Παρασκευή 29 Φεβρουαρίου 2008

Τα RFID-Tags και η προστασία της ιδιωτικότητας








Η ανίχνευση ραδιοσυχνοτήτων είναι μια αυτόματη μέθοδος ταυτοποίησης που βασίζεται στην αποθήκευση και αυτόματη ανάκτηση δεδομένων μέσω συστημάτων αναγνώρισης με ραδιοσυχνότητες (RFID tag) ή ανεπαφικών πλινθίων (RFID chips) ή πομποδεκτών. Ένα τέτοιο σύστημα αποτελείται από ένα ηλεκτρονικό κύκλωμα που τοποθετείται σε ένα αντικείμενο, το οποίο αποθηκεύει τον σειριακό αριθμό αναγνώρισης και άλλες πληροφορίες, και έναν δέκτη που εντοπίζει το κύκλωμα και "διαβάζει" τα στοιχεία που το κύκλωμα αποθηκεύει.

Η ανάγνωση δεδομένων από το RFID tag γίνεται από απόσταση 10 εκατοστών έως και μερικών μέτρων, με τη βοήθεια ενός αναγνώστη. Επίσης, διακρίνονται σε παθητικά και ενεργητικά, από τα οποία τα πρώρα τροφοδοτούνται με ενέργεια από τον πομποδέκτη, ενώ τα δεύτερα, έχουν αυτόνομη τροφοδοσία.

Οι εφαρμογές των RFID tags διευρύνονται συνεχώς, τελευταία δε χρησιμοποιούνται στα βιομετρικά διαβατήρια της ΕΕ, ενώ αναμένεται να διευρυνθεί περαιτέρω η χρήση τους.

Παρά τα θετικά στοιχεία που προσφέρει η τεχνολογία αυτή, συνεπάγεται μια σειρά από προβλήματα που πρέπει να αντιμετωπισθούν. Πέρα από τα προβλήματα ασφάλειας δεδομένων που μπορούν να προκύψουν από την υποκλοπή δεδομένων (skimming), η οποία συνιστά σημαντικό κίνδυνο, ανακύπτουν ζητήματα προστασίας προσωπικών δεδομένων

Το δίκαιο προστασίας προσωπικών δεδομένων, δηλ. ο ν. 2472/1997 στη χώρα μας, ο οποίος
αποτελεί την πράξη εφαρμογής της οδηγίας 95/46/ΕΟΚ, βρίσκει εφαρμογή όταν τα εν λόγω κυκλώματα έχουν αποθηκευμένα προσωπικά δεδομένα ή όταν δεν έχουν αποθηκευμένα τέτοια δεδομένα, αλλά χρησιμεύουν στην ταυτοτοποίηση φυσικών προσώπων.

Σε αυτή την περίπτωση, η επεξεργασία προσωπικών δεδομένων πρέπει να λαμβάνει χώρα με σεβασμό των κανόνων του δικαίου προστασίας των εν λόγω δεδομένων (βλ. σχετικά Article 29 Working Group, Working Document on data protection issues related to RFID technology). Ειδικότερα, πρέπει να εξασφαλίζεται ότι τα δεδομένα είναι πρόσφορα, αναγκαία και όχι περισσότερα από όσα χρειάζεται για την επίτευξη του σκοπού της επεξεργασίας, να είναι ακριβή και να μη διατηρούνται για περισσότερο από όσο απαιτείται (βλ. άρθρο 4 ν. 2472/1997). Επίσης, θα πρέπει να διασφαλίζεται η ασφάλεια δεδομένων, κατά τρόπο ώστε να είναι αδύνατη η υποκλοπή δεδομένων, πράγμα που γίνεται με τη χρησιμοποίηση κρυπτογράφησης.

Επιπλέον, η επεξεργασία θα πρέπει να είναι νόμιμη, δηλ. σύμφωνη με το άρθρο 5 του ν. 2472/1997, που σημαίνει ότι θα πρέπει να στηρίζεται στη συγκατάθεση του υποκειμένου των δεδομένων, ή σε κάποια άλλη προϋπόθεση, όπως το έννομο συμφέρον του υπεύθυνου της επεξεργασίας. Επίσης, θα πρέπει να ενημερώνονται τα υποκείμενα των δεδομένων για την επεξεργασία και τις επιμέρους συνθήκες αυτής.

Σε ειδικές περιπτώσεις, θα πρέπει να γίνει στάθμιση των εκάστοτε δεδομένων. Έτσι, λ.χ., η παρακολούθηση των εργαζομένων με παρόμοια συστήματα δεν μπορεί να θεωρηθεί θεμιτή μέθοδος, ενώ η χρήση της για την παρακολούθηση της μετακίνησης προσώπων θα είναι οριακά νόμιμη, εφόσον και μόνο εξυπηρετεί έναν θεμιτό και νόμιμο σκοπό. Γίνεται μνεία της υπ΄αριθ. 52/2003 απόφασης της Αρχής, με την οποία σε συναφή περίπτωση, κρίθηκε μη νόμιμη η επεξεργασία βιομετρικών στοιχείων με σκοπό την ασφάλεια των πτήσεων (βλ. ΠοινΔικ 2004, 37).

Σημαντική είναι η δράση της Ευρωπαϊκής Επιτροπής, η οποία δεν έχει μείνει απαθής μπροστά στα ζητήματα που ανακύπτουν από τις εφαρμογές της νέας αυτής τεχνολογίας, αλλά κινητοποιεί τους ενδιαφερόμενους φορείς μέσα από τον δικτυακό τόπο Information Society. Ειδικότερα, η Επιτροπή διοργάνωσε ημερίδες και ειδικές δράσεις για το ζήτημα, αλλά και διαβούλευση μέσω του δικτυακού τόπου www.rfidconsultation.eu, ενώ οργανώνει δημόσια διαβούλευση στην οποία μπορεί κάθε ενδιαφερόμενος να συμμετέχει (κάνε κλικ εδώ).

