Polish IP & IT law » legal regulations on computers networks

Archive for: legal regulations on computers networks

Telecommunications law, case I OSK 1079/10

August 3rd, 2010, Tomasz Rychlicki

This is the continuation of a story described in “Personal data protection, case II SA/Wa 1598/09“. The Supreme Administrative Court in its order of 15 July 2010 case file I OSK 1079/10 decided to stay the execution of the decision issued by the Inspector General for Personal Data Protection (GIODO) and ruled that the Polish Act of 16 July 2000, Telecommunications Law – TLA – (in Polish: Prawo telekomunikacyjne), published in Journal of Laws (Dziennik Ustaw) No 171, item 1800 with later amendments, provides broader protection of personal data because of telecommunications confidentiality, than the provisions of the Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

The Court held that the disclosure of IP addresses which enable identification of specific individuals, that was ordered during administrative proceedings initiated with regard to disclosure of such data, while such proceedings did not ended with judgment in force, may violate the provisions of Article 160 of the TLA.

Article 160.
1. An entity participating in the performance of telecommunications activities within public networks and entities cooperating with it shall keep the telecommunications confidentiality.
2. Entities referred to in paragraph 1 shall maintain due diligence, within the scope justified by technical or economic reasons, while securing telecommunications equipment, telecommunications networks and data collections from disclosing the telecommunications confidentiality.
3. A person coming into possession of a message not meant to be read by him/her when using radio or terminal equipment shall keep the telecommunications confidentiality. The provisions of Article 159 (3) and (4) shall respectively apply.
4. The recording of a message acquired in a manner described in paragraph 3 by a body executing control of telecommunications activities in order to document a violation of a provision of the Act, shall not be a violation of the telecommunications confidentiality.

While assessing the validity of the request to stay the execution of GIODO’s decision to disclose the requested IP address at this stage of proceedings, the Court agreed with the author of the cassation complaint, that the execution of the questioned decision at this stage makes it impossible to reverse the actions taken after the disclosure of the IP addresses, and such action should be seen as causing the effects that are difficult to reverse according to Article 61(3) of the Act on the Law on proceedings before administrative courts – PBAC – (in Polish: Prawo o postępowaniu przed sądami administracyjnymi) of 30 August 2002, Journal of Laws (Dziennik Ustaw) No 153, item 1270, with later amendments.

§ 1 Filing a complaint does not stay the execution of the act or actions.

(…)

§ 3 After the delivery of a complaint to the court, the court may issue at the request of the applicant, the order to stay the execution, in whole or in part of the act or actions referred to in § 1, if there is a risk of causing significant damage or cause to be difficult to reverse, with the exception of the provisions of local law which entered into force, unless the special Act excludes the stay of their execution. The refusal to stay the execution of the act or actions by the authority, does not deprive the applicant of action to the court. This also applies to acts issued or adopted in all proceedings conducted within the same case.

The SAC held that if the Supreme Administrative Court would agree with the cassation complaint filed against the judgment of the Voivodeship Administrative Court of 3 February 2010 case file II SA/Wa 1598/09, the effects of the execution of the questioned decision could not be reversed, because the IP address identifying a specific person is available to another participant in the proceedings. Accordingly, the court held that the correct solution at this stage of proceedings, is to stay the execution of the questioned decision also with a view to the impact of which its execution might result in, as well as the nature of the protection of personal data resulting from the relevant regulations such as, inter alia, the TLA.

Internet domains, case I C 2179/09

April 26th, 2010, Tomasz Rychlicki

On 2 March 2010, the District Court in Białystok I Civil Division, issued in absentia judgment, case file I C 2179/09, in which it ordered the defendant, a natural person known as “domain name investor” to discontinue the use of tygodnikpowszechny.pl domain name. The court ordered the defendant to publish a full-page paid ad in a weekly magazine, and two ads in two nationwide newspapers (Gazeta Wyborcza and Rzeczpospolita), with an apology defined by the Court. The court also ordered the defendant to pay the amount of 25000 PLN as compensation for infringement of personal rights of Tygodnik Powszechny sp. z o.o. company, and the amount of 15000 PLN as damages for infringement of personal rights of Father Adam Boniecki, the editor of Tygodnik Powszechny. These amounts should be transferred to Fundacji Polska Akcja Humanitarna (the Fundation Polish Humanitarian Action). The court ruled the judgment to be immediately enforceable. The judgment is final.

The court held that the use of Internet domain name may constitute a violation of personal rights taking into account the content which is visible at a website available under a given domain name. The questioned domain name was parked and directed to a website with advertising links. Such content, including texts, which were the visualization of sponsored links, constituted in Court’s opinion an infringement of personal rights.

This judgment is very important for Polish and foreign companies which became the target of cybersquatting if we consider that the Polish case law on personal rights, for instance the Appellate Court in Poznań in a judgment of 22 October 1991, case file I ACr 400/90, already established the rule that the firm under which the company conducts its business, has the same meaning in legal relations, as the name of an individual person.

