TMT 2019

Last Updated June 13, 2019

Czech Republic

Law and Practice

Authors



Rowan Legal is engaged by clients including top Czech banks and insurance companies, the largest e-commerce group in Central and Eastern Europe, two out of the three largest Czech telco operators and several large IT companies and big data analytics businesses, among others. The team advises on IT and licensing, and on claims from wrongful IT implementations. In telecommunications matters, the team primarily supports clients with the legal aspects of the provision of telecommunications services and compliance with regulatory requirements, including the GDPR, or representation before the Czech Telecommunications Office. The firm has the largest data protection team in the Czech Republic, which conducts audits and due diligence in the field of privacy law, leads a broad range of GDPR implementation projects, reviews internal data processing systems and rules, advises on all aspects of data processing, and represents clients before the Czech Data Protection Office and in informal discussions with the regulator. The firm is also active in the field of IT law, and focuses particularly on regulations that introduce innovative technical solutions, such as PSD2 and eIDAS.

There are not many laws or regulations that specifically regulate cloud computing in the Czech Republic. One of them is Act No 181/2014 Coll, on cybersecurity, as amended (the 'Cybersecurity Act'), and the related Decree of the National Cyber and Information Security Agency No 82/2018 Coll, on security measures, cybersecurity incidents, reactive measures, formalities of submissions in cybersecurity and on data liquidation (the 'Cybersecurity Decree'). The Cybersecurity Act represents a transposition of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. These two pieces of legislation list cloud computing as one of the areas which require special security measures to ensure the security of the information in information systems. Cloud services providers have obligations as digital service providers under the Cybersecurity Act. In particular, the Cybersecurity Act contains requirements on contracts between public authorities in the specific sectors (see below) and cloud services providers. The Cybersecurity Decree further prescribes the method of liquidation of confidential data stored in the cloud.

Cloud computing is also one of the information society services and as such it is regulated by Act No 480/2004 Coll, on certain services of the information society, as amended (the 'Information Society Services Act'), which represents a transposition of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Cloud computing is not explicitly mentioned in the Information Society Services Act, but it falls within the definition of an information society service. The Information Society Services Act regulates the liability of cloud services providers for the content of users' data stored in the cloud, if such content breaches the law and/or the rights of third parties (such as copyright).

Several industries are subject to greater restrictions in terms of the use of cloud computing. These restrictions are set by the Cybersecurity Act, which applies to:

  • providers of electronic communication services and providers of electronic communication networks;
  • operators of significant networks (ie, networks that secure direct foreign connection to communication networks or direct connection to critical infrastructure);
  • administrators and operators of information systems of critical information infrastructure;
  • administrators and operators of communication systems of critical information infrastructure;
  • administrators and operators of significant information systems (ie, information systems operated by a public authority in which the confidentiality breach might restrict or endanger the exercise of responsibilities of the public authority);
  • administrators and operators of essential services information systems (essential services are services in energy, transport, banking, financial markets, healthcare, water management, digital infrastructure and chemistry sectors);
  • operators of essential services;
  • digital service providers.

Even in industries where the law does not specifically regulate the use of cloud services, cloud computing must not be used in a way that would jeopardise the fulfilment of other legal duties, such as confidentiality. Examples of sectors where cloud computing must be used with caution are legal or medical services, where the providers are bound by a duty of confidentiality towards the data of their clients/patients. The use of the cloud is not forbidden in these sectors, but practitioners in these areas should be especially careful when selecting a cloud services provider.

Processing of personal data in the Czech Republic falls within the scope of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), and therefore the rules for processing are consistent with the rules applicable elsewhere in the EU.

In general, it is possible to use cloud services to process personal data. If the cloud is used, it is always necessary to observe the general principles of the GDPR and comply with the duties stemming from the GDPR. With respect to the technology used for data processing, such as cloud computing, data controllers are always obliged to use a suitable technical solution and employ trustworthy cloud services providers to ensure a level of security appropriate to the risk, the nature of the data, the current state of the art, etc.

