Nordic IPT Law Bulletin - October

IT & Telecom

Sweden

A new Swedish Electronic Communications Act (2022:482)

On June 3, 2022, the new Swedish Electronic Communications Act (2022:482) entered into force, replacing the current Electronic Communications Act The Act applies to electronic communication networks and electronic communication services with associated facilities as well as services and other radio use. In contrast to the previous legislation, the Act applies to providers of number-independent interpersonal communication services, such as providers of e-mail services.

In practice, the Act will be applicable when a provider of public electronic communications assesses what appropriate and proportionate technical and organizational measures must be taken to manage risks that threaten the security of the networks and services.

Furthermore, the Act sets out security requirements, authorizes the supervisory authority to consider competition implications during its procedures regarding permits to use radio transmitters. Violations of the Act such as failure to report security incidents with a significant impact on network and services to the Swedish Post and Telecom Authority (Post- och Telestyrelsen), can result in a sanction fee ranging between 5 000 SEK and 10 000 000 SEK.
 

Norway

The Norwegian Media Authority (NMA) urged companies in the gambling market to reduce the intensity of advertisement

The NMA also ordered Norwegian TV distributers to stop the advertisement of foreign gambling sites as of 15 August. The Norwegian Lottery Authority decided to impose a compulsory fine of NOK 1,200,000.00 per day on Trannel International Limited. Trannel, which is a subsidiary of Kindred Group, does not have permission from the Norwegian authorities to offer gambling in Norway.

Norwegian Ministry of Culture and Equality presented changes to the Norwegian Broadcasting Act for public consultation

The proposed changes were made as a follow up on changes to the EU's Audiovisual Media Services Directive. One of the proposed changes is that streaming services will have to invest in Norwegian movies and series.

Intellectual Property and media

EU Legislation - Sweden/Denmark/Norway/Finland

EU Media Freedom Act

In September, the European Commission issued its proposal for the previously announced European Media Freedom Act. The Act, which is proposed to take the form of a regulation, is designed to safeguard media freedom and pluralism in the union. The Regulation includes safeguards against political interference in editorial decisions and against surveillance of the media. Furthermore it focuses on the independence and stable funding of public service media and ownership transparency in the media sector.
 

Finland

The Supreme Court ruling on reasonable copyright compensation

The copyright organisation for music creators, composers, and publishers, Teosto Ry, had issued invoices to a television company regarding the compensations based on the use of works protected by copyright. The television company claimed that the prices charged by Teosto Ry were not reasonable as required by Section 35 of the Act on the Collective Management of Copyright (1494/2916). The Market Court then confirmed that a reasonable amount was lower than the amount invoiced by Teosto Ry and paid by the television company. The Supreme Court in ruling KKO 2022:44, ordered Teosto Ry to return the copyright compensation paid to it by the television company to the extent that it exceeded the reasonable amount of copyright compensation.

The Supreme Court ruling on information about telecom subscribers related to copyright infringement

A company had demanded that a telecommunications company be obliged to hand over to the company the contact information of 34 telecom subscriptions, from which, according to the company, a significant amount of material protected by the company's copyright had been made available to the public without the company's consent. The Market Court ordered the telecommunications company to hand over the contact information for five telecom subscriptions, rejecting the application in other parts. The Supreme Court, in case KKO 2022:47, ruled that the telecommunications company must hand over all requested contact information and that the disclosure of the contact information in question is in accordance with the goal of achieving a fair balance between the copyright holder's right to access information and the protection of the privacy of users of telecommunication services. 

Implementation of the DSM Copyright Directive in Finland 

DSM Directive (2019/790/EU)
The Government Proposal for implementing changes required by the DSM Directive was provided to the Finnish Parliament in April 2022 and is still being processed in the parliament committees.

Norway

Risk of confusion between Ghostbastards and Bastard Burger

Both trademarks covered the same goods/services (which the parties also agreed upon). The Borgarting Appellate Court, in case LB-2022-34258, like the District Court, concluded that there was no similarity of characteristics which entailed a risk of confusion

Marketing law

Sweden

New ruling confirms Environmental claims in marketing must be substantiated

The Swedish Superior Patent and Market Court published a new ruling (case no. PMT 1782-21) in September 2022 regarding breach of the Swedish Marketing Act, stating that environmental claims and labels must be explained. The Court ruled that the information must be provided in an easily accessible and clear manner in close proximity to the labels and claims. It is insufficient to post such information only on one's own website when marketing takes place elsewhere. Failure to inform about the meaning of e.g. a certification means that the marketing is misleading and in violation of the Swedish Marketing Act.

Market disruption charge for unauthorized marketing practices

Further, in October, the Swedish Patent and Market Court imposed a market disruption charge of 1 000 000 SEK (approx. EUR 100 000) in case no. PMT 15306-21 due to a Electricity Company's unauthorized marketing practices, including sending payment requirements without any prior order.

Denmark

Focus on influencers’ insufficient advertisement marking

In the recent years the Danish Consumer Ombudsman has been focusing on how influencers can affect their followers through advertising.

