ART. 17 OF THE DIGITAL SINGLE MARKET DIRECTIVE: IS THERE A PLACE FOR THE RIGHT TO DATA PROTECTION?
The Copyright Digital Single Market Directive (CDSM Directive) remains to be one of the most discussed topics in European Intellectual Property Law since the time of its adoption in 2019. Furthermore, over the course of time the debates around it do not subside rather escalate.
One of the reasons is indeed the controversial Article 17 (Art. 17) which inter alia brings a shift in intermediary liability system which has remained unchanged for almost 20 years since the introduction of E-Commerce Directive. Now, according to Art. 17, Online Content Sharing Service Providers (OCSSPs) – such as Facebook, YouTube, Instagram, etc. – should enter into license agreements with rightholders and, arguably, to enact automated content recognition systems that would track the copyright-infringing content online (otherwise OCSSPs will be recognized as performing an unauthorized act of communication to the public).
It is considered that the obligation to enact filtering technologies would disproportionately restrict individuals’ fundamental rights and freedoms including but not limited to right to data protection. Further it is explained why and how.
Automated decision-making and unlimited processing of personal data: potential threats
First and foremost, the CDSM Directive itself establishes that the processing of personal data should be carried out in accordance with e-Privacy Directive and General Data Protection regulation (GDPR). It is considered that in case of OCSSPs and Art. 17, users of uploaded works – even if not in all cases, then in most of them, – will be required to register on the platform and create a personal account that would contain personal information linked to a particular user. In turn, when filtering software would process an upload at issue, personal data will be processed as well – simply because metadata is necessary for successful processing handled by filtering software.
The Court of Justice of the European Union (CJEU) jurisprudence has previously established that filters which lead to the monitoring of all information of all users should equate to the prohibited general monitoring under Art. 15 of E-Commerce Directive. Consequent question is whether filtering software under Art. 17 would be technically capable of processing only selected pieces of relevant information, instead of processing all of it (spoiler: no, as such a technological solution just does not exist so far).
In fact, Art. 17 does not impose an obligation on OCSSPs to limit the exercise of filtering mechanisms neither in time, nor in quantity. Therefore, despite the prohibition to process personal data under Art. 17(9), it seems that filtering mechanisms will inevitably lead to the automated processing of data without any limitations in time or type. Such an approach is void in light of EU primary and secondary law, as well as European Court of Human Rights (ECtHR), the jurisprudence of which has established that “never-ending surveillance and technical measures constitute prior restraint” (which is allowed only in exceptional circumstances and cannot be exercised on a permanent basis).
In fact, there is a consequent question whether processing of all information of user would respect the principle of data minimization set in Art. 5(1)(c) GDPR. Presumably, it will not. Excessive amount of personal data processed (i.e. all information provided during the process of registration on the platform) would barely amount to “adequate, relevant and limited” data in relation to the purpose of processing. As a result, users’ freedoms and legitimate interests would be disproportionately restricted.
In such a case, data subject should be given a right to contest the decision and actions of data controller, express its views and ask for a human review. Art. 17, in the sense of paragraph 9, technically provides such an opportunity, however, it is doubtful whether a complaint and redress mechanism applied only ex-post is sufficient in order to properly safeguard users’ freedoms and secure impartiality.
Despite the fact that the deadline for CDSM Directive’s transposition has expired on 7th June, by now CDSM Directive has been fully adopted only in four member states (MSs) (the Netherlands, Hungary, Germany and Malta) – and it is worth mentioning that transposition strategies vary tremendously, thus, calling the aim of the CDSM Directive – i.e. to contribute to the copyright harmonization across the EU and to successfully expand the EU single market from physical realm to digital – in question.
MSs presumably postponed their draft implementation laws because of waiting for Advocate General Saugmandsgaard Øe (AG) opinion on Polish legal action brought to CJEU for annulment of particular provision of Art. 17.
On July 15, 2021 AG released his Opinion, advising CJEU to rule that Art. 17 is compatible with the Charter and should not be annulled (see CJEU press release here). And while MSs continue to come up with diametrically opposite transposition strategies, it seems that long-sought EU harmonization could finally get off the ground in the short future provided that CJEU will follow AG at least on the key issue of compatibility between Art. 17 and the EU Charter of Fundamental Rights.
Author: Jana Beguna
 Julia Reda, Joschka Selinger and Michael Servatius, “Article 17 of the Directive on Copyright in the Digital Single Market: a Fundamental Rights Assessment”, Gesellschaft für Freiheitsrechte e.V. (2020): p. 49.
 Felipe Romero Moreno, “‘Upload filters’ and human rights: implementing Article 17 of the Directive
on Copyright in the Digital Single Market,” International Review of Law 34:2 (2020): 169.
 DSM Directive Implementation Tracker, available at: https://www.notion.so/DSM-Directive-Implementation-Tracker-361cfae48e814440b353b32692bba879