Ιωάννης Ιγγλεζάκης

Πέμπτη 28 Φεβρουαρίου 2008

Συμφωνία Στρατηγικής Συνεργασίας Ελληνικής Κυβέρνησης και Microsoft

Με το ν. 3640/2008 (βλ. το κείμενο του νόμου) κυρώθηκε η συμφωνία στρατηγικής συνεργασίας μεταξύ της Ελληνικής Δημοκρατίας και της εταιρίας Microsoft. Σύμφωνα με την αιτιολογική έκθεση του Νόμου, η συμφωνία αυτή πρόκειται να αποφέρει οικονομικά οφέλη για τη χώρα μας, αλλά και την επιτάχυνση των στόχων της ψηφιακής στρατηγικής. Στη συμφωνία προβλέπεται η ίδρυση κέντρου καινοτομίας, στο πλαίσιου του οποίου θα αναπτυχθούν τεχνολογίες λογισμικού, αλλά και συμμετοχή της ακαδημαϊκής κοινότητας στις δράσεις της παραπάνω εταιρίας.
Κεντρικό σημείο της συμφωνίας είναι η παροχή αδειών της Microsoft, τις οποίες θα αποκτά το Ελληνικό Δημόσιο μέσω διαγωνισμών, αλλά και η συμβολή της στην παροχή τεχνογνωσίας για την ανάπτυξη της ηλεκτρονικής διακυβέρνησης, με την υποστήριξη της κεντρικής κυβέρνησης, αλλά και των δήμων, στους οποίους παρέχονται δωρεάν εργαλεία λογισμικού για την ανάπτυξη εφαρμογών ηλεκτρονικής διακυβέρνησης.
Είναι αναντίρρητο ότι παρόμοιες συμφωνίες παρέχουν πολλά πλεονεκτήματα για το Δημόσιο, καθ' όσον θέτουν τις βάσεις για τη συνεργασία με τον γίγαντα του λογισμικού που είναι η εταιρία Microsoft.
Ωστόσο, είναι επίσης γεγονός ότι η ηλεκτρονική διακυβέρνηση μπορεί να προωθηθεί και με την αξιοποίηση του ανοικτού λογισμικού ή λογισμικού ανοικτού κώδικα (open source software), λύση την οποία έχουν ήδη υιοθετήσει κυβερνήσεις και οργανισμοί τοπικής αυτοδιοίκησης, στο εξωτερικό. Ειδικότερα, με τη χρήση του ανοικτού λειτουργικού συστήματος LINUX και λογισμικού εφαρμογών που θα στηρίζεται στη φιλοσοφία του ανοικτού και ελεύθερου λογισμικού, μειώνεται αισθητά το κόστος υλοποίησης σχετικών εφαρμογών και παύει η εξάρτηση από εταιρίες ιδιοκτησιακού λογισμικού.
Κατά την άποψή μας, συνεπώς, η αξιοποίηση των ωφελημάτων από την παραπάνω συμφωνία και από τη συνεργασία με την παραπάνω εταιρία, θα πρέπει να λαμβάνει χώρα, παράλληλα με την αξιοποίηση των πλεονεκτημάτων που παρέχει και το ανοικτό λογισμικό.

Ιωάννης Ιγγλεζάκης

Νέα καταδίκη της Microsoft από την Ευρωπαϊκή Επιτροπή για παραβίαση ανταγωνισμού

Η Επιτροπή επέβαλλε πρόστιμο 899 εκ. ευρώ σε βάρος της εταιρίας Microsoft λόγω μη συμμόρφωσης με προηγούμενη απόφασή της, από τον Μάρτιο του 2004 (βλ. IP/04/382). Με την απόφασή της, ειδικότερα, η Επιτροπή διαπιστώνει ότι η παραπάνω εταιρία έθετε υπερβολικές χρεώσεις για την παροχή πρόσβασης στην τεκμηρίωση των συστημάτων διασυνδέσεων για διακομιστές work group. Η προηγούμενη απόφαση επικυρώθηκε με απόφαση του ΠΕΚ τον Σεπιτέμβριο (βλ. CJE/07/63), στην οποία κρίθηκε ότι η εν λόγω εταιρία προέβη σε κατάχρηση δεσπόζουσας θέσης, σύμφωνα με το άρθρο 82 ΣυνθΕΚ και με την οποία η τελευταία υποχρεώθηκε να παρέχει πληροφορίες για τα συστήματα διασυνδέσεων σε διακομιστές work group, σε λογικές τιμές. Σύμφωνα με την Επίτροπο Neelie Kroes, η εταιρία Microsoft, ήταν η μόνη εταιρία που δεν συμμορφώθηκε με απόφαση της Επιτροπής.


Για περισσότερες πληροφορίες βλ.

http://ec.europa.eu/comm/competition/antitrust/cases/microsoft/index.html

Δευτέρα 25 Φεβρουαρίου 2008

ΠΡΟΣΩΠΙΚΑ ΔΕΔΟΜΕΝΑ ΣΕ DVD

Ευρεία δημοσιότητα έχει λάβει η άσκηση ποινικής δίωξης κατά των προσώπων που διακινούσαν ή εμπλέκονταν στη διακίνηση του DVD με απόσπασμα από οπτικοακουστικό υλικό, στην υπόθεση που έχει γνωστή ως "υπόθεση Ζαχόπουλου".

Από όσα διαρρέουν στον Τύπο, διαφαίνεται ότι ο ν. 2472/1997 χρησιμοποιείται - "εργαλειακά", θα λέγαμε - για την απόδοση κατηγοριών σε βαθμό, μάλιστα, κακουργήματος. Εδώ θα πρέπει να γίνουν ορισμένες διευκρινίσεις.

Ειδικότερα, δεν ερευνήθηκε και δεν τεκμηριώνεται, εάν εφαρμόζεται στη συγκεκριμένη υπόθεση ο ν. 2472/1997 και αν, συνεπώς, δύνανται να ασκηθούν ποινικές διώξεις με βάση το νόμο αυτό. Για να εφαρμόζεται ο παραπάνω νόμος, θα πρέπει να υφίσταται αυτοματοποιημένη επεξεργασία ή μη αυτοματοποιημένη επεξεργασία, αλλά τα προσωπικά δεδομένα να περιλαμβάνονται σε αρχείο (άρθρο 3 § 1 ν. 2472/1997).

Έτσι, τίθεται το ερώτημα εάν η καταγραφή σε βίντεο συνιστά αυτοματοποιημένη επεξεργασία δεδομένων. Πράγματι, σύμφωνα με την κρατούσα άποψη, η εγγραφή και η αναπαραγωγή βιντεολήψεων, δεν συνιστά αυτοματοποιημένη επεξεργασία, παρά μόνο εάν χρησιμοποιείται αυτοματοποιημένο σύστημα επεξεργασίας (βλ. Dammann, σε: Dammann/Simitis, EG-Datenschutzkommentar, Baden-Baden 1997, Artikel 3, αριθ. 3), γεγονός που δεν έχει συμβεί στη συγκεκριμένη. Περαιτέρω, δεν πληρούται ούτε η δεύτερη προϋπόθεση για την εφαρμογή του ν. 2472/1997, δηλ. να περιλαμβάνεται το οπτικοακουστικό αυτό υλικό σε αρχείο, εφόσον δεν υφίσταται αρχείο, στο οποίο να περιλαμβάνεται η βιντεοκασσέτα.