Companies that use influencers who do not mark the advertising sufficiently are subject to fines. This was the case for the car importer Ford.

Ford had appointed 10 Danish celebrities as “ambassadors” for the company. The celebrities posted on their social media profiles pictures of Ford cars while “tagging” Ford in their posts. However simply “tagging” a company is not sufficient to mark an advertisement following the law. Ford was sentenced with a fine of DKK 200,000.

No misleading statement/marketing in a television program and whether a private label is misleading

Case BS-24608/2021-SHR. The Danish Maritime and Commercial High Court, ruling 2 September 2022.

The owner of the company “AllergyCertified”, who certifies cosmetical products with a privately developed label was sued by Tromborg ApS, who produces and sells cosmetical products.

The owner of the label “AllergyCertified” stated in a television program (“Kontant”) that because something is organic or natural (which is the case for Tromborg’s products) it is not necessarily better or healthier.

The Danish Maritime and Commercial High Court found that the statements were not misleading and also not discrediting, as they were general and not specifically aimed at Tromborg. 

Retouched photography bill

The Danish Ministry of Industry, Business and Financial Affairs has proposed a new bill regarding labelling of retouched photography.

All photography used in marketing showing the shape of the body, size or skin shall be labelled if retouched. The bill will apply for all commercials.
 

Finland

The Consumer Ombudsman’s request for the Market Court to impose a penalty fee
The Consumer Ombudsman has deemed that the furniture store Maskun Kalustetalo misleads consumers in its marketing. When marketing furniture, the company creates images of large discounts for consumers by using comparison prices, discount percentages or other expressions referring to discounts in connection with the sales price, which do not give a true picture of Masku Kalustetalo's real price level. The Consumer Ombudsman proposes that the Market Court imposes a penalty fee of one million euros to Masku Kalustetalo for misleading discount marketing.
 

Norway

New regulation on retouched advertising
On July 1, the new regulation on the labelling of retouched advertising entered into force. The regulation states that adverts and commercials where a body shape, size or skin has been changed by retouching or other manipulation, must be marked using a public, standardized label.

Supervision on influencer’s marketing
This fall, 17 Norwegian influencers’ marketing on YouTube have been reviewed by the Norwegian Media Authority (NMA). The NMA's inspection shows that the vast majority of influencer’s clearly inform and label advertisement of products and services in their videos. The few breaches found by the NMA concern that the influencer had labeled the advertisement with a font that was too small, or that the labeling was shown for too short a time on the screen.

Consumer law

Sweden

Implementation on new EU Consumer Legislation - "Omnibus Directive"
Legislative changes have, as per the 1st September 2022, entered into force as a result of the so-called Omnibus Directive (2019/2161/EU). The amendments concerns (i) the Swedish Marketing Act (ii) the Price Information Act, (iii) The Act on Distance Contracts and Off-Premises Contracts, and (iv) the Consumer Contracts Act.

The changes includes:
• New penalty provisions which will increase the Patent and Market Court's possibilities to impose market disruption fines, among other things, violations of the Marketing Act,
• Higher sanction levels,
• Amendments to the Distance Contracts Act regarding, among other things, the scope of the right if withdrawal, and
• Extended information requirements for traders and especially for online marketplaces, e.g. in relation to product ranking and price reductions.
 

Denmark

Electronic gift cards
In the recent months the Danish Consumer Ombudsman has been focusing on consumers rights regarding electronic gift cards.

A company selling digital gift vouchers refused to pay the value of the gift voucher to consumers who ask for it. The Danish Consumer Ombudsman emphasized to the company that it is obliged to pay the value of the gift card in cash to consumers requesting so, according to the Danish Act on Payment Services and Electronic Money. A similar conclusion was reached in a case regarding the Danish Travel Card (Rejsekort).

The Danish Consumer Ombudsman has published a Quick Guide for disbursement of electronic gift cards.
 

Finland

Implementation on new EU Consumer Legislation "Omnibus Directive"
The Omnibus Directive became applicable on 28 May 2022. Several amendments have been made to the Finnish Consumer Protection Act due to the Omnibus Directive and the President of Finland ratified the amendments on 8 July 2022.

Norway

The Norwegian Transparency Act entered into force on 1 July 2022
The act is meant to promote enterprises' respect for human rights and decent working conditions, and also secure the public access to information. The act requires enterprises to conduct due diligence assessments regarding their own business, their supply chain and their business partners to find out where the biggest risks are.

The Norwegian Consumer Authority will monitor compliance with the provisions of the Act.

Data Privacy

EU Legislation - Sweden/Denmark/Norway/Finland

President Biden's Executive Order regarding transfer of personal data between the EU and the US
On the 7th of October the president of the United States signed an executive order, the purpose of which being to enable a free flow of personal data between the United States and the European Union. The executive order aims to comply with the requirements previously extended by the Court of Justice of the European Union ("CJEU") in order to allow transfers from the EU to the US. In general terms, the requirements set forth by the CJEU consists of two main parts, (1) that the United States' surveillance is proportionate within the meaning of Article 52 of the Charter of Fundamental Rights (CFR) and (2) that there is access to judicial redress, as required under Article 47 CFR.
The next step is for the European Commission to assess whether the data privacy regime of the US will meet the requirements for an adequacy decision under Article 45 of the GDPR. The European Commission must also hear from the European Data Protection Board as well as the EU Member States. The formal adoption process is expected to take around six (6) months.
 

