(English) The Regulation of Information Society Services in Greek Law

The Greek legal order does not follow a convergent approach in the regulation of the telecoms and information society services’ sectors. As a result, electronic communications networks and media content are regulated by different frameworks of law. Thus, information society service providers are defined as undertakings, which provide any service normally provided for remuneration, at a distance (without the parties being simultaneously present,), by electronic means and at the individual request of a recipient of services, i.e. provided through the transmission of data on individual request (see art. 2 παρ. 2 of Presidential Decree 39/2001). “By electronic means” means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means (see art. 1 of Directive 98/34/EC). The provision of information society services is not regulated by electronic communications law, but rather by specific provisions of the legal frameworks regarding e-commerce, intellectual property, data protection, the confidentiality of communications and consumer protection.

“Safe Harbour” Provisions

The legal provisions that regulate the liability of information society service providers for the content transmitted through their networks or hosted by their services can be found in articles 11 – 14 of the Presidential Decree no. 131/2000 (GG 116/A/16-05-2003), which transposed Directive 2000/31/EC into Greek law.

Article 14 of the Decree explicitly states that internet intermediaries have no general obligation to monitor the information which they transmit or store, nor a general obligation to actively seek facts or circumstances indicating illegal activity. As a result, internet intermediaries bear no obligation to adopt preventive measures, such as manual or technological filtering, in order to avoid the execution of illegal acts in their networks and services (see also European Court of Justice, Decision of 16 February 2012, C-360/10, SABAM v NETLOG).

Under specific conditions the Decree establishes a “safe harbour” regime for any undertaking that acts as an internet intermediary. The law divides internet intermediaries in three general categories and provides distinct conditions for the protection of each category of internet intermediaries under the regime. In case that an internet intermediary comes under the “safe harbour” regime, then the latter shall be exempted from any liability both under civil or administrative and criminal law for any acts or omissions of third parties conducted through its networks or in relation to its services.

According to the categorisation mentioned above, internet access providers and, in general, electronic communications network operators that act as mere conduits, will not be held liable for the information transmitted through their networks, on the condition that such providers (see art. 11 of the Presidential Decree no. 131/2000) :

a) do not initiate the transmission;
b) do not select the receiver of the transmission;
c) do not select or modify the information contained in the transmission.

Furthermore, the law exempts from any liability for the information transmitted all internet intermediaries, such as cache server providers, which provide information society services consisting of the automatic, intermediate and temporary storage of information, performed for the sole purpose of making more efficient the information’s onward transmission to recipients of the service upon their request, on the condition that such providers (see art. 12 of the Presidential Decree no. 131/2000) :

a) do not modify the information;
b) comply with conditions on access to the information;
c) comply with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;
d) do not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information.

Finally, the law exempts from any liability for the information hosted all internet intermediaries, which provide information society services consisting of the storage of information provided by recipients of the service, on the condition that such providers (see art. 13 of the Presidential Decree no. 131/2000) :

a) do not have actual knowledge of the illegal activity or information and, as regards claims for damages, are not aware of facts or circumstances from which the illegal activity or information is apparent; and
b) the recipient of the service is not acting under the authority or the control of the provider.

This liability exemption is so extensive as to cover not only internet hosting providers but also internet content providers, such as for instance providers of on line chat, blogging or other social network platforms, online marketplaces and auctions, video and photo sharing websites, website administrators, software distribution websites and news portals.

Nevertheless, the “safe harbour” provisions mentioned above are valid for all types of internet intermediaries without prejudice to the possibility for a court or an administrative authority to order such intermediaries to terminate or to prevent an infringement from taking place through their networks or in relation to their services (see articles 64A and 65 of the Act no. 2121/1993 in transposition of Directives 2001/29/EC and 2004/48/EC).

“Notice & Take Down” Procedures

As exhibited above, articles 12 and 13 of the Presidential Decree no. 131/2000 establish, inter alia, “safe harbour” regimes for caching and hosting internet intermediaries. However, the same provisions also provide for the obligation of internet intermediaries to inform public authorities of any illegal activities that come to their notice. Furthermore, these provisions enforce certain “notice and take down” procedures, which, if not followed, may result in the abrogation of the protecting regime and in full liability for the intermediary concerned.

In particular, without prejudice to the provisions regarding the confidentiality of communications and the protection of personal data internet intermediaries are obliged (a) to promptly inform the competent public authorities of alleged illegal information provided or activities undertaken by recipients of their service and (b) are obliged to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements (see art. 14 παρ. 2 of the Presidential Decree no. 131/2000).