It has also been established by the Article 29 Data Protection Working Party (in its Opinion 05/2012 on Cloud Computing) that with respect to storing data in the cloud (which is a data processing operation), the cloud client acts as the data controller and the cloud provider is considered a data processor. Any use of cloud services for personal data processing must therefore be governed by a data processing contract that meets the requirements of the GDPR.

The issues arising in the context of the processing of personal data in the cloud are similar to those faced by the rest of the EU. One of these issues is the distribution of responsibility for data processing between the cloud client (as the data controller) and the cloud services provider (as the data processor), especially in cases where cloud services are provided as a ready-made solution. In these cases, the client's ability to oversee or even control the data processing is reduced, although as the data controller, the client still has obligations and responsibilities under the GDPR.

Another highly problematic issue is using cloud services with servers located outside the EU territory. Storing data in third countries is possible only if the third country where the servers are located has obtained the so-called adequacy decision of the Commission (meaning that the level of data protection in such a country is substantially the same as in the EU), if additional guarantees of data safety and security are provided, or if other specific conditions set by the GDPR apply.

Blockchain technology does not have a binding definition or a specific regulation in Czech law; therefore, only general laws and principles (eg, from the areas of tax, financial, contract, property or criminal law) apply to it. However, changes to the current legislation, especially the legislation concerning securities (ie, security tokens and the definition of securities) that would accommodate the blockchain technology, are being discussed between digital industry initiatives and the legislators.

Possible adoption of the blockchain-specific legislation is currently complicated by the fact that there are still many uncertainties surrounding the technology and its basic proclaimed characteristics, ie, immutability, security and transparency.

The blockchain’s characteristics depend, to a large extent, on the type of blockchain technology (ie, private, public or hybrid blockchain). Prior to the launch of any blockchain technology, regardless of its type, a thorough assessment is necessary.

The main risks of blockchain technology are currently related to data privacy, cybersecurity and smooth operation.

The liability for the blockchain itself is currently unclear. One possible interpretation of blockchain is that all or some of its participants form a society; that is, the association of persons led by a common purpose (in this case, the operation of the blockchain network). In such a case, the liability is shared between all members of the society.

The liability for the transactions conducted via blockchain (including smart contracts) will be governed by the Civil Code (Act No 89/2012 Coll, as amended).

Intellectual property might concern both the content stored on the blockchain and the blockchain itself. Blockchain could also be used in the field of intellectual property, especially for the administration of databases for collective rights management.

The content of a blockchain might be protected as a database by copyright or by a sui generis database-protection right, if the conditions for such protection are met. As to the blockchain itself, public blockchains typically operate under an open-source licence, whereas other blockchains might be proprietary. In both cases, software copyright protection also applies. In addition to copyright protection, inventions based on blockchain might be eligible for patents (if they meet the general patentability criteria).

With respect to data privacy, the main attention needs to be paid to personal data, which falls under the protection of the GDPR. As to personal data on a blockchain, public keys, which are vital for the functioning of a blockchain, are currently perceived as (pseudonymous) personal data, which means that a blockchain will always contain some personal data. Other personal data might be stored directly on the blockchain (in plain text or protected by various levels of encryption), or it might be stored separately off-chain (in such a case, the blockchain would contain only a pointer to the actual location of the data).

Privacy challenges differ for public and private blockchains. Public blockchains are more problematic in this respect, mainly because the responsibility for data processing is not allocated to a single entity (instead, all nodes participating in the blockchain act as data controllers). In the case of private blockchains, the identification of an entity that can qualify as the data controller is easier, because even though there can also be multiple nodes, private blockchains are controlled by a single entity or a consortium. Other issues include the limited possibility to permanently erase or to rectify personal data stored on a blockchain, which is contrary to the 'right to be forgotten' granted by the GDPR.