Συνεπώς, η άσκηση ποινικών διώξεων με βάση το νόμο 2472/1997 είναι αστήρικτη, όσον αφορά τα συγκεκριμένα πραγματικά περιστατικά.

Ιωάνης Ιγγλεζάκης

Κυριακή 24 Φεβρουαρίου 2008

Open source software


Open source software is defined as computer software which source code is available under a license that meets the open source definition. This permits users to use, change, and improve the software, and to redistribute it in modified or unmodified form. Those rights granted to users by the licenses of open source software would otherwise be prohibited by copyright. Therefore, it becomes apparent that open source software constitutes a challenge for copyright law, which is based on the assumption that intellectual creations are to be protected with absolute rights.

The idea of free software developed out of the need expressed by programmers to be able to adapt existing software to their specific requests. That was not possible, since proprietary software was not supplied with the source code and, so, changes could not be performed. In addition, legal holders did not provide any permission to adaptation of software and so, changes in the source code would infringe author’s rights.

In order to overcome such problems, the Free Software Foundation was founded by Richard Stallman in 1983 in the USA, with the objective of developing free software, i.e. software available with source code to everyone and free of charge. The idea was to allow users of software to profit from the further development made by others, since the modifications are in turn made available free of charge.

The aim of this FSF was to promote free dissemination of software and secure this freedom in legal terms. In this context, free does not mean free of charge. According to Stallman, free software refers to freedom, not to price. And more particularly, free software is a matter of the users' freedom to run, copy, distribute, study, change and improve the software.

More precisely, four kinds of freedom for the users of the software are included in the definition of free software:

  • The freedom to run the program, for any purpose.
  • The freedom to study how the program works, and adapt it to your needs. Access to the source code is a precondition for this.
  • The freedom to redistribute copies so you can help your neighbour.
  • The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. Access to the source code is, again, a precondition for this.

To safeguard the open character of free software, a new concept was evolved, the concept of ‘copyleft’. More precisely, putting a computer program in the public domain would mean that anyone could include it in its derivative software, which could have a proprietary and not an open character, and this would contravene with the objective of free software development. Therefore, a new concept had to be invented, one that would use copyright law to protect the free character of the software. In the words of Stalmann:

To copyleft a program, we first state that it is copyrighted; then we add distribution terms, which are a legal instrument that gives everyone the rights to use, modify, and redistribute the program’s code or any program derived from it but only if the distribution terms are unchanged.

The concept of free software was further developed in 1997, with the formation of the open source concept, which is more liberal than free software and allows software to be included more appropriately in proprietary programs. This would allow the recognition of open source software by commercial software developers and as a result, lead to its wider acceptance.

In order for any computer program to fall within the qualification of open source, it should comply with the definition of open source software. In more particular, the OSD contains the following provisions:

1. Free Redistribution

The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.

An OSD license may not restrict any third party from including the software as a part of their product.

2. Source Code

The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost preferably, downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.

3. Derived Works

The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

4. Integrity of The Author's Source Code

The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.

5. No Discrimination Against Persons or Groups

The license must not discriminate against any person or group of persons.

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

7. Distribution of License

The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

8. License Must Not Be Specific to a Product

The rights attached to the program must not depend on the program's being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program's license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.

9. License Must Not Restrict Other Software

The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.

10. License Must Be Technology-Neutral

No provision of the license may be predicated on any individual technology or style of interface.

Licences

Furthermore, open source software is made available under a particular license. Currently, the OSI website lists 65 types of licenses, which are more or less restrictive, in the sense that they allow the creation of proprietary programs from the original code or keep the derivative code in control.

The most important and highly restrictive license is the General Public License. The main features of the GPL is that it is persistent, for all the derivative works must be licensed under the same GPL and has viral effect, which means that if a piece of GPL code is included in a new program incorporating both open and closed source code, then the resulting program must become open under the GPL.

The terms and conditions of the GPL

Any licensee who adheres to the terms and conditions is given permission to modify the work, as well as to copy and redistribute the work or any derivative version. The licensee is allowed to charge a fee for this service, or do this free of charge. This latter point distinguishes the GPL from software licenses that prohibit commercial redistribution. The FSF argues that free software should not place restrictions on commercial use, and the GPL explicitly states that GPL works may be sold at any price.

The GPL additionally states that a distributor may not impose "further restrictions on the rights granted by the GPL". This forbids activities such as distributing of the software under a non-disclosure agreement or contract. Distributors under the GPL also grant a license for any of their patents practiced by the software, to practice those patents in GPL software.

Section three of the license requires that programs distributed as pre-compiled binaries are accompanied by a copy of the source code, a written offer to distribute the source code via the same mechanism as the pre-compiled binary or the written offer to obtain the source code that you got when you received the pre-compiled binary under the GPL.

The right to redistribute is granted only if the distribution is licensed under the terms of the GPL and includes, or unconditionally offers to include at the moment of distribution, the source code.

Advantages of OS

It is argued that open source brings about significant advantages compared with proprietary developing projects. These refer to economic and technical rationales. Collaborative work and peer-to-peer review of open source means that research and development costs are reduced. Furthermore, the result is better quality of code and thus, open source software offers more reliability to users and software developers.

Regarding the question what motivates people to write free software it could be said that while traditional closed source programming offers immediate payoff, the open source model has some other strengths, such as customisation and bug-fixing. In more particular, the participation in an open source project is more meaningful to a programmer if it brings a personal benefit, i.e. to tailor a piece of code to suit his own project.

Of course, the motivation to write free software could not be an expression of “neighbourly love” or the necessity to treat software as public property, as the activists of the Free Software Foundation claim. Actually, the aim is to break the privileges of intellectual property and thus to ensure free exchange of information. This in turn, would weaken the position of companies like Microsoft, which act like monopolies in the software marketplace. It is a logical consequence, therefore, for such companies to feel threatened by open source initiatives.

The Legal validity of open source licenses

As the open source initiative depends on copyright, it has been long disputed whether non-proprietary licenses used to control open source works are legally valid and whether this initiative would withstand legal attacks. It is encouraging that there is a increasing number of software projects using free and opens source software licenses; sourceforge which functions as a repository for open source software lists more than 160,000 projects and 1,700,000 users.