See also “Polish case law on domain names“.

Social networking sites, case I C 1272/09

March 19th, 2010, Tomasz Rychlicki

The District Court in Wrocław in a judgment of 18 March 2010, case file I C 1272/09, ruled that the advertising of one of the Polish banks that promoted payment cards in such a way that it used profile pictures of users of nasza-klasa.pl website infringed their personal rights. A user who logged into his or her profile was presented with an advertising that showed his or her face/image placed on credit card together with a slogan “your card for your personal account may look like this”. The Court held that users agreed to the provisions of the terms of service, but the permission to use their pictures concerned solely the purpose of social networking, not advertising. The Court ordered the owner of nasza-klasa.pl to pay the plaintiff 5000 PLN as a compensation. This judgment is not yet final.

Internet websites, case I C 1532/09

March 13th, 2010, Tomasz Rychlicki

The Observatory of Media Freedom in Poland run by the Helsinki Foundation for Human Rights reported on a case of Augustyn Ormanty, the mayor of Kalwaria Zebrzydowska town, who sued Tomasz Baluś, the administrator of naszakalwaria.pl website, for personal rights infringement after he found that the website hosted defamatory comments directed to his person. Mr. Ormanty decided to request the court to order the removal of 18 comments because he received negative response from Tomasz Baluś who claimed that these questioned statements put in the form of comments to information published at his website, are the individual opinions of people who wrote it, for the content of which, Tomasz Baluś is not responsible, because they are owned by their authors.

The District Court I Civil division in Kraków in a judgment of 11 MArch 2010, case file I C 1532/09, ruled that naszakalwaria.pl website cannot be deemed as the press according to provisions of the Polish Act of 26 January 1984 on Press law – APL – (in Polish: ustawa Prawo prasowe), Journal of Laws (Dziennik Ustaw) No. 5, item 24, with later amendmets, because it did not meet the criterion of periodicity.

The court noted that naszakalwaria.pl website is rather a collection of publications and serves as a wall on which people are able to post their comments. The court emphasized that the purpose of Internet portals, such as naszakalwaria.pl is primarily to initiate and shape public debate on issues important to the local community. The court added that the Internet is, in principle, free from control and could be subject to control only, if it fits the regulation provided in the APL.

The court also stated that Augustyn Ormanty failed to prove that the offensive – in his opinion – comments related to the facts. According to the Court, they were rather opinions, which in principle cannot be judged based on the criterion of truth and falsehood.

In addition, the court held that Tomasz Baluś had a limited capacity for meticulousy checking and editing of the entries appearing on the forum of his website because of their large numbers. The court stated that the measures taken by the Mr. Baluś to search and control the entries for vulgarity and to remove obviously insulting comments were sufficient.

According to the Court, Mr. Ormanty had a possibility and the right to request the removal of comments he found insulting, based on provisions of article 14 the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usłóg droga elektroniczną), Journal of Laws (Dziennik Ustaw) No. 144, item. 1204, as amended.

1. A person who gives access to the contents of a network IT system to a customer, where the customer stores data, is not aware of the illegal features of the data or activity connected with the data and upon receiving an official notification or credible information about the illegal features of the data or activity connected with it, immediately bars access to the data, shall not be responsible for the data.
2. A Service provider who has received the official notification of an illegal character of the stored data that was supplied by the customer, and prevented the access to the data, shall not be liable to the customer for damages resulting from preventing access to such data.
3. A service provider who has received credible information of the illegal character of the stored data supplied by the customer and prevented access to the data, shall not be liable to the customer for the damage resulting from preventing access to such data, if it has immediately notified the customer of the intention to prevent access to data.

The court pointed out to the argument stating that the mayor is a public figure who must reckon with the fact that its activities may be subject to criticism. As a public figure, Mr. Ormanty should show greater resistance to critical opinions, negatively evaluating the performance of the functions entrusted to him.

In conclusion, the Court added that the law has not kept pace with the development of modern technology and therefore, it does not precisely regulate the issues of freedom of expression in the Internet. Therefore, the careful evaluation of such situations, is entrusted to the judges. Their task is to ensure and guarantee the freedom of expression in similar cases.

Social networking sites, case I A Ca 1202/09

March 3rd, 2010, Tomasz Rychlicki

Nasza-Klasa.pl website is a very popular Polish social networking service bringing together classmates. It provides its users with a possibility to contact and search for old friends. In 2008, an unknown person created an account for the name of Dariusz B., The fake profile included his personal data: name, place of residence, phone number, age and images. This account was set without the knowledge and the consent of Dariusz B. Many offensive comments were sent from this fake account to other users of the portal. These comments provoked negative emotions and responses from its recipients. Dariusz B. and his wife, tried to apologize to every person they met. Dariusz B. was also forced to change his phone number, and met with harsh comments from friends, and especially from the strangers. Maria B. – wife of Dariusz B. contacted Nasza-Klasa.pl by e-mails with the request to remove or to block the fake account. When it did not bring any results, they brought a lawsuit against Nasza-Klasa.pl.