Sweden

Permits to process personal data relating to criminal convictions and offences (Art. 10 of the GDPR)
Private companies that are not explicitly allowed under EU or Member State law to process personal data relating to criminal convictions and offences (Article 10 of the GDPR) do not generally have a legal basis to process such data (meaning that the processing would be unlawful). In Sweden, companies are explicitly allowed to process data regarding criminal convictions and offences, inter alia, where it is necessary for compliance with a legal obligation. Where companies are not explicitly allowed, but still wish to process, such personal data, they must apply for a permit from the Swedish Authority for Privacy Protection ("IMY").
During October, the IMY has issued two decisions with permits to process personal data relating to criminal convictions and offences (Article 10 of the GDPR). One permit was issued to a bank relating to its prevention of money laundering and financing of terrorism. The other permit was issued to a company offering background checks in recruitments, of suppliers or customers and in the context of mergers, acquisitions and divestment.

The Swedish Post- and Telecom Authority investigates use of Cookies
The Swedish Post- and Telecom Authority has initiated investigations under the Electronic Communications Act of four website operators. The operators are active in sectors that are important in society and include a bank, two government authorities (the Swedish Consumer Agency and the Swedish Public Health Agency) and a telecom operator. The Post- and Telecom Authority has initiated the investigation by asking the operators a number of questions, which i.a. relate to provided information, consent and sharing of data.

Denmark

The Danish Data Protection Agency has published a memo with a Q&A on the use of Google Analytics
The Danish Data Protection Authority has published a memo with a Q&A on the use of Google Analytics, following a series of decisions from European Data Protection Authorities. The Danish DPA has clarified that Google Analytics cannot legally be used by companies, without implementing a series of measures in addition to the settings provided by Google, as Google is a US entity.

The Danish Data Protection Agency presents two solutions for companies acting in Denmark:

1) Find a solution with further safety measures
2) Seize the use of Google Analytics.

Limits to a data controller’s obligations under data subjects’ right to access
In a specific case, the Danish Data Protection Authority took a closer look at the extent to which a data controller is obliged to review material in order to meet a request for access.

The data subject in the case was a former employee, and the material therefore included a very large number of documents, which were mainly prepared in connection with the data subject's work tasks.

The Data Protection Authority found that a certain “limit of reasonability” exists. Emphasis was laid on the large number of documents and the data subject's refusal to specify their request.
 

Finland

Decision on deficiencies to fulfill data subject requests
The Data Protection Ombudsman in decision 6097/161/21, found deficiencies in Otavamedia Oy’s actions to fulfil data subject requests regarding access to and removal of their personal data. Between 2018 and 2021, eleven cases in total concerning Otavamedia Oy were brought to the Office of the Data Protection Ombudsman. Among other things, the complainants had not received an answer to their requests or inquiries regarding the exercising of their data protection rights. The Data Protection Ombudsman issued Otavamedia Oy a fine of EUR 85,000.

The prosecutor has decided to prosecute the former CEO of Psykoterapiakeskus Vastaamo Oy for a data protection offence
This will be the first major data protection offence trial in Finland after the implementation of the GDPR. Psykoterapiakeskus Vastaamo Oy had been the subject of a data breach and allegedly the management of the company had been aware of the data breach but had not taken any action to remedy it or notify the breach to the authorities.
 

Norway

New ruling on termination of employment and access to employees’ e-mail inboxes
Like the district court, the Borgarting Appel Court in decision LB-2021-164489, of appeal concluded that the dismissal was valid, and that there was therefore no basis for compensation under the Working Environment Act. However, the court of appeal concluded that the rules for access to employees’ e-mails had been breached, giving the employees a basis for compensation under the Personal Data Act and GDPR.

The Norwegian Data Protection Authority (DPA) has carried out several inspections during the summer, most notably towards the Norwegian Correctional Services, Elkjøp Nordic AS and Elkjøp Norge AS. The supervision was carried out through on-site inspections.
 

Other relevant legal topics

EU Legislation - Sweden/Denmark/Norway/Finland

AI – Who is Liable?
In 2021 the European Commission proposed a legal framework on AI that would be applicable to the whole EU, the so called AI-regulation. This regulation is still to be passed by the parliament, but there has been some recent development in this field as the European Commission proposed a new AI Liability-directive on the 28th of September.
The main objective of the AI Liability-directive is to regulate the liability relating to questions on damages caused by AI-based products and systems. The European Commission simultaneously proposed a revision of the product liability directive, to supplement the proposed AI Liability-directive.
These proposals is yet to be adopted by the European Union.