Legal analysis of such licenses both in the States and in Europe carried out in the literature indicated their validity. The most important development is, however, that their validity has been tested before the courts and was thereby recognized.

The first case was in 2002, when a developer of non-proprietary database software named MySQL sued NuSpehre, a software company that was believed was using its source code to produce proprietary software, for copyright and trademark infringement in US district court. The case was settled out of court, and so, the GPL did not receive a judicial review, however, at the hearing Judge "saw no reason" that the GPL would not be enforceable.

The next case was the lawsuit of SCO against IBM, in which the claimant alleged that IBM was infringing its intellectual property over the UNIX kernel by including it in Linux. SCO also sent a letter to 1350 corporations using Linux warning that this was un unauthorised derivate if Unix. However, on August 10, 2007, it has been ruled out that Novell, not the SCO Group, was the rightful owner of the copyrights covering the Unix operating system. Consequently, Novell announced they have no interest in suing people over Unix, and so the legal uncertainty over Linux ended.

In another occasion, the FSF was suited in an US district court in Indiana, by a US citizen who claimed that the GPL is an illegal attempt to fix prices at zero. This case was dismissed for it did not constituted a valid anti-trust claim. Notably, the court noted that "the GPL encourages, rather than discourages, free competition and the distribution of computer operating systems, the benefits of which directly pass to consumers.

In Europe, the validity of the GPL was put to test in the courts of Germany. In 2004 the Munich District Court held that the license conditions of the GNU General Public License were standard terms of business and could be included in a contract with a commercial software company, and so it granted the claimant, netfilter/iptabels, an injunction against Sitecom, a company which distributed netfilter’s software in violation of the terms of the GPL. In another case, the gpl-violations.org project prevailed in court litigation against D-Link Germany GmbH regarding D-Link's alleged inappropriate and copyright infringing use of parts of the Linux Kernel. The court provided legal precedent, according to which the GPL is valid and will stand up in court.

"EU." - Top level domain names

On 22 April 2002, the Regulation 733/2002 of the European Parliament and of the Council on the Implementation of the Internet Top Level Domain ".eu" was adopted. It introduced the first Top Level Domain for use of the European Community. Potential domain name holders and those who will benefit, are individual residents in the EU and also, organisations and companies established within its territory.

The .eu TLD was created in order to reinforce the European brand and to promote a common internet identity for European Union citizens. Its main objective is to establish a European electronic marketplace and promote the information society within the EU.

The aforementioned Regulation is complemented by Regulation 874/2002 'laying down public policy rules concerning the implementation and functions of the .eu top level domain name and the principles governing registration' and by Regulation 1654/2005 amending Regulation 874/2004.

The 'eu.' TLD is managed by Eurid. EURid is a not-for-profit organisation, established in Belgium, and has been selected by the European Commission to operate the new .eu top level domain. It is accessible over the Internet at: http://www.eurid.eu/

ELECTRONIC SIGNATURES


I. Introduction

A modern regulatory framework regarding electronic communication and transactions is considered essential to establishing legal certainty in the field of e-commerce. Τhe nature of the Internet as an open network raises concerns about the confidentiality and security of electronic communication, which hinder the exploitation of the net as a platform for conducting commerce[1]. Electronic signatures and related services that allow data authentication can, therefore, play an important role in this aspect by ensuring security and trust in electronic transactions[2].

The European Directive 1999/93/EC lays down the rule of legal recognition of electronic signatures[3]; the Directive provides the legal framework for e-signatures and Certification Service Providers and defines two levels of security that organizations may apply to e-signatures depending on the sensitivity of the transaction, that is a) the simple e-signatures, which provide a minimum level of security and b) the advanced electronic signatures, which provide a higher level of security and can be used as a substitute of a hand-written signature[4].

In order for a signature to be qualified as an advanced signature, certain requirements should be fulfilled (Article 5 Para. 1 of the Directive). These requirements concern the technical function of the signature software and the existence of a qualified certificate, which is provided by a certification service provider who meets certain criteria. As it is obvious, the legal regulations concerning the certification of e-signatures and the accreditation of service providers are of great importance.

II. Implementation of the Directive 1999/93/EC in Greece

1. General Background

Greece implemented the European Directive 1999/93/EC by enacting specific legislation, which is complementary to the relevant provisions of civil and civil procedural law. The Presidential Decree 150/2001 (Official Journal A/125, 25-6-2001), which transposed the relevant provisions of the Directive into Greek law, establishes the principle of recognition of electronic signatures as hand-written signatures; thus, it provides for a legal framework for the provision of certification services and specifies the liability status of certification service providers. The Decree reflects faithfully the provisions of the Directive, but it also brings about considerable modifications of the provisions on the legal validity of documents and their evidential value[5].

Regulations of electronic signatures in Greece are also found in the law No. 2672/1998. Article 14 of the law allows for the exchange of public documents by electronic means, especially via e-mail. This regulation, however, did not entered into force until the enactment of the Decree 150/2001, since it presupposed a Presidential Decree regulating all details, which are necessary for the use of digital signatures[6].

2. The legal effect of electronic signatures

Article 3 provides that advanced electronic signatures, which are based on a qualified certificate and are created by a secure-signature-creation device, are equated as to their effect, i.e. the legal validity and the probative effect, to hand-written signatures in paper documents.

Furthermore, Article 3 Para. 2 states that electronic signatures, which do not meet the above-mentioned requirements, shall not be denied legal effectiveness and admissibility.

The Decree adopts, likewise as the European Directive, a two-tier system of electronic signatures, which consists firstly, of “simple” and secondly, of “advanced” electronic signatures. Simple signatures are not denied validity solely on the grounds that they are in electronic form or are not certified. Nevertheless, simple electronic signatures can be denied recognition for any other reason. Advanced signatures, on the other hand, are treated as equivalent to manuscript signatures.

However, the precise legal effects of advanced and simple electronic signatures are not clearly defined and should be investigated.

3. Advanced electronic signatures

Firstly, regarding the legal validity of advanced electronic signatures, the law does not provide for which kinds of documents can advanced electronic signatures be used for. Therefore, one should take into account the provision of Article 7 of the Draft Law on Electronic Commerce, which will be soon enacted[7]. According to this provision, contracts can be concluded by electronic means, with the exception of: (a) contracts that create or transfer rights in real estate, (b) contracts requiring by law the involvement of courts, public authorities or professions exercising public authority and, (c) contracts governed by family law or by the law of succession.