Nasza-Klasa.pl was found responsible by both the District and the Apellate courts because it has not removed, or at least not immediately blocked the fake account, created in the name of Dariusz B., thereby making violations of his personal interests possible.

The Appellate Court in Wrocław in a judgment of 15 January 2010, case file I A Ca 1202/09, DOC file, ruled that nature of the infringement performed by Nasza-Klasa.pl was to allow a third party to encroach on personal rights of Dariusz B., by not fulfilling its obligations under the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usłóg droga elektroniczną), Journal of Laws (Dziennik Ustaw) No. 144, item. 1204, as amended.

Article 14
1. A person who gives access to the contents of a network IT system to a customer, where the customer stores data, is not aware of the illegal features of the data or activity connected with the data and upon receiving an official notification or credible information about the illegal features of the data or activity connected with it, immediately bars access to the data, shall not be responsible for the data.

2. A Service provider who has received the official notification of an illegal character of the stored data that was supplied by the customer, and prevented the access to the data, shall not be liable to the customer for damages resulting from preventing access to such data.

3. A service provider who has received credible information of the illegal character of the stored data supplied by the customer and prevented access to the data, shall not be liable to the customer for the damage resulting from preventing access to such data, if it has immediately notified the customer of the intention to prevent access to data.

Nasza-Klasa.pl did not immediately block, and then delete the questioned fake account. Therefore, it forced Dariusz B. to bear a humiliating behavior caused by another person, which in consequence violated his serenity, good mood, sense of personal dignity, i.e. his personal interests.

Internet domains, case Ico 203/09

February 14th, 2010, Tomasz Rychlicki

As polite fans would probably say, the condition of Polish football is at least “debatable”, and others might use more crude words. The corruption and inefficient management of the Polish national football leagues are the tip of the Iceberg. This situation causes frustration of many people who try to blame the Polish Football Association (PZPN) for all their miseries. Some of these people decided to take matters into their own hands. They formed the Association of Defenders and Supporters of the Polish Football. They registered koniecpzpn.pl (end of Polish Football Association) as an Internet domain name and started to host a website with critical publications on PZPN under that domain. One didn’t need to wait too long before lawyers representing the Polish Football Association entered “the game”. New players acting on behalf of the Polish Football Association requested the court to issue a preliminary injunction in order to secure the case for the future action for trade mark protection and for the protection of personal rights.

The District Court in Lódż, I Civil Division, in its order of 14 January 2010, case file Ico 203/09, decided to grant the injunction and ordered the prohibition of placing at koniecpzpn.pl website the following trade marks owned by the PZPN: R-142616, R-170024, R-188961 i R-188962, the Court also ordered a block on the access to the content of the website available under www.koniecpzpn.pl domain name. The Court set the PZPN a two-week deadline for lodging the petition instituting proceedings for trade mark protection and the protection of personal rights under the pain of withdrawing the injunction in case no lawsuit was filed by that date.

See also “Polish case law on domain names“.

Personal data protection, case I OSK 667/09

February 13th, 2010, Tomasz Rychlicki

On 15 January 2008, Tomasz W. filed with the General Inspector for Personal Data Protection (GIODO) a complaint concerning an unauthorized processing of personal data carried out by the Polish company Nasza Klasa Sp. z o.o. from Wroclaw, the owner of nasza-klasa.pl website. He informed the GIODO, that this very popular Polish website on classmates, hosts a photo featuring his image together with a list of names of other photographed people attached to it. Tomasz W. has repeatedly appealed to the website administrators with the request to remove his name from the list. However, he received no response from Nasza Klasa company.

As a result of the investigation, the GIODO found that on 31 December 2007, a registered user of nasza-klasa.pl posted classmates’ photo featuring students of a primary school. On the same day, another registered user, placed the names of people who were portrayed at the photograph – including the name and surname of Tomasz W. On 2, 9 and 14 January 2008, Tomasz W. requested Nasza Klasa Sp. z o.o. the removal of his personal data.

In a decision of 27 May 2008, case file DOLiS/DEC-314/08/13239, the GIODO, relying on the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments, ruled that information on the applicant’s full name, school and class to which he attended, together with his image, are personal data and the data collector is Nasza Klasa Sp. z o.o.

However, the GIODO also ruled that it should be borne in mind that according to the provision of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usłóg droga elektroniczną), Journal of Laws (Dziennik Ustaw) No. 144, item. 1204, as amended, Nasza Klasa sp. z o.o. provides electronic services for registered users of the portal website, consisting of the storage of data of these users in the computer system. This activity is the condition to legalize the processing of personal data in accordance with article 23(1) pt. 5 of the PPD. In addition, the GIODO found that in this case the applicant’s rights have not been violated, because the access to its data was limited to a group of people registered on nasza-klasa.pl website.