A possible technical solution to the problem of GDPR compliance lies in private blockchains, which offer more privacy protection. Although certain issues outlined above (mainly the complicated data erasure) also apply to private blockchains, they are not inherently incompatible with the GDPR - the compatibility depends on the design of each blockchain-based solution, and a thorough assessment on a case-by-case basis is necessary. Due to the implications of blockchain technology for data privacy, off-chain storage of personal data is recommended in any case.

As to the non-personal data stored on blockchain, the suitability of the technology depends on the nature of the data. Given the distributed and transparent nature of blockchain (at least in its public form), it is not suitable for confidential data and transactions.

No matter what service is to be provided, Service Level Agreements (SLAs) in the Czech Republic have no legal definition and are considered an innominate contract under the Civil Code (ie, there are no essential elements of the contract prescribed by law). All obligations and duties arise from the contract, with the exception of services regulated by the Cybersecurity Act (services falling under the Cybersecurity Act are listed in the section dealing with cloud computing).

Providing blockchain services does not change the nature of SLAs. There are no additional regulatory requirements for blockchain service levels. From a practical point of view, different SLAs will be needed for the service provided at the platform or application level and for the blockchain protocol level itself.

Given the inherently transnational nature of blockchain, jurisdictional issues are likely to arise. Any disputes regarding jurisdiction will have to be resolved by the application of the conflict of law rules which, in the Czech Republic, include Act No 91/2012 Coll, on international private law, Regulation (EC) No 593/2008 of the European Parliament and of the Council on the law applicable to contractual obligations (Rome I), Regulation (EC) No 864/2007 of the European Parliament and of the Council on the law applicable to non-contractual obligations (Rome II), Regulation (EU) No 1215/2012 of the European Parliament and of the Council on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels I bis) and relevant international treaties.

Big data, machine learning and artificial intelligence are closely connected and would often be found together in one project. Given that big data serves as input that enables both artificial intelligence and more specifically machine learning, the following considers the challenges of big data, then artificial intelligence and finally machine learning as one of the main applications of artificial intelligence.

When working with so-called big data, it is necessary to consider primarily personal data protection. If the data set contains data of an identified or identifiable person, data processing is regulated by the GDPR. The data protection principles are explained in greater detail below; they apply also to the processing of big data. Because processing of big data involves working with large quantities of data and insights gained from them can significantly affect data subjects (eg, when used for algorithmic decision-making), it can usually be classified as high-risk processing under the GDPR. Therefore, corresponding obligations (such as the obligation to carry out a data protection impact assessment or data-breach notifications) will apply to controllers and processors of big data.

A particular issue for big data processing in terms of the GDPR is the compliance with the purpose limitation principle, which goes contrary to the very nature of big data analysis (ie, analysing data of high volume and variety for obtaining new insights in unforeseen areas). A possible solution is a complete and irreversible anonymisation of data (in which case the GDPR would not apply), but that is increasingly difficult when sophisticated data-analysis tools are used and almost impossible where large sets of data relating to single data subjects are collected.

It is also necessary to distinguish between open and proprietary data, as the latter might be protected, for example, as a trade secret under the Civil Code or as a database under the Copyright Act (Act No 121/2000 Coll, as amended).

Machine learning, as one of the most advanced uses of artificial intelligence, brings additional challenges on top of those already described in connection with big data and AI themselves. Machine learning, especially when used as a basis for decision-making mechanisms, can touch even fundamental rights. Such algorithms have been known to lead to unintentional discrimination, for example as a result of the data sets used for machine learning.

Decision-making based on machine learning also leads to the well-known 'black-box' problem of the opacity of the algorithms used, and to a conflict between intellectual property rights (mostly trade secrets) and transparency.

From the data protection perspective, automated decision-making may be performed if necessary for the contract performance, if authorised by law or if based on explicit consent. Further, persons who are subject to algorithmic decision-making (including profiling) have special rights, such as the right to request a human intervention.