Furthermore, as regards the probative effect of electronic signatures, it is clear that the law establishes a legal fiction, according to which, documents with electronic signature are equated as to their effect to private documents. Consequently, the advanced electronic signature in a document satisfies the concept of the private document (Article 443 of Greek Code of Civil Procedure)[8], which has probative weight on the part of the issuer, the submission of rebuttal evidence being allowed, according to the provision of Art. 445 Code of Civil Procedure.

4. Simple electronic signatures

The legal validity and the admissibility as evidence of simple signatures has been recognised in the past by the jurisprudence of Greek courts even before the enactment of the Decree[9]. The jurisprudence has recognised the probative effect of electronic documents, which are deemed as mechanical representations, according to Art. 444 par. 3 Code of Civil Procedure, which states that mechanical representations are considered as private documents, having therefore the effects of the latter under the law.

More generally, it has been ruled out that documents (e.g. bankbooks, printouts, etc.) containing records of electronic representations are considered as mechanical representations, pursuant to Art. 444 par. 3 Code of Civ. Proc[10].

However, it must be noted that prerequisite for the probative effect of electronic documents regarded as equal to private documents is the recognition or proof of their genuineness (Art. 445 Code of Civ. Proc.). In the case of an electronic document, the confirmation of the issuer of an electronic document can be attained by elements, which are functionally equivalent to a hand-written signature, such as a (simple) electronic signature.

Therefore, electronic documents, which bear an electronic signature that does not fulfil the criteria set out in the definition of the advanced electronic signature, are not denied legal effectiveness and admissibility as evidence. Simple electronic signatures can be used, thus, in deeds and contracts, which are not required to have a hand-written signature.

III. Accreditation and Supervision of Certificate Providers – Liability Issues

The Decree 150/2001 contains regulations concerning the provision of certification services, the conditions of offer for advanced certification services, the liability of certification service providers, voluntary accreditation and also, the supervision of certification service providers by the National Telecommunications and Post Commission (EETT)[11].

The specific details concerning certification services have been regulated by the Regulation No 248/71 of 15.3.2002 of the EETT. With the enactment of the Regulation, the infrastructure, which was necessary, in order to attain full operation of the certification system, has been created and the system is already working[12].

According to the principle of free market access, stated in Article 4 par. 4 of the Decree 150/2001 and in Article 3 par. 1 of the EETT Regulation, certification service providers are not subject to a prior authorisation from the state or any other measure of equivalent effect (see also Article 3 par. 1 of the Directive 1999/93).

Nevertheless, every certification service provider is obliged to notify EETT of his activity and in particular, to send a notification containing the following information, which will be recorded in the register of certification service providers with establishment in Greece: a) name/trade name, address, telephone, fax number, e-mail address, Web Page, b) legal form, legal representatives and eventually, proxy attorney, c) VAT number, d) offered services.

The EETT holds a register of certification service providers established in Greece (Article 10 of the EETT Regulation) and can control the conformity of certification service providers with the provisions of the Decree 150/2001 and the Regulation (Article 12).

More stringent provisions apply for qualified signatures. In particular, the certification service provider, who issues qualified certificates, is under the obligation to submit a statement called Certification Practice Statement to the EETT; in this statement, the provider describes the procedure for the issuance of certificates and/or the provision of other certification services (Articles 10, 2 of EETT Regulation)[13]. Furthermore, the provider should conform to the requirements set out in Annexes I and II of the Decree 150/2001, which are identical with the Annexes in the Directive 1999/93, and send a statement that he complies with these requirements and further documents.

The providers, who issue qualified certifications, are due to provide evidence that as regards the issuance of the certificates they conform with Annexes I and II of the Decree 150/2001 (Article 3 par. 3 EETT Regulation). A provider is deemed to issue qualified certificates, if he proves that the certificates, which he issues, are conformity with recognised norms and standards (Article 3 par. 4 EETT Regulation).

Furthermore, certification service providers have to keep a file in document or/and in electronic format, containing the sum of data regarding the qualified certificates that the providers issue or administer; more specifically, these data include the time of issuance, annulment, suspension and expiration (article 7 EETT Regulation).

It is also important to note that the certification service provider before the concluding of a contract with a person who applies for a qualified certificate, should inform this person about his liability and responsibility as an owner of a qualified certificate, his obligations to store and protect the signature-creation data, the consequences arising from the publication of the signature-creation data, the certification policy and the Certification Practice Statement etc. (Article 8 EETT Regulation).

The above-mentioned provisions shape the limits of the liability of the certification service provider. The latter will be held responsible, in case he does not fulfil the requirements provided for qualified certificates. It is worth noting that the burden of proof lies on the provider, not on the signatory (Article 6 of Decree 150/2001)[14].

IV. Conclusion

The Greek legal framework concerning E-signatures is developed in conformity with the terms of the Directive 1999/93/EC. The relevant provisions of the presidential Decree No 150/2001 are in force since the National Telecommunications and Post Commission (EETT) enacted the Regulation No 248/71 of 15.3.2002, which regulated specific issues concerning the certification services for e-signatures, and a market for certification has already been created in Greece.



[1] European Commission, DG XIII, Ensuring Security and Trust in Electronic Communication, Towards A European Framework for Digital Signatures And Encryption, COM (97) 503, p. 1 et seq.

[2] See J. Angel, Why use Digital Signatures for Electronic Commerce?, JILT 1999 (2)

[3] OJEC no L 13 of 19.01.2000.

[4] See C. Spyrelli, Electronic Signatures: A Transatlantic Bridge? An EU and US Legal Approach Towards Electronic Authentication, JILT 2002(2), 8-9

[5] Cf. S. Stavridou, Greek Law on E-Signatures, CRi 5/2001, 155.

[6] Cf. I. Iglezakis, Regulations of Digital Signatures. The European Directive 1999/93/EC and the National Laws, Episkopissi Emporikou Dikaiou 2000, 638 [in Greek].

[7] Cf. S. Koussoulis, Regulating Electronic Commerce, RHDI 2002, 357-358; E. Zervogianni, Recent Legal Initiatives for the Regulation of E-Commerce in Greece, RHDI 2001, 605 et seq. (609).

[8] See K. Christodoulou, Electronic Documents and Electronic Contracts, 2001, 43-73 [in Greek].

[9] See e.g. Athens Single-Member Court of First Instance 1327/2001 [payment order on the basis of an e-mail], published in: Dike International (2001) 457 ff. See also I. Iglezakis, Electronic Documents as Legal Means of Evidence in Greece, to be published in RHDI 2002.

[10] See Areios Pagos 54/1993, HellDni 1993, 600 et seq; Athens Court of Appeal 807/2000, DEE 2000, 522 et seq.; S. Koussoulis, supra Note 6, 356.

