IT Security as a Fundamental Right in Europe - and as a Justification in Competition and Intellectual Property Law?

Dennis Jlussi

Conference Proceeding: 01/2010; In proceeding of: EICAR Annual Conference, At Paris

Abstract

The European Convention on Human Rights and the EU Charter of Fundamental Rights provide provisions for privacy and data protection. The German constitutional court has developed a new fundamental right sui generis, providing a right for privacy and integrity of IT systems. It also focused on IT security aspects when it avoided the German implementation of the EU data retention directive recently. Security of IT systems is therefore moving towards being a direct object of protection by fundamental rights in Europe. This is going to improve the legal weight of IT security measures, which will have to be considered justified, even if they appear to be unlawful at first glance.

Page 1
IT Security as a Fundamental Right in
Europe - and as a Justification in
Competition and Intellectual Property
Law?
Dipl.-Jur. Dennis Jlussi
EICAR Paris, 10 May 2010
Page 2
TOC
• Introduction: About the IRI and myself
• Look back: Cybercrime Convention and Justifications
• Possible violations of Intellectual Property law
• Possible violations of Competition Law
• Justifications in law?
• Fundamental rights development
• Fundamental rights as a justification?
Page 3
About the IRI
• Since 1983 – the first IT law institute in Germany, among the first
ones in Europe
• Areas of law (incomplete): IT contracts, IT security, IT procurement, Privacy &
Data Protection, eCommerce, Copyright and Open Source, Geodata, Cybercrime,
Health Data, Patents, Telecommunications, Press/Media…
• 2 chairs, around 40 institute members
• 10 close European Partnerships
• Bologna, Glasgow, Leuven, London, Namur, Oslo, Rovaniemi, Stockholm, Vienna,
Zaragoza
• Teaching
• Specialisation Studies (SP7), EULISP (int. Master/LL.M.), In Situ (int. Summer
School), GR.I.T. (Executive). Coming soon: int. Bachelor Programme
• Research
• Third-Party-Funding by public and private entities
Page 4
About Myself
• Studies of Political Science and Law in Potsdam and Hannover
• Since 2007 member of the IRI
• Focus:
• IT Security Law
• Data Protection in Telecommunications
• eCommerce
• Research on Cybercrime Convention / German Penal Law
at Volkswagen AG (CISO)
• Today’s topic is “work in progress”
Page 5
Look back: Cybercrime Convention and Justification
• EICAR Information Security Summit, Munich 2007
• EICAR Conference, Laval 2008
• EICAR publications by Christian Hawellek and myself on risks
in penal law.
Page 6
CoE Convention on Cybercrime
• Signed in Budapest in 2001
• Entry into force 2005
• 46 signatory states
• including all EU member states
• including Canada, Japan and the U.S. (CoE observer members)
• 28 ratifications (as of 19 March 2010), including France and Germany
• “Core” cybercrime in Articles 2-6
• Articles 2 to 5 also transposed into EU law
(Framework Decision 2005/222/JHA)
• Other offences, Liability, Procedure
• Is international public law → no direct effect, requires implementation
Page 7
Cybercrime Convention: Substantive Provisions
• Article 2: Illegal Access
• Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law,
when committed intentionally, the access to the whole or any part of a
computer system without right. A Party may require that the offence
be committed by infringing security measures, with the intent of
obtaining computer data or other dishonest intent, or in relation to a
computer system that is connected to another computer system.
Page 8
Cybercrime Convention: Substantive Provisions
• Article 3: Illegal Interception
• Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law,
when committed intentionally, the interception without right, made
by technical means, of non-public transmissions of computer data to,
from or within a computer system, including electromagnetic emissions
from a computer system carrying such computer data. A Party may
require that the offence be committed with dishonest intent, or in
relation to a computer system that is connected to another computer
system.
Page 9
Cybercrime Convention: Substantive Provisions
• Article 4: Data Interference
(1) Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law,
when committed intentionally, the damaging, deletion, deterioration,
alteration or suppression of computer data without right.
(2) A Party may reserve the right to require that the conduct described in
paragraph 1 result in serious harm.
Page 10
Cybercrime Convention: Substantive Provisions
• Article 5: System Interference
• Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law,
when committed intentionally, the serious hindering without right of
the functioning of a computer system by inputting, transmitting,
damaging, deleting, deteriorating, altering or suppressing computer
data.
Page 11
Cybercrime Convention: Substantive Provisions
• Article 6 – Misuse of devices
(1) Each Party shall adopt such legislative […] measures […] necessary to establish as
criminal offences […], when committed intentionally and without right:
a) the production, sale, procurement for use, import, distribution or otherwise
making available of:
i. a device, including a computer program, designed or adapted primarily for
the purpose of committing any of the offences established in accordance
with Articles 2 through 5;
ii. a computer password, access code, or similar data by which the whole or
any part of a computer system is capable of being accessed,
with intent that it be used for the purpose of committing any of the offences
established in Articles 2 through 5; and
b) the possession of an item […], with intent that it be used for the purpose of
committing any of the offences established in Articles 2 through 5. […]
(2) This article shall not be interpreted as imposing criminal liability where the
production, sale, procurement for use, import, distribution or otherwise making available
or possession referred to in paragraph 1 of this article is not for the purpose of
committing an offence established in accordance with Articles 2 through 5 of this
Convention, such as for the authorised testing or protection of a computer system.
Page 12
Cybercrime Convention: Justification
• For Articles 1-5
• Authorisation by the owner of the computer system/data
• For article 6
• If for authorised testing, no criminal intent.
• News since 2008
• German Constitutional Court
• Decision of 18 May 2009 (non-acceptance of constitutional
complaints)
• Very close to what we presented
Page 13
Possible Violations of
Intellectual Property Law
(Copyright)
Page 14
Principles of Copyright
• Moral Rights
• Not (or less) in common law jurisdictions (copyright vs. droit d’auteur)
• Protect the connection of an author/artist and the work
• attribution, access, protection against disfiguration
• Economic Rights
• Right for exclusive exploitation (product monopoly)
• Author/artist has the exclusive right to decide on exploitation
• publish, rental, copy, exhibit, perform, broadcast, distribute, make
available, translate, transpose, edit...
• Rights are executed by the author, by licensees or by collection
societies
Page 15
Principles of copyright
• Threshold of originality
• copyright protects artistic work
• some originality is required
• expression?
• lower requirement for art, higher requirement for ‘applied art’ (works
that are not made for looking at them)
• ‘pragmatic’ approach: threshold protects public domain