Urs: “The internet has a memory like an elephant.”

Yep.

The article also mentions that Steve Jobs has recently blamed the major labels for obliging Apple to impose DRM protection on iTunes, and that he would be happy to sell non-DRM’ed music.  EFF’s Jason Shultz doubts that this statement could be taken at face value.

At the current state of play it doesn’t seem to make much business sense to try to bind consumers to iPods through iTunes:  First, the vast majority of songs played on iPods is not DRMed, and–as anti-DRM activists rightly claim–it is logically impossible to prevent the use of non-DRMed music by selling DRMed music.  Second, iPods somehow appear to be cooler than a) iTunes files and b) MP3 players of Apple’s competitors, and they’re expensive:  If a consumer wants to replace her iPod, I surmise that it would be cheaper in most cases to replace it by a no-name player and either burn-and-rip her iTunes or buy the respective songs at another online music store, than buying a new iPod.

My take on the story is that Steve Jobs’ statement is compatible with Apple’s business interests–at least in the short or mid-term.  The situation would only be different if a) the next generation of iPods is a flop or if b) non-DRMed music were not available anymore.

So this is a good occasion to muse about a framework for legal research into this extremely exciting topic. Having that framework is not an accomplishment itself, but it might be useful in order to frame research questions more precisely and discover possible lacunae in existing scholarship on the topic.

The following categories might be a useful starting point for a more sophisticated taxonomy. They are of course interrelated and not entirely separable from one another, and the situations where this tentative framework could be useful might be even rare.

Here are my suggestions:

• Our law applied to legal issues of MMORPGs of our world, in particular to the game provider and his customers. This could be anything from the law of contracts (EULA/terms of service), business method patents, new legal forms for MMORPGs, etc.

• Our law applied to things that happen in virtual worlds. From this perspective, virtual worlds are all about information law because they are not much more than information. Research topics could include the copyrightability of goods created in virtual worlds, libel and slander in virtual worlds, etc.

• The law of virtual worlds, as created by their residents. Basically, this could be any field of law that could be created from scratch by the residents of a virtual world. Subjects would include the constitution of and constitutional rights in virtual worlds, virtual land and chattels, the emergence of informal or formal criminal law in virtual worlds, etc.

• What looks like the most interesting to me is the last category: The relationship between the law of virtual worlds and our law. Virtual worlds and their law—ultimately as parts of this world we live in and our law—do interact with this world, not only vice versa. How this happens could be analyzed, for instance, from the perspective of Talcott Parsons’ and Niklas Luhmann’s systems theory. But the field is much broader: We could ask, for instance, what the relationship between (real world) code and the law in virtual worlds is: e.g., if the code of the game permits theft or rape in the virtual world, can or should that be illegal in the physical world and/or in the virtual world? Or, last but not least, the border can be crossed by teaching law, like Charlie Nesson’s extension school course and his planned moot court in Second Life.

I admit I’m too (1) busy, (2) lazy, (x) tired to do a reality check with this framework. If you, dear reader, want to do it, that would be great–I would suggest that you start with the 1400+ blog posts on virtual worlds at HLS and see whether it makes sense to categorize them within the framework.  A notice of your results would be greatly appreciated.

 ”Dear Mr. Haeusermann,
We have taken over the ____ portal beginning of November, which included an address database. We wrote to the people in the database once, and at the same time deleted the addresses.
[apologies]“

So far so good.

The conference on data protection was a big success, as the organizers were able to gather the crème of Swiss data protection lawyers. One of the lessons learned from the keynotes of Prof. Herbert Burkert (President of the FIR-HSG), Prof. Rainer J. Schweizer (President of the Federal Data Protection and Transparency Commission and member of the board of the FIR-HSG), Sig. Tiziana Mona (Member of the Federal Data Protection and Transparency Commission), and Hanspeter Thür (the Federal Data Protection and Information Commissioner) is that individual enforcement of data protection law (e.g. what I did vis-à-vis the spammer) is important, but other regulatory instruments can be more effective.

• As a first example, the Data Protection Commissioner may publish recommendations which are directed at the private sector and have covered fields such as the collection of data by property management companies, spamming, or the use of biometrical access controls by recreational facilities. Mr. Thür explained that these recommendations, though not binding, regularly provoke intense reactions (both positive and negative) from the public. He also has the impression that the recommendations have a much broader impact than court decisions (which are quite rare, btw).
• Second, in the fields of national security and the war on organized crime, the access right of individuals cannot but hamper these (largely) legitimate ends. In a recent judgment, which is currently on appeal with the Federal Supreme Court, the Data Protection and Transparency Commission decided on the basis of the European Convention on Human Rights that the access right has to prevail. That case is extremely interesting, and I’ll get back to it next year after the verdict of the Supreme Court. In essence, the Commission found the statutory mechanisms, by which individuals can have the lawfulness of data processing checked, ineffective and thus unconstitutional. Where the necessity of enforcement of data protection law by individuals results in crippled information rights, it seems to be a better idea to create institutional safeguards, for instance regular data protection audits with law enforcement and national security agencies by an independent, but trustworthy institution (e.g. the Data Protection Commissioner).

My first example is spamming, one of the digital scourges of mankind, and a phenomenon which has become recently under suspicion of deepening the digital divide between digital natives and older people (twenty-something +).

Lately, I received one of the few “domestic” spam emails, that is, one from a Swiss million pixel website. As spamming is not clearly illegal in Switzerland yet–an anti-spam amendment to the Unfair Competition Act is under way–, I decided to test that company’s data protection compliance:

Under Swiss (and European) law, every person whose data (i.e. information on an identifiable person) are processed, has an unconditional right of access ot these data, including the right to know the purpose of processing, the categories of data processed, the persons involved in the processing of data, the source of their data, etc. (Art. 8 of the Swiss Data Protection Act [in English]–its EU equivalent, though with a different scope, is Art. 12 of the Data Protection Directive 95/46/EC.)

The data controller has thirty days to respond to a request; the information must be given free of charge (with very narrow exceptions); and a violation of the right of access by the controller is punishable by a fine and/or up to 90 days of imprisonment.

This morning, I sent the spammer a request pursuant to Art. 8 Data Protection Act, mainly because I wonder how he got my email address, but also because requests like mine are apt to make spamming horribly expensive: It is hardly conceivable that these requests can be processed automatically. So, if only a small percentage of spammees “ask back”, they can make spamming prohibitively expensive, and probably even drive a SME out of business.

To conclude: the regulatory burden Art. 8 Data Protection Act creates can be a very effective weapon, which can be used against legitimate and illegitimate businesses.