Tomasz W. asked the GIODO for the retrial. He pointed out that the reasons for the decision have many contradictions, inconsistencies and is ambiguous. He accused the GIODO of laconic and cursory treatment of his case. He again emphasized that his personal data have been published on the nasza-klasa.pl website without his knowledge or consent, in violation of his civil rights and liberties.

After the rehearing of the case, the GIODO annulled the contested decision, and discontinued the proceedings. GIODO claimed that the re-examination of the case leads to the conclusion that the disputed information about Tomasy W. did not fall within the definition of personal data. The name and surname have been given under his old image from many years ago. Hence, the combination of photos from the past, with a name and surname of a person and a primary school, which such person attended did not allow for the identification of a person without excessive costs and time. The findings that the disputed information is not personal data within the meaning of the PPD caused the proceedings in the matter to be groundless and on the basis of article 105 § 1 of the APC, it had to be discontinued.

Tomasz W. lodged a complaint with the Viovodeship Administrative Court (VAC) in Warsaw. The complainant asked for annulment of the decision of first and second instance. Tomasz W. claimed the violation of the substantive law, i.e. article 6(1) of the PPD, through its improper interpretation, of article 32(1) pt 7 and 8 of that Act, by recognizing that Tomasz W. is not entitled to request cessation of the processing of his data and the right to object, and a breach of article 7 of the APC by not explaining all the relvant facts. Tomasz W. disagreed with the statement of the GIODO that questioned information about his person is not personal data within the meaning of the PPD. He stated that any information about an identified or identifiable individual is personal data. Furthermore, he argued that the claim of the GIODO that the data are available only for specific people – registered users of the portal is not acceptable, because nasza-klasa.pl has no mechanisms for verification of users identity, which makes the questioned data easily accessible for everyone. Moreover, Tomasz W. also argued that a registered user who does not know him would have some difficulty in identifying his person but such obstacles would not happen to a person who knows about Tomasy W., and is looking for additional information.

The Voivodeship Administrative Court in a judgment of 3 March 2009, case file II SA/Wa 1495/08, ruled that the GIODO erred in its decisions, because information about the name and surname of Tomasz W., combined with information about the name and address of the primary school and the determination of the class to which he attended in 1978/79, even if it was thirty years ago, are personal data. According to the Court provisions of article 1 of the PPD introduced the principle of autonomy of human information, meaning the protection of information about human being. This provision is a kind of emanation of the general right guaranteed by the Polish Constitution in article 47, according to which “Everyone shall have the right to legal protection of his private and family life, of his honour and good reputation and to make decisions about his personal life”. This means that the protection of personal data is related to the protection of privacy rights. This follows from the wording of article 6 of the PPD, indicating that the personal data concern identified or identifiable natural or legal person and that the identifiable is a person is one whose identity can be determined. From wording of that provisions the VAC concluded that personal data are data that identify a person’s identity.

VAC also relied on the content of recital 12 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which emphasized the protection of all data relating to a person, and therefore also information about someones past.

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

However, in recital 26 of the abovementioned Directive states that data protection rules must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, all the means which can be used by the controller or any other person to identify a person, should be taken into the account. The rules of data protection do not apply to data rendered anonymously in such a way that a subject of the data can not be identified. The identification of a given person concerns also past information about a specific human being, by which information one can learn about such person’s identity. Accordingly, the VAC held that European law means the protection of personal data as the protection of all the facts concerning the past of a particular person, which corresponds with the content of article 6(2) of the PDP. So this means that such data would also be protected.

Referring to the foregoing facts of Tomasz W. case, the VAC ruled that that nasza-klasa.pl website published his image and name. In the opinion of the court these are the personal data which are protected by the PPD, because on their basis one is able to identify given person.

Nasza Klasa sp. z o.o. filed a cassation complaint with the Supreme Administrative Court (SAC) challenging in entirety the judgment of the VAC. The Supreme Administrative Court in a judgment of 18 November 2009, case file I OSK 667/09, rejected the complaint.

The SAC held that the primary issue arising in this case was whether a classmates’ picture that was taken thirty years ago, at which Tomasz W. is potrayed, in the circumstances of the case, can be analyzed to determine his identity without necessarily involving excessive resources or time, and therefore, whether the data disclosed in the photo in question, constitutes personal data within the meaning of article 6 of the PPD, and whether it should be protected.