[11] See Stavridou, supra Note 5.

[12] A small number of certification service providers has been registered until 25-2-2003 in the EETT, but it is expected that this number will be increased; see www.eett.gr/gr_pages/telec/eSign/Mitroo/EsignProviders.htm.

[13] The statement contains at the minimum information about the certification services, security mechanisms, the liability of the provider, the infrastructure, privacy and consumer protection mechanisms etc., see Annex I of EETT Regulation.

[14] See D. Maniotis, The electronic formation of contracts and the liability of third parties responsible for the authenticity of the electronic document, 2003 [in Greek], p. 74.

Data protection issues in electronic commerce. The European Regulatory Framework

Paper for the 9th Consumer Law Conference, Athens 2003.

Abstract: This paper briefly examines issues concerning the protection of privacy on the Internet. It discusses the privacy risks, which are posed in the framework of e-commerce and, in particular, the issues of online data collection and online – profiling, credit scoring and online direct advertising (spamming). Also, it provides an overview of the regulatory framework in the European Union and examines the protection afforded by the EU-Directives in the context of e-commerce.

I. Introduction

The Internet is an explosive new medium, which opens up new ways of communication and information exchange between people. It also offers the potential to create new (virtual) markets for conducting commerce, which takes place on a worldwide network and across national frontiers. Electronic commerce (e-commerce) is, indeed, one of the most important applications of Internet technology[1]. Ιt is an outcome of the Internet revolution and its evolution is depending on the features of the new communications and information technologies and their consequences.

Furthermore, e-commerce is a key factor to the development of a global digital economy and presents enormous opportunities for both businesses and consumers[2]. It makes possible to trade at low cost across national frontiers and enables consumers to research, compare and finally, purchase products from their home and workplace.

However, the rapid growth of Internet and e-commerce has created increased threats to privacy, mainly due to the potential of modern technology to keep track of users’ activities on the Internet[3]. Concerns about privacy affect mostly consumers, whose personal data are collected via the Internet and analyzed in order to build detailed profiles of consumers, which are used to predict the individual consumer’s needs and purchasing habits; these profiles enable the advertising companies to target advertising to individual consumers and to their specific interests. Even when personal information is collected directly from the consumer, there is always the risk of the misuse of the data, i.e., that this would be used for other purposes than of which it was collected etc.

Moreover, rating and scoring methods used to determine the creditworthiness of consumers infringe their right to informational self-determination[4], since the consumer has no influence, whatsoever, on this procedure and is subject to a decision based solely on automated processing of data, in the sense of Article 15 Directive 95/46/EC.

Another serious threat to privacy is the flood of unwanted electronic mail (Spam). Spamming, that is the practice of sending unsolicited bulk e-mails, most frequently of a commercial nature[5], is a major annoyance for consumers, who receive large amounts of unwanted e-mails and have to bear the cost of connection time, and a threat to ISPs, who are confronted with increased costs and with users’ complaints[6].

Evidently, these information practices infringe consumers’ right to privacy and hinder the development of e-commerce, since many consumers are opposed to such an extensive collection, storing, use and potential abuse of personal data and therefore, avoid electronic transactions[7]. Therefore, data protection is an important factor in this context, for it is seen as necessary in order to guarantee the growth of e-commerce[8]. In EU-level, the Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”[9] represents the general framework for data protection. This Directive is complemented by the recently adopted Directive 2002/58/EC “on privacy and electronic communication”[10], which contains specified provisions on the use of advanced technologies, used in order to monitor Internet users’ activities on the Web, and also, on the use of automated calling systems for marketing purposes. These legal instruments provide a regulatory framework that aims at protecting fundamental rights and freedoms in particular with regard to the increasing capacity for automated storage and processing of data relating to Internet users[11]. In this paper we will survey the protection afforded by these EU-Directives in the context of e-commerce. Before that we will give a technical description of the online collection of personal data.

II. Collection of personal information on the Internet

It is well known that Internet is not secure and that all transactions that take place on the net are identifiable. The online environment allows collection and use of information by commercial sites in a far more effective and efficient way than through conventional means. Information about consumers have been available long before the rise of Internet technology through offline sources, such as credit card transactions, phone orders etc. However, this new medium has revolutionized the collection and processing of personal information. In the online environment the possibilities for storing, comparing and linking information to create a detailed picture of a customer’s interests (customer profiles) are enormous[12].

Web sites collect information about consumers for every purchase or supply of a service, such as a subscription, as a condition of payment by credit card or for shipping purposes. The consumer is under the obligation to provide personal details, in order to be authenticated, to give payment guarantees or provide his e-mail or physical address for the delivery of goods or services. Moreover, every visit on the net leaves traces that can be used, without prior knowledge of the user, to build a profile. By every visit in an online shop, every customer’s step through the store is recorded; not only the products, which are observed, but also the rank, in which products are viewed and the relevant time, are being stored[13]. Unless the consumer pays using e-cash or use privacy enhancing technologies to hide his/her IP address, there is no possibility for anonymity[14].

Web sites collect also information from consumers in exchange for a free service, such as free e-mail, stock-portfolios etc. Web sites known as “portals” offer personalized pages with selected information, once the user registers and provides his/her personal information. Some companies are offering free net access in exchange for monitoring users’ activities for advertisers.

Data collection on the Internet takes also place without the prior knowledge of the Internet user. Once the connection with a Web site has been established, the Web site starts collecting information on the visiting Internet user. The Web site is informed about the destination IP-address and also, from which page an Internet user has been transferred. This information on Web site visits is generally stored in the ‘Common Log File’. All the above-mentioned information can be used to create accumulated information on the traffic to and from a Web site and the activities of visitors. Generally, these include the following items[15]:

- Operating system

- Type and version of browser

- Protocols used for Websurfing

- Referring page

- Language preferences

- Cookies

Other devices used to trace the activities of Internet users are the so-called “cookies”. These are small text files that are placed on a user’s hard drive by the Web site that the user is visiting; they store the preferences and other data about the visit to that particular site, allowing a site to identify the user on his/her next visit, check possible passwords, analyze the path during a session and within a site, record transactions, such as articles purchased, customize a site etc[16]. It should be noted that cookies can be used across many different sites and that has led to the development of advertising network companies that track users’ surfing activities and develop profiles of their interests, which are then used to target specific advertising. Another method of tracking Internet users is the use of web bugs, which are invisible images that also place cookies etc[17].