As far as the “notice and take down” procedure for caching internet intermediaries is concerned, the law states that, upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement, the caching provider is obliged to act to remove or to disable access to the information it has stored. Such removal should be conducted expeditiously. If the “notice and take down” procedure is not followed, the caching provider shall bear the full liability for the illegal act or omission conducted by the exploitation of its services(see art. 12 παρ. 2ε of the Presidential Decree no. 131/2000).

Finally, in regard to the “notice and take down” procedure for hosting internet intermediaries, the law states that, upon obtaining actual knowledge or awareness of the illegal activity or information or of facts or circumstances from which the illegal activity or information is apparent, the hosting provider is obliged to act to remove or to disable access to the information. Such removal should be conducted expeditiously. If the “notice and take down” procedure is not followed, the hosting provider shall bear the full liability for the illegal act or omission conducted by the exploitation of its services(see art. 13 παρ. 1β of the Presidential Decree no. 131/2000).

In case caching and hosting providers are given notice and do not expeditiously proceed to take down, they may be held to have full civil liability for illegal acts of third parties conducted in relation to their services. Accordingly, in case that such illegal acts constitute criminal offences, caching and hosting providers may face criminal charges as primary or secondary accessories to these acts (see articles 46 and 47 of the Criminal Code). Finally, in case that internet intermediaries in general fail to inform and cooperate with public authorities, as the law prescribes, regarding the investigation and prosecution of any illegal activities that come to their notice, they may face charges for the criminal offence of harbouring a felon (see articles 231 of the Criminal Code).

Intellectual Property Rights’ Implications

As noted above, the “safe harbour” provisions do not prejudice the rights of intellectual property right holders to request administrative measures or judicial protection, so as to order internet intermediaries to terminate or to prevent an infringement from taking place through their networks or in relation to their services. Therefore, relevant to the provision of internet intermediaries’ services are the Acts establishing increased protection for intellectual property rights.

Hence, authors have inter alia the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them (see article 3 παρ. 1η of the Act no. 2121/1993). Furthermore, trademark right holders have inter alia the exclusive right to use their mark (see article 125 of the Act no. 4072/2012)

On the legal basis mentioned above, right holders have the right to apply for an injunction against intermediaries, whose services are used by a third party to infringe an intellectual property right (see article 64A of the Act no. 2121/1993 and article 154 παρ. 8 of the Act no. 4072/2012, in transposition of article 8 παρ. 3 of Directive 2001/29/EC and in transposition of article 11 παρ. 3 of Directive 2004/48/EC ). Such injuctions may concern the temporary blocking or removal of the infringing content, but they could also involve the imposition of a temporary seizure of the relevant media, infrastructure or databases, creating therefore risks regarding the operation of the service (see articles 683 – 703 of the Code of Civil Procedure).

Right holders also have the right to file an action against intermediaries, whose services are used by a third party to infringe an intellectual property right, and to demand for the the damaging act(s) to be ceased and prohibited from being repeated in the future (see article 65 of the Act no. 2121/1993 and article 150 παρ. 4 of the Act no. 4072/2012, in transposition of 10 παρ. 1 and 11 of Directive 2004/48/EC ). Demands for compensation should not be excluded, especially if the protective provisions of the “safe harbour” regime are deemed as non – applicable due to acts or omissions of the internet intermediary.

Relevant to the above is the Athens Court of First Instance Decision no. 4658/2012, which currently constitutes the most important case law precedent in Greece regarding the liability of internet access providers in the context of copyright law. The decision referred to a case of two websites that provided links to copyright protected musical works. After a petition for a preliminary injuction by several copyright collective societies, by virtue of the decision mentioned above the Athens Court of First Instance ordered all ISPs to block access to the specific ULRs and IP addresses of these websites. The Court rejected the plaintiffs’ requests for the implementation by the ISPs of preventive measures, such as internet filtering. Nevertheless, the Court was not able to clarify the legal, technical and actual differences between the act of hosting a protected work without the permission of the copyright holder and the act of (hyper)linking thereto.

Black List & Blocking Provisions

According to article 52 παρ. 10 of the Act no. 4002/2011, the Gaming Regulatory Commission (GRC) has the power to form a black list of unlicensed gaming websites and order internet access and hosting providers having offices in the country to block their users’ access to them.

Also relevant to the provision of electronic communications and information society services is the power of the GRC under article 4 παρ. 7 of the recent GRC Decision no. 23/3/23-10-2012 (GG 2952/B/05-11-2012) to order hosting providers having offices in the country to disclose any personal data of the persons responsible for the operation and administration of unlicensed gambling websites, hosted by them. Finally, the GRC holds the power to issue regulations on the technical specifications of the operation of servers hosting gambling websites (article 45 παρ. 2 of the Act no. 4002/2011). Such regulations have not yet been issued.