The concept of “personal data” on the Polish law includes any information concerning an individual if it is possible to define its identity and its identification. Personal data is a set of messages about a particular person such integrated that it allows for its individualization. It includes at least information necessary for identification (name, surname, place of residence), but this is not restricted, because it also include further information, strengthening the degree of identification. Such information will also include pictures of the individual, even if they were taken in the past, allowing to identify a person. In a situation where such a photograph is presented with a name and surname of the person portrayed, in a place accessible to an unlimited number of entities, it must be considered that it constitutes personal data subject to protection under the PPD. Mainly, the objective evaluation criteria decides for the qualification of given information as personal data, but it also should comprise of all information, including extralinguistic (context), to which third party may have or has an access. A different approach to the presented issues would maginalize the importance of the laws and it would not relate to its designated function.

Thus it should be considered that the image of Tomasz W. portrayed at the photograph that was taken 30 years ago, affixed with the class, his name and surname, and then published at nasz-klasa.pl website constitutes personal data within the meaning of article 6(2) of the PPD, and the cassation complaint was not justified. The SAC also noted that the consent for the processing of personal data cannot be in any way implied.

The SAC also stressed the fact the Internet as a source of information is increasing on a unknown scale and importance. It provides an access to specific information to a vast number of persons and allows for any of its processing within the meaning of the PPD. At the same time there are not yet developed appropriate mechanisms for the protection of individual rights when those rights have been violated as a result of the disclosure of information on the Internet. Then, it is a great role of law enforcement bodies, including the Inspector General for Personal Data Protection in creating practice to comply with applicable laws also on the Internet. It is an unacceptablr situation in which the entity seeks to remove its image from a particular website, and the administration fails to take action to ensure the protection of civil rights. The image is one of the very personal property rights and lack of consent to its publication, if it is not a public person, is a sufficient reason to believe that regulations of the PPD apply, if the conditions set in the article 6(2) of the PPD have been met.

See also my posts entitled “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Personal data protection, case II SA/Wa 71/07

February 12th, 2010, Tomasz Rychlicki

A lawyer representing one Polish entrepreneur, and as you already know personal data of the parties are removed from Polish courts’ judgments, requested the General Inspector for Personal Data Protection (GIODO) to issue an order to Home.pl company from Szczecin, to disclose personal data such as name, surname, the firm, address, office’s seat, phone number and e-mail address of a person, which had only published its caller id, and who registered a certain Internet domain name. The lawyer stated that his client is claiming the right to use the questioned domain name and the requested information is necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications.

Home.pl refused to provide the abovementioned personal data, arguing that the parties of the legal relationship arising from the fact of the registration and maintenance of Internet domain names are the Research and Academic Computer Network (in Polish: Naukowa i Akademicka Sieć Komputerowa) – the national registry of the .pl domain, and the domain name subscriber.

The GIODO performed an investigation based on the administrative proceedings regulations. The GIODO did an inspection of the Company’s headquarters and found that Home.pl maintains a separate collection of data of subscribers who have registered their domain names in NASK through Home.pl services. NASK is the national domain name registrar, while Home.pl arranges for the registration and maintenance of Internet domain names. Home.pl represents an applicant for the domain name registration before NASK. A natural or legal person and Home.pl have to establish a legal relationship based on a registration contract in order to register the domain name in NASK. The legal relationship is based on registering and maintaining of the internet domain name. The GIODO found that in this case, the contested domain name was registered by a natural person.

In September 2006, the General Inspector for Personal Data Protection issued an administrative decision which ordered Home.pl to disclose personal data of the individual who registered the Internet domain name in question, the name, surname, address, phone number and e-mail address. Home.pl requested for a retrial of the case. The GIODO upheld the decision and Home.pl filed a complaint with the Voivodeship Administrative Court (VAC) in Warsaw.

The Court in a judgment of 30 Novmeber 2007, case file II SA/Wa 71/07 ruled that the complaint was based on articles 29(2) in connection with article 22 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

Article 29
1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.
(…)
Article 22
The proceedings with respect to the matters regulated by this Act shall be conducted pursuant to the provisions of the Code of Administrative Procedure, unless other provisions of the law state otherwise.

According to the VAC, provisions of article 29(1) and (2) allow third parties to request the disclosure of personal data for purposes other than inclusion in the collection. It should be noted that these provisions being in force until 1 May 2004, gave no grounds to demand the disclosure if the controller was the private sector. This situation changed after the amendment of 22 January 2004.

The VAC noted that the request for disclosure of personal data may be filed by any person i.e. natural person, any organizational unit, both public and private. It is important that the possesion of personal data is necessary to achieve intended goals, and the request for personal data is credible and reasonable. Such request does not require a collector to disclosure personal data because it must assess whether the conditions have been met to provide such data according to provisions of articles 29 of the PPD.

1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.
4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.

However, the VAC stressed that fact that collector’s discretion cannot mean its arbitrariness. In the case of the unfounded refusal to provide personal data according article 29 (2) of the PPD, the General Inspector for Personal Data Protection shall have the right – in accordance with article 18(1) pt. 2 of the PPD – to require the disclosure of personal data.