Furthermore, one can name a whole range of ‘spyware’, i.e., software such as ActiveX, CGI-Scrit, Java and Javascript, Session-Ids etc., which can enter the users’ computer without their knowledge in order to gain access to information, to store hidden information or trace the activities of the user[18].

Consequently, these data collection methods are used from marketing companies, which collect data, e.g., by means of technological devices such as cookies and can then establish user profiles based on log file information and cookies. This information is used to customise advertisements depending on the habits and interests of consumers. Not only advertisements referring to the Web site owner of services or offers, but also those issued by third parties which have agreements to support the financial cost of running the server by displaying its publicity[19].

III. Regulations of Online Data Processing

1. Directive 95/46/EC

In the European Union, the collection and processing of personal data is governed by the Directive 95/46/EC. This Directive, which is applicable within EU-law and within the jurisdiction of the member states that have implemented it, applies unambiguously to Internet and e-commerce[20]. According to Recital No 14 of the Directive 2000/31 on electronic commerce it is the data protection directive that applies solely for the protection of individuals with regard to the processing of personal data.

The general rules of the Directive, which deserve special attention hereto, are following[21]:

The legality principle: The processing of personal data is allowed, when the conditions under which the processing is lawful are satisfied. As a basic rule, personal data may be processed only if the data subject has unambiguously given his/her consent (Article 7.a) or when one of the grounds mentioned in Article 7.b-f apply. In the context of e-commerce, processing may be justified on the ground that the data subject has given his/her consent. It could be said that any customer introducing his/her personal data in order to purchase a product or obtain a service, could be considered as consenting to the processing for this purpose[22].

The processing of personal data may also be allowed, if it is necessary for the performance of a contract to which the data subject is party, e.g. the provision of a service, or in order to take steps at the request of the data subject prior to entering into a contract (Article 7.b). Furthermore, the processing of personal data is justified where it is in the legitimate interest of a natural or legal person, provided that the interests of the data subject are not overriding (Article 7.f). This means that if the interest of a person in receiving personal data prevails over the data subject's interest not having his data processed or communicated, data may be processed.

The finality principle: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (Article 6.b). This principle is stressing the fact that processing of personal data in the online environment must serve a specific purpose, e.g. the delivery of a product, and should not take place for other purposes.

Furthermore, navigational data should in principle only be collected by ISPs insofar as they need to provide a service to the user[23]; also, software programs, such as cookies, which are used to monitor the Internet activities of users, must only be used for specific purposes, e.g., to analyse the effectiveness of Web site design and advertising etc., provided that the users are informed about their purposes[24].

Data quality and proportionality: Personal data must be accurate and kept up to date (Article 6.c). They must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6.d). Consequently, information should only be collected if it is necessary for the transaction (the scope of the processing). Personal data must also be kept in a form, which permits identification of data subjects for no longer than is necessary for the purposes for which the data are collected (Article 6.e). Therefore, once data are anonymised, they can be used for other purposes, e.g., to measure the performance of a service offered by an ISP[25].

Transparency: The data subjects must be provided with information about the purposes of the processing for which the data are intended and the identity of the controller of the data (Article 10 and 11). This principle is of eminent importance, since the speed of data flows on the Internet has as a consequence that the requirements that the data subject be informed and made aware of the processing of his/her personal data are often ignored[26].

Rights of the data subject: Outside the rules concerning the information to be given to data subjects, they have the right of access to data (Article 12), the right to object at any time on compelling legitimate grounds relating to his particular situation to the procession of data relating to him/her (Article 14) and the right not be subject to a decision, which is based solely on automated processing of data (Article 15).

Restriction of transfer of personal data to third countries: The transfer of personal data to a third country is allowed only if the third country in question ensures an adequate level of protection (Article 25) or in very limited circumstances (Article 26).

Protection of special categories of personal data: The processing of special categories of data that is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life is prohibited, unless the data subject has given his/her explicit consent or the processing is necessary for explicit reasons (Article 8). Sensitive information should not be collected from consumers, even when they consent, except in limited circumstances, where the data are collected for legitimate purposes.

2. Directive 2002/58/EC

The recently adopted Directive 2002/58/EC of 12 July 2002 aims at adapting Directive 97/66/EC[27] concerning the processing of personal data and the protection of privacy in the telecommunications sector to developments in the markets and new technology, mainly to Internet related issues as regards privacy[28].

The Directive lays down the obligation of the provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. (Article 4 paragraph 1). Furthermore, in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved (Article 4 paragraph 2). ISPs who offer electronic communication services over the Internet should inform user and subscribers of measures they can take to protect the security of communications for instance by using specific types of software or encryption technologies[29].

Article 5 § 1 the Directive states that Member States shall ensure the confidentiality of communications, including both the contents and the data related to such communications (traffic data). Listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, shall be prohibited, except when legally authorised to do so in accordance with Article 15(1). It is made clear that software, which is used to trace data transmitted via the Internet (so-called packet sniffing software) shall be prohibited and that the storage of traffic data, in order to build up users profiles, without their consent, shall also be prohibited.

However, this prohibition does not prevent technical storage, which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. This means that any automatic, intermediate and transient storage of this information may not be prohibited, in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network (from an Internet Service or Access Provider) and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed[30]. The regulation of confidentiality does not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication (Article 5 paragraph 2).

As regards the use of technological devices such as cookies, the Directive provides that only where such devices are intended for a legitimate purpose their use should be allowed with the knowledge of the users concerned[31]. Article 5 paragraph 3 states that: “Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller”.

Therefore, users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment (PC). It is also worth mentioning that information and the right to refuse may be offered once during the same connection and also covering any further use that may be made of those devices during subsequent connections.

However, such devices can be a legitimate toll, e.g., in analysing the effectiveness of Web site design and advertising. Consequently, Article 5 paragraph 3 states that the aforementioned prohibition may not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.

Furthermore, the Directive regulates the use of traffic data, i.e., data needed by the protocols to carry out the proper transmission from the sender to the recipient, consisting of information supplied by the sender (e.g. e-mail address of the recipient) and of technical information generated automatically during the processing of the transmission (e.g. date and time)[32]. According to Article 6, “traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1)”.

This Article covers all types of transmissions of electronic communications and applies, therefore on the online environment. In particular, processing of header information, data such as the session login data or the list of Web sites visited by an Internet user must be considered as traffic data[33]. Hence, online profiling on the basis of log file information is governed by the provisions of Article 6.

Consequently, paragraph 3 states that the subscriber or user has to give his consent if the provider of a publicly available electronic communications service wants to process his/her traffic data for the purpose of marketing or for the provisions of value added services. The service provider must inform the subscriber or user of the types of traffic data, which are processed for the purposes mentioned above, and the duration or such processing for the purposes of billing and interconnection payments and, prior to obtaining consent, for the purposes of marketing (paragraph 4).