In cases that, after a prior seven (7) days notice by the GRC, internet access and hosting providers fail to block access to unlicensed gambling websites, the GRC has the power to imposeƒ fines of up to 50.000 € and double the fine in cases of repeated violation of the aforementioned obligation (see article 6 παρ. 2.2 of the recent GRC Decision no. 23/3/23-10-2012).

Net Neutrality Requirements

The Greek Constitution recognises the freedom of information, both passive and active (art. 5A παρ. 1), and the right to participate in the information society, both by accessing its basic infrastructure and its information flows (art. 5A παρ. 2), as fundamental rights.

In specifying these constitutional rights, the law provides that, when taking measures regarding end-users access’ to, or use of, services and applications through electronic communications networks, public authorities are obliged to respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law (see art. 3 παρ. 1 ζ of the Act no. 4070/2012).

Such measures may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation is subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process (see art. 3 παρ. 1 ζα of the Act no. 4070/2012).

Accordingly, these measures may only be taken with due respect for the principle of the presumption of innocence and the right to privacy. A prior, fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to effective and timely judicial review shall also be guaranteed (see art. 3 παρ. 1 ζβ of the Act no. 4070/2012).

The legal obligations exhibited above not only specify constitutional rights but also transpose the net neutrality provisions of Directive 2009/140/EC into Greek law. Therefore, they have superior mandatory power and cannot be transgressed by acts enacted by the Greek Parliament or other legal instruments of an inferior mandatory power, such as administrative decisions of the NTPC or the GRC.

According to article 25 παρ. 1 of the Constitution, fundamental rights produce a horizontal effect between private persons, in cases where major asymmetries of power are observed. The role of internet access and hosting providers in the technical operation of the internet sets them in such a position so as to control access of their end users to the information society, hence making them dependent on the services offered to exercise their fundamental rights. As a consequence, the setting of qualitative or quantitative limits or the blocking of access to the internet by internet access and hosting providers vis a vis the recipients of their services, even if imposed by contractual provisions, may be considered as a violation of fundamental rights and result in liability of the former to the latter.

Law Enforcement Matters

According to article 3 παρ. 2β of the GDPA, data protection law shall not apply to the processing of personal data, which is carried out by judicial and public prosecution authorities and authorities, which act under their supervision, in the framework of attributing justice or for their operational needs, with the aim of verifying crimes which are punished as felonies or misdemeanors with intent, and especially with the aim of verifying crimes against life, against sexual freedom, crimes involving the economic exploitation of sexual life, crimes against personal freedom, against property, against the right to property, violations of legislation regarding drugs, plotting against public order, as well as crimes against minors.

Internet intermediaries normally retain not only data regarding the communications but also personal data of their customers, inter alia for the purposes of providing the relevant internet intermediary services and of billing and collection.

In case that law enforcement authorities request access to the content and the external data (traffic, location etc) of customer communications, the legitimate procedure for access to communication data and lawful interception described in chapter 5.4.2 will have to be followed. Nevertheless, in case that law enforcement authorities request access to ordinary personal data of customers that are not related to their communications, such as name, address etc, and internet intermediaries retain such data, the latter shall be obliged to provide access to them (see article 3 παρ. 2β of the GDPA, Public Prosecutor’s at the Supreme Court Opinion 6/2012). Access shall only be granted by virtue of a relevant Public Prosecutor’s Order in the context of a criminal investigation. Due to the fact that data protection law, and in specific the right of the data subject to be informed, does not apply in the cases provided under article 3 παρ. 2β of the GDPA, the data subjects will not have to be informed by internet intermediaries for the access of law enforcement authorities to their data.

In case that internet intermediaries fail to comply with the procedure mentioned above, they may face charges for the criminal offences of disobedience and of harbouring a felon (see accordingly articles 169 and 231 of the Criminal Code, see also the Public Prosecutor’s at the Supreme Court Opinion no. 6/2012).

The Country of Origin Principle

Article 2 παρ. 1 of the Presidential Decree 131/2003 establishes the country of origin principle in electronic commerce law. According to this principle, the EU member state, where the information society services originate, is responsible for their monitoring and not the member state receiving such services, subject however to the exceptions of article 2 παρ. 3 of the aforementioned Decree.

Thus, an information society service provider, having its main pursuit of economic activities in Greece, shall be capable of doing business throughout the EU, provided that these activities comply with Greek law.