1. In case of any breach of the provisions on personal data protection, the Inspector General ex officio or upon a motion of a person concerned, by means of an administrative decision, shall order to restore the proper legal state, and in particular:
(…)
2) to complete, update, correct, disclose, or not to disclose personal data,

Undoubtedly, the request for the disclosure of personal data must be credible and legitimate. Thus, if such request is do not precluded by provisions of article 27 of the PPD, the collector must disclose such data.

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings shall be prohibited.
2. Processing of the data referred to in paragraph 1 above shall not constitute a breach of the Act where:
1) the data subject has given his/her written consent, unless the processing consists in erasure of personal data,
2) the specific provisions of other statute provide for the processing of such data without the data subject’s consent and provide for adequate safeguards,
3) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his/her consent until the establishing of a guardian or a curator,
4) processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profitseeking organisations or institutions with a political, scientific, religious, philosophical, or trade-union aim and provided that the processing relates solely to the members of those organisations or institutions or to the persons who have a regular contact with them in connection with their activity and subject to providing appropriate safeguards of the processed data,
5) processing relates to the data necessary to pursue a legal claim,
6) processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his/her employees and other persons, and the scope of processing is provided by the law,
7) processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing appropriate safeguards,
8) the processing relates to those data which were made publicly available by the data subject,
9) it is necessary to conduct scientific researches including preparations of a thesis required for graduating from university or receiving a degree; any results of scientific researches shall not be published in a way which allows identifying data subjects,
10) data processing is conducted by a party to exercise the rights and duties resulting from decisions issued in court or administrative proceedings.

The VAC had to consider the question of whether the application met the conditions set in article 29 of the PPD. The Lawyer proved that, the disclosure of personal data of a person who registered the disputed domain because was necessary for the initation of the arbitration proceedings before the Court of Conciliation at the the Polish Chamber of Information Technology and Telecommunications. The Court noted that the arbitration proceedings are held in accordance with article 1188 § 1 of the Civil Proceedings Code – CPC (in Polish: Kodeks Postępowania Cywilnego) of 17 November 1964, Journal of Laws (Dziennik Ustaw) No 43, item 296, with later amendments.

The proceedings before the Court of Conciliation starts with the lodging of the statement of claim (the suit), which means that the suit should comply with the conditions laid down in article 187 § 1 of the CPC. Under that provision, the statement of claim should meet the requirements of the pleading, and it also shall include: clearly defined demand in matters of property rights and the value of the claim, unless the case concerns the amount of money. The suit shall include all facts justifying the request and, if necessary, to justify the jurisdiction of the court. In accordance with article 126 § 1 pt. 1 of the CPC, every pleading shall also contain, inter alia, the designation of the court to which it is addressed, the name or names of the parties, their legal representatives and/or agents. Therefore, the essential element of the claim for infringement of personal rights is to show the person against whom the request is addressed, i.e. the defendant in future proceedings for infringement of personal rights, and defendant’s address. The VAC found that the request in the Home.pl case was fully justified.

The Court also confirmed that Home.pl is the controller within the meaning of article 7(4) of the PPD, because according to the agreement with NASK, Home.pl decides on the purposes and means of the processing of personal data related to people who registered domain names. Thus, the party of the case was Home.pl, not NASK.

Personal data protection, case II SA/Wa 1598/09

February 5th, 2010, Tomasz Rychlicki

According to lawyers representing the singer Maryla Rodowicz, on the forum of one of the Polish portal websites appeared entries with the content which allegedly violated her personal rights (interests). The lawyers requested the owner to reveal IP addresses of users who posted these entries. The administrator of the portal website deleted the disputed entries but did not reveal any of the IP addresses. Lawyers filed a request to the Inspector General for Personal Data Protection (GIODO), who ordered the portal to disclose IPs on the grounds that these numbers are personal data. The owner of the portal again refused. The case went to the Voivodeship Administrative Court (VAC) in Warsaw, which in a judgment of 3 February 2010, case file II SA/Wa 1598/09 upheld the decision of the GIODO. The company who owns the portal may file a cassation to the Supreme Administrative Court (SAC). The VAC judgment provides the interpretation that IP address is a personal data, in accordance with the statutory definition included in article 6 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

Article 6
1. Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person.
2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

The VAC also noted that the IP address is personal data if it is permanently assigned to the specified device and that is used or operated by a specified entity. This dependence makes certain in given situations that there is the possibility of identifying such entity. The Court said that it is true that the same IP address is not sufficient to identify a person who use it, but together with other information a person can be identified.

This judgment is not yet final. A cassation complaint may be filed to the Supreme Administrative Court. There was another court’s decision with regard to the aforementioned case and the disclosure of IP addresses. See “Telecommunications law, case I OSK 1079/10“.

The U.S. courts and judges have quite different views on this issue. Read for example Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009).