3. Online direct marketing

Directive 2002/58 regulates also the use of automated calling machines, fax machines and e-mail for the purposes of direct marketing. Article 13 paragraph 1 defines that the sending of unsolicited e-mail may only be allowed in respect of subscribers who have given their prior consent. This means that the European legislator has made his choice, adopting an opt-in system.

However, this provision does not apply, when a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC. Article 13 paragraph 2 of Directive 2002/58 states that: “the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use”.

The prohibition of unsolicited e-mail is unconditional in case of unsolicited commercial e-mail disguising or concealing the identity of the sender on whose behalf the communication is made, or when there is not a valid address to which the recipient may send a request that such communication cease (Article 13 paragraph 4).

According to paragraph 5 of article 13, the aforementioned provisions of paragraph 1 and 3 will be only applicable to natural persons. However, Member States shall also ensure that the legitimate interests of subscribers other than natural persons are sufficiently protected with regard to unsolicited communications.

4. Credit scoring

Another issue that deserves attention is the issue of credit scoring. This method is used in e-commerce, where the assessment of the customers’ credit-worthiness cannot be done by interview. The solvency of a person is assessed by means of a statistical - mathematical method, which estimates the creditworthiness of a person. In the context of e-commerce, such methods are used for example, in order to apply a payment option. In more particular, some Web sites offer a different payment method (e.g. cash on delivery or only on advance), depending on the city quarter of the consumers’ domicile[34]. However, the legitimacy of this procedure is questionable, since it infringes the provision of Article 15 of the Directive 95/46, which establishes the right of every person “not to be subject to a decision, which produces legal effects concerning him or significantly affects him and which is based only on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, credit-worthiness, reliability, conduct, etc”[35].

ΙV. Conclusion

In the global information society, privacy risks are increased. Concerns about privacy affect mostly consumers, whose personal data are collected via the Internet without prior knowledge of the persons concerned. The EU-regulations, which establish general rules for the protection of personal data (Directive 95/46/EC) and specific rules for the protection of privacy in the electronic communications sector (Directive 2002/58/EC), constitute a regulatory framework that affords a high level of protection. The provisions of the European Directives impose the obligation of consumer-oriented commercial Web sites to provide consumers the choice as to how their personal data are used. This obligation extends to personal data and to data used for online profiling, such as traffic data and information contained in “cookies”. In the field of online marketing, the European legislator has adopted for an opt-in regime that respects the privacy of Internet users.



[1] W. F. Adkinson, J. Eisenach and T. Lenard, Privacy Online: A Report on the Information Practices and Policies of Commercial Web sites, Special Report, 2002, p. 1, available at .

[2] See, e.g., European Commission's Communication 'A European Initiative in Electronic Commerce', 4; COM (97) 157, available at .

[3] See COUNCIL OF EUROPE, RECOMMENDATION No. R (99) 5, For the Protection of Privacy on the Internet, available at . For an overview of the privacy risks see P. Schaar, Datenschutz im Internet. Die Grundlagen, 2002, p. 12 et seq.

[4] On the right of informational determination (informationelles Selbstbestimmungsrecht) see the decision of the German Federal Constitutional Court, BVerfGE 65, 1. In the USA, this concept has been defined as the right of control, see Alan Westin, Privacy and Freedom, 1967, p. 208.

[5] Commission Nationale de l’Informatique et des Libertés, Electronic mailing and data protection, October 14, 1999. W.K. Khong, Spam Law for the Internet, 2001 (3) The Journal of Information, Law and Technology, available at

[6] J. Kabel, Spam: A Terminal Threat to ISPs? Computer und Recht international 1/2003, p. 6 et seq.

[7] Consumers International, Privacy@net. An international comparative study of consumer privacy on the Internet, 2001, p. 5.

[8] P. Blume, Data protection issues with respect to e-commerce, Computer und Recht international 1/2001, p. 11 et seq.

[9] OJ L 281, 23.11.1995, p. 31.

[10] OJ L 201, 31.7.2002, p. 37.

[11] See, e.g., Directive 2002/58/EC, Recital No 7.

[12] Consumers International, op. cit., p. 12.

[13] H. Buxel, Die sieben Kernprobleme des Online-Profiling aus Nutzerperspektive, Datenschutz und Datensicherheit 2001, p. 579.

[14] Article 29 - Data Protection Working Party, WP 37 ‘Privacy on the Internet - An integrated EU Approach to On-line Data Protection’, p. 66, available at <http//:europa.eu.int/Comm/internal_market/media/dataprot/wpdocs/wp37en.pdf>

.

[15] Article 29 - Data Protection Working Party, WP 37, p. 42.

[16] Article 29 - Data Protection Working Party, WP 37, p. ibid.

[17] R. Hillenbrand-Beck and S. Greß, Datengewinnung im Internet. Cookies und ihre Bewertung unter Berücksichtigung der Novellierung des TDDSG, Datenschutz und Datensicherheit 2001, p. 389 (390); Consumers International, p. 28.

[18] Directive 2002/58/EC, Recital No 24; M. Köhntopp and K. Köhntopp, Datenspuren im Internet, Computer und Recht 2000, p. 248 et seq.

[19] Article 29 - Data Protection Working Party, WP 37, p. 67.

[20] Blume, op. cit., 12.; Schaar, op. cit., p. 34.

[21] See, e.g., Schaar, op. cit., p. 38.

[22] S. Louveaux, Privacy Issues (Esprit Project 27028), p. 11, .

[23] Article 29 - Data Protection Working Party, WP 37, p. 48.

[24] Directive 2002/58/EC, Recital No 25.

[25] Article 29 - Data Protection Working Party, WP 37, p. 48, 49.

[26] Article 29 - Data Protection Working Party, WP 37, p. 47.

[27] OJ L 24 of 30.1.1998, p. 1.

[28] Directive 2002/58, Recital No 4.

[29] Directive 2002/58, Recital No 20.

[30] Directive 2002/58, Recital No 22.

[31] Directive 2002/58, Recital No 24, 25.

[32] M. V. Perez Asinari and S. Louveaux, Proposal for a directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2000 COM (2000) 385, p. 6, .

[33] Op. cit., p. 7.

[34] J. Möller and B. -C. Florax, Kreditwirtschaftliche Scoring-Verfahren, MMR 2002, p. 809.

[35] Op. cit., p. 806 et seq.