if more small enterprises and enterprises without orderly labour relations had been included in the study. In addition to the 50 enterprises, 16 suppliers of field technology and representatives of various expert groups, primarily industry consultants and researchers, also took part in the study as informants. All in all, 97 interviews were conducted with suppliers, enterprise managers, union representatives, safety representatives and experts, mainly in the period from October 2011 through November 2012. Employee representatives (union representatives and safety representatives) were interviewed to a greater extent than representatives of enterprise management.

The situation – main tendencies

There is little doubt that the introduction and use of field technology, and the increasing processing of information about employees that this entails, was one of the most important technical and organisational changes that the enterprises in the study had carried out (or were in the process of carrying out) in recent years. In many of the enterprises the development can be described as somewhat dramatic, in that the introduction of field technology led to far more, and more detailed, information being recorded about employees now than just two, three or four years earlier. The findings indicate that questions about the employer’s right to collect this information and regard for employees’ privacy were high on the agenda when field technology was introduced – this is the most important point of contention in the 50 enterprises that took part in the study.
The findings also indicate that the use of field technology was more problematic than the number of disputes reported to the central bodies of the employee and employer organisations would suggest (the organisations reported that they rarely received such cases from their members). Instead, the cases remained at local level – in each individual enterprise – where the parties in the enterprises attempted to resolve them, or the cases remained unresolved and contributed to a more strained relationship between employers and employees. The majority of those who took part in the study – representatives of the supplier industry, enterprise managers, union representatives and safety representatives – considered that the use of field technology raised difficult challenges concerning where the line between legitimate control of employees and privacy-infringing surveillance should be drawn. It was not surprising that the various actors had different and partly conflicting views on where the line should be drawn. Nor was it surprising that suppliers and enterprise managers generally had a higher tolerance threshold for the use of field technology – and placed greater weight on the employer’s right to process information about employees than on regard for privacy – than union representatives and safety representatives did. Nevertheless, management in a small number of enterprises (5-6) had made a considerable effort to prevent the introduction and use of field technology from coming too much at the expense of employees’ privacy.

Use of field technology

Different types of field technology were used in the electrical occupations (energy supply and electrical installation), municipal home care services, security (the security guard industry), cleaning, public transport (bus and tram), goods transport and road operations. The most advanced field technology products could both increase the visibility of employees in the field, facilitate centralised management of work effort, and offer decentralised access to the enterprises’ computer systems.
Although some types of field technology had been used for many years in some of the industries, the most common situation was that use was of recent date, anywhere from three or four years to a few months (some enterprises were in the process of introducing field technology when the study was carried out). The most typical field technology products in use recorded information about employees by means of satellite positioning and tracking (electronic driving logs and fleet management) or by using handheld computing devices (PDAs, for example barcode or RFID scanners, smartphones or laptops). The products could include technical functions such as motion sensors (g-sensors), integration with in-vehicle computer networks or digital tachographs, communication between employees and managers, and so on. Many of the products were also integrated with the enterprises’ internal computer systems, for example order handling, HR systems, finance/accounting, record systems, planning tools, inventory and parts ordering modules, etc.

Visibility, management and access

Making employees in the field visible characterised the use of field technology in all the industries. This was, however, most prominent in enterprises where various forms of satellite positioning and tracking (electronic driving logs or fleet management) were used. Visibility of behaviour was particularly important in the electrical occupations, where enterprises wanted to use electronic driving logs to strengthen control over private use of company vehicles. Visibility was also important in cleaning and in the security guard industry, where handheld computing devices were used to document work performance. The same can to some extent be said of public transport, especially bus companies, and road operations. Here it was reported that making work performance visible through documentation of, among other things, punctuality, idling, snow ploughing and salting was important in relation to clients (for example county public transport purchasers).
Centralised management of employees in the field was particularly prominent in industries and enterprises where fleet management (of the GPS Realtime Waste Management type) was used. This applied first and foremost in the electrical occupations and in goods transport. In goods transport in particular, management ambitions were high. This was expressed, among other things, in information from the fleet management systems being combined with information recorded by other types of field technology, for example digital tachographs and temperature sensors. Similar ambitions were evident in public transport and road maintenance, but without the systems being used as actively to manage employees and work performance. In industries where handheld computing devices were primarily used, for example in cleaning and the security guard industry, employers had few ambitions of stronger management of their own employees. There it was more relevant to use recorded information to check work performance against the terms of contracts or service standards, that is, to document to customers that the job had been done as agreed.

Decentralised access to internal computer systems characterised the use of field technology in industries and enterprises where handheld computing devices (PDAs or smartphones) were used as work tools by employees. Municipal home care services are the archetypal example of this use of field technology. Here, access to internal computer systems – work lists, client information, record notes, procedure descriptions and medical handbooks – was the core functionality. Similar use of handheld computing devices was also common in the electrical occupations.

Surveillance and misuse

Employees’ experience of being monitored, and episodes of misuse of information about employees, especially purpose creep or breaches of rules in local agreements/protocols (which regulated the enterprises’ processing of information about employees), varied somewhat between industries.
Below is a brief summary of the most important user experiences.

Surveillance and episodes of misuse were reported to be greatest in industries where products based on satellite positioning and tracking – electronic driving logs or fleet management – were most used. This applied first and foremost in the electrical occupations and in goods transport. In the electrical occupations in particular, strong resistance to electronic driving logs and fleet management was reported. At the same time, a number of cases were reported where information was used to check employees’ work performance/working hours, including by comparing information from different data sources (especially with a view to checking employees’ self-reported working hours or how long they had stayed with different customers). In goods transport, scepticism towards field technology was also marked, particularly since several of the enterprises recorded many different types of information about drivers, and because few limits were reported on what management could use the information for. The resistance was, however, less organised than in the electrical trades. It seemed mainly to exist as frustration at driver level, and was only to a small extent raised to the level of the parties in the enterprises. In the bus industry, fewer cases of alleged misuse of information were reported, but some union representatives and safety representatives felt that drivers could experience the surveillance as uncomfortable. In these industries – electrical, goods transport and bus – suspicions of misuse of information were more widespread than the occurrence of concrete examples of misuse. The reason for this was probably that union representatives or employees usually had few opportunities to check how management handled information recorded in electronic driving logs or in fleet management systems.
It can therefore be argued that the suspicions were probably fed by the relatively low level of informational integrity, that is, employees’ control over the recording and further processing of their own information was limited. It appeared that limited control over their own information led some union representatives (and safety representatives) to begin doubting that management was handling the information in an acceptable manner.

Tram and road operations deviated from the tendencies in the three industries mentioned. Systems for satellite positioning and tracking were in use in these industries too, but the experiences were said to be relatively positive: few (or no) reports of employees feeling monitored or of episodes of alleged misuse of information. This was probably linked to several factors, including that the information was perceived as not very personal and that employees saw it as in their interest that the use of field technology strengthened the enterprise’s control over external contractors.14

The experience of being monitored, and the number of episodes of misuse of information about employees, generally appeared to be least in industries where handheld computing devices were used to record information about employees: cleaning, municipal home care services and the security guard industry. Unlike satellite positioning and tracking, which were perceived as management’s tools, handheld computing devices were to a greater extent perceived as the employees’ work tools. Informational integrity can therefore be said to be greater than with systems for satellite positioning and tracking: employees had more control over which information was recorded about them. But even though handheld computing devices gave employees greater control over the recording of information itself, control over what happened to the information after it had been transferred to the employers’ computer systems was nonetheless limited.
Union representatives and safety representatives therefore could not be certain what management actually used the information for, who had access to it or how long it was stored. In the security guard industry, episodes were also reported where management wished to obtain information about employees recorded by customers and clients (third parties, see the discussion below). In municipal home care services, the use of handheld computing devices did not appear to be interpreted as a control measure. This despite the union representatives’ view that the devices could be used for control, including of employees’ use of time. Some union representatives had examples of this, but there were no reports of employees feeling monitored by management. In other industries, primarily the security guard industry, attitudes towards handheld computing devices were more critical. Here, union representatives and safety representatives were concerned that this work tool could also be used for control and surveillance, and pointed to several examples of this having happened. The same can to some extent be said of cleaning. There, some union representatives reported being worried about increasing time registration and that this could lead to greater work pressure on employees.

14 It was in road operations that external contractors – enterprises that performed tasks on behalf of the main contractor – were perceived as a problem. There it was claimed that external contractors had a tendency to over-report production data, for example ploughing or salting of road sections. This made external contractors appear more efficient than the main contractor’s employees, but with the introduction of field technology, reported production data could be checked against work actually performed. The expectation expressed was that this would show that the main contractor’s employees were no less efficient than the hired labour.
Third-party control

The introduction of field technology could lead to a larger element of third-party control, that is, parties other than the employer registering or having access to data about the employees. This was particularly the case where tasks were put out to tender or employees performed work on customers' premises, especially in the bus industry, goods transport, tram operation, road maintenance and the security guard industry. Third-party control also occurred in the electrical trades and cleaning. In the bus industry, tram operation, road maintenance and cleaning, third-party control was rarely problematised. For example, no episodes were mentioned in which the employer wanted third parties (customers or clients) to hand over data about employees (registered in camera surveillance or access control systems) to the employer. In goods transport, the security guard industry and the electrical trades, however, it was reported that third-party control could be an additional burden on employees, that is, yet another actor (in addition to the employer) registering or having access to data about them. Here, episodes were reported in which the employer requested access to data about employees registered by customers/clients, or in which customers/clients themselves used the data to check up on the employer's staff. This could happen, for example, by customers/clients reviewing their own surveillance cameras to check the performance of the hired-in workforce, or by customers/clients being given access to the employer's fleet management system (their own web login with access to selected parts of the system). Union and safety representatives felt they had little influence over the extent of third-party control, and that this created uncertainty about how third parties (in cooperation with employers) used data about employees.
Justifications and counterarguments

Companies' justifications for introducing field technology varied depending on which products were involved and the industries in which they were used. The use of some types of field technology could, for example, be voluntary (chosen by the companies themselves), while the use of other types was required by law, for example digital tachographs in commercial transport or temperature sensors in refrigerated transport. Some types of field technology had few and specific purposes, for example electronic driving logs (compliance with tax rules), while other types could have many and partly imprecise purposes, for example fleet management (rationalisation, efficiency, quality improvement, personnel safety, work documentation, environmental concerns, fuel reduction, etc.). Nevertheless, four justifications (or purposes) stood out as particularly important across products and industries.

The most important justifications

The most important (and most frequently occurring) justification was rationalisation and more efficient operations. This was primarily to be achieved through more centralised planning and management of the work, for example by planning driving times and routes better than before, or by reducing response times for urgent assignments. The same purpose was also to be achieved by giving employees access to internal computer systems in the field, so that they could look up and register important information about assignments (or customers/users) without returning to the office. Higher quality of service delivery, more accurate documentation of work performed and more satisfied customers/clients were other purposes mentioned in connection with the rationalisation and efficiency justifications. Better documentation of work performed was a justification mentioned in most industries. It was, however, especially important where work was performed under contract and doubt could easily arise as to whether the job had been done.
Documentation of the work was therefore especially crucial in cleaning, the security guard industry and road maintenance, but was also mentioned as important in the electrical trades, the bus industry, goods transport and home care services. The documentation could to some extent be required by law, for example driving and rest times in goods transport, but was mainly self-chosen and "defensive", that is, data that were "nice to have" in case of complaints or questions from customers or clients. Increased personnel safety was a purpose mentioned in most industries, with some exception for cleaning and home care services. The safety justification was that it would become easier to locate employees if they were involved in accidents, violent episodes or other kinds of emergencies, and that assistance could be summoned and dispatched faster than before. Better regulatory compliance was a justification emphasised particularly where vehicles (company cars or lorries) were part of the work. Electronic driving logs, for example, were used in several industries to document compliance with the company car rules in tax legislation, and in goods transport several systems were used to meet statutory requirements (especially digital tachographs, temperature sensors and alcohol interlocks). In home care services, electronic registration of direct user time (the number of minutes users of the services were entitled to under municipal decisions) could be seen as a form of regulatory compliance: documenting that users received the help they had been granted.

The most important counterarguments

The most important counterarguments concerned surveillance and misuse of data about employees. We have seen above that the force with which union and safety representatives put forward these counterarguments varied somewhat between products and industries.
In addition to surveillance and misuse of data, the following counterarguments were the most frequently mentioned:

• Shift of power: Registering data about employees by means of field technology could allow the stronger party (the employer) to strengthen its position vis-a-vis the weaker party (the employees). It was mentioned that employees and union representatives could become more anxious or reluctant to voice critical views to management when they knew that management had access to detailed data on how they performed their work. The concern was partly that the data could be used to punish critical voices in the company, and partly that managers could use the data to get rid of employees whom they for other reasons regarded as problematic or troublesome.

• Reduced trust: Increased registration of data about employees was experienced as distrust, that is, as a sign that management no longer trusted the employees to do their job. Several union and safety representatives also believed that the use of field technology had reduced the employees' trust in management. This applied especially in companies where there had been episodes of misuse of data about employees, or where the introduction process was described as problematic.

• Changed work situation: The use of field technology, especially if used for increased control and direction of the work, would affect the way the job was done, and each employee's experience of their own work, in a negative way. Several union and safety representatives believed that employees' autonomy and independence would diminish, while others feared more time pressure and a higher work tempo. The common denominator was the concern that employees would have less influence than before over the content of their own working day.
• Less job satisfaction: Reduced influence over one's own working day could lead to greater dissatisfaction at work (and possibly higher sickness absence). Greater dissatisfaction could affect both employees' productivity and the quality of the work performed. It could also make employees less loyal to the employer, that is, less willing to make an extra effort when needed.

Not all union and safety representatives agreed with these counterarguments; some held that the use of field technology had done little to affect power relations, trust, the work situation or job satisfaction. They also considered it unlikely that field technology had led to rationalisation or more efficient operations. Such views were put forward especially by union and safety representatives in companies where the relationship with management was described as very good, where there had been no known episodes of misuse of data, and where the use of field technology was a precondition for winning tenders and securing jobs. But even these voices were sceptical of field technology and data registration if the use was not regulated through local agreements/protocols that both parties complied with.

Laws and agreements

About half of the companies that took part in the study had not, or had only to a limited extent, followed the rules in the Working Environment Act (chapter nine) on informing employees and consulting union representatives before introducing field technology. The most common deficiency was that consultations with union representatives either had not been held or had taken place at such a late stage that their opportunity to influence how the field technology would be used was limited. It was reported that consultations had usually come about after pressure or demands from the local union branch. Only in a few companies was it reported that management had taken the initiative.
This applied, however, only to the introduction of products based on satellite positioning and tracking (primarily electronic driving logs and fleet management). Far fewer companies had complied with the procedural rules of the Working Environment Act when introducing handheld devices (even though the devices registered data that could be used to control employees). This meant that many of the companies that had followed the rules when introducing electronic driving logs or fleet management had nevertheless not done so when introducing other kinds of field technology. Only in the security guard industry had companies applied chapter nine of the Working Environment Act when introducing handheld devices; in the other industries, only a relatively few companies had done the same. At the same time, the need for local agreements/protocols seemed to be perceived as less pressing for handheld devices, probably because the devices were less associated with control and surveillance than systems for satellite positioning and tracking.

In the great majority of companies, the introduction of field technology and the processing of data about employees rested on the managerial prerogative: the employer's view that it had a unilateral right to institute control of employees' work performance. The managerial prerogative had been used either by instructing employees to start using the technology, or as a "trump card" where employees resisted the introduction of field technology. In some companies it was pointed out that similar systems had been introduced in competing companies, and that the use was therefore both lawful and necessary to secure the company's future. Only in a few companies had field technology (primarily electronic driving logs) been introduced on the basis of employee consent. The majority of union representatives preferred greater use of employee consent.
Managers, on the other hand, believed that the managerial prerogative, together with their own assessments of whether the measures were objectively justified and proportionate, should remain the basis for introducing field technology and for processing data about employees.

Agreements or protocols regulating management's processing of data about employees existed in about one in three of the companies that took part in the study. Most of the agreements/protocols covered products based on satellite positioning and tracking; agreements covering data registered by handheld devices were found primarily in the security guard industry. The differences in content between agreements were relatively large (note 15). Two points recurred, however: a statement of purpose (often with assurances that the data would not be used against employees) and access control (specifying which managers/personnel could check the registered data). Although several of the agreements were fairly brief, it can nevertheless be said that where agreements/protocols existed, companies were somewhat better equipped to comply with the Personal Data Act and its regulations than companies with no agreements/protocols. Generally, the agreements/protocols seemed to have a threefold value. First, they gave employees somewhat greater assurance that data about them were processed in an acceptable way. Second, they gave companies somewhat greater assurance that their processing of data about employees was to some extent in line with regulatory requirements (the Personal Data Act and its regulations). Third, the negotiations over agreements/protocols appeared to have raised awareness and strengthened both parties' competence on questions of surveillance, control and privacy. Even though managers, union representatives and safety representatives were usually satisfied that agreements/protocols had been concluded, there were sceptics, especially among the union representatives.
Here it was pointed out that union representatives and employees had few ways of checking whether managers actually complied with the rules in the agreements, and some doubted that any transgression would have much consequence for the manager concerned. These voices therefore felt that the agreements/protocols might prove to be of little value to employees.

Summary

The findings discussed in this chapter indicate that working life is becoming more transparent: employees can increasingly be observed, controlled and directed on computer screens. The study also indicates that employees working away from a fixed workplace are probably at least as exposed to electronic control and surveillance as employees with a fixed workplace. This is an important observation, because if there is any group of workers one would initially expect to be shielded from the employer's "scrutinising gaze", it is employees who are outside the employer's physical control during the working day. When these groups too are subject to sometimes extensive electronic control and surveillance, the picture of a working life that has become more transparent is reinforced.

Note 15: For further discussion, see Schartum 2013.

Literature

Allmer, Thomas (2012): Towards a Critical Theory of Surveillance in International Capitalism. Frankfurt am Main: Peter Lang.
Ball, Kirstie (2010): "Workplace Surveillance: an Overview." In Labor History, Vol. 51, Issue 1, pp. 87-106.
Berkvens, Jan (2009): "The Role of Trade Associations: Data Protection as a Negotiable Issue." In Serge Gutwirth et al. (eds.): Reinventing Data Protection? Milton Keynes: Springer.
Bing, Jon (2009): "Samtykke til behandling av personopplysninger i arbeidsforhold." In Helge Aune et al. (eds.): Arbeid og rett. Festskrift til Henning Jakhellns 70-årsdag. Oslo: Cappelen Akademiske Forlag.
Blekeli, Ragnar D. (1977): "Hva er personvern?" In Ragnar D. Blekeli and Knut S. Selmer (eds.): Data og personvern. Oslo: Universitetsforlaget.
Bodie, Matthew and Samuel Estreicher (2007): Workplace Discrimination, Privacy and Security in an Age of Terrorism. The Hague: Kluwer Law.
Borchgrevink, Mette (2011): Om avgrensning av arbeidsgivers styringsrett på grunn av arbeidstakers personvern. Complex 5/11. Oslo: Unipub.
Bråten, Mona (2010): Kontroll og overvåking i arbeidslivet. Oslo: Fafo-rapport nr. 22.
Bråten, Mona (2008): Personvern under press – hvor går grensene i arbeidslivet? Oslo: Fafo-rapport nr. 34.
Bråten, Mona and Tommy Tranvik (2012): Kontroll med ansatte utenfor fast arbeidssted. Ansattes erfaringer med feltteknologi. Oslo: Fafo-rapport nr. 50.
Edvardsen, Kjetil (2011): "Kommentar til innlegg om overvåking i arbeidslivet." In Juristkontakt no. 7, pp. 53-54.
Grint, Keith (2005): The Sociology of Work. Cambridge: Polity Press.
Hansson, Sven O. and Elin Palm (eds.) (2005): The Ethics of Workplace Privacy. Brussels: P.I.E. Peter Lang.
Holman, David et al. (eds.) (2003): The New Workplace. A Guide to the Human Impact of Modern Working Practices. Chichester: Wiley.
Nedberg, Mari H. (2011): "Fra krysspress til illusorisk vern av arbeidstakers rettigheter?" In Juristkontakt no. 6, pp. 48-49.
Neyland, Daniel (2009): "Surveillance, Accountability and Organisational Failure: the Story of Jean Charles de Menezes." In Benjamin J. Goold and Daniel Neyland (eds.): New Directions in Surveillance and Privacy. Cullompton: Willan Publishing.
Ravlum, Inger-Anne (2004): Makt, beslutninger og integritet. IKT og personvern i transport. Oslo: TØI-rapport 703/2004.
Schartum, Dag W. (2013): Rettslige aspekter ved feltteknologi i arbeidslivet. Complex 3/13. Oslo: Unipub.
Schartum, Dag W. and Lee Bygrave (2011): Personvern i informasjonssamfunnet. En innføring i vern av personopplysninger. Bergen: Fagbokforlaget.
Sennett, Richard (2003): Respect. The Formation of Character in a World of Inequality. London: Allen Lane.
Sennett, Richard (1999): The Corrosion of Character. The Personal Consequences of Work in the New Economy. New York: W. W. Norton.
Sewell, Graham (2012): "Organizations, Employees and Surveillance." In Kirstie Ball et al. (eds.): Routledge Handbook of Surveillance Studies. London: Routledge.
Sewell, Graham et al. (2012): "Working Under Intensive Surveillance. When does 'Measuring Everything That Moves' Become Intolerable?" In Human Relations, 65 (2), pp. 189-215.
Tranvik, Tommy (2013): Det gjennomsiktige arbeidslivet. Erfaringer med feltteknologi i utvalgte yrker. Complex 2/2013. Oslo: Unipub.
Westin, Alan (1967): Privacy and Freedom. New York: Atheneum.
Zuboff, Shoshana (1988): In the Age of the Smart Machine. The Future of Work and Power. Oxford: Heinemann.
Øvstedal, Liv et al. (2010): Personvern og trafikk: Personvernet i intelligente transportsystemer (ITS). Trondheim: SINTEF.

Utilizing Security Risk Analysis and Security Testing in the Legal Domain (note 1)

Samson Yoseph Esayas
Norwegian Research Center for Computers and Law, University of Oslo
{[email protected]}

Abstract. In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks, and to ensure that their day-to-day operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it proposes that organizations' security risk analysis should be accompanied by an assessment of the legal implications of the identified security risks. This enables organizations to understand the legal risks they would face if the identified security risks were to materialize, and to prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking.
In particular, the use of conformance testing would raise organizations' level of assurance regarding their compliance with legal norms of relevance to information security.

Keywords: legal risk analysis, compliance checking, testing, security testing, security risk analysis

1 Introduction and Motivation

The interaction of law and technology has been a subject of substantial research for some time, particularly since the creation of the Internet. Lawrence Lessig's "Code is Law" [1] and Reidenberg's "Lex Informatica" [2] are prominent works on how technology affects law and vice versa. The underlying idea behind such works is that there can and should be an understanding between law and technology. It is not the aim of this paper to grapple with such a vast field of research; the discussion is therefore limited to the area of risk management.

Conventionally, legal services are sought reactively, that is, when a problem has already occurred, and the main focus is on identifying the law applicable to a given case ("da mihi factum, dabo tibi ius") [3]. Such an approach has not always been viewed as satisfactory, because disputes and litigation consume time and resources that could otherwise be used more productively. Legal action is costly, drains productivity, damages businesses' reputations and impedes their ability to prosper, destroying the value they create long before they collect on any judgment [4]. The focus has consequently shifted toward proactive legal risk management, in which compliance, or avoiding non-compliance, is the priority: identifying and anticipating probable or potential future problems and planning to mitigate them.

Note 1: This paper was presented at the 1st International Workshop on Risk Assessment and Risk-driven Testing (RISK) in Istanbul and will be published by Springer in the LNCS series.
This is particularly relevant in the area of information security, for several reasons. First, the damage caused by a security risk might not be reversed by winning a case or through monetary restitution: the losses from most security breaches, particularly those involving customers' sensitive personal data, include loss of customer trust and loss of reputation through negative publicity. Organizations should therefore attempt to prevent such risks rather than remedy them after they occur. Second, pressure for corporate compliance has increased as regulators set new requirements and impose ever larger fines on organizations that mishandle sensitive data through negligence or failure to exercise due care [5]. Furthermore, legislators and regulators have begun to compel businesses to conduct legal risk analysis in some areas. For example, according to a recent opinion of the Article 29 Working Party (note 2) on cloud computing, cloud users have to undertake a comprehensive and thorough risk analysis, paying special attention to the legal risks regarding data protection, mainly security obligations and international transfers, before opting for the cloud [6]. In some areas, therefore, conducting legal risk analysis is no longer a voluntary exercise. However, the lack of a generally accepted methodology for legal risk management has been a challenge for some time [3]. In this regard, Mahler [7] laid a solid foundation by developing a legal risk management methodology based on the ISO 31000 steps, in which legal risks are identified, their likelihood assessed, and their consequences evaluated and then treated proactively. Fig. 1 shows Mahler's [7] methodology for the management of legal risks.

Fig. 1. Legal risk management process

Research has shown that the most important factor in the effective management of legal risks is having robust and clearly defined processes to evaluate risk on a continuous basis [8]. Such processes, the research emphasizes, must be specific to legal risk management and should enable better reporting, ensuring that critical risks are made visible to the right people as early as possible [8]. Mahler's [7] methodology remains an important contribution to this field. However, a particular challenge in assessing risks arising from legal norms of relevance to information security (note 3) is that the analysis often involves technical measures. The relationship is bi-directional: the identification, assessment and treatment of legal risks related to information security rely on an understanding of the security risks and measures, and legal norms of relevance to information security in turn often prescribe security requirements that security risk analysts ought to heed. However, lawyers often lack the technical expertise needed to assess technical risks, and technical experts may lack detailed knowledge of the legal security requirements and of the legal consequences of technical problems [7]. This has triggered research interest in approaching legal and security risks in an integrated manner. A study by Vraalsen et al. [9] confirms that "legal and technical risks can and should be considered jointly." Addressing technical risks might involve a variety of measures.

Note 2: The Article 29 Working Party is the body established under Article 29 of the European Data Protection Directive. Its role with regard to data protection issues is mainly advisory.

Note 3: I do not attempt to define which laws would fall under such a category, but for the purposes of this paper, legal norms of relevance to security may be defined as the rules that govern information and information systems.
The most common are security risk assessment and security testing. This paper examines how security risk analysis and security testing could be used in the legal context, addressing two aspects. First, it considers how the results of a security risk analysis could be used as a basis for legal risk analysis. According to a recent Harvard Business Review survey, security and privacy have become significant areas of concern over the past three years [5]. The research indicates that regulation concerning information security and privacy is becoming increasingly demanding and that regulatory fines and penalties are becoming increasingly stringent [5]. Failure to deal with information security risks is not only costly in terms of finances and damage to the company and brand; the regulatory penalties are also substantial [5]. From a risk management perspective, it is therefore important that organizations understand, from their legal standing, what it would entail if a given information security risk were to materialize. One way of doing this is to assess what the information security risks mean from the legal perspective of the organization once they have been identified through a security risk analysis. Section 2 addresses how this could be achieved using security risks documented in a CORAS (note 4) threat diagram.

In addition, businesses face a remarkable array of new and often contradictory laws and regulations dealing with information security. To comply with such an array of regulatory requirements, a business must not only implement measures that ensure compliance but also have a means of ascertaining that the measures taken have the desired effect. Providing techniques to assess the degree of compliance with a given regulatory requirement is therefore a key objective in every business process platform. Section 3 examines an approach in which checking compliance with legal norms of relevance to security is supported by conformance testing. It maintains that organizations will be able to check their compliance with such norms more efficiently if they follow a risk-based approach.

Note 4: CORAS is a method for risk analysis with a graphical language and a supporting tool. The language has constructs such as threats, vulnerabilities, risks, unwanted incidents, threat scenarios and assets; it enables communication among experts from different disciplines as well as documentation of risk assessment results.

2 Security Risk Analysis as the Basis for Legal Risk Analysis

Vraalsen et al. [9] state that a legal risk analysis in an ICT context would benefit from being carried out jointly by experts from different disciplines, including legal experts, security experts, system developers and users. However, as the range of experts expands, communication and understanding between these stakeholders become more complex, partly because the different domains (IT and law) use their own vocabularies [10]. One possible way to address this problem is a common communication language that all stakeholders can readily understand. The CORAS language for threat modeling was designed to mitigate this problem in the security domain: it supports communication and common understanding between personnel of various backgrounds and facilitates the risk analysis process and the documentation of its results [11]. It has also been extended to cover legal aspects. Vraalsen et al. [9] examined the possibility of specifying legal threat scenarios using the CORAS threat diagram, and more extensive work by Lund et al. [11] showed that the CORAS threat diagram can be used to model legal risks.
As a result, the CORAS tool has been extended with "Legal CORAS" by introducing a construct for specifying legal norms, which enables the modeling of legal risks [11]. This section builds on those works by using the CORAS tool to demonstrate how security risk analysis can provide input for assessing legal risks related to information security. Before proceeding to that discussion, it is important to introduce briefly what is meant by legal risk. Mahler [7] defines legal risk as a risk that has a legal issue as its source, and a legal issue as a set of facts that are assessed under a set of legal norms [7]. According to Mahler [7], and following from the ISO 31000 definition of risk, legal risk involves uncertainty regarding both facts and legal norms. The distinction between legal and factual uncertainty is important because the application of every legal norm consists of an antecedent (if A) and a consequent (then B) [10]. For a legal norm to come into operation against or in favor of someone, one has to apply the norm to a given set of facts and evaluate the result as either beneficial or detrimental to the stakeholder's assets or objectives [10]. If the consequent (B) is negative for the stakeholder, it becomes important to determine whether the norm will be triggered [10]. This is where the two uncertainties arise: first, whether the set of facts (A) is or will be true (factual uncertainty) and, second, whether applying the norm to the set of facts (A) actually yields the consequence (B) (legal uncertainty). In short, legal uncertainty is the uncertainty as to whether a legal norm actually applies to given factual circumstances, whereas factual uncertainty is the uncertainty as to whether the given circumstances will actually occur and thereby trigger the legal norm [11].
Therefore, the significance of a legal norm depends on the combined estimates of these two notions of uncertainties [11]. Fig. 2 shows the relationship between factual and legal uncertainty. Fig. 2. Factual and legal uncertainty (adapted from [10]) In the figure above, the identification of legal risks involves identifying both legal and factual uncertainty. The present section shows that security risk analysis could provide the antecedent (factual uncertainty) for the purposes of legal risk analysis in information security context. By assessing the factual uncertainty under a set of applicable legal norms, one can obtain the legal threat scenario resulting from the particular security risk, which provides the factual circumstances for the legal risk analysis. Such an approach, along with the benefit to the legal risk analysis, enables security experts and organizations in general understand the legal implications of a particular security risk. One of the motivations for bringing the security risk and legal risk analysis together pertains to the criteria for measuring the consequence value of information security risks. Often the criterion for measuring the consequences value of information security risk is through the number of records affected by the incident. However, from a legal standpoint, although the number of records affected are also important, other factors could be given more weight. For e.g. the UK Information Commissioner’s Office (ICO), one of the few data protection authorities that publishes data breaches and regulatory measures taken [11], imposed £100000 a regulatory fine for breach of the obligation to take appropriate technical and organizational measures under the Privacy Act, which implements the EU Directive 104 Utilizing Security Risk Analysis and Security Testing in the Legal Domain 95/46.5 The breach affected only one record containing information relating to a sex abuse of a child, which is left in a public place [11]. 
By contrast, the ICO imposed only £1,000 for a breach that affected 6,000 records containing sensitive personal data of individuals following a DDoS attack, and £60,000 for a breach that affected 24,000 records containing sensitive personal data [11]. The difference between these cases lies mainly in the kind of data affected by the breach, how the breach occurred, the likely consequent harm⁶ of the breach to data subjects and perhaps the hands into which the data fell after the breach (whether it is publicly available or in private hands).⁷ Meanwhile, there is little room within a security risk analysis to consider these issues. This implies that what organizations might consider a low security risk could have a devastating legal consequence. In other words, being effective in managing security risks does not always imply a low risk from the organization’s legal standpoint.⁸ Therefore, organizations need to take the legal aspects into account as well when dealing with their security risks. One way of doing this is to take the identified security risks as the basis for a legal risk analysis and assess the legal implications of those risks. This would prevent a security risk that is considered low, as noted above, from inflicting a devastating legal consequence. Where necessary, the legal risk implications could also be considered jointly when prioritizing security risks. The CORAS threat diagram is used to present the claim as follows.

Fig. 3. CORAS threat diagram

The figure above shows a simple CORAS threat diagram in which a hacker breaks into a system by making use of the insufficient access control in place and obtains access to the customer database, which leads to the unwanted incidents of payment data leaking to a third party and personally identifiable information leaking to a third party.

⁵ Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data [1995] OJ L281.
⁶⁻⁸ The UK Privacy Act has a clause that obliges consideration of whether the breach would “likely cause damage or distress” to the data subjects [11]. Hence, in the legal context, these facts have received more weight than the number of records affected. For example, the First-Tier Tribunal reversed a decision of the ICO on a regulatory fine on the ground that files containing personal information that were disposed of in a garbage bin did not fulfill the criterion ‘likely to cause damage or distress’ to the data subjects [11].

Fig. 4 demonstrates how a legal threat scenario can be derived from the unwanted incidents in the above threat diagram. For example, the first unwanted incident could give rise to the following legal threat scenario.

Fig. 4. CORAS legal threat diagram

The unwanted incident "personally identifiable information leaks to third party" within the security risk analysis constitutes the factual uncertainty for the purposes of the legal risk analysis, as depicted in Fig. 4. This factual uncertainty, including its likelihood, is taken from the unwanted incident in the security threat diagram in Fig. 3. That factual circumstance is then assessed under the specific legal norm (in the above example, Article 17 of the data protection Directive) to obtain the legal threat scenario "client not compliant with EU data protection Directive". In this regard, a relevant question to ask is: would Article 17 of the EU data protection Directive apply if personally identifiable information leaks to a third party? That involves an analysis of the legal requirements under Article 17 of the data protection Directive along with the likelihood of personally identifiable information leaking to a third party (the factual uncertainty).
This is followed by an analysis of whether the application of Article 17 to the facts renders the client liable to pay damages in accordance with Article 23 of the same Directive.⁹ Then the likelihoods of the factual and legal uncertainty have to be combined to determine the likelihood of the consequent becoming true. This is because, as explained above, it is through the combination of the legal uncertainty and the factual uncertainty that one can estimate the likelihood of the unwanted incidents that the antecedent may lead to. Once this estimation is done, the consequent is annotated with a likelihood value [12]. As in Fig. 4, the likelihood value for the consequent lies in the intersection between the likelihoods of the factual and legal uncertainty. If the likelihoods of the factual and legal uncertainty happen to be similar, as in Fig. 4, the consequent can be annotated with the same likelihood. However, if the likelihoods of the factual and legal uncertainty differ, one can take the higher likelihood. Alternatively, organizations can establish their own criteria for combining likelihoods. Lund et al. [12] have examined how quantitative likelihood values of the legal and factual uncertainties should be combined. According to them, quantitative likelihood values have to be multiplied to obtain the aggregate likelihood of the consequent [12]. Nevertheless, it is not always easy to measure the likelihood of a legal uncertainty.

⁹ This is relevant because the application of the legal norm to the facts does not always give rise to the unwanted incident: there might be exceptions that exempt the client from legal liability, or another third party could be held liable for the damage. In addition, there is the possibility that the victims do not bring a legal action against the company.
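To make the combination step concrete, the following Python is an added worked example; it is not code from the paper or from the CORAS tool. It encodes the rules stated above (equal likelihoods are kept, otherwise the higher one is taken unless the organization supplies its own criterion, and quantitative values are multiplied as in Lund et al. [12]) and then ranks the two unwanted incidents of Fig. 3 under the two norms the paper develops around Fig. 4 and Fig. 5. The ordinal scales, the likelihood values and the legal consequence value assigned to each norm are constructed assumptions, not figures from the paper.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Ordinal scales (constructed for this example): index order is severity order.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]


@dataclass(frozen=True)
class UnwantedIncident:
    """Unwanted incident from the security threat diagram (the antecedent, Fig. 3)."""
    name: str
    likelihood: str      # factual uncertainty: will these circumstances occur?
    consequence: str     # consequence value assigned in the security risk analysis


@dataclass(frozen=True)
class LegalNorm:
    """Legal norm under which the incident is assessed."""
    name: str
    applicability: str       # legal uncertainty: does the norm apply to these facts?
    consequent: str          # the legal threat scenario if it does
    legal_consequence: str   # what the consequent means for the organization


@dataclass(frozen=True)
class LegalThreatScenario:
    incident: UnwantedIncident
    norm: LegalNorm
    likelihood: str          # combined likelihood annotated on the consequent


def combine_qualitative(factual: str, legal: str,
                        rule: Optional[Callable[[int, int], int]] = None) -> str:
    """Combine qualitative likelihoods of factual and legal uncertainty.

    Equal values are kept; otherwise the higher one is taken, unless the
    organization supplies its own `rule` over the two scale indices."""
    f, l = LIKELIHOOD.index(factual), LIKELIHOOD.index(legal)
    combined = max(f, l) if rule is None else rule(f, l)
    return LIKELIHOOD[combined]


def combine_quantitative(p_factual: float, p_legal: float) -> float:
    """Quantitative likelihoods are multiplied, following Lund et al. [12]."""
    for p in (p_factual, p_legal):
        if not 0.0 <= p <= 1.0:
            raise ValueError("a likelihood must be a probability in [0, 1]")
    return p_factual * p_legal


def derive_scenario(incident: UnwantedIncident, norm: LegalNorm,
                    rule: Optional[Callable[[int, int], int]] = None) -> LegalThreatScenario:
    """Assess the incident (the facts) under the norm and annotate the consequent."""
    likelihood = combine_qualitative(incident.likelihood, norm.applicability, rule)
    return LegalThreatScenario(incident, norm, likelihood)


def security_rank(i: UnwantedIncident):
    """Ranking key as a security expert sees it: likelihood and consequence."""
    return (LIKELIHOOD.index(i.likelihood), CONSEQUENCE.index(i.consequence))


def legal_rank(s: LegalThreatScenario):
    """Ranking key once the legal picture is added."""
    return (LIKELIHOOD.index(s.likelihood), CONSEQUENCE.index(s.norm.legal_consequence))


def prioritise(scenarios: List[LegalThreatScenario]) -> List[str]:
    """Consequents ordered by legal risk, highest first (ties keep input order)."""
    return [s.norm.consequent for s in sorted(scenarios, key=legal_rank, reverse=True)]


# Constructed inputs mirroring the paper's Fig. 3 to Fig. 5: two incidents with the
# same security rating, assessed under two different norms.  All values are assumed.
PII_LEAK = UnwantedIncident("personally identifiable information leaks to third party",
                            "possible", "major")
PAYMENT_LEAK = UnwantedIncident("payment data leaks to third party", "possible", "major")
DATA_PROTECTION_ART17 = LegalNorm(
    "Article 17 of the EU data protection Directive", "possible",
    "client not compliant with EU data protection Directive",
    legal_consequence="moderate")        # regulatory fine
PAYMENT_SERVICES = LegalNorm(
    "EU payment services Directive", "possible",
    "client not compliant with EU payment services Directive",
    legal_consequence="catastrophic")    # withdrawal of authorization
SCENARIOS = [derive_scenario(PII_LEAK, DATA_PROTECTION_ART17),
             derive_scenario(PAYMENT_LEAK, PAYMENT_SERVICES)]

if __name__ == "__main__":
    print("equal from a security standpoint:",
          security_rank(PII_LEAK) == security_rank(PAYMENT_LEAK))
    for s in SCENARIOS:
        print(f"{s.norm.consequent}: likelihood={s.likelihood}")
    print("legal priority:", prioritise(SCENARIOS))
```

With the constructed values both incidents rank equal on the security key, while the legal key puts the payment services scenario first, which is the reordering the paper argues for. Passing `rule=min` to `derive_scenario` shows how an organization-specific combination criterion changes the annotated likelihood without touching the rest of the pipeline.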
It is in this way that legal risk analysis can benefit from the results obtained from the security risk analysis. More importantly, however, the approach gives an overall picture of what the security risks mean from the legal perspective of the organization. For example, viewed from the standpoint of security experts, some risks could be of equal relevance if they have similar likelihoods and consequences. Adding the legal picture, however, might change that perspective. To illustrate this, let us examine the legal risk scenario for the other unwanted incident in the security risk analysis. This follows the same approach as discussed above: the unwanted incident "payment data leaks to third party" is taken from the security threat diagram in Fig. 3 to derive the legal threat scenario "client not compliant with EU payment services Directive" in Fig. 5.

Fig. 5. CORAS legal threat diagram

As shown in Fig. 3, the unwanted incidents "personally identifiable information leaks to third party" and "payment data leaks to third party" have the same likelihood and consequence value, which could mean that they are of equal importance from the perspective of security experts.¹⁰ However, if the legal risk is added to that picture, as in Fig. 4 and Fig. 5, it becomes clear that the second unwanted incident, payment data leaking to a third party, is more important than the first from the legal standpoint of the organization. This remains the case despite both having the same likelihood and consequences from a security standpoint. This is because, as shown in Fig. 4 and Fig. 5, in the legal context the second (withdrawal of authorization) puts the organization at a higher risk than the first (regulatory fine), although some regulatory fines could also endanger the very existence of the organization.

¹⁰ This might not always be the case, because, for example, the organization might assign a different value to personally identifiable information as an asset than to the customer payment data.

The underlying idea behind such an approach is that organizations should be able to understand what legal problems they would face if these security risks were to materialize, and then take appropriate measures to address such legal problems in advance. Considering the security and legal risks together helps organizations determine where to focus their resources. In turn, by taking the legal implications into consideration, organizations may be able to prioritize some security risks over others.

In addition, such an approach is essential with regard to organizations’ compliance with data breach notification requirements. Across the EU, there are mandatory breach notification requirements in some sectors, such as the telecom business.¹¹ Many member states have extended such obligations to other sectors domestically. For example, Germany has implemented data breach notification with regard to bank and credit data, telecommunication data, data collected online, data related to criminal offenses and other particularly sensitive data [13]. Royal Decree 1720/2007 in Spain requires data controllers to implement, as part of their security policy, provisions for a notification procedure [13]. Furthermore, currently in the US, 46 states have data breach notification requirements [14]. More importantly, the draft General Data Protection Regulation¹² has a mandatory provision regarding the notification of data breaches. For example, Articles 31 and 32 of the draft Regulation require notification of any data breach to the authorities.
Such a breach should be notified both to the authorities and to the data subjects when it is likely to adversely affect the protection of the personal data, or the privacy, the rights or the legitimate interests of the data subject. That determination can only be made after considering the details of the security breach at hand. Therefore, an integrated approach that deals with security and legal matters together makes it possible to assess which of the identified security risks, if materialized, would require notification to the authorities, or to both the authorities and the data subjects. In this regard, the security risk analysis is essential in providing inputs such as the nature of the data that has been breached (financial, health, etc.), the nature of the breach (widespread or an isolated incident; technical, human error, or theft), and the security level (has the data been encrypted?).¹³ Considering the data breach notification requirements during the security risk analysis is particularly important because such laws require organizations to notify the breach within a matter of hours or, at most, a very few days.¹⁴ If organizations manage to address such compliance issues in advance, during the security risk analysis, they avoid a possible last-minute rush and confusion in determining which risks to report once a security breach occurs.

¹¹ Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
¹² Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Furthermore, the security risk analysis becomes essential when we look at the content of the notification that the regulations require. For example, Article 31 of the General Data Protection Regulation states that the content of the notification should at least include the nature of the personal data breach, the categories and number of data subjects concerned, and the categories and number of data records concerned. Attaching the data breach notification requirement to the security risk analysis enables organizations to import such content easily from the latter. Therefore, the best time to address issues of data breach notification is when conducting a security risk analysis. In the above example, considering the nature of the data under threat and the nature of the threat, the organization might put in place a mechanism to notify both the data protection authority and the data subjects with regard to the second risk (because it involves financial data), and to notify only the authority with regard to the first risk (because it affects only the names of individuals). In addition, measures could be taken such as establishing a communication channel between the security experts and the legal team for when a security breach occurs, so that the organization is able to comply with the notification requirements within the short time given.

Such an approach may also contribute to the identification of interdisciplinary solutions to security and legal risks. In other words, security risk analysis could benefit from the legal domain in the sense that legal treatments could be applied to security risks, such as contracts (limiting liability), insurance, and prosecuting offenders who interfere with the security system. Similarly, it may be possible to reduce the likelihood of normative events through non-legal remedies, such as an improved IT system [9].
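The following Python is an added example, not the paper's or any project's code, of how the inputs named above could be recorded during the security risk analysis, drive the notification decision for each identified risk in advance, and pre-fill the Article 31 content. The adverse-effect criterion it encodes (sensitive data categories, or widespread theft of unencrypted data) is a constructed organizational policy used for illustration, not a reading of the draft Regulation; the 24-hour window is the telecom-sector figure from Regulation (EU) No 611/2013 quoted in footnote 14, applied here to every record as an assumption; the breach records are constructed to match the paper's two unwanted incidents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List


class Notify(Enum):
    AUTHORITY_ONLY = "notify the supervisory authority"
    AUTHORITY_AND_SUBJECTS = "notify the authority and the data subjects"


@dataclass(frozen=True)
class BreachRecord:
    """Facts that the security risk analysis can supply about an unwanted incident."""
    incident: str
    data_categories: List[str]     # nature of the data, e.g. ["names"], ["payment"]
    subject_categories: List[str]  # e.g. ["customers"]
    subjects_affected: int
    records_affected: int
    breach_nature: str             # "technical", "human error" or "theft"
    widespread: bool               # widespread incident (True) or isolated (False)
    encrypted: bool                # security level: was the data encrypted?
    detected_at: datetime


# Constructed policy: data categories treated as likely to adversely affect data subjects.
SENSITIVE_CATEGORIES = {"financial", "payment", "health", "criminal offence"}

# Regulation (EU) No 611/2013, Article 2 (telecom sector): 'no later than 24 hours after
# the detection'.  Applied here to every record as an assumed organizational deadline.
NOTIFICATION_WINDOW = timedelta(hours=24)


def adverse_effect_likely(b: BreachRecord) -> bool:
    """Constructed test for 'likely to adversely affect' the data subjects."""
    if b.encrypted:                       # policy choice: encrypted data is not readable
        return False
    if any(c.lower() in SENSITIVE_CATEGORIES for c in b.data_categories):
        return True
    return b.widespread and b.breach_nature == "theft"


def triage(b: BreachRecord) -> Notify:
    """Every breach is notified to the authority; data subjects are added when the
    breach is likely to adversely affect them (the test of Articles 31 and 32)."""
    return Notify.AUTHORITY_AND_SUBJECTS if adverse_effect_likely(b) else Notify.AUTHORITY_ONLY


def notification_content(b: BreachRecord) -> dict:
    """Minimum content named in Article 31, filled from the risk-analysis record."""
    return {
        "nature_of_breach": "{}, {}, {} data".format(
            b.breach_nature,
            "widespread" if b.widespread else "isolated",
            "encrypted" if b.encrypted else "unencrypted"),
        "data_subject_categories": list(b.subject_categories),
        "data_subjects_affected": b.subjects_affected,
        "record_categories": list(b.data_categories),
        "records_affected": b.records_affected,
        "recipients": triage(b).value,
        "deadline": b.detected_at + NOTIFICATION_WINDOW,
    }


def plan_notifications(records: List[BreachRecord]) -> List[dict]:
    """Decide the notification plan for every identified risk in advance."""
    return [dict(incident=b.incident, **notification_content(b)) for b in records]


# Constructed records mirroring the paper's two unwanted incidents (values made up).
DETECTED = datetime(2013, 11, 1, 9, 30)
PII_LEAK = BreachRecord("personally identifiable information leaks to third party",
                        ["names"], ["customers"], 1200, 1200, "technical", True, False, DETECTED)
PAYMENT_LEAK = BreachRecord("payment data leaks to third party",
                            ["payment"], ["customers"], 1200, 1200, "technical", True, False, DETECTED)
ENCRYPTED_PAYMENT_LEAK = BreachRecord("encrypted payment export leaks to third party",
                                      ["payment"], ["customers"], 1200, 1200, "theft", True, True, DETECTED)

if __name__ == "__main__":
    for plan in plan_notifications([PII_LEAK, PAYMENT_LEAK, ENCRYPTED_PAYMENT_LEAK]):
        print(plan["incident"], "->", plan["recipients"], "by", plan["deadline"])
```

Run against the constructed records, the names-only leak goes to the authority alone and the payment data leak to both the authority and the data subjects, which is the split the paper describes; the third record shows why the "has the data been encrypted" input matters to the decision.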
¹³ A survey by ENISA [14] presents a risk-based approach to breach notification as an essential means of balancing the interest in avoiding breach notification fatigue for data controllers against the interest served by the breach notification.
¹⁴ For example, Article 2 of Regulation (EU) No 611/2013 states that organizations should notify any breach ‘no later than 24 hours after the detection of the personal data breach’.

3 Testing for Checking Compliance

In the legal context, both assessing risks and placing controls may not be adequate on their own, because controls do not always exert the intended or assumed modifying effect. It is also important to make certain that the appropriate controls, conduct and behaviors are being checked, ensuring that undesirable conduct does not occur. Nevertheless, this is not an easy task, mainly for the following reasons. First, there is often a misalignment between the lifecycles of business operations and regulatory requirements in terms of time, governance or stakeholders, in the sense that business operations are designed mainly on the basis of business objectives, whereas regulatory requirements are dictated by external sources and at different times [15]. Hence, it is often the case that compliance requirements cannot simply be incorporated into the initial design of process models [15]. Second, there is the likelihood of conflicts, inconsistencies and redundancies between the business operations of organizations and their regulatory requirements [15]. Third, business operations change from time to time to satisfy dynamic business needs, and so do regulatory requirements, although the latter change less often than the former. Therefore, organizations face the daunting task of checking their compliance regularly. Moreover, there are also laws requiring organizations to check their compliance regularly.
For example, Article 30(1) of the very recent draft European Data Protection Regulation¹⁵ states that:

“Organizations should implement appropriate technical and organizational measures to ensure the security of personal information, which includes: (e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.”

The above provision is particularly important because it requires organizations to conduct some testing. This section underlines the need for technical testing to support organizations’ compliance with legal norms of relevance to security.¹⁶ This is essential because checking compliance with information security obligations (policies) often involves checking the adequacy and effectiveness of the technical control measures.

¹⁵ An update to the proposal for the General Data Protection Regulation came out on October 22, 2013. The unofficial consolidated version after the LIBE Committee vote, provided by the Rapporteur on 22 October 2013, is available at http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPRRegulation-inofficial-consolidated-LIBE.pdf.
¹⁶ This forms part of an ongoing research project in which we are evaluating the possibility of an integrated methodology for risk and compliance management. The integration of risk management and compliance in general opens for a potential integration in which compliance (legal) requirements are accounted for in risk analysis in general, including security risk analysis. This is because regulations are based entirely on the necessity to protect different stakeholders from risks, and therefore need to be considered in the risk analysis.
This implies that organizations will not be able to obtain the required level of assurance regarding their compliance with such obligations unless their compliance checking is corroborated by some kind of technical testing. Despite this, organizations often do not bring in their technical expertise when checking their compliance with legal norms of relevance to security. This can be attributed to the fact that no specific technical (security) testing is designated as relevant for legal purposes. Therefore, the main contribution of this section is to identify the security testing that is relevant for checking compliance with legal norms of relevance to security, and to show how compliance checking can be attached methodologically to a risk analysis so that it improves the efficiency of the compliance checking and perhaps the legal risk analysis. This is particularly relevant because regularly checking everything is next to impossible, while checking compliance at random may be ineffective. Therefore, organizations need to be selective in what and how to check. That is where a risk-based approach becomes essential.

Often organizations implement different measures but are unable to ascertain whether the implemented measures adequately prevent unwanted behaviors within the organization. From a legal standpoint, it is more important for organizations to make sure that the implemented controls achieve their intended objectives; if not, they run the risk of falling afoul of the law. Moreover, organizations should be able to check, in an efficient manner, that they are in compliance with legal norms of relevance to security. This is because the cost of implementing compliance measures and an inspection policy is often significant [16], whereas the resources available for compliance checking are not unlimited. In this respect, following a risk-based approach to compliance checking becomes essential.
This is because the (legal) risk analysis can support organizations’ decisions on where to focus their resources in order to obtain the necessary assurance that they are in compliance. Apart from that, the testing can also be used as a source for identifying new risks. Müller and Supatgiat [16] have examined a risk-based approach to compliance management in which they assess the risk of non-compliance (in terms of costs), the cost of the measure that needs to be implemented in order to comply, the cost of checking the effectiveness of the measure, and the likelihood of the auditor spotting the non-compliance [16]. They employ a mathematical formula to capture all these factors in terms of cost [16]. This enables organizations to allocate their compliance resources efficiently to those rules that pose high non-compliance risks, taking into account the likelihood of being spotted by auditors. However, their approach is purely quantitative and relies on a complex mathematical approach, which makes it hard for lawyers to understand. Furthermore, their approach does not provide a systematic methodology for how such risks can be identified, assessed and evaluated.

Fig. 6 shows the interaction between legal risk analysis and testing in the legal context. Compliance checking is commonly referred to as auditing [17]. Therefore, in the legal context, we refer to audit testing. Doing so avoids some confusion, as audit testing also involves non-technical testing. The primary goal of audit testing is to assure organizations that they are in compliance with legal norms of relevance to security.

Fig. 6. Testing and legal risk analysis

In the context of information security, it is common for testing and risk analysis to support each other. This can occur, for example, through risk-based testing. Such an approach is believed to improve the effectiveness of testing.
Similarly, as in the figure above, legal risk analysis can be used to identify which areas of an organization should be tested to ascertain its compliance with legal norms of relevance to security. Therefore, legal risk analysis provides input when planning the test, that is, what to test and how to test it. A risk-based approach to auditing enables efficient allocation of resources to high-risk departments or areas. Depending on the test results and the nature of the gap identified through testing, one can either opt for a second iteration of legal risk analysis, or the test can be followed by a much simplified approach, referred to as deficiency management, in which the gaps are addressed without going through the formal procedures of risk management or are marked for close follow-up.

Audit testing can involve both technical and non-technical testing. The technical testing relevant to the legal context is referred to as conformance testing in the Common Criteria [18], where the evaluator/tester is required to devise and conduct tests with the objective of confirming that the target of evaluation (TOE) operates in accordance with its design representations, including, but not limited to, the functional specifications. The main goal of such an approach is to gain confidence in correct operation through representative testing, rather than to conduct every possible test [18]. In this regard, the legal risk analysis can be used to identify such a representative sample. From a legal perspective, conformance testing enhances the assurance given to organizations that they are in compliance with their information security obligations.
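The planning and follow-up loop just described, as an added Python example that is not code from the paper, the RASEN project or the CORAS tool: legal risk levels decide which areas are audit-tested within a fixed effort budget and whether each gets a conformance test of a technical control or a non-technical review, and each test outcome is routed either to deficiency management or to a second iteration of legal risk analysis. The risk scale, the areas, the effort figures and the gap threshold that separates the two follow-up routes are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed ordinal scale of legal risk produced by the legal risk analysis.
RISK_LEVELS = ["low", "medium", "high", "very high"]


@dataclass(frozen=True)
class Area:
    """A department, system or control area that could be audit-tested."""
    name: str
    legal_risk: str     # level assigned by the legal risk analysis
    technical: bool     # True: technical control; False: policy/procedure
    effort_days: int    # estimated cost of testing it (constructed figure)


@dataclass(frozen=True)
class TestPlan:
    area: Area
    method: str         # how to test it


CONFORMANCE = ("conformance test: confirm the control operates in accordance "
               "with its functional specification")
NON_TECHNICAL = ("non-technical test: review policies, procedures and records "
                 "against the compliance requirement")


def plan_tests(areas: List[Area], budget_days: int) -> List[TestPlan]:
    """Risk-based test planning: highest legal risk first (cheaper first on ties),
    taking every area that still fits the budget.  Areas left out wait for the
    next cycle; the selected ones form the representative sample."""
    ranked = sorted(areas, key=lambda a: (-RISK_LEVELS.index(a.legal_risk), a.effort_days))
    plan, spent = [], 0
    for area in ranked:
        if spent + area.effort_days > budget_days:
            continue
        spent += area.effort_days
        plan.append(TestPlan(area, CONFORMANCE if area.technical else NON_TECHNICAL))
    return plan


@dataclass(frozen=True)
class TestResult:
    area: Area
    checks_run: int
    checks_failed: int


def follow_up(result: TestResult, major_gap_ratio: float = 0.25) -> str:
    """Route a test result.  No failures: the item is closed.  A small gap, or any gap
    in a lower-risk area, goes to deficiency management.  A major gap in a high-risk
    area re-enters the legal risk analysis.  The threshold is a constructed policy."""
    if result.checks_run <= 0:
        raise ValueError("a test result needs at least one check")
    gap = result.checks_failed / result.checks_run
    if gap == 0:
        return "compliant: no follow-up"
    high_risk = RISK_LEVELS.index(result.area.legal_risk) >= RISK_LEVELS.index("high")
    if high_risk and gap >= major_gap_ratio:
        return "second iteration of legal risk analysis"
    return "deficiency management"


# Constructed areas and budget.
AREAS = [
    Area("payment processing: access control", "very high", True, 4),
    Area("customer database: encryption at rest", "high", True, 3),
    Area("HR: data retention procedure", "medium", False, 2),
    Area("marketing: consent records", "low", False, 1),
    Area("web front-end: transport security", "high", True, 5),
]
BUDGET_DAYS = 10

if __name__ == "__main__":
    for item in plan_tests(AREAS, BUDGET_DAYS):
        print(f"{item.area.name} [{item.area.legal_risk}] -> {item.method}")
    print(follow_up(TestResult(AREAS[0], checks_run=8, checks_failed=3)))
```

With a budget of ten days the planner takes the two highest-risk technical areas, skips the high-risk area that no longer fits, and fills the remainder with the cheaper reviews, so the sample is driven by legal risk rather than by checking everything or checking at random. The `follow_up` routing is where a deficiency-management outcome and a re-analysis outcome diverge on the same test evidence.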
Applied to legal norms of relevance to security, this would involve evaluating the correct implementation of the technical measures in place that protect information, control individual access to information, and guard against unauthorized access to data transmitted over a communications network. Equally relevant, from a legal perspective, is that organizations should be able to demonstrate that they are compliant with such legal rules. Therefore, certification of tested controls will also ease organizations’ need to demonstrate compliance with information security obligations.

Non-technical testing involves evaluating and testing the effectiveness of the implementation of the policies, procedures and business processes put in place to adhere to legal norms.¹⁷ This can be done, for instance, by selecting high-risk departments and reviewing their implemented policies and procedures to determine whether there is a gap between those policies and procedures and the compliance requirements, through observation of business procedures and inquiry into and examination of various documents and interactions. It also involves evaluating documented administrative procedures pertaining to the selection and execution of certain compliance measures. For example, for the purposes of legal norms of relevance to information security, non-technical testing involves checking physical computer systems and related buildings and equipment for protection from fire and other natural environmental hazards, as well as intrusion.

¹⁷ Although it may not reflect the conventional usage within the technical sphere to refer to such tasks as testing, it is not uncommon to encounter such usage. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) refers to compliance measures as ‘‘controls’’ and to the inspection policy as ‘‘testing’’ the controls [16]. Similarly, privacy regulations refer to compliance measures as ‘‘access control measures’’ and to inspections as ‘‘testing’’ the controls [16].

Ultimately, it is important to point out that such tasks could be automated with the support of tools. In this regard, the ongoing work in RASEN¹⁸ is expected to contribute to the effective use of such methods. In that project, we are evaluating the integration of risk assessment, risk management and testing tools, where a risk management tool automatically initiates testing at certain time intervals, with details of who, what and how to test; the testers conduct their tests and report their results to that tool. Such integration would also enable the results of a risk assessment conducted in the CORAS tool to be imported into the risk management tool. This would provide organizations with a platform for integrating the approaches presented above, supported by these tools. Furthermore, the project offers a platform for testing the approaches discussed above on real-life scenarios.

4 Conclusion

As the regulatory requirements in the area of information security become increasingly stringent, and as the regulatory fines for breaches increase, organizations need to address technical and legal risks together. This paper has identified a potential point of synergy between legal risk and security risk analysis, as well as between compliance checking and security testing. It has been shown that when assessing risks resulting from legal norms of relevance to information security, security risk analysis can be used as a basis, allowing organizations to understand the legal implications of their security risks. In addition, it has been indicated that checking compliance with legal norms of relevance to information security benefits significantly from the support of security testing.
In particular, the use of conformance testing enhances the level of assurance given to organizations that they are in compliance with such obligations. Furthermore, it has been indicated that a risk-based approach to compliance checking improves the efficiency with which organizations allocate their resources to high-risk areas or departments. If needed, the testing can also be used to identify new risks, which could be followed by another iteration of legal risk analysis or by a simplified approach, i.e. deficiency management.

¹⁸ RASEN (316853) is an EC-funded project with the main objective of strengthening European organizations’ ability to conduct security assessments of large-scale networked systems through the combination of security risk assessment and security testing, taking into account the context in which the system is used, such as liability, legal and organizational issues as well as technical issues. See further http://www.rasen-project.eu/.

Acknowledgments. This work has been funded by the European Commission via the RASEN (316853) project. Thanks are also due to Tobias Mahler for his continuous guidance and support.

References

[1] Lessig, L.: CODE 2.0. Basic Books, New York (2006).
[2] Reidenberg, J.: Lex Informatica: The Formulation of Information Policy Rules Through Technology. Texas Law Review 76, 553-593 (1998).
[3] Mahler, T., Bing, J.: Contractual Risk Management in an ICT Context – Searching for a Possible Interface between Legal Methods and Risk Analysis. Scandinavian Studies in Law 49, 340-357 (2006).
[4] Haapio, H.: Introduction to Proactive Law: A Business Lawyer’s View. Scandinavian Studies in Law 49, 21-34 (2006).
[5] Harvard Business Review Analytic Services: Meeting the Cyber Risk Challenge (2012). http://www.computerweekly.com/blogs/public-sector/Meeting%20the%20Cyber%20Risk%20Challenge%20-%20Harvard%20Business%20Review%20-%20Zurich%20Insurance%20group.pdf
[6] Article 29 Data Protection Working Party: Opinion 05/2012 on Cloud Computing (WP196) (2012).
[7] Mahler, T.: Legal Risk Management: Developing and Evaluating Elements of a Method for Proactive Legal Analyses, with a Particular Focus on Contracts. PhD thesis, University of Oslo (2010).
[8] Practical Law Company: Benchmarking survey: Legal risk and compliance (2009). http://www.bakermckenzie.com/files/Publication/a2a678d5-cefd490e-832f-336bac345d92/Presentation/PublicationAttachment/fa757c2be9d0-447d-b65d-3b75101f8d92/london_rmc_importance_rms_survey_2009.pdf
[9] Vraalsen, F., Lund, M.S., Mahler, T., Parent, X., Stølen, K.: Specifying Legal Risk Scenarios Using the CORAS Threat Modelling Language: Experiences and the Way Forward. In: Herrmann, P. et al. (eds.): iTrust 2005. LNCS, vol. 3477, pp. 45–60. Springer, Heidelberg (2005).
[10] Mahler, T.: Defining Legal Risk. Paper presented at the conference “Commercial Contracting for Strategic Advantage – Potentials and Prospects”, Turku University of Applied Sciences 2007, Conference Proceedings, pp. 10-31.
[11] Breach Watch website: http://breachwatch.com/ico-fines/
[12] Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Berlin Heidelberg (2011).
[13] European Network and Information Security Agency (ENISA): Data Protection Notification in the EU (2011). http://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport
[14] National Conference of State Legislatures: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[15] Governatori, G., Hoffmann, J., Sadiq, S., Weber, I.: Detecting Regulatory Compliance for Business Process Models through Semantic Annotations. In: Ardagna, D. et al. (eds.): BPM 2008 Workshops. LNBIP, vol. 17, pp. 5–17. Springer, Heidelberg (2009).
[16] Müller, S., Supatgiat, C.: A quantitative optimization model for dynamic risk-based compliance management. IBM Journal of Research and Development 51(3/4), 295-308 (2007).
[17] Werf, J.M., Verbeek, E., Aalst, W.M.P.: Context-Aware Compliance Checking. In: Barros, A., Gal, A., Kindler, E. (eds.): BPM 2012. LNCS, vol. 7481, pp. 98–113. Springer, Heidelberg (2012).
[18] Common Criteria: Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components. Version 3.1, Revision 4, September 2012. CCMB-2012-09-003.

Benchmarking eGovernment Quality – Whose Quality Are We Measuring?¹

Arild Jansen, Section for eGovernment, University of Oslo, Norway, [email protected]
Svein Ølnes, Western Norway Research Centre, Norway, [email protected]

Abstract. This paper analyses the results of several years of benchmarking of public online services in Norway. We compare these data, which show significant differences in measured quality between small and larger municipalities, with results from a comprehensive survey measuring citizens’ satisfaction with public services. Finding that these observed differences are not supported by the user survey, we have to ask: whose quality are we really measuring?
Many evaluation systems rely on similar heuristic methods, e.g. the EU’s eGovernment Benchmark 2012 framework, while the Danish benchmarking system has a different approach. The paper argues for a multi-dimensional approach to the evaluation of public websites and gives some suggestions for this.

Keywords: Quality, Heuristics, Benchmarking, Evaluation, eGovernment

1 Introduction

Given the high priority of digital public service provision, the quality of such services is important in general. Evaluating digital services is thus of crucial importance for assuring that the overall goals have been reached. Several benchmarking systems have been applied; many of them are of great importance. Most notably, the EU’s eGovernment Benchmark 2012 [1] is an important tool for evaluating the effect of EU initiatives and the different national ICT policies. However, critics have also argued that the EU benchmarking system needs a thorough rework [2]. Schellong [3], in his evaluation of the EU’s eGovernment benchmarking system, points to several troubling issues and suggests a number of improvements. Norway is among the countries with a long history of evaluating public websites, which has been carried out annually since 2001. The Norwegian framework is built on a set of general indicators common to all websites, using expert-based heuristics, and there have been relatively small changes during the last 10 years. This framework is partly in line with the EU benchmarking system, but differs from e.g. the Danish benchmarking system, where domain-specific indicators are used [4]. Bannister [5] points to several problems with benchmarking in general: firstly, any ranking system needs a final single scale and the ability to compute a score on that scale; secondly, if what one is ranking is a concept or a mental state (e.g. an attitude) rather than something concrete, it becomes necessary to use psychometric-type tools.

¹ Paper presented at EGOV 2013, Koblenz, September 16-19 2013.
Bannister emphasizes that the answers to these questions will vary with the context. This paper compares the results from the Norwegian evaluations of public websites with a comprehensive citizen survey and finds that there are diverging conceptions of quality. Such findings provide grounds for asking whether the quality criteria formulated in the Norwegian evaluations, and partly included in the EU eGovernment benchmarking, reflect a different conception of quality than the one perceived by the end users. Heuristic-based evaluation systems for public websites are necessary to raise awareness of common design principles, but may not be sufficient to assure quality for the end users. Denmark, on the other hand, uses a combination of automated and manually assessed indicators [8], supplemented by a short user survey. Our main research question is accordingly: What quality is measured in the various benchmarking systems, and for whom are we evaluating? Furthermore, benchmarking systems must be developed according to some overall objective. A sub-question is thus: Are the objectives of the evaluations compatible, and are the methods used adequate? Brief on our research approach: this work is based on an inductive approach, in which we use data from various benchmarks and evaluations: i) the Norwegian evaluation of public websites from 2007 to 2011 [6], and ii) a survey among users of Norwegian public services from 2009/2010 [7]. Furthermore, we have carried out a limited literature review based on relevant literature from the eGovernment Reference Library (EGRL). The insights gained from these results are used as a reference when analysing the criteria used in the Danish "Bedst på nettet" [8] and in the EU's benchmarking system [1]. Through these comparisons, we suggest some guidelines for developing more adequate frameworks for measuring the quality of information and public e-services.
Our focus is on the quality of available online services, and not on broader issues such as benchmarking eGovernment capabilities across nations. The structure of the paper is as follows. In chapter 2 we discuss the quality concept as well as different heuristic models for evaluation. In chapter 3 we analyse the results from the Norwegian quality evaluations, fuelling our question of whose quality we are measuring. Chapter 4 concludes by suggesting a broader approach to quality assessment of eGovernment online services.

2 Can We Measure Quality?

Few words have been more used and misused than quality. Public bodies as well as private companies emphasize the importance of increased quality of services, but very often they fail to define what quality means. Two definitions can illustrate this:
• a system's capability to satisfy needs, expectations and requests [9]
• the proportion between expected and experienced yield of a system [10]
These definitions emphasize different aspects of quality. The first one looks at measuring the difference between what is specified and what is measured or registered through 'objective' criteria, while the other is based on experienced properties, that is, 'a subjective evaluation from the individual user concerned'. ISO 8402, which belongs to the ISO 9000 family of guidelines for quality management and quality assurance, uses this definition of quality: "Quality is defined as the total sum of properties a unit carries and that concerns its ability to satisfy explicitly expressed or implied needs". Dahlbom and Mathiassen [9] hold that quality is then often measured and analysed in terms of a number of factors, such as correctness, reliability, efficiency, integrity, usability, flexibility, interoperability, portability etc. Each of these factors is more or less explicitly defined in order to give a precise meaning to the term used.
However, some of these factors may contradict each other [9, p. 140]. In general, we may use two different forms of evaluation: one based on metrics, measuring objectively measurable attributes (criteria), and one based on perceived quality. The latter depends on competence and individual judgement, and may also include aesthetic factors (e.g. how a web page looks) and symbolic aspects as part of the overall quality; symbolism has to do with the social use of a system, e.g. as a means of communicating the culture of an organisation. In this respect, understanding quality must also include cultural aspects and even a political dimension (interests and power), which concerns why we evaluate and how the results will be used. Accordingly, quality criteria must conform to the overall goals and, furthermore, to the needs of important user groups and other stakeholders.

2.1 Heuristic Models for Measuring Quality

Measuring the quality of websites often relies on heuristic methods, which have become the most used approach for expert-oriented evaluations [14]. Kahneman [15] offers this definition of heuristics: "A simple procedure that helps find adequate, though often imperfect, answers to difficult questions". A more practical definition concerning their use in website evaluations is "all the sets of process guides, principles, criteria, tips and tricks, and guidelines that are available to support web designers" [16]. It should be added that in the on-going process of developing and broadening the scope of public website evaluation, the focus has shifted from almost solely assessing usability issues towards adding more and more governmental issues, such as the level of digital service provision. The heuristic method for evaluating website quality was developed by Nielsen and Molich in the early 1990s [17]. In a heuristic evaluation, one or more experts check a given website using a predefined set of evaluation criteria, the heuristics [14].
The heuristics developed by Nielsen and Molich were primarily aimed at evaluating user interfaces, and consist of ten basic principles derived from studies of problems found in dealing with user interfaces. However, although the heuristic model involving an expert evaluation is much used, we do not know very much about how heuristics function [14]. Donker-Kuijer et al. [14] analysed five e-Government heuristics with respect to (a) context of use, (b) the information they cover, (c) their validity, and (d) their presentation format. Their conclusion was that the government heuristics are very complex documents, difficult for (end) users to read and comprehend. Information about the foundations of the heuristics is also often missing, making it difficult to judge the quality of the heuristics. Compliance with the heuristics is in many cases also difficult to check, because it requires an extensive amount of automated and manual expert evaluation techniques. All in all, the authors seriously doubt whether the examined heuristics aid the experts in their work. De Jong and van der Geest [16] distinguish between four foundations for heuristics:
1. Standards-based heuristics
2. Theory-based heuristics
3. Research-based heuristics
4. Practitioners' heuristics
Heuristic models have their weaknesses and limitations, but for large-scale screening of website quality there are hardly any alternatives. For measuring the usability aspects there are methods like user testing. In his book Usability Engineering [18], Jakob Nielsen discusses the usability of a system and refers to concepts like user friendliness, usability and usefulness, which can all be viewed as different dimensions of system acceptability. One of his main arguments is that different categories of users, different user situations and individually different preferences make usability testing difficult.
He points to three main dimensions:
• experience with computers and relevant computer systems in general
• experience with the actual system (novice – expert)
• knowledge and competence in the actual domain where the system is used
The heuristic methods are especially suited for evaluating usability. Nielsen [18] has formulated 10 heuristic principles for usability, derived from the usability properties listed above. Nielsen points to problems with user testing in general, where the results will differ because of the different user categories mentioned above. We agree with Nielsen that user tests should take all three dimensions into account.

2.2 Using Heuristics when Measuring Quality of Public Services

Norway has been evaluating public websites since 2001, and the number of sites evaluated has risen from around 500 to more than 700, of which approximately 430 are municipality sites and the rest the websites of various governmental agencies. This work is based on the following definition of quality: "The quality of websites in this project is defined as that public information and services on the Internet must meet a predefined standard or level that can satisfy some central user needs" [11]. The central guidelines for the development of quality assessment indicators are:
• the Governmental ICT policy [12]
• relevant laws, regulations and principles for public administration
• widely accepted standards and guidelines on the web (= heuristics), formulated by the W3C, especially their recommendations for web accessibility, expressed through the Web Content Accessibility Guidelines (WCAG) 2.0 [13].
The overall structure of quality indicators has been based on these three dimensions: i) accessibility, ii) usability, iii) useful services. Similarly, the Danish benchmarking system (Bedst på nettet) started out in 2001 as an expert evaluation based on a mainly heuristic set of criteria.
Gradually it has shifted the focus to the citizens with the introduction of user surveys, after having tried both sector-specific criteria sets and self-evaluations. The 2012 benchmarking consists of an accessibility evaluation, Webtjek, which is a combination of automated and manually assessed indicators [8]. In addition to the screening, it also includes a user survey of eight questions which all municipalities and governmental agencies must carry out in order to participate in the contest. The EU's benchmarking system has been a cornerstone of the Commission's "open method of coordination" since the Lisbon meeting that introduced the first eEurope plan [3]. It has been regarded as a success due to its influence on eGovernment progress and policies in the EU. However, it has also been criticized for being too focused on the supply side of eGovernment and not really user oriented. The "Insight Report" [26] presents the findings of the 2012 eGovernment survey. The framework for this survey is rather complex and includes three main areas: i) a demand-side citizen view of public services, ii) three life-event assessments of very relevant customer experiences, iii) an assessment of five key technology enablers, the foundations on which services can be delivered in a more consistent manner. In each country, two mystery shoppers assessed these life events against seven criteria. In the demand-side citizen survey, 28,000 internet-using citizens were asked 27 questions about 19 common citizen services. These questions cover eGovernment use and channel preferences, barriers, eGovernment satisfaction, and finally fulfilment and benefits: reasons for using eGovernment services, and whether governments are able to meet the expectations citizens have. It cannot be questioned that the results from this survey are very interesting and useful for the work of improving online services, both at a national and at an international level.
However, whether these data should be used for comparison between countries is questionable, since they are based on subjective and volatile criteria.

2.3 Assessment and Benchmarking of e-Government Initiatives

Benchmarking of governmental websites and national e-government initiatives has been conducted for a number of years. There are several well-established surveys on e-government, e.g. CapGemini [19], the United Nations [20] and West [21]. These surveys employ different assessment models for e-readiness, the digital divide and other relevant factors, leading to varying conclusions on the global state of e-government. The grounds for these efforts are well illustrated by a statement from the EU report [21]: "The ministerial declaration on the eGovernment conference, together with the benchmarking survey, should give political momentum to the development of online public services and to the identification of the needs for these services at pan-European level. This will have to be complemented by a focus on back-office re-organization, the creation of electronic marketplaces for public procurement and investment in new equipment in administration". Although eGovernment benchmarks are derived from political goals and decisions, their results in many cases generate political discussions and may lead to new political decisions. In itself this is not a problem; that is what benchmarking systems are developed for. But if the results are not comparable, it can be a serious problem.
Schellong [3] shows that the rankings in three major eGovernment benchmarks (EUeGovBe, UN and Brown/Brookings) differ remarkably, almost dramatically. This shows that comparison of benchmarks, e.g. between countries, is not only difficult but often downright wrong, as Schellong [3] and Bannister [5] warn.

3 Results from the Norwegian Quality Evaluations

Below we present the results from two different studies: (a) the results from the expert evaluation of public websites 2007 to 2011 [6], and (b) a user survey targeted at the users of public websites [7].

3.1 Expert Evaluations of Websites 2007–2011

The set of indicators used for the expert evaluation of public websites in Norway has undergone only modest changes from 2007 to 2011. The indicators are divided into three subsets, as listed in the following table. The table also shows the number of indicators and the maximum score in points per subset.

Table 1: Indicator set in 2007 and 2011

Subset            2007: No. of indicators   2007: Max. points   2011: No. of indicators   2011: Max. points
Accessibility     11                        27                  11                        28
Usability         14                        37                  12                        30
Useful services    7                        28                  10                        35
Total             32                        92                  33                        93

The usability indicators are mostly based on the heuristic principles for usability formulated by Nielsen [18]. The last set of indicators, useful services, looks at the service provision from a user's point of view. The only weighting in the set lies in the maximum number of points for each indicator. The table shows that useful services have been given priority over accessibility and especially over usability during the five-year period. This reflects the strategy at the national level, where provision of digital services to the citizens has been given increasingly higher priority. The weight on accessibility has remained almost constant, and only usability has lost weight compared to the other subsets. The following table gives the results for the 2007 and 2011 evaluations and the change in percentage points over this period.
The municipalities are divided into three groups by population: up to 5 000, from 5 000 to 20 000, and more than 20 000 inhabitants [27]. The labels 'medium' and 'large' must be seen relative to the general size of Norwegian municipalities; most of them are small by any measure.

Table 2: Total score for municipality websites by size (percentage of max. points)

Municipality group                                                        2007   2011   Change (% points)
Small municipalities (< 5 000) (N = 226 in 2007 and 229 in 2011)          46.6   58.4   11.8
Medium-sized municipalities (5 000 – 20 000) (N = 148 in 2007 and 2011)   50.7   66.1   15.4
Large municipalities (> 20 000) (N = 52 in both 2007 and 2011)            58.4   72.0   13.6
Average, all municipalities                                               49.5   62.7   13.2
Differences between municipality sizes and between years are both significant (95 % confidence interval).

The results in the table show that the large municipalities scored better than the small and medium-sized municipalities in both years, and that the small municipalities have had the smallest improvement over the last five years in terms of quality of websites as measured by this evaluation system. The gap in website quality between the small municipalities and the larger ones is thus increasing. Part of this difference can probably be attributed to the increasing weight put on useful services, which in 2011 accounted for 37.6 % of the maximum score, compared to 30.4 % in the 2007 indicator set.

3.2 Survey among Users of Public Services

Norway also undertakes a comprehensive user survey of public services at intervals of 3–4 years. The last published survey is from 2009/2010 and comprises questions from a range of governmental bodies and municipalities [7]. It is a large survey with questions from many sectors and services. The survey consisted of two main parts; the first part was sent to some 30 000 citizens above 18 years of age, and the response rate was 42 %.
The second part of the survey was sent to those respondents of the first part who had some experience with any of the chosen public services during the preceding year. Part two was sent to 11 135 of the original 30 000 citizens, and the response rate was 60 % (ibid.). Of special relevance for this paper is the question of satisfaction with digital municipal services, grouped by municipality size. The results from 2009/2010 show no significant difference in satisfaction between citizens from small municipalities and citizens from larger ones. In services like planning and building permits and care for the elderly, citizens from small municipalities give higher scores than citizens from larger municipalities. But in services like kindergarten and primary school the result is the opposite: citizens from larger municipalities are more satisfied than citizens from smaller ones. All in all, users' satisfaction with digital services cannot help us explain the differences in quality observed in the expert evaluations of the websites. This could very well be an example of what Jakob Nielsen calls the first rule of usability: "Don't listen to the users, watch them work".2 These results make it necessary to ask: what quality are we evaluating, and for whom?

3.3 Better Quality for the Users?

The objective of evaluating public websites in Norway, as well as in Denmark, has been to stimulate quality improvement. The results from Norway presented above show that there have been improvements from the evaluation in 2007 to the last one undertaken in 2011, in terms of overall score on the quality indicators. Analysis of the same evaluation for the first years, 2001–2003, also shows a significant improvement in quality [11]. Thus, the main objective of the evaluation project seems to have been met.
We cannot be sure that this really is an indication of better digital services for the users. The results from the user survey described above do not confirm these results; in particular, they give no support for the observed difference in measured quality between small and large municipalities. So what is actually measured in the evaluations of public websites? The problem with the heuristics on which the evaluations are built is that they do not necessarily coincide with genuine user needs and behaviour. An important aspect missing in the expert evaluations is context, as these evaluations are all carried out through expert testing, which is clearly different from the context of a typical user. Usability testing would be an obvious response to the problems of expert-based heuristics and the context problem. But given the number of websites and the vast, accumulated amount of information on them, regular usability testing would not be feasible. Of the three main categories of indicators used in the Norwegian evaluations, the accessibility category is the least difficult to assess, given the general and widely used heuristics derived from the W3C's WCAG work. The more we assess usability and usefulness of websites, the more difficult it gets, because our expert-based heuristics have difficulties in capturing the needs and experiences of a real user.

2 http://www.nngroup.com/articles/first-rule-of-usability-dont-listen-to-users/

4 Evaluating Public Websites: What Answers Do We Really Get?

Our main research question was: "What quality is measured in the various benchmarking systems, and for whom are we evaluating?" The discussion above shows that the various evaluation and benchmarking frameworks used in the past 10–15 years produce rather different, if not contradictory, results in terms of scores and rankings of the different countries. For example,
Schellong [3] shows that the rankings in three major eGovernment benchmarks differ significantly. At the national level, the two different evaluations of public websites in Norway and the Danish one are likewise not compatible, but they all produce relevant results. Such differences are not in themselves problematic, as they can be attributed to different approaches (methods): the criteria are not compatible, and the samples represent distinct universes. The first aspect concerns the type of measurement method used (questionnaires, interviews, or heuristics involving users or experts, etc.). Another aspect is scope: what is to be measured, which is determined by the purpose. The third is scale, which implies limiting the socio-demographic reach of an evaluation, and what is to be assessed and compared. However, the way such results are used creates a lot of confusion and often misleading conclusions when the context of the evaluations is not taken into consideration. In this way they can be a misleading basis for political priorities. The other research question was: Are the objectives of the evaluations compatible, and are the methods used adequate? Our understanding of quality is closely linked to fulfilling overall goals and supporting (political) priorities, and has to include various perspectives and dimensions. However, there is often a lack of a clear connection between the purpose of an evaluation and which dimension(s) or perspectives shall be evaluated. This is illustrated by the multi-functional character of a municipal website: it must serve democratic ideals, focus on service delivery (customer orientation) in its service provision, and also accommodate the efficiency perspective. These goals are not necessarily compatible. In that respect, we believe that the latest EU benchmark is an improvement, but it still creates some confusion.
Our first suggestion is thus:

1. The design of an evaluation framework should be compatible with the specific goals and priorities that have been defined. Measuring quality should not rely on one single method or approach, but cover different perspectives and include both objective and subjective criteria, depending on the purpose of the measurements.

This requires different approaches, including formal methods such as measurements based on well-defined metrics, along with more heuristic-based evaluations, user testing etc. An important part of this work is to design detailed user scenarios and different user settings in which the website is to be evaluated. These different perspectives have important implications for how we define the quality requirements. This point is illustrated by the EU benchmark framework, based on an "eGovernment Progress diamond" with four dimensions: i) better eGovernment, ii) efficient eGovernment processes, iii) eGovernment building blocks and iv) eGovernment empowerment. Our second suggestion is then:

2. The selection of the quality criteria set should reflect the perspectives that are the primary target of the evaluations.

Is standardisation one way to go? We agree that a "mild standardisation" of the benchmarking approach (criteria set, methods used, type of heuristics, etc.) can be an efficient way of helping to improve the quality of public websites, and it can also be an efficient instrument for ensuring that public bodies follow standards, either formally approved or recommended ones. It presupposes, however, that such standards, as well as the arguments for them, are widely recognised, which also implies that the objectives are well defined and accepted. However, we emphasize that the indicator sets should include more criteria than those on which the existing evaluations are based.
We furthermore claim that these evaluations should be supplemented with other types of testing in order to get a more comprehensive picture of a website. The experience from such testing can then be used to further develop the indicator sets. Usability tests of a selection of the evaluated websites would give valuable feedback to the development of indicators. Surveys among users, and among those responsible for the work with the websites, are also valuable methods that can give a richer picture and complement the overall quality assessment. It is then important to bring these methods together in a common framework, and not to separate them into different projects and processes, as is currently done in Norway. Our third suggestion is thus:

3. Evaluation or assessment frameworks should combine multiple methods and techniques, and should be used in ways that allow for learning and knowledge accumulation within this field.

There is clearly a need for more research, e.g. where different methods of quality assessment are combined and the effects ultimately measured on real users. There is a need to combine heuristic methods (expert evaluations), usability tests and user surveys, and to try to find the link between them. Such research should also help inform practitioners and, not least, decision-makers (politicians etc.) about the usefulness as well as the limitations of various benchmark approaches.

References

[1] Cap Gemini, IDC, Sogeti, IS-practice and IndiGov, RAND Europe, and Danish Technological Institute, "eGovernment Benchmark Framework 2012–2015 Method Paper," European Commission DG Communications Networks, Content and Technology, Brussels, SMART 2012/0034-1, Jul. 2012.
[2] Grönlund Å., "Ten Years of E-Government: The 'End of History' and New Beginning," in Electronic Government – 9th IFIP WG 8.5 International Conference, EGOV 2010, Lausanne, Switzerland, August 29 – September 2, 2010, Proceedings, Springer Berlin/Heidelberg, 2010, pp. 11–24.
[3] Schellong A., "EU eGovernment Benchmarking 2010+: General remarks on the future of benchmarking Digital Government in the EU," Dec. 2009.
[4] Videnskabsministeriet, "e-Service på borgernes premisser? Statusrapport for Bedst på Nettet 2002."
[5] Bannister F., "The curse of the benchmark: an assessment of the validity and value of e-government comparisons," International Review of Administrative Sciences, vol. 73, no. 2, pp. 171–188, 2007.
[6] Difi, "Kvalitet på nett," 2012.
[7] Difi, "Innbyggerundersøkelsen Del 2," Agency for Public Management and eGovernment (Difi), Oslo, 2010:14, 2010.
[8] Digitaliseringsstyrelsen, "Bedst på Nettet – Vurderingsgrundlag 2012," Digitaliseringsstyrelsen, Copenhagen, 2012.
[9] Dahlbom B. and L. Mathiassen, Computers in Context. Basil Blackwell, 1993.
[10] Braa K. and L. Øgrim, "Critical View of the Application of the ISO Standard for Quality Assurance," Information Systems Journal, vol. 5, no. 4, pp. 253–269, 1995.
[11] Jansen A. and S. Ølnes, "Quality assessment and benchmarking of Norwegian public web sites," in 4th European Conference on E-Government, Dublin, 2004, pp. 17–18.
[12] Ministry of Government Administration, Reform and Church Affairs, "På nett med innbyggerne – Regjeringens digitaliseringsprogram," Oslo, 2012.
[13] W3C, "Web Content Accessibility Guidelines (WCAG) – W3C Recommendation." W3C, Dec. 2008.
[14] Donker-Kuijer M. W., de Jong M., and L. Lentz, "Usable guidelines for usable websites? An analysis of five e-government heuristics," Government Information Quarterly, vol. 27, no. 3, pp. 254–263, 2010.
[15] Kahneman D., Thinking, Fast and Slow. Farrar, Straus and Giroux, 2011.
[16] de Jong M. and T. van der Geest, "Characterizing web heuristics," Technical Communication, vol. 47, no. 3, pp. 311–326, Aug. 2000.
[17] Nielsen J., "Heuristic evaluation," in Usability Inspection Methods, New York, N.Y.: John Wiley, 1994.
[18] Nielsen J., Usability Engineering. San Diego, CA: Academic Press, 1993.
[19] Cap Gemini, Rand Europe, Sogeti, and DTi, "Method Paper 2010," European Commission, Directorate General Information Society and Media, 2010.
[20] United Nations, "UN eGovernment Survey 2008: From eGovernment to Connected Governance," United Nations, New York, ST/ESA/PAD/SER.E/112, 2008.
[21] West D., "State and federal electronic government in the United States, 2008," The Brookings Institution, Governance Studies, 2008.
[23] Grönlund Å., Electronic Government: Design, Applications and Management. IGI Global, 2002.
[26] Public Services Online, "Digital by Default or by Detour? Assessing User Centric eGovernment performance in Europe – eGovernment Benchmark 2012."
[27] Langørgen A. and R. Aaberge, "Gruppering av kommuner etter folkemengde og økonomiske rammebetingelser 2008," Statistics Norway, Oslo, 8/2011, 2011.

Legal definitions and semantic interoperability in electronic government

Dag Wiese Schartum

1 Introductory remarks

This article is based on the assumption that inadequate legislation methods constitute a problem within areas of law where legislation will be implemented by means of ICT-based systems in the government sector ("eGovernment systems"). I discuss the drafting of legislation when it is clear that the law will be implemented by means of eGovernment systems, in particular ICT systems performing a high degree of automated collection and further processing of data in individual cases.1 The relation between legislation and the ICT government systems that implement this legislation is, of course, many-sided. Here I highlight questions regarding only the choice of words and phrases and their definition. As an introductory comment, I will remind the reader of the very central role legal regulations have within the area of government administration.
Individual decisions in government administration will almost always have legal bases and implications. When eGovernment systems are developed, input, processing and output must to a large degree be evaluated within a legal framework. The question is whether this legal framework is, or could develop to be, compatible with technological requirements (and vice versa). Words in legislation describing the factual bases of decisions in individual cases (e.g. "live-in partner", "residence" and "wage earnings") may often not be understood in terms of colloquial language, but must be interpreted pursuant to the relevant legal sources which establish the legally correct definitions. Easy and reliable access to legal definitions2 or other clarifications of legal concepts is thus a crucial first step for everyone with ambitions of mapping the semantics of such legislation, for instance with the aim of developing ICT systems and exchanging data between government agencies.

1 Such as cases concerning various taxes and duties, social benefits, admission to the educational system etc.
2 When the parties to cases are individuals, many of the legal concepts relate to personal information which comes under personal data legislation. Data protection and privacy questions, however, will not be addressed in this article.

Because they describe basic aspects of citizens' lives, some words and the corresponding types of data are used in several legal decision-making processes.3 Information regarding identity (name, personal identity number etc.), connections to other individuals (relationship, marriage, employment etc.) and sources of income (wage earnings, social benefits, pensions etc.) are among the types of data which are often the bases of individual decisions.
Other types have more specialized use (“residence permit”, “unemployed”, etc.), while a third group is highly specialized and corresponds most likely to information needs of very few government agencies (“patent number”, “date of bankruptcy petition”). The initial expectation, however, should be that most types of government data are relevant and of potential use to at least two government agencies – sometimes several. In other words, there is seemingly a great potential of designing eGovernment systems for sharing such information. This is an important reason why semantic interoperability and reuse of data is a central objective of the EU and of many European governments.[4]

In this article I discuss questions of semantic interoperability within administrative law and eGovernment information systems or, in other words, the important overlapping area between semantics as a general topic and legal interoperability.[5] My contribution is not based on the view that semantic interoperability between legal instruments is always a possible and sensible strategy. Within some areas, needs exist to choose definitions of terms which are different from existing and almost identical definitions. Sometimes politicians may find differences necessary in order to express something which yields fair and politically acceptable results. If so, the consequence may be that reuse of existing information resources will not be desirable, and time and expenses of information processing may thus rise. Having said this, it is important to add that lack of awareness, methods and tools may make it difficult to identify and choose semantic interoperability in legislation relating to public administration even when it is possible and desirable to do so.
This article is based on the firm assumption that, in many cases, there are unexploited potentials of data sharing and reuse, and that often this is not due to valid political and legal grounds but results from lacking awareness and capabilities.[6]

[3] Corresponding situations arise regarding information about businesses, but the discussions here will primarily concern private citizens.
[4] Cf European Interoperability Framework (EIF) for European public services, v. 2.
[5] In public administration there are, of course, semantic questions not related to law (although very many questions are), and there are questions of legal interoperability not related to semantics which I will not elaborate on here.
[6] Questions of concepts denoting facts are certainly not the only category of concept within this overlapping area between law and semantics. Equally important and interesting is the issue of questions relating to concepts denoting operations, i.e., how factual information should be processed. Here, however, I will emphasize the first category of semantics.

The major empirical material on which the following discussion is based is an examination of all new Norwegian laws in the period 2007–2010 with identification of the extent to which and the way the legislator has established legal definitions, that is, occurrences where the meaning of legal terms is decided in a statute.[7] To the extent that words and phrases are fully defined in a statutory text, concepts are to a large degree fixed and only to a limited extent open for interpretation. Thus, legal definitions represent an important statutory technique with direct effects and potentials for the development of adequate information systems in government administration.
2 Interoperability and the law

Interoperability between eGovernment systems is often seen as comprising four layers: technological, semantic, organizational, legal and political.[8] One aspect of legal interoperability concerns legal semantic questions.[9] Here, I understand semantic interoperability as the ability to exchange information and to mutually use the information which has been exchanged.[10] One of the questions on the layer of legal interoperability is the extent to which information based on legally defined concepts can be exchanged. We may partly talk about horizontal legal-semantic interoperability, that is, use of the same concepts with one uniform definition in different Acts.[11] Another aspect is the degree of semantic interoperability in statutory hierarchies, meaning between Acts of Parliament, secondary regulatory levels and instruments of their implementation. Such vertical legal-semantic interoperability exists if uniform definitions are established from top to bottom; for example, Acts, regulations, government’s internal guidelines on application of the law, as well as forms and eGovernment systems developed to implement the law. Here, I will not discuss the vertical aspects in any detail, but only observe them as a basic requirement to legislation and appurtenant eGovernment systems. Contrary to the horizontal aspects of legal-semantic interoperability, the vertical aspects are often beyond discussion with no strong remonstrance.[12]

[7] See Dag Wiese Schartum: Legaldefinisjoner i nyere norske lover [Legal Definitions in Novel Norwegian Laws]. Unipub forlag 2011 (ISBN 9788272261381), CompLex (6/11). Definitions could also be part of preparatory works of the law, cf section 6 (below).
[8] See European Interoperability Framework (EIF) for European public services, v. 2, section 4.1.
[9] In contrast to the explanation of legal interoperability in European Interoperability Framework (EIF) for European public services, v. 2, section 4.3, I will claim that this concept should give room for more than exchange of data and also include other aspects of coherence and compatibility between laws, for instance regarding overall statutory structure, external and internal reference structures between/within laws etc; that is, other qualities which determine how difficult it is to understand the interplay between related laws.
[10] Cf the European Interoperability Framework (EIF) for European public services, v. 2, section 4.5, which describes semantic interoperability as “the meaning of data elements and the relationship between them”, including “developing vocabulary to describe data exchanges” and ensuring “that data elements are understood in the same way by communicating parties”.
[11] Data definition in Act 1 is equal to definition in Act 2 (DAct1 = DAct2).

Figure 1. Horizontal and vertical aspects of legal semantic interoperability

Legal interoperability within the semantic field should first and foremost be the result of the legislative process and not only, or primarily, be a question which is solved in the course of implementation. In Norway, modernization of public administration is first and foremost on the technological agenda. Related legal initiatives are to a large extent about removing juridical obstacles and paving the way for desired computerized solutions.[13] Such reactive approaches may of course be necessary. This article is based on the view that laws should as far as possible be drafted to fit with technological and administrative models and processes from the start.
My research on legal concepts and their definitions therefore to a large extent concerns how the legislative process ought to be in order to prepare the ground for development of eGovernment systems designed to implement legislation.

[12] But certainly not without problems; see Dag Wiese Schartum: Om forholdet mellom forvaltningslover og tilknyttede skjemaer [On the Connection Between Administrative Laws and Related Forms]. Lov og rett 2011, Volume 50 (9), 551-566.
[13] See Norwegian eGovernment Program - Digitization public sector services, section 3.9, available from http://www.regjeringen.no/en/dep/fad.htm.

3 Legal definitions and the vague nature of legal concepts

In many ways, administrative law is about the art of handling vagueness and discretion in natural language. When passed, statutory texts are open for interpretation and often with considerable manoeuvring room for those applying the law. This uncertainty may be intended and could be the result of the admission that it is difficult to formulate a clear and fixed rule regarding, for example, a difficult problem area undergoing rapid development. Even if they do not clearly admit it, legislators may decide on the basis of the view that “you never know about the future”, and thus have rather low ambitions as to the degree of preciseness of legal concepts. Instead of clarifying every possible question of how terms may be interpreted in every type of future situation, legislators may trust that the context will give sufficient guidance and rely on the assumption that those applying the law will have sufficient competence to make reasonable choices in the future. If no known individual case makes an interpretation question topical, it may furthermore be regarded as too theoretical to be solved.
Legislators may thus choose to trust that courts of justice and other actors of the legal system will identify problems and solve them in due time, and to the extent questions of interpretation should prove to be of practical significance. It is important to understand the interaction between legislators and other actors of the legal system in order to explain the rather “shocking” degree of uncertainty and need to interpret statutory texts. The fact that the judiciary, appellate authorities and legal theory may analyse and solve various questions over time represents a technique to adapt law to actual situations, and not only presuppose situations which have been predicted in the legislative process. With regard to legal concepts in statute law, this may, in other words, be seen as a continuous definition process: it starts with rather vague concepts and continues with continuously increased precision over the years, and – probably – ends up as relatively well-defined concepts. Viewed in this way, application of the law implies a dynamic process of concept definition where various actors of the legal system take part in a continuous and rather open deliberative process.

In contrast, establishing legal definitions, that is, more or less fixing the meanings of terms and phrases in laws, implies that much of the definition process precedes implementation. Thus, semantic and legal flexibility/uncertainty is exchanged for a higher degree of semantic rigidity/certainty, implying that the ground is better prepared for establishment of information systems.

Figure 2. Traditional development of legal definitions over time

Figure 2 illustrates how definitions in statutory law (DS) may be rudimentary and handed over to case law for complementation over time (cf DCL1–3).
To the extent that individual fairness and political flexibility and control are prioritized, such a continuous process of definition and redefinition could be considered reasonable and even valuable. However, emphasis on efficiency of case processing, automation and lowering of administrative costs provides an argument for choosing predefined and relatively fixed legal concepts. In this event, the significance of case law will be reduced (but may not be eliminated).

When legal-semantic interoperability is an aim, it is required to have a high degree of precise definitions already in the regulatory process. Instead, the regulatory process should yield results in harmony with requirements of the eGovernment system which is necessary for the implementation of the law. Thus, such definition processes must be system driven, that is, the degree of definition must be decided on the basis of system needs (and not the needs of a case-by-case approach).[14]

Most legal terms are not explicitly defined.[15] Only a small selection of words and phrases in laws are defined on the statutory level. However, the results of my investigations demonstrate that legal definitions in Norwegian legislation are usually not designed to solve every definition issue related to the words and phrases in question. Thus, they both cover situations when only a few definitional elements are established in the statutory text and situations when a “complete” definition is stated.[16] Development of eGovernment systems may give grounds for definitions that are as complete as possible, preferably defined in ways which fully answer questions of interpretation required to develop efficient information systems as part of implementation of the relevant law.

[14] The distinction between case-driven and system-driven interpretation of legal sources was introduced in Dag Wiese Schartum: Fra lovtekst til programkode [From Wording of an Act to Programming Code], (August 2012), available from http://www.uio.no/studier/emner/jus/afin/FINF4001/h12/pensumliste.xml.
[15] But could partly be defined by its context and by means of amplifying statements.

4 Primary and derived legal definitions

Legal definitions are usually placed in one of the first sections/articles of the instrument but may also be placed in other parts of a body of rules.[17] The scope of such definitions is typically the legal instrument in which definitions are made, but as a rule, definitions must be understood as applying to subordinate legislation and other related legal instruments.[18] Within Norwegian legislation, only a small selection of words and phrases are defined in each law, often numbering no more than five to ten. My investigation of all legal definitions contained in all novel Acts of Parliament in Norway during the period 2007–2010 showed that legal definitions existed in 35 of 53 laws, that is, in the majority of occurrences. Almost all novel Acts of a certain complexity and volume contained legal definitions.[19]

Legal definitions in my investigation comprised words and phrases commonly occurring in the Norwegian language, as well as expressions especially designed for a specific legal purpose. Even if defined words are commonly used, there were several examples of legal definitions clearly deviating from definitions of the same word in dictionaries. However, in the majority of cases, definitions were within the scope of what could be commonly accepted in the Norwegian language. The investigation showed that legal definitions were generally more detailed than similar definitions in dictionaries.
Moreover, legal definitions frequently contain formal definitional elements, that is, elements referring to something which has been manifested because it is decided or officially registered. It is possible to distinguish between at least three groups of such formal elements in legal definitions:[20]

1. Measurable and quantifiable indicators/variables (e.g. length, weight, time, amount etc);
2. Physical phenomena and conditions which are recognized as notorious facts or which could be objectively observed (e.g. gender, physical conditions, chemical compositions); and
3. Final authoritative decisions, regarding formal positions (such as Member of Parliament, lawful spouse, owner), established rights and obligations (eligibility to a concrete benefit, decision regarding tax liability) and other decisions with a significant bearing on a person’s legal situation (e.g. a decision regarding residence, i.e., a piece of information registered in a specific information system etc).

Category 3) is particularly comprehensive and heterogeneous, and here I will not explore details.

[16] One requirement to a “system driven” approach should probably be that a great number of definitional elements are decided.
[17] A similar technique is applied, for example, in EU directives and regulations, and in various conventions, etc.
[18] Cf vertical legal semantic aspects as shown in section 2 (above).
[19] The total number of definitions was 210, implying an average of six definitions per Act. There was relatively great variation between the Acts, ranging from only a couple of definitions to up to 40.
[20] Cf Jon Bing: Om tolking av enkeltord – særlig i lovtekst [On Interpretation of Single Words – Particularly in Statutory Texts], in: Anders Bratholm et al. (eds.), Samfunn Rett Rettferdighet. Festskrift til Torstein Eckhoffs 70-årsdag, Tano, Oslo 1986, 131-143.
In cases of “authoritative decisions” – as in categories 1) and 2) – it will be possible to ascertain beyond reasonable doubt whether or not something is legally true or valid (e.g. that a person has the right to receive a certain benefit, if a duty to pay a certain tax exists, etc). Of course, in a small minority of cases it could happen that a person is transsexual, that decisions regarding benefits, etc. are incorrect and that erroneous facts are registered in a government information system. Our assumption may nevertheless be that indicators, conditions and decisions in categories 1) – 3) typically are relatively fixed, and at least much less uncertain than in situations where the correct interpretation of, for example, “supports a child”, “too heavy”, “owns a fortune” has not been established by a final authoritative decision or registration.

Figure 3. Primary and derived definitions

In line with the observation and categorization mentioned above, it is thinkable that legal definitions are constructed by means of such formal and relatively fixed elements. “Domicile” could be defined, for instance, as “the place where a person has his/her true, fixed, permanent home, and to which, whenever the person is absent, he/she has the intention of returning.” As a point of departure, such a definition is obviously open to dispute, and it would require a lot of effort to examine the conditions, for instance regarding a person’s intentions. When this question is settled and a domicile is established as a result of an authoritative decision, it would be possible to introduce legal definitions which build on this decision/establishment of facts.
Thus, a derived legal definition of domicile may be, for example, “the place where a person has his/her home according to legally valid information in the National Register.” The meaning of “domicile” could in other words be fixed by referring to what has been established as part of registration in an authoritative information source (or a decision). Figure 3 (above) illustrates how a primary definition in statutory law (D1S), including supplementary definitional elements in preparatory works (D1PW), may be shared in several Acts (D1S-derived in Act A–D).

It may be difficult, however, to draft all laws on the basis of one defined word or phrase that describes where people live. It might be necessary to have different but similar expressions in the National Register Act and the Immigration Act describing where people live. If so, construction of overlapping (modular) definitions[21] should be considered, by introducing a new definition (D2, cf figure 4, below) which partly contains the same definitional elements as in D1. In this event, the same word defined in different ways in the two Acts should be avoided. Instead of introducing a synonymous phrase (e.g. “place of residence”) the legislator should consider using terms identifying the relationship between the two concepts. For instance one definition may relate to “formal domicile” and the other to “actual domicile”. Subsequent legislation may, in such a case, choose between two primary definitions – or more. The point is that a relatively small selection of primary legal definitions may cover the need for definitions in a relatively great number of laws.

An example from my investigation of legal definitions in Norwegian legislation may illustrate the potentials of a modular approach distinguishing between primary and derived legal definitions. The concept “employee” [arbeidstaker] is defined in seven Acts of Parliament.
Three of these definitions are identical, implying that we have four different legal understandings of the same word. However, all existing definitions contain some common definitional elements. On top of that, the definitions contain additional definitional elements and may therefore be designed as the joint definition plus special definitional elements.

[21] About a modular approach, see Dag Wiese Schartum: Sharing information between government institutions - Some legal challenges, in: van der Hov and Groothuis (eds.) Innovating Government, Information Technology and Law Series vol. 20, Springer 2011.

5 Selection of terms to be defined

In guidelines from the Norwegian Ministry of Justice, it is advised that legal definitions should be used in situations with a particular need for strict concepts and in cases when concepts have a basic function in the relevant law.[22] However, the Ministry does not specify further what should be regarded as a “particular need” and “basic function”. Legislation is many-sided, and it is obviously hard to formulate general and simple rules to govern which types of words and phrases should be subject to legal definition. If we restrict the discussion to the area of eGovernment, however, it would probably be feasible to formulate some general guidelines.

Information systems of government agencies which process data in the course of decision-making in individual cases typically contain well formalized types of data describing each case. System requirements regarding input data about, for example, people’s “income”, “matrimonial status” (“married”, “divorced”, “live-in-partner” etc), or the fact that a person is the “supporter of children under 18 years”, etc., are established as part of the system development process. Formalization comprises elements such as the establishment of mandatory input data, requirements regarding the number of digits in input codes, various cross-checks of inputs (e.g.
consistency checks and probability checks), etc. However, as long as input data are registered manually, such formal requirements are not on the level of what we reasonably can call definitions, because they only deal with representation in the data system and not the semantic content: for instance, we may decide that “income” is a mandatory type of data and that it may be represented by Arabic numerals, but without defining the type of assets included in the term.

Norwegian laws contain a very limited number of explicit legal definitions of words and phrases denoting input data to government data systems. Thus, system developers using law as the source for data models in eGovernment systems do not have many clear definitions to apply. Clearly, lawyers may find definitional elements scattered around in relevant legal sources (case law, preparatory works, administrative practice etc), but these will require time-consuming expert effort from lawyers, and the conclusions will easily be disputable. One possible response is to transform questions of defining legal words and phrases from a problem of applying the law to a problem of making the law. The basis of data input for eGovernment systems could, in other words, be defined by statute to a much greater extent than currently. Automated processing of data in eGovernment systems does not come as a surprise, but is very often an obvious consequence of novel legislation, and is always a result when existing legislation relating to automated public administration is amended. Uncertainty as to the degree of automation, etc., does not change this fundamental fact.

[22] See Ministry of Justice and the Police, Lovteknikk og lovforberedelse. Veiledning om lov- og forskriftsarbeid [Statutory Technique and Preparation of Laws], Justis- og politidepartementet 2000, section 7.4.
If the question is posed in this situation as to which words and phrases should be considered for legal definition, some answers and grounds could be indicated, in my view. Rule of law and predictability could obviously be held as grounds for requiring strict concepts in laws, and in particular as part of eGovernment systems which implement laws. This is especially true regarding systems producing individual decisions pursuant to highly automated routines. A high degree of automation will make this argument stronger due to reduced control by people.

Words and phrases denoting a factual basis for individual decisions are of fundamental relevance, and should therefore always be considered for legal definitions. The previously mentioned legal concepts, “domicile”, “income”, “married” and “live-in-partner”, denote information on which individual decisions depend, and which thus should be considered for legal definition. Some definitions could be derived from other pieces of legislation, while other definitions may be legally defined in a primary mode, cf the distinction in section 4 (above). For instance, there will almost never be a need for an alternative definition of “married” in the Marriage Act, while “income” occurs with numerous definitions and may often be linked up as a derived definition. Unless there are well-founded reasons for another conclusion, all input data required in eGovernment systems with law as a source should, in my view, be considered for definition. Such a policy would strongly promote semantic interoperability within the legal domain. My argument does not imply that such legal definitions should be designed to be as exhaustive and strict as possible. When one decides how definitions should be carried out, the most important factors are probably choice of definition technique, organization of the regulatory process and tools, see the next sections.
6 Definition techniques

Definition statements in statutory texts may create expectations of exhaustive identification of definitional elements, something which would imply that all/most issues of interpretation of the word or phrase in question will be solved. My investigation of legal definitions in Norwegian legislation showed that in order to be fully informed of every aspect of the defined term, it was in most cases necessary to consult the preparatory works of the Act in question. Such further delimitations and explanations in preparatory writings were often comprehensive. Frequently they contained further references to other documents, making it necessary to read former, repealed legislation, other Acts of Parliament in force and various legal instruments of the European Union. Full information pertaining to the defined words and phrases could only be attained, in other words, from reading the statutory definition itself, explanations in preparatory works, plus one or several documents within other parts of the legal domain. Although definitions were apparently simple when worded in the statutory text, legal definitions in Norwegian laws only expose a fraction of relevant definitional elements. Such definitions are not designed to make application of the law simple. If the objective is to establish clear definitions of words and phrases, such a practice is obviously inappropriate. On the other hand, this does not necessarily imply that all definitional elements should be found in the law itself. Other legislative techniques must also be considered.

Given the dynamic nature of the legal system, the choice of legislative technique has considerable significance. The evolution of legal definitions as a result of application of the law (case law, etc.) is problematic for designers of eGovernment systems.
If, for instance, a data system is designed to automatically collect case-relevant data from specific databases in another government agency, and the system is able to do so because the statutory definitions are identical, it will obviously be a problem if case law gradually formulates deviating definitional elements on the basis of considerations of object clauses, new policy considerations, etc. If this happens, establishment of manual routines to handle cases covered by such new definition considerations is a possible option as an emergency solution, but will probably only be a quick and not a very lasting fix. There is at least one realistic approach to such problems caused by the dynamic nature of law, cf below.

In my view, legal definitions should always be established by combining statutory definitions and definitional elements in preparatory works.[23] Here, there should be no “either/or” discussion, but rather a determination of the desirable mix between the two types of definition techniques. The argumentative legal weight of statutory text is generally greater than the weight of statements and clarifications in preparatory works, and the first mentioned technique thus represents the most stable and lasting way of defining a legal term. However, stability is not the only important consideration. Equally important is a certain flexibility and the possibility to adapt to changing circumstances. When primary legal definitions are placed as integrated elements in several laws,[24] this will increase the probability that changed political considerations related to one of these Acts will create needs to amend the joint definition. If that happens, it is important to avoid that this results in a breaking out from the interoperable pattern. Placing definitional elements in preparatory works creates the possibility for such flexibility.
In preparatory works, for instance, it could be stated that certain definitional elements may be taken under consideration, but without introducing these elements as strictly binding. Statements in preparatory works could furthermore accentuate the relevance of semantic compatibility and administrative considerations regarding electronic exchange of data. Such statements may only reduce the probability of case law developments that break with joint definitions. It would not be acceptable if the legislator tried to stop courts of justice from controlling that legally based words and phrases are correctly implemented: courts should always in principle have the competence to decide on the basis of concrete interpretation in individual cases and thereby be a guarantee for a minimum degree of fairness in legislation. Stable and effective eGovernment systems could only be one of several considerations.

[23] Or alternatively in texts with similar functions, for instance in preambles of EU directives and regulations.
[24] Cf derived definitions in section 4 (above).

To the extent that definitional elements are given in preparatory works, it is crucial that these elements are collected and jointly presented. Contrary to what my investigation showed, definitional elements should not be scattered around in several documents, making it necessary to go on a treasure hunt through various sources. The degree of semantic interoperability, in other words, should be easy to assess by consulting the wording of the Act and a separate explanatory section of preparatory works where all definitional elements on that level are collected and commented.

7 Organization of the regulatory process

Observed from the outside, laws leave the regulatory process when they have been sent to government administration for implementation.
Development of eGovernment systems required by legislation is seemingly a task of a technological nature – and to a large extent this is true. However, important parts of this development should also be seen as a continued regulatory process – with the important difference that the formal regulators have left the scene. The fact that the regulatory process is continued is not more surprising than the fact that secondary law is established after the Act is passed. In both situations, the task is to bring the often rather general and lofty provisions of the Act “down to earth” and translate abstract rules into concrete conditions, procedures etc. For instance, the design of eGovernment systems could be about finding out how the phrase “supporter of child under the age of 18” in the provisions of an Act should be interpreted in order to identify whether or not it is necessary to collect this information manually, or alternatively, if automatic collection is possible, from existing databases which match the legally required definition.

Definition differences are not necessarily politically unavoidable: for instance the legislator has defined “live-in-partner” as “two people with a joint address living in a marriage-like, established and stable relationship”, while available information resources are based on the definition “two people sharing accommodation and living in a marriage-like relationship with the intention to continue to live together.” Although there are differences between these two definitions, this does not mean that it would have been politically unacceptable to use only one of the definitions in both laws. If a single acceptable definition corresponds to that of a machine-readable source and the other is unique and requires expensive manual collection of data, it may very well be that the legislator would choose the definition represented in the digital source – if only they knew that these sources existed.
One obvious challenge for the legislator is to discover that a choice exists between two or more defined machine-readable data resources. There are many ways of mapping available digital data to the required legal definitions. One possible model is to establish a task force with special competences and responsibility to perform such analyses as part of the legislative process. Draft legislation could, in other words, be analysed by people who investigate existing legal definitions, as well as the administrative and technological consequences of using existing words or introducing new ones. The task force could then give its results as input to the drafting committee. Arguments for and consequences of legislative choices will in this way be better understood, and the possibilities of optimizing information systems will be enhanced. The possibility of choosing definitions which yield a politically acceptable and fair result, and which at the same time represent an appropriate solution regarding system design and effective automated processes, depends on the legislator’s awareness of existing alternatives. In Norway, and probably in most other countries, the legislator will often not know which concepts applied in the proposed statutory text are already defined in existing regulations. Furthermore, they will not know which existing definitions match definitions in available ICT-based information systems. This kind of insight typically arises after the law is passed and implementation has started or, to put it bluntly: too late. Special tools may change the picture.

8 Law-making tools

ICT tools are probably necessary in order to change the regulatory process in ways which improve the capability for interoperability considerations on the lawmaker’s side of the table.
Currently, no such special tools have been developed to facilitate the lawmaking process in Norway.25 Change from hand-made rules to lawmaking tools entails not only questions of how to deal with legal definitions, but constitutes answers to general needs and sets of possibilities for supporting the regulatory process. Regarding legal definitions, a simple and concrete indication of a possible element of such a tool may take the much used definition of “personal data” as an example. “Personal data” is defined in the Norwegian Data Protection Act:26 “personal data: any information and assessments that may be linked to a natural person”. Additional clarifications in the preparatory works of the Act are integral parts of a 530-word explanatory text in the bill, written without any structure to ease retrieval of definitional elements etc. When clearly analysed and structured, the following six supplementing elements can be identified (represented here as keywords):

• Marks of identification
• Ways and efforts of identification
• Significance of the object clause of the Act
• Limitations regarding legal persons
• Limitations regarding deceased persons
• Relation to a definition in the Public Administration Act

My point here is that although the legislator has a choice of where to place definitional elements, these elements should be made available without regard to which part of the regulatory process they refer to. Thus definitional elements in preparatory works should be formalized in a semi-structured way so that each element is easy to identify, understand and display together with the relevant legal definition of the Act.

25 A prototype tool ”Regelverkshjelpen” [Regulation Aid] is under development in a collaboration between the Norwegian Research Center for Computers and Law (NRCCL), the Lawdata Foundation [Stiftelsen Lovdata] and the Norwegian Ministry for Justice and Public Security.
Even if a concept is not defined in the Act, definitional elements in preparatory works should be identified and made easily available together with occurrences of the statutory term in question. Such a complete and easy overview of how legislators understand statutory concepts would be of great importance to developers of eGovernment systems. We can, of course, hope that participants in the legislative process will do analyses of existing legal definitions and search in available information resources without the help of any particular method or tool. The chances of getting effectual results, however, will increase if aids exist. Here I will not go into any detailed discussion of possible methods and tools, but merely outline some simple starting points. First and foremost, it is important to build a library of legal definitions which could be made available by means of a law-drafting tool. My investigation of legal definitions in recent Norwegian legislation shows that the placing and wording of such definitions allow automatic retrieval of a very high percentage of legal definitions.27 Mapping existing definitions is necessary in order to create a basic library of existing definitions that could be expanded on the basis of future regulatory processes. The idea is to develop a tool which is integrated with the editor used to draft statutory texts, and which automatically searches through the library of existing legal definitions and displays possible existing definitions of words/phrases that are used in the draft text.

26 The national definition is based on article 2 (a) of the Data Protection Directive (95/46/EC).
27 Roughly more than 90% could probably be found by automatic means. Mapping of 100% of existing definitions will require scrutiny and manual effort, but total coverage is probably not important as part of the establishment of a general library of definitions.
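The definition library and editor-integrated scanner outlined here, together with the highlighting of occurrences and display of collected definitional elements described in the next paragraph, as a Python sketch added to this section (not code from the article or from the Regelverkshjelpen prototype). The second Act name, the element references and the draft sentence are constructed; the two definitions are those quoted in the article.

```python
"""Added example (not code from the article or the Regelverkshjelpen prototype):
a library of legal definitions whose definitional elements are recorded with
their source, plus a scanner that finds defined terms in a draft statutory
text, highlights them and displays the collected elements. Act names other
than the Data Protection Act, element references and the draft are constructed."""
import re
from dataclasses import dataclass, field

# Source levels of the regulatory process; lower rank is displayed first.
SOURCE_RANK = {"act": 0, "preparatory works": 1}


@dataclass
class DefinitionalElement:
    keyword: str    # short label, e.g. "Marks of identification"
    source: str     # "act" or "preparatory works"
    reference: str  # where the element is found (placeholders here)


@dataclass
class LegalDefinition:
    term: str
    wording: str  # the definition as worded in the Act
    act: str
    elements: list = field(default_factory=list)


class DefinitionLibrary:
    def __init__(self):
        self._by_term = {}

    def add(self, definition):
        self._by_term[definition.term.lower()] = definition

    def lookup(self, term):
        return self._by_term.get(term.lower())

    def _pattern(self):
        # Longest terms first so a longer defined phrase is never split into a
        # shorter one it contains; whole-word, case-insensitive matching.
        terms = sorted(self._by_term, key=len, reverse=True)
        alternation = "|".join(re.escape(t) for t in terms) or r"(?!)"
        return re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)

    def scan(self, draft):
        """(term, start, end) for every occurrence of a defined term, in text order."""
        return [(m.group(1).lower(), m.start(), m.end())
                for m in self._pattern().finditer(draft)]

    def highlight(self, draft):
        """Mark each defined term in the draft as [[term]], keeping the draft's case."""
        return self._pattern().sub(lambda m: "[[" + m.group(1) + "]]", draft)

    def elements_ordered(self, term):
        """Elements of a term ordered by source level (Act first, then preparatory
        works), keeping the order in which they were recorded within each level."""
        definition = self.lookup(term)
        if definition is None:
            return []
        return sorted(definition.elements,
                      key=lambda e: SOURCE_RANK.get(e.source, 99))

    def annotate(self, draft):
        """What the drafting editor would show for each term found in the draft."""
        return [{"term": term, "act": self.lookup(term).act,
                 "wording": self.lookup(term).wording,
                 "elements": [e.keyword for e in self.elements_ordered(term)]}
                for term, _, _ in self.scan(draft)]


def build_library():
    lib = DefinitionLibrary()
    # "personal data" as quoted in the article; the six keywords are the
    # supplementing elements the article identifies in the preparatory works.
    keywords = ("Marks of identification", "Ways and efforts of identification",
                "Significance of the object clause of the Act",
                "Limitations regarding legal persons", "Limitations regarding deceased persons",
                "Relation to a definition in the Public Administration Act")
    lib.add(LegalDefinition(
        term="personal data",
        wording="any information and assessments that may be linked to a natural person",
        act="Norwegian Data Protection Act",
        elements=[DefinitionalElement("Statutory definition", "act", "Act [section placeholder]")]
                 + [DefinitionalElement(k, "preparatory works", "Bill [placeholder]")
                    for k in keywords]))
    # "live-in-partner" as quoted in the article; the Act name is hypothetical.
    lib.add(LegalDefinition(
        term="live-in-partner",
        wording="two people with a joint address living in a marriage-like, "
                "established and stable relationship",
        act="Act A (hypothetical)",
        elements=[DefinitionalElement("Statutory definition", "act", "Act A [placeholder]")]))
    return lib


# Constructed draft sentence used to exercise the scanner.
DRAFT = ("The agency may process Personal data about a live-in-partner of the "
         "applicant, but not personal data about deceased persons.")
```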
Equally important is the idea that such a tool should facilitate the collection of new legal definitions, that is, support the establishment of a library of definitions that is updated in every case of a new legal definition. The goal should be to create a general collection of existing legal definitions that is as up-to-date as possible. Identification of every legal definition with full reference to all definitional elements, regardless of where these elements are placed, makes it possible to highlight occurrences of legal definitions in a legal text and to display these elements to the reader. The tool can collect and order present definitional elements from several sources.

9 Conclusion

Legislation should always be drafted with implementation in mind. Otherwise legislators will probably often find that legislation is put into force in ways that deviate from their intentions. Legislation which presupposes eGovernment systems must be tuned to fit some of the basic technological requirements and potentials. One of the potentials which should be considered as part of the legislative process is data sharing between several government agencies and the prerequisites for this to happen. Today, the Norwegian government has interoperability and data sharing as an important political goal. However, it seems to believe that data sharing is a technological and administrative issue, whereas it should be obvious that interoperability is a regulatory and legal issue: legislators may run the risk of drafting legislation without considering the effects on the possibility of realizing efficient eGovernment systems as expected in government administrative modernisation schemes. If so, they will probably continue to produce obstacles and unnecessary problems for systems development and implementation.
The only sound solution, in my view, is to extend the legislative process so that the consequences for implementation in eGovernment systems of proposed legal texts are assessed as part of the legislative process. In my mind, there are not sufficient grounds to defer dealing with these questions and relegate them to system developers, who are then forced to «blindly» handle political and legal choices.

The contractual network of the Domain Name System1

Emily M. Weitzenboeck

1.1 Introduction

The Internet Corporation for Assigned Names and Numbers (ICANN) is tasked with the management and coordination of the Domain Name System (DNS). Through its so-called IANA functions,2 ICANN is also responsible for the root zone management for the DNS and the global coordination of the Internet Protocol (IP) address space.3 It is thus no wonder that ICANN has been called one of the governors of the Internet.4 The main objective of ICANN’s coordination of the DNS is to ensure that every Internet address is unique and that the users of the Internet can find all valid addresses. A domain name is a unique identifier for an IP address or number in a mnemonic form. Thus, instead of writing 129.240.178.65, one writes the more meaningful www.uio.no. The day-to-day responsibility for the administration of the DNS is in the hands of IANA.

There are two categories of top-level domain names: generic top-level domains (gTLDs)5 and the set of two-letter country code top-level domains (ccTLDs). The initial general framework of the DNS structure and delegation was documented by Jon Postel in RFC 1591.6 Since May 1999, ICANN/IANA has followed ICP-1: Internet Domain Name System Structure and Delegation, which lays down IANA’s current practices in administering inter alia RFC 1591. With the opening up of the top level of the DNS in the new gTLD program, 1930 applications for new gTLDs were filed in spring 2012. Since November 2009, ccTLDs may apply for Internationalized Domain Names (IDNs) in scripts other than US-ASCII.7 The new gTLD program also allows for the first time the addition of IDN gTLDs into the root zone.8 The DNS forms a tree-like hierarchy. Each TLD includes many second-level domains (such as ‘uio’ in www.uio.no); each second-level domain can include a number of third-level domains (such as ‘jus’ in www.jus.uio.no), and so on.

1 The work presented here is based on a working paper by the author on the hybrid network structure of ICANN and the DNS. It is written within the framework of the Igov2 research project (http://www.jus.uio.no/ifp/english/research/projects/internet-governance/) which is jointly funded by the Norwegian Research Council and UNINETT Norid AS.
2 ICANN carries out the IANA functions under a renewable contract with the US Department of Commerce (DOC). See http://www.ntia.doc.gov/page/iana-functions-purchase-order. Unless otherwise stated, all websites have been last accessed on 14 November 2013.
3 See further http://www.iana.org/.
4 L A Bygrave and T Michaelsen, “Governors of the Internet” in L Bygrave and J Bing, Internet Governance: Infrastructure and Institutions (OUP 2009) 92-125. There are several other governors, both private and public bodies, such as the Internet Society (ISOC), which provides an organizational umbrella for Internet standards development and funds the Internet Engineering Task Force (IETF), which is the main Internet standards development body and is another governor. In addition, there is the Internet Architecture Board (IAB), which presides over the development of Internet standards; the Internet Engineering Steering Group (IESG), which manages and oversees the technical operation of the IETF; the Internet Research Task Force (IRTF), which focuses on long-term research issues; the World Wide Web Consortium (W3C), which develops standards for the web; and the Internet Assigned Numbers Authority (IANA), discussed above. See further on these bodies ibid 95-114.
A TLD is operated by a registry, a second-level TLD is operated by a registrar and a domain name holder is known as a registrant. A registry operates a database for registration of domain names in the domain it administers. A registrar facilitates the actual registration of domain names. Some entities combine both registry and registrar functions, such as the .no and .eu domains.9 Governance of the gTLD namespace is contractual, with a web of contracts spun between respectively ICANN, a registry, a registrar, a data escrow provider and eventually between the registrants and their registrar. The management of the ccTLD varies, with some countries having opted for a formal contractual arrangement with ICANN whilst others have preferred an informal arrangement. Some countries also have statutory regulation of their ccTLD. The regulatory frameworks of the gTLD and the ccTLD namespace are examined in more detail in the following two sections.

1.2 Contractual network of the gTLD namespace

ICANN uses a portfolio of contracts in the governance of the gTLD. An analysis of ICANN’s gTLD agreements shows that ICANN tends to use a standard-format set of agreements which varies depending on whether the registry is sponsored10 or not.

5 As at 8 October 2013, there are 60 in ASCII (the American Standard Code for Information Interchange – ASCII – is a character-encoding scheme originally based on the English alphabet). See http://www.icann.org/en/about/agreements/registries.
6 On RFC 1591, see L Bygrave, S Schiavetta, H Thunem, A B Lange and E Phillips, ‘The naming game: Governance of the Domain Name System’ in L Bygrave and J Bing, Internet Governance: Infrastructure and Institutions (OUP 2009) 158, 186-187.
7 See further http://www.icann.org/en/resources/idn.
8 See further http://www.icann.org/en/resources/idn/fast-track/string-evaluation-completion.
9 See further Bygrave et al (n 6) 150.
This use of a standard format applies also to the new gTLD Registry Agreement published in July 2013 with regards to the new gTLDs to be approved under the new gTLD program. One advantage of this is that it makes for easier compliance management by ICANN of all these intertwined agreements. The registry agreements (RA) under the old system contain as one of their appendices a standard-format Registry-Registrar Agreement (RRA) which the registry is bound (through a clause in the ICANN-Registry Agreement) to use with its registrars. An important clause of the registry-registrar agreement is the obligation on the registrar to follow ICANN’s dispute resolution policy. The new gTLD Registry Agreement does not contain a draft of such a standard contract. However, the Registry is bound, through a clause in the new gTLD Registry Agreement, to use a uniform non-discriminatory agreement with all accredited registrars, such agreement also to be known as the Registry-Registrar Agreement. Every gTLD registry must also enter into a Registry Data Escrow Agreement with ICANN and a third party data escrow provider. ICANN also has a contractual relationship with the (second-level) gTLD registrars through its registrar accreditation system and the use of a Registrar Accreditation Agreement (RAA). This is the case both under the old system and in the case of new gTLDs to be delegated under the new program, where a new RAA was approved in June 2013. In its turn, the standard registry-registrar agreement in the old system and the new gTLD Registry Agreement both contain various obligations on the registrar with regards to its relationship with those wishing to register a second-level or third-level domain name (known as registrants).
A prospective registrar must also undertake to submit an electronic copy of their registration database to ICANN or else to an ICANN-approved third-party data escrow provider.11 The above discussion clearly shows that there is a network of contracts between ICANN, a gTLD registry, its registrars and each of the latter’s registrants. The situation is apt to get even more complex because in the case of the (currently pending) new gTLDs, the gTLD Applicant Guidebook allows ICANN-accredited registrars to apply for a gTLD, subject to certain requirements and restrictions.12 Cross-ownership between registries and registrars will thus be possible under the new gTLD regime.13 In addition, the ICANN-Registry Agreement inter alia also contains as an appendix: (1) a standard draft of a Zone File Access Agreement that a Registry must enter into with any third party requesting zone file access; and (2) a service level agreement or a description of the functional and performance specifications which the Registry undertakes to uphold. gTLD registries maintain DNS zone files that contain resource records for the domain names that are active within those gTLDs.

10 Sponsored TLDs are set up for use by a particular community or industry, such as .cat (for the Catalan linguistic and cultural community on the Internet) and .mobi (for users and producers of mobile telecommunications services).
11 See section 3.6 of the 2009 version of ICANN’s Registrar Accreditation Agreement at http://www.icann.org/en/about/agreements/registrars.
12 ICANN may refer an application to a competition authority where the registry-registrar cross-ownership arrangements raise competition issues – see Applicant Guidebook version of 4 June 2012, Module 1 section 1.2.1 on ‘Registrar cross-ownership’; and Module 5 section 5.1 on ‘Registry Agreement’ at http://newgtlds.icann.org/en/applicants/agb.
There is not merely a web of contracts in the sense of a set of loosely related contracts between various actors (such as registries, registrars, escrow providers) and ICANN to regulate the gTLD namespace. Some parts of this web actually form a contractual network. As Cafaggi observes, ‘it is not sufficient to have a multiplicity of linked contracts for a contractual network to emerge.’14 More is required: ‘there has to be (1) a strong collective interest to pursue (2) a common objective, and (3) a high level of interdependence among the contracts and the activities performed through contracts.’15 One utility of contractual network theory is that it helps elucidate how contracts are interlinked and hence whether, and the extent to which, one can make cross-references between such contracts to assist in their interpretation. Another utility is that it helps address doctrinal difficulties created by the notion of privity of contract16 or, as it is known in civil law jurisdictions, the relativity of contracts.17 The doctrine of privity appears to be a major stumbling block to recognising rights for parties in other linked contracts who are, technically speaking, extraneous to the bilateral contract that has been breached. A typical example of such an extraneous party would be the registrant vis-à-vis an ICANN-Registry Agreement (RA). In effect, the backbone of the DNS is made up of a set of interdependent bilateral linked contracts. With respect to each respective gTLD, due to the tree-like structure of the DNS, there is a vertical linked contractual network between the ICANN-registry agreement (RA), the registry-registrar agreement (RRA), and the registration agreement between the registrar and registrant. However, the contractual network is more complex than this, with at least18 two other subnetworks linked to the vertical bilaterally-linked contractual network, namely:

1. The contractual network between ICANN, the registry and the escrow agent, which comprises the ICANN-registry agreement (RA) and ICANN’s third party registry data escrow agreement.
2. A mirror contractual network to that in (1) above between ICANN, the registrar and the escrow agent.

All three elements of a contractual network identified by Cafaggi, namely (1) a strong collective interest, (2) a common objective and (3) a high level of interdependence, are met in the case of each respective gTLD. There is a strong collective interest of all the various contractual parties to pursue the common objective of regulating and operating the respective gTLD in a manner which works, observing the tree-like structure of the TLD (here the relevant parties are ICANN, the registry, the registrar and the registrant) and ensuring security of the registration data (here the relevant parties are ICANN, the registry, the registrar and the third-party escrow agent). To achieve (1) and (2) aforementioned, there is a high level of interdependence between the various contracts and the activities performed under such contracts, as discussed above. The existence of these contractual networks in Cafaggi’s sense implies that the contracts forming a contractual network could be read together to give coherence to the underlying legal framework, for example to understand the extent of a party’s obligations. Moreover, a strong argument can be made that there is also a contractual network in the whole gTLD namespace or, perhaps more precisely, there are two contractual webs: (1) the contractual web of the gTLDs issued under the old system (i.e. not including the new gTLD program), and (2) the contractual web of the new gTLDs under the new program. This makes for a complex regulatory structure. However, it also highlights the significant help that contractual network theory as proposed by Cafaggi provides in trying to seek coherence in this web.

13 Current gTLD registry agreements prohibit registries from acquiring directly or indirectly more than 15% of a registrar – see ‘New gTLD Program Explanatory Memorandum: Registry-Registrar Separation’ of February 2009, chapter 2 at https://archive.icann.org/en/topics/newgtlds/regy-regr-separation-18feb09-en.pdf.
14 F Cafaggi, ‘Contractual networks and contract theory: a research agenda for European contract law’ in F Cafaggi (ed), Contractual networks, inter-firm cooperation and economic growth (Edward Elgar 2011), 74.
15 Cafaggi (n 14) 74.
16 Briefly stated, contractual privity means that contracts are binding only between the parties thereto and cannot be enforced either by or against third parties. However, the Contracts (Rights of Third Parties) Act 1999 introduced an exception to this doctrine in English law such that a third party may acquire enforceable rights under a contract if, and to the extent that, the parties to the contract so intend. See H G Beale (gen ed), Chitty on Contracts – Vol 1: General Principles (including 3rd cumulative supplement of 2011, 30th edn, Sweet & Maxwell 2008) para 18-001. Similarly, most civil law jurisdictions recognise so-called contracts for the benefit of a third party. See, for example, B S Markesinis, H Unberath and A Johnston, The German Law of Contract: A Comparative Treatise (2nd edn, Hart Publishing 2006) 186-203.
17 See, for example, article 1165, French Civil Code. This is also the main rule in Norway – see Rt 1997 p 1322 referred to in G Woxholth, Avtalerett (8th edn, Gyldendal Akademisk 2012) 167.
18 The contractual web becomes more complex in those cases where a registrar has entered into a registrar reseller agreement with one or more resellers with respect to the resale of domain names to and from registrants.
From the above it is clear that the preferred regulatory tool for the gTLD namespace is contract. This massive reliance on contract, with ICANN being the focal node of the network, shows the growing influence of ICANN as the principal and dominant actor in the regulation of the gTLD namespace. ICANN is indeed the protagonist here: it is the main drafter of the regulatory mechanisms, that is, of the various contracts used in this web. Not only that, but all of the other actors – whether offering services in the gTLD namespace (e.g. registries, registrars) or wanting to register a gTLD (i.e. registrants) – have little option but to accept such terms, with hardly any leeway, if they want to operate in the gTLD namespace.

1.3 The ccTLD namespace

Historically the delegation of ccTLDs has been informal, with several ccTLDs delegated by Jon Postel without any formal agreement. ICANN has formalized relationships with a few ccTLD managers (e.g. .au, .jp and .ke) through formal ‘Sponsorship Agreements’. Following discussions with ccTLD managers, and after considering the ‘Guidelines for ccTLD managers Accountability Framework discussions with ICANN’ developed by the ccNSO, ICANN has sought to document its existing relationship with ccTLDs through the use of either of two mechanisms, in the absence of a formal agreement.19 One option is an Accountability Framework document which not only contains clauses stating the obligations of a ccTLD manager and ICANN, but is also meant to cover dispute resolution and termination. It was designed ‘to cater to those ccTLD managers who require a more “formal” document with ICANN.’20 In actual fact, although it is also meant to cover dispute resolution, some of the ccTLDs chose not to include such a clause in their Accountability Framework.21 The other option is the use of an exchange of letters, which has even less formal language than the Accountability Framework.
The legal enforceability of such letters is dubious, to say the least. In fact, several exchanges of letters contain a clause stating that the letters ‘will not form the basis for any claim for any legal or equitable relief, or create reliance on the part of either party’ and that ‘nothing contained in this letter shall give rise to any liability, monetary or otherwise’ by one party towards the other. Such clauses appear, for example, in the exchange of letters between ICANN and the ccTLD manager of, respectively, Norway, the UK, Luxembourg, Austria and Brazil.22 Other countries have variants of this clause, but the main thrust of such exchanges of letters seems to be their declaratory and informal nature. Clauses like the abovementioned make it clear that the parties have no intention to be legally bound, and hence such letters are not contractually binding.23 Though not as informal as the exchange of letters, the legal bite of the Accountability Framework is rather weak, as it also contains, as one of its standard clauses, a ‘no monetary liability’ clause similar to the one found in the exchange of letters. Moreover, as abovementioned, in the case of countries that have opted out of having a dispute resolution clause,24 a further clause was added to emphasise that it was not the intention of the parties to use litigation as a form of dispute resolution and that the parties are to use their best endeavours to resolve any dispute. Most ccTLD managers have opted for either of the abovementioned two informal mechanisms. This is evidence of their reluctance to have a formal, legally binding contract with ICANN regarding their management of the ccTLD.

19 See http://www.icann.org/en/news/announcements/announcement-12feb06-en.htm.
20 Ibid.
21 See clause I in the Accountability Framework with Ecuador, Mexico, Costa Rica (http://www.icann.org/en/about/agreements/cctlds).
What most ccTLD managers embrace, though, is the principle of subsidiarity. The White Paper recognized the role that national governments have in ‘manag[ing] or establish[ing] policy for their own ccTLDs.’25 This principle was incorporated both in ICANN’s MOU with the DOC and in other documents,26 most notably RFC 1591, ICP-1 and the GAC ‘Principles and guidelines for the delegation and administration of country code top level domains’. The latter state that:

‘… ccTLD policy should be set locally, unless it can be shown that the issue has global impact and needs to be resolved in an international framework. Most of the ccTLD policy issues are local in nature and should therefore be addressed by the local Internet Community, according to national law.’27 (article 1.2)

This principle of subsidiarity has been transposed, practically verbatim, in a number of the ICANN-ccTLD Exchanges of Letters.28 One could say that in such cases subsidiarity applies in lieu of a formal agreement with ICANN. Although the management of a ccTLD is in the hands of the respective ccTLD manager, registrations in the second level and other levels further from the TLD are managed on lines similar to those of second-level gTLDs, i.e. through agreements between the ccTLD registry and registrars, with the latter assisting registrants in the registration of their domain names. However, in the case of ccTLDs, there is no system of ICANN accreditation of registrars. It is normally the respective ccTLD registry which accredits its registrars. Moreover, as explained above, the role of contracts here is more modest than it is in the regulation of the gTLD namespace.29 In effect, the management of the country-code namespace is in the hands of the ccTLD manager, in the spirit of the principle of subsidiarity abovementioned. Some ccTLDs have a rather liberal policy with regard to the types of domain names registered and to who is allowed to register a domain name (e.g. Austria). Other ccTLDs are more restrictive in their policy. Thus, for example, to register a domain name under .no, a business must first be registered in the register of business entities in Norway, whereas a private individual may only be registered under the priv.no domain provided he/she is 18 years or older and has a Norwegian identity number.30 Some ccTLD regimes have a statutory footing. Thus, for example, Norway’s Domain Name Regulations,31 issued under the authority of the Electronic Communications Law,32 establish the role of the registry (Norid) and registrars and require that an applicant for a domain name signs a declaration confirming certain facts (e.g. that the domain name is not in breach of the law, does not infringe third party rights, etc.). They also set up an ADR committee to hear domain name disputes. Anyone wanting to register a domain name in Norway has to apply via one of Norid’s approved list of .no registrars. The .eu domain is a strange creature sitting among the other country-code top-level domains. The EU is not a federal state like the US but an economic and political partnership between 28 independent states33 in Europe, each of which has its own ccTLD.

22 A copy of these letters is available at http://www.icann.org/en/about/agreements/cctlds.
23 Bygrave concurs. See L A Bygrave, ‘Contract versus statute in Internet governance’ in I Brown (ed), Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013) 175.
24 See n 21.
25 See NTIA, ‘Management of Internet Names and Addresses’ (‘White Paper’), 5 June 1998.
26 See Bygrave et al (n 6) 158.
27 http://archive.icann.org/en/committees/gac/gac-cctld-principles.htm.
28 See, for example, the exchange of letters regarding .no, .uk, .lu and .at. Other ccTLD managers like AFNIC (.fr) opted to refer to the GAC principles and guidelines in toto.
Thus, the assignment of the .eu domain to a registry designated by the European Commission, the executive arm of the EU, makes for curious reading, since it blends the use of standards with contract and statutory law of a very special kind, namely EU law. Once the two letters “eu” were exceptionally reserved as the country code for the European Union in ISO 3166-1,34 this paved the way for ICANN/IANA to delegate .eu as a ccTLD to the entity designated by the EU, viz. EURid. The setting up of the .eu registry was a result of Regulation35 733/2002,36 which set out how the eventual entity to run the .eu registry would be chosen, what the obligations of the registry shall be, and the policy framework for this domain. EURid was formally set up under Belgian law as a private, not-for-profit organization on 8 April 2003 and was subsequently designated .eu registry through another piece of EU legislation – Decision 2003/375/EC. This was followed by another piece of EU legislation – Regulation 874/2004,37 – which set out in greater detail the public policy rules concerning the implementation and functions of the .eu TLD such as, for example, accreditation of registrars by the registry, applications for second-level domain names, and an ADR procedure to settle domain name disputes. With regards to the formal delegation of the .eu TLD, EURid entered into a Registry Agreement with ICANN.

29 See also Bygrave (n 23) 180.
30 See further http://www.norid.no/domeneregistrering/registrere.en.html. See also Bygrave et al (n 6) 172-212.
31 Forskrift om domenenavn under norske landkodetoppdomener (abbreviated as domeneforskriften) of 1 August 2003.
32 Lov av 4. juli 2003 nr 83 om elektronisk kommunikasjon (abbreviated as ekomloven).
33 On 1 July 2013, Croatia became the EU’s 28th member.
34 See http://www.iso.org/iso/home/standards/country_codes/iso-3166-1_decoding_table.htm#EU.
There are a number of provisions in this agreement which are similar to those found in the registry agreements that ICANN uses with gTLD operators, though there are also a number of differences. Thus, one of EURid’s obligations is to establish a data escrow policy, though this has to be in accordance with the rules established under EU law, namely article 15, titled “escrow agreement”, of Regulation 874/2004. Unlike under a gTLD ICANN registry agreement, EURid’s registrars do not need to be accredited by ICANN but must be accredited by EURid.[38]

1.4 Closing words

The above analysis illustrates the complexity of the regulatory framework of the DNS, both with regard to the types of regulatory mechanisms used – ranging from hard to ‘soft’ law – and in the sheer quantity of mechanisms used. A similarly intricate regulatory framework may be seen behind the legal structure of ICANN. This issue, as well as the question whether and how these different types of instruments may, if at all, co-exist and interrelate as a coherent regulatory framework, is the basis of this author’s current research.

[35] It should here be pointed out that the three binding forms of EU legislation are regulations, directives and decisions. Regulations and directives are addressed to all member states of the EU. A regulation is directly applicable without need for national legislation to implement it. On the other hand, a directive must be transposed into national law within a prescribed date. A decision is not of general application but is normally addressed to particular member states, individuals or companies and is binding on those to whom it is addressed.
[36] Regulation 733/2002 of 22 April 2002 on the implementation of the .eu Top Level Domain.
[37] Regulation 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration, as variously amended, the latest being through Regulation 560/2009 of 26 June 2009.
[38] See article 4 “Accreditation of registrars”, Regulation 874/2004.

Would You Like to Own a Generic Top Level Domain?

Tobias Mahler[1]

1 Introduction

The domain namespace is currently being strongly expanded by adding more than a thousand new top-level domains (TLDs) to the Internet’s root servers. This is a significant change compared to the hitherto small number of pre-existing TLDs, which include generic TLDs (gTLDs), such as <.com> and <.info>, and country code TLDs (ccTLDs), for example <.uk> and <.no>. The top level of the domain name system (DNS) has appeared fairly static during most of the Internet’s history. This perception of a static DNS is probably most prevalent amongst Internet users who primarily use the Latin alphabet and who may not have noticed the recent addition of TLDs in non-Latin scripts.[2] The dynamics of DNS change will become apparent to many more users with the current introduction of approximately one thousand new TLDs, and the likely addition of more in the next years.

The expansion of the domain namespace was enabled by a liberalization of the market for TLDs, finally approved in 2011.[3] This policy change counts as one of the most fundamental developments in the history of the DNS. In the first phase of this expansion, commenced in 2012, any organization in good standing could apply for virtually any TLD, with a few exceptions.[4] Over 1000 applicants have applied for more than 1400 TLD strings, often with several competing applications for the same name.
When this round of expansion is concluded, the namespace will have been extended with new TLDs dedicated to geographical areas (<.london> and <.bavaria>), industries (<.bank> and <.insurance>), communities (<.catholic>, in many scripts), brand names (<.microsoft> and <.ibm>) and many generic words (<.music>, <.kids>, <.gay>, etc.). Thus, there seems to exist an interest, at least shared by some, in acquiring this new digital asset. Yet, from a legal perspective it is not entirely clear what kind of legal position an applicant for a TLD aspires to and, if successful, acquires.

From a technical perspective, a TLD can be characterized as an entry in a database, the root zone file of the DNS. In some sense this seems similar to the registration of domain names. The latter are also entries in the DNS, but at a lower level in the hierarchy of names.

[1] This is a working draft of a paper presented at the IGov2 Symposium, held in Oslo in September 2013. The author wishes to thank the audience for relevant comments. I am also grateful to the members of the IGov2 project at the NRCCL, and in particular Lee Bygrave and Jon Bing, for valuable feedback on an earlier version of this paper.
[2] There have been several introductions of new TLDs using scripts other than Latin, such as <.рф> (in Cyrillic) and other internationalized country code TLDs. See further ICANN’s overview page on Internationalized domain names, available at <http://www.icann.org/en/resources/idn>, last accessed 16.09.2013.
[3] The decision to liberalize the namespace was taken by the ICANN board at its Singapore meeting in 2011. The board resolution is available at http://www.icann.org/en/groups/board/documents/resolutions-20jun11-en.htm, last accessed 16.09.2013. This was based on an earlier ICANN board decision of 26 June 2008.
[4] See ICANN, Gtld Applicant Guidebook (2012), Module 2.
While domain names are entered at the second or third level,[5] TLDs are entered at the first level—also referred to as the Internet root.[6] However, despite this technical similarity, there are many practical differences between the fairly non-bureaucratic domain name registration and the long and complicated process of applying for a TLD. Moreover, successful TLD applicants enter into a fairly complex network of contracts with other DNS actors, as described further below.[7]

This article focuses on the following question: what legal position is acquired by successful TLD applicants? One might expect that this question should be easy to answer, because there is a contract between the successful applicant—the TLD ‘registry’—and the Internet Corporation for Assigned Names and Numbers (ICANN), which grants these applications. The legal position of TLD registries should be easily understood by reading this contract. However, the gTLD agreement is based on a conceptual framework that has its origin in the technical management of the DNS, rather than in established legal concepts. This is probably because ICANN has a primarily technical focus, and legal issues often come as an afterthought to the technical management. Many of the concepts used for describing the management of the DNS have a fairly clear technical meaning, but are not sufficiently precise to describe the legal and contractual relationship governing the use of a TLD. Therefore, this article examines how some of the technical concepts used in the management of the DNS are reflected in legal and contractual concepts.

2 Overview

This article is structured as follows. It first creates a framework for the analysis, both in terms of the technological basis and the theoretical background (section 3). Thereafter section 4 provides a theoretical platform for discussing conceptual issues regarding a right to a gTLD. It addresses the function of concepts in legal reasoning in general, and Ross’ theory of intermediate legal concepts in particular. On the basis of this framework, the subsequent sections discuss a number of possible hypotheses about a right to a gTLD. Would it make sense to say that the gTLD is delegated, in the legal sense, to the TLD holder? This hypothesis is rejected in section 5. Thereafter it is discussed whether a right to a gTLD can be conceptualized differently or, indeed, whether it is possible that a TLD holder does not acquire any right in the TLD. As elaborated in section 6, there are a few arguments for denying the TLD holder any right to a TLD, but these do not carry much weight in the current phase of the development of the DNS. The search for an adequate concept with which to conceptualize a right in a gTLD continues with section 7, which examines whether there can be a property right in a TLD, and section 8, which focuses on a possible contractual license to use the TLD. Both of the above hypotheses are promising, but ultimately cannot provide an adequate conceptual clarification. As explained in section 9, we are therefore left with the notion of a “designation” as Registry Operator as the most promising conceptual basis for a gTLD right. This notion, it is argued, provides the only foundation for a gTLD right that can be based on the text of the Registry Agreement. Conceptually, it is a rather unclear notion, but it does seem to have at least two important consequences. First, as explained in section 10, while it does not give the TLD holder a subjective right to the insertion of the TLD in the DNS, it does oblige ICANN to support this step, within the limits of its authority.

[5] For example, under <co.uk> domain names are registered at the third level.
[6] See in general Mueller M, Ruling the Root: Internet Governance and the Taming of Cyberspace (MIT Press 2002).
[7] See below, Section 3.
Second, as presented in section 11, the designation as Registry Operator has a number of exclusionary effects, which are likely the most valuable element from the perspective of TLD holders. On this basis, section 12 concludes that we can begin to discern the contours of an emerging gTLD right. This right has its basis in the Registry Agreement with ICANN, and it is not a classical intellectual property right. Nevertheless, the gTLD right, if we choose to use this term, gives the TLD holder a relatively comprehensive ability to exclude others from the TLD, and this ability has both factual and legal components. While the introduction of the term “gTLD right” is not without complications and possible pitfalls, because it could lead to confusion with intellectual property rights, it could nevertheless be used to describe in summary fashion the bundle of rights a successful TLD applicant acquires.

3 The Internet root and TLD delegation

This section highlights some of the key organizational and technical concepts that are commonly used to describe the management of the DNS. The DNS is used by anyone viewing a web page or sending an email, but these acts require virtually no knowledge of the underlying technical architecture and organizational arrangements in place to ensure its functioning. Put briefly, domain names are alphanumeric strings used to name computers on the Internet.[8] As a first approximation we can say that this naming system is necessary for the use of the Internet, because every computer must have a unique identifier. Internet navigation is primarily based on domain names and IP (Internet Protocol) addresses, but the latter are for most practical purposes hidden behind the former. The use of domain names is relatively user-friendly, at least compared with IP addresses such as 10.255.255.255.
The dominance of domain names has in recent years been somewhat threatened by alternative and complementary modes of Internet navigation, such as search engines, apps, social networks and graphical QR codes. Nevertheless, domain names currently still have a central function for a number of Internet applications, not least WWW navigation and the addressing of emails. Moreover, domain names also have an important role in facilitating users’ trust, which is particularly important in the context of, for example, financial services. Internet users may memorize or at least recognize some domain names, and use this to distinguish between genuine and fraudulent websites.

For practical reasons, the domain name system is structured hierarchically. The top level of the hierarchy is at the end of the name, reading from left to right. Thus, the domain name <www.icann.org> has as its top level the TLD <.org>. The second level of <www.amazon.com> is “amazon”. Each name designates a domain. This simply means that, functionally, a name server points to an IP address when queried for a name in the domain. Thus, the root servers point to the IP address for “.com”, and the name servers for the latter point to the IP address for “amazon.com”. The domain name system represents an island of hierarchy in an otherwise largely non-hierarchical and widely distributed Internet.

The creation of a new TLD involves at its core the addition of the TLD string to the Internet’s “root”.[9] ICANN uses the term “delegation” for the “process through which the root zone is edited to include a new TLD, and the management of domain name registrations under such TLD is turned over to the registry operator.”[10] In essence, successful TLD applicants become registry operators for their respective TLDs. In this role they have authority over the TLD, within the limits set by ICANN. For example, they can allow or disallow registration of domain names under the respective TLD, usually via a registrar (i.e., a third-party domain name retailer). For example, the registry operator for the TLD <.london> can contract with registrars to sell domain names such as <pizza.london>. Presumably, the registrant for such a name could be a pizza baker in London. Another example of the use of a TLD is when a brand holder registers one of its products within its TLD, for example <prius.toyota>. Conceptually, the management of the top level of the DNS is thus characterized by a focus on the role of a “Registry Operator”, which the respective actor assumes contractually in a Registry Agreement,[11] followed by a “delegation”.

[8] Mueller M, ‘Toward an Economics of the Domain Name System’ in Cave M, Majumdar SK and Vogelsang I (eds), Handbook of Telecommunications Economics Volume 2, Technology Evolution and the Internet (Elsevier 2005).
[9] In RFC 1034, Mockapetris writes: “Once an organization controls its own zone it can unilaterally change the data in the zone, grow new tree sections connected to the zone, delete existing nodes, or delegate new subzones under its zone”, see Mockapetris PV, ‘Domain Names Concepts and Facilities’ (RFC 1034, 1987) <http://tools.ietf.org/html/rfc1034.html>. Regarding the importance of the Internet root, see Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace. There are, in fact, many root servers, but the authoritative one is operated by Verisign, under a contract with the US Department of Commerce, see further Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace, 47. Regarding the Verisign Cooperative Agreement see the website of the National Telecommunication and Information
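The hierarchy and the two aspects of “delegation” described above (editing the root so that it refers to the new TLD, and the registry operator then managing registrations under it) can be made concrete in a toy model. The following Python is an added example, not code from the paper or from ICANN: the Zone and ToyDNS classes, the operator names and the 192.0.2.x addresses are all constructed for illustration.

```python
# Added example (not from the paper): a toy model of the DNS hierarchy and of
# TLD delegation. Zone names, operators and addresses are constructed; the
# addresses come from the 192.0.2.0/24 range reserved for documentation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def tld_of(fqdn: str) -> str:
    """The top level of the hierarchy is the right-most label of the name."""
    return fqdn.rstrip(".").rsplit(".", 1)[-1]


@dataclass
class Zone:
    name: str        # "" for the root, "london" for the TLD <.london>
    operator: str    # who runs the zone's name server (the registry operator for a TLD)
    delegations: Dict[str, str] = field(default_factory=dict)  # child label -> child zone name
    addresses: Dict[str, str] = field(default_factory=dict)    # fqdn -> IP address


class ToyDNS:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {"": Zone(name="", operator="root zone manager")}

    def create_zone(self, name: str, operator: str) -> Zone:
        """Set up a zone on its operator's name server. Until the parent zone is
        edited (see delegate), the zone exists but cannot be reached from the
        root: the state of a TLD whose agreement is signed but not yet delegated."""
        self.zones[name] = Zone(name=name, operator=operator)
        return self.zones[name]

    def delegate(self, parent: str, label: str) -> None:
        """Edit the parent zone (for a TLD: the root) so that queries for
        `label` are referred to the child zone's name server."""
        child = f"{label}.{parent}" if parent else label
        if child not in self.zones:
            raise KeyError(f"zone {child!r} has not been set up")
        self.zones[parent].delegations[label] = child

    def register(self, tld: str, fqdn: str, ip: str) -> None:
        """A registry operator enters a domain name into its own TLD zone.
        Its authority stops at the TLD boundary: it cannot write into another TLD."""
        if tld_of(fqdn) != tld:
            raise PermissionError(f"{fqdn!r} is outside the <.{tld}> zone")
        if tld not in self.zones:
            raise KeyError(f"no zone for <.{tld}>")
        self.zones[tld].addresses[fqdn] = ip

    def resolve(self, fqdn: str) -> Tuple[Optional[str], List[str]]:
        """Iterative resolution: start at the root and follow one referral per
        label, right to left. Returns (address or None, zones visited)."""
        labels = fqdn.rstrip(".").split(".")
        zone = self.zones[""]
        visited = ["."]
        for label in reversed(labels):
            if fqdn in zone.addresses:        # answered at this level of the tree
                return zone.addresses[fqdn], visited
            child = zone.delegations.get(label)
            if child is None:                 # no referral: name does not exist from here
                return None, visited
            zone = self.zones[child]
            visited.append(child)
        return zone.addresses.get(fqdn), visited


def delegation_walkthrough() -> dict:
    """Reproduce the sequence the text describes: the registry is set up and
    sells a name first; only the later edit of the root makes it reachable."""
    dns = ToyDNS()
    dns.create_zone("london", operator="(constructed) .london registry operator")
    dns.register("london", "pizza.london", "192.0.2.10")   # sold via a registrar
    before = dns.resolve("pizza.london")                    # root not yet edited
    dns.delegate("", "london")                              # delegation: root zone edited
    after = dns.resolve("pizza.london")
    try:
        dns.register("london", "pizza.bavaria", "192.0.2.20")
        out_of_scope = "accepted"
    except PermissionError:
        out_of_scope = "refused"                            # authority limited to <.london>
    return {"before": before, "after": after, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for key, value in delegation_walkthrough().items():
        print(f"{key}: {value}")
```

Before the root is edited the name resolves to nothing even though the registry already holds the record; afterwards the resolver reaches it through the referral chain root → london.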
We are particularly interested in the legal position of Registry Operators, which we will call “TLD holders”. The difference in naming reflects the specific perspective of this paper. ICANN primarily focuses on the role Registry Operators fulfil in the management of the DNS. From the technical and management perspectives, the role of Registry Operator is therefore an adequate conceptualization. However, if we shift perspective towards the legal and economic position held by these actors, it might be useful to speak of “TLD holders” rather than of “Registry Operators”. We are interested in the rights, if any, held by the TLD holder, both from a legal and from an economic perspective.

From an economic perspective, applicants likely consider the TLD a significant investment in an Internet-related asset. An application for a TLD is a very costly process, but if it is successful the TLD will offer a potentially valuable advantage—visibility at the highest level of the domain name system. Each application requires the payment of an application fee of US$ 185.000 plus significant additional costs of preparing the application. Why would anybody invest these amounts if they did not expect to receive a clear benefit from acquiring rights in a TLD? Applicants for names such as <.toyota> and <.ibm> probably see the investment in a TLD as the acquisition of an asset that improves the visibility of their brand name. While it is technically correct to say that Toyota assumes the role of Registry Operator for the TLD <.toyota>, involving a delegation of the TLD in the Internet root, this description fails to clearly identify the economic function of the transaction, at least from the applicant’s perspective. After the delegation, the “Registry Operator” seems to have an asset or a resource—the TLD—it did not have before, but this aspect is under-communicated in the technical language. Therefore, the term “TLD holder” will here be used for a successful gTLD applicant that is awarded a TLD contract. The term “TLD holder” is intended to be a neutral label for the entity that is awarded a TLD (i.e., the Registry Operator), but the term does not clarify what legal position this entity has. The nature of this position is addressed in the following.

[9, cont.] Administration (NTIA): http://www.ntia.doc.gov/page/verisign-cooperative-agreement, last visited 30. 09. 2013.
[10] See ICANN’s new gTLD glossary, available at <http://newgtlds.icann.org/en/applicants/glossary>, last visited 16. 09. 2013.
[11] See below, Section 8.

4 Intermediate concepts in legal reasoning

The answer to the question ‘what is the legal position of a TLD holder?’ will likely contain one or more legal concepts. Before starting the search for a possible answer to the question, we should therefore take a step back and reflect on the function(s) of concepts in legal reasoning. Legal concepts have a central function for the communication of legal rules, and they provide the semantic basis for legal argumentation and decision-making. Legal reasoning requires us to use a set of basic concepts such as obligation (‘shall’), prohibition (‘shall not’), ownership and right, to mention just a few. In addition, lawmakers and contract drafters often see the need to specify exactly the meaning of certain terms that are relevant for a given context, and lawyers and legal theorists spend a great deal of their time discussing conceptual issues.[12] In the context of Internet TLDs, many of the concepts have a technical rather than a legal origin. Yet when we explore the legal position of TLD holders, we require concepts that are related to a conceptual framework with relevance to legal norms. The legal position of a TLD holder could be denoted by using notions such as delegation, exclusive monopoly, property right, license, or perhaps even “gTLD right”.
As a first approximation, we are therefore not looking for basic operators such as the deontic notions of obligation or prohibition. We are more likely to find useful concepts amongst the category termed “intermediate legal concepts”. Intermediate legal concepts are useful and important in legal reasoning, and the Danish scholar Alf Ross has famously illustrated this with the concept of “Tû-Tû”.[13] Ross exemplifies the idea of intermediate legal concepts by introducing a native tribe on a distant island which, according to anthropologists, endorses two kinds of rules.[14] The first set are rules that state under what conditions something is, or becomes, ‘tû-tû’. In Ross’ example, if someone in the tribe has eaten the chief’s food, they have or are tû-tû.[15] The second set of rules states further normative qualifications or positions that are determined by having ‘tû-tû’. Conceptually, ‘tû-tû’ can be exchanged for a variety of intermediate concepts, such as ‘ownership’, which have an intermediate function in the sense that they combine a set of circumstances and legal consequences. You own something because you bought or inherited it, or somehow lawfully acquired it through some other circumstances. And the ownership has certain legal consequences for you—it gives you the legal power to transfer the ownership to somebody else, and the permission to throw it away. It is characteristic of intermediate concepts that they can be omitted from legal reasoning. Thus, for example, you could say that you bought something and therefore you are allowed to dispose of it, without even mentioning the intermediate concept of ownership.

[12] See, e.g., Eng S, Analysis of Dis/Agreement with Particular Reference to Law and Legal Theory (Kluwer Academic Publishers 2003).
[13] Ross A, ‘Tu-Tu’ [1957] Harvard Law Review 812-25.
[14] See further, Sartor G, Legal Reasoning: A Cognitive Approach to the Law (Springer 2005), 553.
The intermediate concept we are looking for in the context of TLDs is simply a semantic notion that summarizes the conditions under which a TLD holder achieves some kind of legal position, and the legal consequences this position implies. It should, however, be noted that we are addressing this at a different level of abstraction and in a different legal context than the one in Ross’ theory of intermediate concepts. We are not looking for an anthropological concept, and we are not focusing on a concept that is generally recognized as valid within a specific legal system. Rather, we are looking for an intermediate concept to summarize the primarily contractual basis and consequences of the position of TLD holders within the global context of the Internet. In the search for a possible intermediate legal concept to adequately describe the TLD holder’s legal position, we will refer to the technical context of the DNS, as well as the contractual language governing the use of the TLD. Thus, we will study both the global Internet community’s understanding of “delegation” and examine in detail the contractual foundation of the relation between ICANN and the respective TLD holders.

5 Delegation

The first candidate for an intermediate concept is “delegation”. Is it adequate to say that a TLD holder is delegated the TLD? This concept has a long history in the management of the DNS; it was introduced during the development of the DNS as a distributed system. As mentioned above, the technical term delegation refers to two distinct aspects:[16] the first is the editing of the root zone file, where the TLD is introduced; and second, through delegation the management of domain name registrations under a TLD is finally ‘turned over’ to the registry operator.

[15] Ross, ‘Tu-Tu’ above n 13, 813.
[16] See ICANN’s new gTLD glossary, available at <http://newgtlds.icann.org/en/applicants/glossary>, last visited 16. 09. 2013.
Before we address the legal notion of delegation, we first need to consider one possible question about the technical notion of delegation. What does it mean that the management of the TLD is ‘turned over’? Does this only refer to the factual possibility to register domain names under a TLD? Or does this also include the contractual transfer of the responsibility for the TLD? It follows from the sequence of events in a typical delegation that the management of the TLD is not turned over when the formal agreement for the TLD is signed.[17] This is because the signature of the agreement actually happens before the editing of the root, so on the day of signature the TLD still does not ‘exist’ on the Internet. Functionally, the management of the TLD is therefore only turned over to the registry operator once the TLD is inserted into the root and points to the registry operator’s name server. Thus, the technical concept of delegation focuses only on the immediate change in the DNS.

The next question is whether delegation can also be a meaningful concept for understanding the legal position of the TLD holder. Would it be adequate to say that the TLD holder is being delegated a TLD, in the legal sense? Delegation is an intermediate legal concept that is used in a variety of contexts. It usually implies a transfer of a bundle of normative positions from a delegator to a delegate. Depending on the context, the transfer may include legal authority, obligation, and sometimes perhaps also permission. In other words, the delegate becomes authorized or responsible for a delegated act, and the delegation usually includes any powers or permissions needed for executing it. In law, the concept of delegation is used both in contracting—where the power can be delegated—and in the context of managing hierarchical structures.
Both of these contexts are considered below, in order to assess whether delegation is an adequate concept to describe the legal consequences of a successful TLD application. The contractual nature of the relation between ICANN and the registry operator might lead some to the misconceived impression that the registry operator becomes an agent of ICANN, through delegation of power. However, there is no support in the Registry Agreement for such an interpretation. We will return to examine the contract language below, but for now it suffices to state that no part of the contract supports the delegation of agency power. Google and Toyota, which both will have their own TLDs, will manage the TLDs on their own behalf and will not become ICANN’s agents.

There is also a second context in which delegation is a meaningful legal concept. There are hierarchical organizations, such as governments, where competence and tasks can be delegated, usually from the top to lower levels. Conceptually, this understanding is clearly relevant for the technical management of the hierarchical domain name system. However, it is doubtful whether this concept is adequate to describe the legal relationship between ICANN and TLD holders. Is hierarchy an adequate starting point to describe the legal relationship between ICANN and entities such as Toyota, Google, the Vatican, and the Government of Switzerland, all of which have applied for new gTLDs? The perspective of hierarchy clashes with the contractual form of the registry agreement, which is agreed—and sometimes even negotiated—amongst independent parties. Thus, while the concept of delegation is meaningful both in the DNS context and in law, it would be misleading to describe the legal consequences of the registry agreement as a delegation of the TLD.

[17] See ICANN, Gtld Applicant Guidebook, Section 5, Transition to delegation.
Clearly, delegation—in the technical sense—is a necessary requirement for the use of the TLD by the TLD holder, but this is something slightly different, so we have to look elsewhere for an adequate legal concept.

6 No right to a TLD?

So far we have implicitly assumed that TLD holders have some kind of as yet unspecified right in the TLD. However, we should also consider the possibility that no such right exists. An argument against any right to a TLD could be based on the technical document RFC 1591, “Domain Name System Structure and Delegation”.[18] The author of this Request for Comments (RFC),[19] Jon Postel, was influential in the development of the domain name system. In Postel’s view, “concerns about rights and ownership of domains are inappropriate”, because Registry Operators[20] are “trustees for the delegated domain, and have a duty to serve the community.” Instead of rights, it is appropriate to be concerned about “responsibilities” and “service” to the community. From the wording of Postel’s memo it is not immediately clear whether this claim is made primarily as a descriptive statement or as a normative statement about what ought to be the rule, or both. In any case it should be mentioned that this memo was written in 1994, which almost counts as ancient history in the Internet context.

[18] Postel J, RFC 1591 Domain Name System Structure and Delegation (1994).
[19] This RFC does not specify an Internet Standard of any kind; it was simply intended as a “memo [that] provides information for the Internet community.” In general, RFC documents are useful in drafting Internet standards and launching new ideas, see Alvestrand H and Lie HW, ‘Development of Core Internet Standards: The Work of Ietf and W3c’ in Bygrave LA and Bing J (eds), Internet Governance: Infrastructure and Institutions (Oxford University Press 2009).
[20] Postel speaks of TLD holders not in the current ICANN terminology of “Registry Operators”, but as “designated authorities”.
Its precise legal status is uncertain. In the meantime, there have been instances where country code TLDs, such as <.tv>, were sold by a Registry Operator to a third party. Moreover, ICANN’s application process for new TLDs may have created some expectations amongst applicants that they will indeed receive at least some rights in TLDs after a long and costly application process that can involve the transfer of large amounts of money in an auction. Thus, it would be at least counterintuitive if a TLD holder were awarded no degree of protection in ICANN’s management of the DNS. Yet we still need to establish a basis for a right to a gTLD.

7 Property right

TLD applicants and holders clearly have an interest in a fairly strong protection of their interest in the TLD. This interest would arguably be best served if they were to receive some kind of property right. The discussion about property rights in TLDs is not new, and parallels a similar discourse about property rights in domain names—as noted below. Already in 1999 the ICANN Governmental Advisory Committee (GAC) declared that “no private intellectual or other property rights inhere to the TLD itself nor accrue to the delegated manager of the TLD as the result of such delegation.”[21] This assertion does not seem to have been challenged subsequently, but the GAC did not offer a definition of “property right”, and it did not clarify whether a TLD holder’s interest in a TLD is protected in some other way.

There is an interesting parallel to this issue in the debate about the legal protection of domain names. It is clear that domain names as such do not automatically constitute classical intellectual property rights, because they usually do not constitute a copyrightable work, a patentable invention, a trademark or a protectable design, although it may be possible to combine some of these intellectual property rights with domain names.
This does not preclude, however, that the right to a domain name can be classified as a property right in some legal systems, as shown below. Domain names are usually registered through a contract between a registrant and a registrar or a registry.[22] Yet internationally it is not clear whether registrants thus acquire a property right in a domain name. This is to a large degree due to the different conceptual frameworks surrounding the domain of property law. The legal basis for domain names becomes particularly pertinent when a domain name is somehow challenged by, or transferred to, a third party.

In the United States, there are court decisions that could be taken as an argument to support an “intangible property” right in domain names. In the case of Kremen v Cohen & Network Solutions, the US Court of Appeals for the 9th Circuit decided in 2003 that a registrant has a property right in a domain name, and that this right is accordingly subject to conversion. To establish that tort, a plaintiff must show “ownership or right to possession of property, wrongful disposition of the property right and damages.”[23] The case concerned the hijacking of the domain name <sex.com> by Cohen, who had sent a fraudulent letter to Network Solutions, thus achieving the transfer of the domain name. The Court applied a three-part test to determine whether a property right exists: “First, there must be an interest capable of precise definition; second, it must be capable of exclusive possession or control; and third, the putative owner must have established a legitimate claim to exclusivity.”[24] According to the Court, domain names satisfy each criterion.

[21] ICANN, Communiqué of the Governmental Advisory Committee, Aug. 24, 1999.
[22] In some contexts, domain names can be registered directly with a ccTLD registry. This is the case, for example, in Finland.
It is interesting to revisit the Court's arguments, because they would generally seem to apply to TLDs too. The Court argued that, like a share of corporate stock or a plot of land, a domain name is a well-defined interest. A registrant decides where on the Internet those who invoke that particular name are sent. Ownership is exclusive in that the registrant alone makes that decision, based on a legitimate claim to exclusivity. Moreover, the Court pointed to the fact that, like other forms of property, domain names are valued, bought and sold, and they are even subject to in rem jurisdiction in the US.25 It might be argued that the Court possibly overstated the function of a registration when it asserted that registering a domain name "is like staking a claim to a plot of land at the title office. It informs others that the domain name is the registrant's and no one else's." It might be contended that the registration of a domain name and an IP address primarily has a technical function, and that the entry of administrative data in the WHOIS database has numerous, albeit rather unclear, purposes.26 Disregarding this minor disagreement, the Court's remaining arguments appear reasonable, if this is the standard for a property right. However, in an international context the question is rather whether this definition of "property right" is universal. It is striking that the intermediate legal concept "property right" does not necessarily have the same meaning across, or even within, all legal systems.27 And the economic concept of "property right" can be different again.28 A comprehensive study of the legal and semantic differences between the various concepts of "property rights" across the world is beyond the scope of this article. A convenient illustration of the differences between the US and Germany can nevertheless be found in a recent decision by the German Federal Supreme Court (Bundesgerichtshof). Like the above-mentioned US case of Kremen v Cohen, this case concerned a situation in which the claimant alleged that the defendant had taken his domain name, and claimed damages.29 The defendant in this case was registered in the WHOIS database as the contact person for this domain, and the claimant wanted to change this registration to reflect his own name instead. In deciding this issue the Supreme Court considered the kind of right domain name registrants receive in a domain name. Interestingly, it found that registrants do not have a property right, or even a similar absolute right, under the provisions of the German Civil Code. The reasons given in this decision are noteworthy, because they may also have some relevance for any property rights in TLDs under German law. In order to appreciate these reasons, we must briefly explain the conceptual framework used here. Under the German Civil Code, property is limited to "things", and domain names lack the required corporeal characteristics, so there cannot be a property right as such (Eigentum) in domain names.30 However, the Civil Code also protects other similar "absolute" rights against infringement.

23 Kremen v Cohen, US Ct. of App. (9th Cir.), 25 July 2003. See also Burshtein S, 'Is a Domain Name Property?' 1 Journal of Intellectual Property Law & Practice 59-63; Rački Marinković A, 'Domain Names: Towards a New Form of IP Right' 6 Journal of Intellectual Property Law & Practice 632-7.
24 See Kremen v Cohen, ibid. The court quoted G.S. Rasmussen, 958 F.2d at 903.
25 See 15 U.S.C. § 1125(d)(2).
26 See Cojocarasu DI, Legal Issues Regarding Whois Databases (Norwegian Research Center for Computers and Law 2009).

167 Yulex 2013
This is based on a distinction between absolute rights that apply against anybody (erga omnes) and relative rights that apply only amongst the involved parties (inter partes).31 Under German law absolute rights include, in addition to ownership, a catalogue of other rights, for example certain rights in intellectual property such as copyright. Examples of relative rights include those conferred by a license to use intellectual property, applying only amongst the parties. Applying this conceptual framework, the court argued that there exists a contractually based right to use a domain name, but that this right is relative, akin to a license, rather than absolute, like a property right. The key argument against the existence of an absolute right was that the registration of a domain name is not legally exclusive, but only exclusive in the sense that others are technically excluded from the domain name, because it can only be registered once. The court did not refer to the international discourse about the role of code,32 or lex informatica,33 in regulating the Internet, but it might be said that the exclusivity of domain names is based on what in the US discourse has been called "west coast code" (computer code), rather than "east coast code" (legal code). This classification of a domain name right as a relative right does not mean or imply that a domain registrant is excluded from protection under German law.

27 Compare the US notion of property right above and the German concept presented below.
28 Regarding the economic concept of property rights see, for example, Posner RA, Economic Analysis of Law (7th edn, Wolters Kluwer for Aspen Publishers 2007), 31.
29 Bundesgerichtshof, 18 January 2012, Az. I ZR 187/10, <gewinn.de>.
30 Cf. Sections 90 and 903 of the German Civil Code.
31 See, e.g., Brox H, Allgemeiner Teil des Bürgerlichen Gesetzbuchs (18th edn, Carl Heymanns Verlag 1994) 269.
Relative rights are also protected, albeit somewhat more weakly, and there is a possibility to recover a domain name from somebody who has received it without legal basis.34 Thus, the conceptual differences in the US and Germany do not need to lead to different outcomes. The comparison of the cases shows that legal consequences are based on a more complex set of rules, and intermediate concepts, such as ownership, do not necessarily directly determine the outcome of a case. The outcome can be the same, even though one legal system accepts a property right, and the other rejects it. In fact, the German case illustrates why the discussion of property rights of domain names should be embedded in a specific conceptual framework. The abbreviated account of the decision above omitted that the Supreme Court also discussed the concept of property rights in different legal frameworks, comparing notions of “property right” in German civil and constitutional law, and European human rights law. In light of the above conclusion it might appear surprising that the Court doubted that registrants have a property right to the domain name in the sense this concept is used in the German Constitution and in the European Convention on Human Rights and Fundamental Freedoms (ECHR). These instruments employ a different concept of property rights, which do not necessarily correspond to the concept in civil law. The constitutional (and ECHR) protection of property covers both absolute and relative rights, and jurisprudence under both instruments has concluded that domain registrations can constitute property, or “possession”.35 Thus, it is difficult to discuss the intermediate legal concept of property rights in the abstract, detached from the conceptual framework of a specific legal context. In any case, the new gTLD Agreement explicitly foresees in Section 7.12 that it shall not be construed as establishing or granting any property ownership rights or interests in the TLD string. 
On the other hand, it follows from the context of the gTLD program that TLD holders are likely to acquire some other type of legally relevant position. Therefore, the next sections discuss at a concrete level what right, if any, a TLD holder acquires through a successful application for a TLD.

32 Lessig L, Code Version 2.0 (Basic Books 2006).
33 Reidenberg J, 'Lex Informatica: The Formulation of Information Policy Rules through Technology' 76 Tex L Rev 553.
34 The <gewinn.de> decision is a case in point, see above, n 29.
35 European Court of Human Rights, Paeffgen GmbH v Germany, 18 September 2007; German Federal Constitutional Court, GRUR 2005, 261, <adacta.de>.

8 License

The next hypothesis to be examined is that TLD holders might get a contractual license to a TLD. We know of licenses in many comparable contexts, including, for example, the use of a frequency in the electromagnetic spectrum for purposes such as broadcasting or wireless telephony. Government agencies can use licenses as a form of regulation that allows the agency some control over a licensee.36 These notions of "license" fit well with a dictionary definition of "license" as permission granted by a competent authority to engage in a business or occupation or in an activity otherwise unlawful.37 In addition, we use the term license outside the regulatory context, for example when certain usage rights in intellectual property are licensed. The concept of license is attractive in the domain name context, because it could enable us to conceptualize ICANN as analogous to a regulatory agency for the domain name system. Much of ICANN's management of the domain name system shows similarities to government regulation, despite ICANN's legal form as a private, non-profit corporation established under the laws of California.38 Moreover, the gTLD Registry Agreement also includes some language that could be interpreted as awarding a license.
According to its Section 2.1, a Registry Operator shall be entitled to provide specified "Approved Services". An entitlement to provide Approved Registry Services could be interpreted as a license. It could signify that the TLD holder is licensed to provide Approved Services, and this could potentially be the entitlement for which TLD applicants are prepared to pay large amounts of money. However, a detailed reading of this license might be slightly disappointing for prospective TLD holders. Initially, we should note what is not included amongst the Approved Services: the Registry Agreement does not offer the TLD holder a general license to use the TLD. Instead, the Registry Agreement lists a number of very general services, such as the receipt of data from registrars, the dissemination of zone files and the operation of DNS servers.39 These are clearly relevant to the operation of a TLD Registry, yet they do not explicitly give the TLD holder any specific right in the TLD. Moreover, it is striking to note that none of the listed services would normally require any permission. Absent an explicit prohibition, TLD applicants such as Toyota, Google or the Vatican do not need ICANN's permission or approval to provide any of these Approved Services.

36 Flanagan A, 'Authorization and Licensing' in Walden I (ed), Telecommunications Law and Regulation (Oxford University Press 2012).
37 "License." Merriam-Webster.com, last visited 23 September 2013, <http://www.merriam-webster.com/dictionary/license>.
38 ICANN is sometimes compared with a government authority, and Weber and Gunnarson have even suggested embedding ICANN in a constitutional framework; see Weber RH and Gunnarson RS, 'A Constitutional Solution for Internet Governance' 14 Colum Sci & Tech L Rev 1.
39 ICANN, New gTLD Registry Agreement (2013), Section 2.1.
Granted, without the delegation40 of the respective TLD, say <.toyota>, the TLD holder could not provide Approved Registry Services for that TLD in the official Internet root.41 Yet this practical barrier must be distinguished from the legal question of whether it would be forbidden to provide these services. No such general prohibition seems to exist. If an organization does not have the TLD <.toyota> in the official Internet root, then this is simply a practical barrier. It makes it neither illegal to receive data from Registrars nor to operate DNS servers. We need to distinguish between the permission to provide services and the factual possibility of providing them, which is determined by Internet architecture, or code in Lessig's terminology.42 The latter point is particularly pertinent because there are in fact alternative roots, outside the official ICANN-sanctioned Internet root, where registry name service could be provided without ICANN's consent.43 For example, there is an existing <.shop> TLD in an alternative DNS root.44 It is worth noting, though, that the use of such alternative roots is not particularly attractive due to the lack of network effects: few users can be reached through an alternative naming system that is not widely used.45 In summary, the provision of Approved Services would be possible and lawful without any need for a license, but it would be fairly unattractive without access to a TLD in the official Internet DNS. An interesting question is why ICANN elected to include a license to Approved Services in the Registry Agreement in the first place. This license seems slightly awkward in the above context. Is this license as meaningless and unnecessary as if a baker were to offer a license to put butter on the purchased bread? It is not. On closer inspection, this provision in the Registry Agreement does have a clearly relevant function: it limits the TLD holder's freedom of action, rather than extending it.
The provision effectively limits the set of Registry Services that can be provided by a Registry Operator to those listed in the contract. It contractually forbids the TLD holder to provide other Registry Services not agreed by ICANN. In other words, if a TLD is delegated, the Registry Operator's freedom to provide Registry Services is limited to those listed in the agreement. This means that the license element in the Registry Agreement does not address whether the TLD holder has any right to the TLD. Concomitantly, this element is not helpful in clarifying the kernel of the Registry Operator's legal interest in the TLD. Therefore, the subsequent section continues to explore whether such a right exists.

40 Delegation in the technical sense, that is, the listing of the TLD in the Internet root.
41 An exception would be the case if a TLD were delegated in an alternative root. See Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace, 54.
42 Lessig, Code Version 2.0.
43 Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace, 54.
44 See namespace's alternative root, www.namespace.us, last visited 30 September 2013.
45 Regarding network effects in the DNS context see Manheim KM and Solum LB, 'An Economic Analysis of Domain Name Policy' Loyola-LA Public Law Research Paper No 2003-14 <http://ssrn.com/paper=410640>, 47.

9 Designation as Registry Operator

TLD applicants may search in vain for an explicit right to the TLD in the Registry Agreement. The wording of the agreement simply states: "ICANN designates Registry Operator as the registry operator for the TLD, subject to the requirements and necessary approvals for delegation of the TLD and entry into the rootzone."46 It may be surprising to note that the concrete implications of this "designation" are not clearly stated in the agreement.
One aspect is that designated Registry Operators count as "contracted parties" and have special participation rights in ICANN,47 but this is not likely to be at the centre of gTLD applicants' interests. Applicants for gTLDs will likely be most interested in the following two aspects: first (and most pertinently), whether the designation of an applicant as "Registry Operator" gives this entity a subjective right to have the TLD delegated (in the technical sense); and secondly, the degree to which the designation ensures exclusive use of the TLD for the designated TLD holder. These questions are addressed in the two subsequent sections.

10 No subjective right to delegation

The Registry Agreement does not include a subjective right to delegation, but ICANN has an obligation to facilitate the delegation, limited in various ways. In principle, ICANN "shall use commercially reasonable efforts to ensure that the authoritative root will point to the top-level domain nameservers designated by Registry Operator for the TLD". In practice, ICANN's IANA department has a process for Registry Operators to submit delegation requests, which are then verified by ICANN and forwarded to the NTIA.48 However, this applies only "[to] the extent that ICANN is authorized to set policy with regard to an authoritative root server system", and this authority depends on the above-mentioned IANA contract. If a Registry Operator were given a right to the delegation of a TLD, then ICANN would be obligated to delegate the TLD.

46 New gTLD Registry Agreement, form approved by ICANN's NGPC 2 July 2013, Section 1.1.
47 See, e.g., Article X, Section 3 of ICANN's Bylaws.
48 See User Documentation on Delegating and Redelegating Generic Top-Level Domain (gTLD), available at http://www.icann.org/en/resources/registries/gtld-drd-ui-10sep13-en.pdf, last visited 30 September 2013.
The reason for not including such a right in the Registry Agreement is arguably that ICANN does not have the power to make direct changes to the Internet's root servers; it can only make a recommendation. This issue requires a closer look at the practical handling of delegations, and ICANN's limited role in them. In addition to ICANN, a delegation involves the NTIA of the US Department of Commerce and the private corporation Verisign, Inc. A comprehensive description of this collaboration between the NTIA and, respectively, ICANN and Verisign is beyond the scope of the present article. In short and slightly simplified, however, control over the authoritative Internet root zone file is based on a triangular contractual relationship between the NTIA and, respectively, ICANN and Verisign. Verisign hosts the authoritative root server, and holds the function of root "zone publisher",49 under a contract with the NTIA.50 Thus, Verisign effectuates ICANN-authorized changes to the Internet root zone file, as instructed by the NTIA. The relationship between ICANN and the NTIA is specified in the so-called "IANA functions contract". Under this contract, ICANN fulfils the function of the Internet Assigned Numbers Authority (IANA).51 To summarize, ICANN cannot directly insert a TLD into the root zone file, and any obligation to do this would be in vain. According to the IANA contract, ICANN cannot delegate a gTLD itself, but it can "submit its recommendations" to the NTIA.52 Thus, there is no certainty that the NTIA will follow ICANN's recommendation. The exact limits of the NTIA's discretion on the matter are far from clear, but it would appear that the NTIA could at least assess whether ICANN has fulfilled its contractual obligations. The IANA contract explicitly states that ICANN has to provide documentation to support the fulfilment of two cumulative criteria.53 First, ICANN has to verify that it followed its own policy framework.
This provision appears as a first safety net, as it would seem to give the NTIA at least the power to reject delegation recommendations that were adopted by ICANN in clear conflict with its own policy framework. The provision explicitly mentions that this includes whether the "process provided the opportunity for input from relevant stakeholders", so lack of an opportunity to provide input could lead to a rejection. The second criterion of the same provision54 offers the NTIA yet another safety net, as ICANN also needs to verify that the recommendation "was supportive of the global public interest". This open-ended criterion could potentially be used to reject a number of unpopular gTLD delegation requests, because the concept of "global public interest" opens for a variety of possible considerations. This is not the place to discuss the NTIA's powers regarding a delegation recommendation. It suffices to conclude that ICANN lacks the power to effectuate a delegation, and that the success of a delegation recommendation can be somewhat uncertain, although the NTIA can perhaps be expected to act upon most gTLD delegations.

49 See, e.g., Stéphane Van Gelder, blog post "Is the Risk Real With the New gTLD Program? (An Interview with Verisign)", 26 September 2013, available at http://www.circleid.com/posts/20130926_is_the_risk_real_with_new_gtld_program/.
50 See above, n 8.
51 The IANA Functions Contract is documented on the NTIA website, http://www.ntia.doc.gov/page/iana-functions-purchase-order, last visited 30 September 2013. See further Kevin McGillivray, Transfer of the IANA Functions Contract into a Cooperative Agreement (unpublished).
52 IANA contract, ibid, Section C.2.9.2.d.
53 Ibid.
This procedural uncertainty is perhaps somewhat under-communicated in the Registry Agreement's designation as Registry Operator "subject to the requirements and necessary approvals for delegation of the TLD".55 It follows from the above that the designation as Registry Operator should not be interpreted as conveying a direct subjective right to have a TLD delegated. On the other hand, the designation implies some level of exclusivity, which is addressed in the next section.

11 The exclusionary effect of a TLD

In a sense, the designated Registry Operator receives global exclusivity to the TLD for the duration of the contract, which can normally be renewed for periods of ten years. Once one entity has been designated as the Registry Operator for a TLD, no other entity can achieve the same status. This means that the respective TLD holders for <.merck> and <.app> are in practice protected against claims by other entities that also wish to acquire this TLD. This is an important point, particularly when several entities have an interest in the same name. At the time of writing, both the US and the German brand holders of "Merck" are applying for <.merck>, and they are essentially competing for the indefinite right to exclude the other from using that TLD.56 Similarly, the TLD <.app> is in fact the most applied-for TLD, with originally 12 applicants.57 Contentious applications for the same TLD string are resolved based on a combination of decision-making procedures, including priority due to legal rights or relevant community support, but can ultimately be decided via an auction.58 It is outside the scope of this paper to describe the selection process, but it seems relevant here that the winning applicant can in some sense exclude all other interested parties from the TLD. This means that no other entity can compete for the status of Registry Operator during the term of the Registry Agreement, and as long as the agreement is prolonged. The exclusivity of the TLD holder goes even beyond protection against identical TLD applications, and includes similar applications. The rules for the 2012 application process included two procedures to minimize the possibility of confusion between similar strings. First, all applied-for TLD strings were automatically examined for visual similarity with both existing TLDs and other applications.59 In addition, any existing TLD holder could file an objection for "string confusion" between an applied-for gTLD and the TLD that it operates.60 Thus, for example, Verisign has filed objections against applications for <.cam>, due to similarity with its TLD <.com>. Due to inconsistent decisions and surprising outcomes of some string similarity assessments, this topic is currently highly debated in ICANN circles.61 However, regardless of these current problems it is noteworthy that TLD holders have the possibility to defend their TLDs against applications for similar strings, and this gives them a much more comprehensive right to exclusivity than in the context of simple domain names. It does not imply, on the other hand, that all other interested parties are excluded from registering domain names in the TLD through a registrar. The possibility to register domain names is an independent, second question.

54 Ibid.
55 New gTLD Registry Agreement, Section 1.1.
56 See ICANN's overview page of gTLD application results, https://gtldresult.icann.org/applicationstatus/viewstatus, last visited 22 September 2013.
57 Some of these applicants have withdrawn in the meantime, see ibid.
The answer to the latter question depends on whether the TLD is operated as an open TLD, where registration via registrars is possible, or as a closed TLD, often called a "<.brand>", where domain names can only be registered for the TLD holder. An example of the latter group is <.toyota>, which will only be open to registrations from the automobile manufacturer. Yet even with this caveat the exclusionary effect of a TLD registry agreement is relatively strong. A TLD holder thus receives some element of global exclusivity for the TLD at the top level of the Internet naming system. This exclusivity is a practical consequence of having a TLD, rather than being based on a legal right. By comparison, a trademark holder receives a legal right to exclusivity, but this is limited to a specific geographical area and a particular context. The trademark holder has a legal monopoly right to use the trademark commercially, which means that this right is broader in scope than the exclusivity inherent in a TLD.

58 ICANN, gTLD Applicant Guidebook, Module 4.
59 See ICANN, gTLD Applicant Guidebook, Module 2, Section 2.2.1. In the 2012 application round this led, for example, to the finding that the applications for <.unicom> and <.unicorn> were too similar, so they were added to a contention set that resolves competing applications.
60 See ICANN, gTLD Applicant Guidebook, Module 3, Section 3.2.2.1. String similarity is amongst the most contentious issues of the current TLD application round, after the panels rejected similarity between singular and plural versions.
61 This issue is still under debate; see Kevin Murphy, blog post "ICANN looking into string confusion confusion" at domainincite.com, 18 September 2013, available at http://domainincite.com/14512-icann-looking-into-string-confusion-confusion.
The TLD holder can only practically exclude others from holding the role of TLD Registry Operator for the respective TLD, and has a procedural possibility to defend the TLD against similar TLDs. The TLD holder has limited policy authority over the TLD, but it does not have an exclusive right to register domain names in the TLD, except if the TLD is closed.

12 Conclusion: The Contours of a "gTLD right"?

The above discussion has shown that the legal position of a TLD holder is multifaceted and fairly complex. Nevertheless, it would be a misconception to conclude that a TLD holder is without legal protection. Based on the above we can begin to see the contours of an emerging legally relevant position, and for lack of a better name we could call it a "gTLD right". This right is contractual in nature, of limited duration but renewable,62 and contains a bundle of rights. At the centre of this bundle are ICANN's obligation to facilitate a delegation and some measure of exclusivity of the TLD. In addition, the TLD holder has special participation rights in ICANN's organs.63 This bundle of rights is subject to a number of restrictions expressed in the Registry Agreement, and can be further regulated through new policies to be adopted by ICANN in the future.64 The expression "gTLD right" is here used to describe the bundle of rights a TLD holder receives. The proposed notion is an intermediate concept that connects a number of conditions and legal consequences. It is typical of intermediate concepts that the concept itself can be omitted in legal reasoning. For example, it would be possible and useful to connect the exclusivity consequences of a TLD directly to the successful completion of a TLD application. If one were to use the phrase "gTLD right", this would simply provide a name for the intermediate status of having a TLD. Given the descriptive intent here, it is not meant to convey any normative argument about what rights a TLD holder ought to have.
Nevertheless, like all descriptive concepts, this one could be used as a basis for a normative discourse, for example about the future of TLD management.

62 According to Section 4.2 of the Registry Agreement (above, n 39), the agreement will be renewed for successive periods of ten years, except in cases of fundamental material breach.
63 For example, the ICANN Generic Names Supporting Organization's Council has a special house for contracted parties, where Registry Operators can have representation within ICANN's multistakeholder governance processes.
64 See Registry Agreement, Section 2.2.

The specific implications of a gTLD right depend on where in its lifecycle a TLD project is. Initially, applicants for TLDs are likely interested in achieving delegation and fighting off competing applications. Once a TLD has been delegated, TLD holders may be more interested in the exclusionary effects and in protecting the TLD. Given the renewability of the contract, ICANN cannot easily withdraw the designation except in circumstances warranting a contract termination. One justification for introducing a new intermediate concept would be the simple fact that the TLD holder's legal position currently does not have a name, despite the significant demand for new gTLDs. On the other hand, the proposed name could be problematic, because it is not used in ICANN documents. Moreover, the expression "gTLD right" simplifies a fairly complex set of issues, which could lead to confusion. In particular, it is possible that some might misunderstand the concept of a gTLD right to signify the existence of an intellectual property right. An alternative to introducing a new intermediate concept would therefore be simply to refer to the Registry Agreement as the contract that is constitutive for the TLD holder's position.
However, as the analysis above shows, large parts of the Registry Agreement primarily focus on limiting the TLD holder's right to the TLD, rather than clearly stating the TLD holder's rights. Moreover, the bundle of rights and entitlements of a TLD holder includes protection for the TLD that is based outside the Registry Agreement.65 In particular, the protection against similar TLD applications and the special participation rights in ICANN's organs transcend the ambit of a usual contractual relation. Therefore, the use of the expression "gTLD right" might be warranted.

65 The possibility to protect the TLD against new similar TLDs is not included in the Registry Agreement, but it follows from the procedures for applying for a gTLD, as specified in the Applicant Guidebook.

Consumers and International Online Services: The Amazon and Netflix Agreements1
Olav Torvund

The terms of Netflix and Amazon illustrate how consumers are often deprived of rights when they enter into agreements online. It is often difficult to determine where a case would have to be heard and which country's law applies. The result is that it becomes difficult to enforce the rights one might have. International agreements are not for amateurs.

Netflix and Amazon

Netflix and Amazon have each, in their own way, illustrated some of the problems consumers can encounter when using international online services. Among other things, Netflix requires in its agreement that customers waive the right to bring a case before the courts and that disputes be decided by arbitration in Delaware. Amazon reserves the right in its terms to delete everything one has bought for the Kindle if, in Amazon's assessment, one has breached any of the licence terms. They do not refund what one has paid for but does not get to keep. And they refuse to explain what kind of breach of the licence terms a customer has supposedly committed. It sounds familiar. It sounds like what Franz Kafka described in the novel "The Trial".
That Amazon reopened the account after the media uproar, still without giving any explanation, does not change this. Netflix has apparently said that they did not intend to deprive Norwegian customers of the right to sue in Norway. But I can only repeat what I usually say when someone says "we did not mean it that way": If you do not mean it, then there is no reason for it to be in the contract either.

We must start with some simple starting points. Once you have clicked to confirm that you have read the contract terms and accept them, you start out uphill. That you did not read the terms before you accepted them is your problem. Whether you are in good or bad company when you accept without reading what you accept, I shall leave unsaid. But you are in any case in large company. I have read a number of such terms for professional reasons. But when I act as a consumer, I do as everyone else: I accept without reading the long and often rather unreadable terms.

1 The article is also available on digi.no under the title «Dette er ikke for amatører» (This is not for amateurs).

Jurisdiction: where should a dispute be heard?

A first question is where you should bring a case. Home ground matters far more in a legal dispute than in a football match. The party with the power usually demands that the case be heard on its home turf. The question of where a case should be brought is a question of jurisdiction. Netflix says that cases shall be settled by arbitration in Delaware. Arbitration is a form of private adjudication that is widely used in commercial agreements. But it prevents a case from coming before the ordinary courts. In Norway, under § 11 of the Arbitration Act (voldgiftsloven), no advance agreement on arbitration can be entered into in consumer cases, but arbitration can be agreed once a dispute has arisen.

Seen from a distance, we think that the USA is the USA, and we laugh at Americans who think that Europe is Europe. They have not even heard of the EEA Agreement! But much of the legislation in the USA is enacted at state level. Delaware is a small state on the east coast. It is known for its company-friendly legislation.
That is why very many companies in the USA are registered in Delaware. For those of us who occasionally visit the USA, it can also be useful to know that Delaware is one of the few states in the USA without sales tax, which makes it a nice place for shopping. But that has nothing to do with online shopping.

Amazon in Europe is a company in Luxembourg. We think we are dealing with a company in England. But there are only English, French, German, Italian and Spanish websites. If we are to sue Amazon in Europe, the case must be brought in Luxembourg, according to Amazon's terms.

As a starting point, the parties to a contractual relationship can themselves decide where a case is to be heard. It may be in one of the countries where the parties are based, but a third country can also be agreed. In international commercial relations it is not at all unusual to agree that a case shall be brought in London, even though neither party conducts its business there. It is the court where a case is brought that decides whether it is competent or not, that is, whether it has jurisdiction. If a case is brought before Oslo District Court (Oslo tingrett), it is Oslo District Court that decides whether it is the right forum, and the question is decided under Norwegian venue rules. If Oslo District Court were to find that the case belongs before an English court, it will dismiss the case. This can be reviewed within the Norwegian court system, but not by a foreign court. And a Norwegian court obviously cannot order an English court to hear the case. The English court decides that itself. Correspondingly, a Norwegian court can decide that it is competent and hear the case, even if the courts of other countries were to conclude that the case does not fall under Norwegian jurisdiction.

One thing is to obtain a judgment. Another matter is what the judgment is worth, in practice whether it can be enforced. Some countries have jurisdiction rules that clearly favour their own citizens. It is hardly a surprise that the USA and France are among the countries that go furthest here.
Briefly and imprecisely, France has rules which mean that a Frenchman should not have to put up with being sued anywhere other than before a French court. And a Frenchman should be able to bring a case against anyone before a French court, wherever in the world the defendant may be. Vive la France! Should a Frenchman bring a case against a Chinese company before a French court, it will hardly help to turn up in China with the French judgment and demand that it be enforced in China against the Chinese defendant, any more than one can turn up with a Chinese judgment and demand that it be enforced in France.

We have some international conventions on the recognition and enforcement of foreign judgments. The one that matters most in practice for this area is the Lugano Convention, which regulates the relationship between the EEA countries and Switzerland. This is really an extension of the Brussels Convention, later the Brussels Regulation. But these apply only within the EU, so the Lugano Convention is an extension of them. But even though there are not so many EEA countries, all EU countries are parties to the EEA Agreement, together with the European great powers Norway, Iceland and Liechtenstein. Under Article 16 of the Lugano Convention, a consumer can bring a case against a trader with whom he has entered into an agreement in the country where he lives. And the consumer must be sued in the country where the consumer lives. There are a number of nuances and technicalities here, but I will not go into them further. A Norwegian consumer can, in other words, bring a case against Amazon in Europe in Norway, and Luxembourg is obliged under the convention to enforce such a judgment in Luxembourg. But we will be at the mercy of enforcement in the country in question. I know nothing about how effectively consumer rights can be enforced in Luxembourg. But as an example, I mention that it has proved difficult to enforce consumer cases against Ryanair, because Irish enforcement of such cases in Ireland is not very effective.

Against Netflix it becomes more difficult. We have no convention regulating this in the relationship between Norway and the USA.
A Norwegian court would probably consider itself competent and hear a case against Netflix. There is no doubt that Netflix markets itself to Norwegian consumers. That is usually sufficient for a Norwegian court to consider itself competent. This is also the principle applied in the USA, so they have little reason to complain that other countries apply the same rules. There are probably not so many cases where consumers in the USA sue online providers outside the USA. But one consequence of so many legal questions being handled at state level is that they have many cases where the question may be whether the case should be heard in, for example, Delaware or Ohio. There is therefore a rich body of case law on this in the USA, without my claiming to know the details in this area. If one obtains a Norwegian judgment against Netflix, it is by no means certain that one will get that judgment enforced in Delaware. But if Netflix were to have assets in Norway or in another country that recognises Norwegian judgments, one will usually be able to have the judgment enforced there. And as some Norwegian companies have learned when they have not taken what appear to be meaningless lawsuits in the USA seriously: a judgment handed down by a court in the USA can usually be enforced against whatever assets they may have in the USA.

Choice of law

But the question of which court should hear the case is only the first hurdle. The next is which country's law should be applied. There is nothing to prevent a Norwegian court from hearing a case that is to be decided under, for example, German law. The case becomes more complicated in that the parties must convince the court not only of the facts, but also of what German law is in that case. But we leave that aside. This is a question of choice of law. A court decides the choice-of-law question under its own country's choice-of-law rules. A Norwegian court will always decide the choice-of-law question itself under Norwegian law. In some areas we have clear choice-of-law rules. § 3 of the Financial Contracts Act (finansavtaleloven), for example, says
that within the scope of that Act, Norwegian law shall apply to agreements with consumers. But we have no general provisions on this in the consumer area. Here there is even less regulation by convention. Within the EU there is the Rome Regulation on the law applicable to contracts. But this is open only to countries within the EU, and there is no supplementary convention for the EEA corresponding to the Lugano Convention. Norway, as an outsider, is therefore not part of this convention.

As a starting point, the parties can agree which country's law applies. The Amazon agreement states that it is governed by the law of Luxembourg, while the Netflix agreement is governed by the law of Delaware. Under the Rome Regulation, the main rule for consumer contracts is that the law of the consumer's country of residence shall apply. It can be agreed that the law of a country other than the consumer's shall apply, but not so that the consumer is deprived of rights he would have had if the main rule of the consumer's country of residence had been followed. In a dispute with a consumer in another EU country, Amazon in Europe would have had to accept that the consumer is not placed in a worse position than under the law of his home country. Even though there will be no convention-based obligations, it is hard to see how one could object to a country outside the EU basing itself on the same principle. If a Norwegian court hands down a judgment, Luxembourg will be obliged under the Lugano Convention to enforce it. I cannot see that the choice-of-law question could be raised in such an enforcement case. Against a service provider outside the EU, for example in the USA, we will not have such footholds in the choice-of-law question.

Choice of law on the formation of the contract

There is also another important question that will have to be decided under the law of the country where the case is brought: Has any binding agreement been concluded?
If no binding agreement has been concluded, then there is no binding agreement on jurisdiction and choice of law either, regardless of what may be stated in what is claimed to be a binding agreement. The question of whether a binding agreement has been concluded will be dealt with under the law of the country where the case is heard, regardless of what the agreement may say about jurisdiction and choice of law. I will not go into the question of contractual invalidity here, only take the completely obvious: If someone points a gun at your head and forces you to sign an agreement in which you waive all rights, that any disputes are to be settled by arbitration in Mafiosistan, where your counterparty appoints the arbitration tribunal, and the whole thing is to be decided under Mafiosistani law, then you have not entered into any binding agreement. A Norwegian court can treat this as if no agreement had been concluded, and apply the rules that apply when nothing else has been agreed.

Will Norwegian law be of any help?

But if a Norwegian court were now to hear the case and apply Norwegian law, where do we end up then? Norwegian law is not necessarily the consumer's salvation. It is not hard to find examples of consumers being cheated by Norwegian service providers, and of it being difficult to get anywhere with those cases too. We have no laws regulating this type of service, so we must fall back on general contract and marketing law. Some years ago I examined the question of letting the Consumer Purchases Act (forbrukerkjøpsloven) also apply to digital products. I concluded that the Consumer Purchases Act ought to apply to this as well. But the Ministry of Justice did not agree. So no bill in line with my views was put forward. Such an act would have given the consumer rights in the Amazon case, where the files are downloaded. But a streaming service would in any case fall outside it.
I have little doubt that Amazon's term that they can delete all content upon an allegation of breach of the licence terms, without giving reasons and without refunding, would be set aside as unreasonable and contrary to § 36 of the Contracts Act (avtaleloven). The right to unilaterally amend the agreement and give notice only by posting the changes on the website (Amazon), or not giving notice at all (Netflix), will probably not be upheld either. But this goes no further than that one will be bound by the terms one accepted, but not by later changes to the consumer's disadvantage.

Under the Marketing Control Act (markedsføringsloven), the Market Council (Markedsrådet) can prohibit the use of specific contract terms it finds unreasonable. The Consumer Ombudsman (Forbrukerombudet) prepares such cases, and can negotiate with the threat in reserve that they bring the case before the Market Council if no agreement is reached. This was the Consumer Ombudsman's legal basis for taking up the fight against Apple some years ago, a case the Consumer Council (Forbrukerrådet) came out of well. The Consumer Ombudsman has said they will follow Netflix closely. But a decision by the Market Council will only prohibit the use of these terms for the future. It has no effect on agreements already concluded.

Even though it is easy to enter into an agreement, click to accept the terms and pay by credit card, international agreements are still complicated and difficult to enforce. They are not for amateurs. When global online shopping is this easy, also for amateurs, it is not surprising that some feel caught in a trap when problems arise. Legislation at the international level is complicated and takes a very long time. The EU's supranational character makes it somewhat easier to issue consumer protection rules that at least apply within the EU/EEA area. A regulation on consumer protection cooperation has been adopted, which has also been made part of the EEA Agreement. The solutions they choose are not necessarily the ones we would have chosen ourselves. But it at least provides rules that work within its area.
It is a long way to go before we have international consumer protection that works as effectively as international online shopping -- if we ever get there.