Data retention in Poland

January 5th, 2010, Tomasz Rychlicki

The Regulation of the Minister of Infrastructure of 28 December 2009 on a detailed specification of data and types of operators of public telecommunications networks or providers of publicly available telecommunications services obliged for its retention and storage, Journal of Laws (Dziennik Ustaw) of 2009, No 226 item 1828, came into force on 1 January 2010. The operators will be obliged to perform so-called data retention for 2 years. They will have to collect data that allows to determine dialed numbers as well as a telephone used. The date and time of the connection, the type and location of the caller will also be loged. The same rules apply to Internet connections. The Regulation implements provisions of the Directive 2006/24/EC, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. However, in the article entitled “Służby sprawdzą, skąd i kiedy dzwonimy“, the Polish newspaper Rzeczpospolita reports Maciej Rogalski’s, the vice-president of the Polish Chamber of Information Technology and Telecommunications, statement.

The suppliers of equipment related to the mass memory, use of the possibility of lobbying also within the EU, and have suggested solutions, which have appealed to special services. However, the usefulness of the new regulation is questionable, since the subsequent use of the information collected is like looking for a needle in a haystack.

Was is the Polish-Russian cyberwar?

October 11th, 2009, Tomasz Rychlicki

According to Rzeczpospolita’s article entitled “Cyberattacks on Poland“, the Polish Internal Security Agency thanks to its cyberpatrols prevented tha largest cyberattack on Polish governmental website. The ISA thinks that these organized DDoS attempts were directed from the Russian Federation.

If you are interested in such issues see also my earlier post entitled “Cyberwar or Why States Need an International Law for Information Operations“.

Categories: computer crime | computer law | criminal law | legal regulations on computers networks.

Press law, case VI Ka 202/09

August 3rd, 2009, Tomasz Rychlicki

This is the continuation of a story described in “Press law, case II K 367/08“. The District Court in Słupsk in its judgment of 18 June 2009 case file VI Ka 202/09 held that gby.pl – a portal website operated by Leszek Szymczak constituted press under the Press law, however, comments posted on this website by the Internauts do not constitute a press material for the content of which the website administrator could be held responsible. The District Court held that the posts are not letters to the editor or are not – as the Prosecutor argued – “quasi-letters” to the editor. The court said that the posting process on an internet forum is made automatically, there is no prior moderation of such messages.

The administrator of a portal website, which allows for posting comments, is the hosting service provider and is subject to regulations included in article 14 of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usłóg droga elektroniczną), Journal of Laws (Dziennik Ustaw) No. 144, item. 1204, as amended.

1. A person who gives access to the contents of a network IT system to a customer, where the customer stores data, is not aware of the illegal features of the data or activity connected with the data and upon receiving an official notification or credible information about the illegal features of the data or activity connected with it, immediately bars access to the data, shall not be responsible for the data.
2. A Service provider who has received the official notification of an illegal character of the stored data that was supplied by the customer, and prevented the access to the data, shall not be liable to the customer for damages resulting from preventing access to such data.
3. A service provider who has received credible information of the illegal character of the stored data supplied by the customer and prevented access to the data, shall not be liable to the customer for the damage resulting from preventing access to such data, if it has immediately notified the customer of the intention to prevent access to data.

The Court ruled that the service provider cannot be held liable for material posted by its users. The court noted that the decision does not mean that no one should be held liable for the posts that contain an offensive material that is a subject to criminal prosecution. The responsibility for this activity should be borne by a direct perpetrator and the prosecution authorities should identify such persons by using the available technical resources (IP addresses). The Prosecution cannot go after the smallest line of resistance and charge the administrators, instead of the actual perpetrators.

It is out now!

July 14th, 2009, Tomasz Rychlicki

My dear readers. All P.T. readers. I would like to draw your attention to the International Free and Open Source Software Law Review. It is an absolutely free publication on legal aspects of free and open source software. The first issue is available for download (both HTML or PDF versions) directly from its website. There, you’ll find couple of interesting articles. In particular, I recommend Shane Coughlan’s and Andrew Martin Katz’s article titled “Introducing the Risk Grid“. I will also immodestly mention that from the very beginning I was involved in the creation of the IFOSS L. Rev. and I am currently a member of the editorial board. Of course, I invite everyone to write for his periodical. Please do not hesitate to submit your papers.

There is another “Polish theme” in the IFOSS L. Rev. Great logotype and covers for the journal were created pro bono by my good friend Tomasz Politański.

My history, my personal data

March 30th, 2009, Tomasz Rychlicki

There is a really fresh judgment of the Voivodeship Administrative Court in Warsaw of 3 March 2009, case file II SA/Wa 1495/08 regarding the protection of personal data and providing and operating online services such as websites about users’ classmates.

It is therefore assumed that in accordance with article 6(2) of the Polish Act of 29 August 1997 on the Protection of Personal Data (in Polish: Ustawa o ochronie danych osobowych) not only information on the current situation of an individual decide whether we are dealing with personal data, but also information relating to what one did and who one was in the past. It means that such data are protected under the Act on Protection of Personal Data.

See also my posts entitled “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Personal rights, case II CSK 539/07

March 27th, 2009, Tomasz Rychlicki

QXL Poland sp. z o.o. is the owner of the allegro.pl auction website which removed the user account of a person (Cezary O.) using the nicknames CezCez, 2cez, 2xcez and espia. The company presented different reasons for its decision to remove the account and tried to justify such action by putting various statements about CezCez on its forum website “Cafe Nowe Allegro”. CezCez did not agree with QXL’s statements and sued. The court of first instance agreed with Cezary O.’s arguments and ruled that QXL Poland make a statement of apology as follows

Allegro.pl wishes to apologize to CezCez for using comments by one of its employees which publicly appeared on the New Cafe Allegro on 17 January 2003,– wording that implied CezCez was dishonest, he lies, he is selfish and that he pursues his own self-interest. These actions and comments affected the good name of CezCez, which was not the intention of QXP Poland.

The above statement was to be published on the Allegro.pl website but both parties appealed. The Appellate Court in Lodz did not share the conclusions of the court of first instance that the username (a nickname) used in internet services is personal right/interests (i.e. intangible personal property) eligible for protection under articles 23 and 24 of the Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, Journal of Laws (Dziennik Ustaw) No. 16, item 93, with later amendments.

Article 23
The personal interests of a human being, in particular to health, dignity, freedom, freedom of conscience, surname or pseudonym, image, secrecy of correspondence, inviolability of home, and scientific, artistic, inventor’s and rationalizing achievements, shall be protected by civil law independent of protection envisaged in other provisions.

Article 24
§ 1 The person whose personal rights are threatened by someone else’s action, may require the desist of that action, unless it is not illegal. In the event of the infringement one may also require, the person who committed the violation, to fulfill the actions necessary to remove its effects, in particular, to make a statement of the relevant content and appropriate format. According to the conditions laid down in the Code one may also require monetary compensation or payment of an appropriate amount of money for a social purpose indicated.
§ 2 If as the result of a breach of personal rights one has suffered pecuniary prejudice, the aggrieved person may claim compensation based on general principles.
§ 3 The above shall not prejudice the entitlements provided by other regulations, in particular in copyright law and the patent (invention) law.

The Appellate Court did not agree with the arguments that the user name (a nickname) has parallels with a pseudonym. The case went to the highest court in a further appeal as a cassation complaint. The Supreme Court of Republic of Poland in a judgment of 11 MArch 2008, case file II CSK 539/07, dismissed the case for procedural reasons. However, the SC did not agree with conclusion of the Appellate Court with regard to protection of nicknames or usernames in the digital environment.

The court noted that a username fulfils a variety of functions. First, the creation of a username is a prerequisite to registering on the allegro.pl website in order to obtain its own account and so participate in auctions. A person using such a nickname may be a buyer or a seller. Secondly, a username allows a person to log into Allegro.pl website. In the process of logging in, the user is given a pair of identifiers, such as a username and password. Thirdly, the username/nickname identifies the individual in question in the online environment, in this particular case, in the environment of people using Allegro.pl services.

The individual is therefore recognised as a user using a specific nickname. The Supreme Court could not agree with the position of Court of Appeal that the nickname is purely a technical issue used to personalise the operation. On the contrary it argued, the username/nickname defines and characterises the person who uses such an auction site, bids on it, is the party to a contract of sale, issues comments or is involved in correspondence with other users.

The court found that

In some cases, participations in the auction website by a user using a specific name can be a source of information for other participants who know that this user typically takes part in an auction of that type, bids only to a certain amount of money, only on certain days, in a certain way, does not compete with users using specific names, that the user is honest, efficient and immediately carries out transactions, etc.”
The Supreme Court also ruled that a username identifies a specific natural person. A username consists of a series of signs and letters, and there are no counter-indications that a person who created his or her own username could use his or her own name, surname, artistic pseudonym, pen name, or alias or it could even be a natural person who is the agent and uses the company name (the firm) under which it operates its business.

It appeared to the court that in the assumption of a username by a person rather than his or her own name, the pseudonym (which has so far been used as an example in artistic activities) is meant as the assumption of a nickname in order to allow for individualisation of that particular person. The word “nickname” comes from the Greek language (“pseudonymos”–bearing a false name, falsely named) and it means a first name, last name or another name which someone uses to conceal his real name or surname.

The court found irrelevant the motivation of a person who takes a nickname which is used as a pseudonym only in the “internet environment” or that the nickname may only be associated with the activities of that particular person carried out within the scope of services offered by Allegro.pl, since it may also have a broader meaning and go beyond the services of Allegro.pl. Consequently, the court noted that a username is subject to legal protection on the same basis on which protection is granted for any name, pseudonym or firm name, under which a person has established its business (whether it is a company name or that of a private person). At the same time, the court found no reason to treat a username/nickname as a separate personal right.