Artificial intelligence is currently used in many 'smart' devices, such as robots or autonomous vehicles. Apart from the data-related issues, which are the same as for big data, the main challenge for such devices is liability for their operation. In Czech law, there is no special category of 'autonomous electronic agents', nor are there plans to form such a category. For now, AI devices are considered to be 'things', and any harm or damage caused by the faults of such devices or by their use is regulated by the relevant Civil Code provisions.

Depending on the circumstances, the liability for the damage can rest with the manufacturer, distributor or other persons in the supply chain or with the person who used the device. If the damage was caused by the device that is not faulty, the liability rests with the owner or the person who neglected to oversee the device.

AI can also raise significant legal issues when it is used for machine learning and especially for automated decision-making (see below).

The collection of personal data by IoT devices falls under the GDPR, and as such it needs to comply with the personal data processing principles outlined in the relevant section. In the context of IoT devices, the main complications perceived are ensuring data security and having a legal basis for the processing, such as the performance of a contract or the free and informed consent of users to the data processing.

Machine-to-machine communication and its secrecy should be specifically regulated by the prospective EU-wide ePrivacy Regulation. The regulation has not been adopted yet; until it is, the Information Society Services Act and Act No 127/2005 Coll, on electronic communications and on changes of certain related acts, as amended (the 'Electronic Communications Act') apply to such communication. The Electronic Communications Act implements Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities, the Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services, the Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services and the Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users’ rights relating to electronic communications networks and services (which are to be replaced by the Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code with effect from 21 December 2020), the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, the Commission Directive 2002/77/EC of 16 September 2002 on competition in the markets for electronic communications networks and services and the Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment.

Due to their complexity, IT service agreements fall within more than one of the specified types of contract under the Civil Code (they contain elements of a contract of work, contract of agency and possibly also other types of contract).

IT service agreements typically need to deal with several challenging issues, both related to general contractual terms and to the specific subject matter. With respect to contractual terms, the nature of IT services leads to the difficulties in specifying the licence terms, data ownership, co-operation obligations, reasons for termination of the contract, process of termination and exit or complicated dispute resolution during the provision of services.

With respect to the subject matter, the most challenging part of any IT service agreement is specifying the subject matter of the agreement in a way that leaves no room for doubt as to the desired output of the contractor's activity under the agreement (such as availability), and defining service levels and faults that may occur during the service, including remedies and response times. In the absence of such a specific definition, it may be difficult for both parties to raise claims (either by the customer in respect of the contractor's faulty performance of the contract, or by the contractor in respect of the customer's failure to pay for performance that conforms to the contract).

In the case of a contract between private entities (provided that one of the parties is not a consumer), the parties have a wide autonomy as to the terms of the contract, including price or contractual penalties. The only legal requirements for a valid contract are that the contract must express free and clear will of the parties, must be sufficiently clear as to its subject matter and must be made by authorised representatives of the parties.

Other rules need to be taken into account in specific cases. For the rules on cybersecurity and personal data processing, see the relevant sections above.

The rules regarding data protection in the Czech Republic differ depending on the type of data and the data subject. It is necessary to distinguish between data belonging to individuals and companies, and between personal and other data.

The differences are further explained below.

Data about companies are not personal data and their protection is limited. Companies can protect their sensitive information as a trade secret and the Civil Code provides the protection of the goodwill and reputation of companies. Further, the Information Society Services Act grants protection against unsolicited commercial communication (spam).

Individuals (regardless of their possible status as a consumer or an entrepreneur), on the other hand, enjoy protection of their personal data granted by the GDPR. In addition, the Civil Code protects the name, personality and physical appearance of individuals. The protection of these personal traits might overlap with personal data protection. The protection against unsolicited commercial communication granted by the Information Society Services Act also applies to individuals.

Processing of non-personal data is not regulated by any general law. However, the processing of some types of data is regulated by a special legislation (the general data protection legislation is dealt with separately). For example, the Electronic Communications Act regulates storing and use of service and location data which are created or stored in the course of provision of public electronic communications services.

The processing of personal data is governed by the main principles set by the GDPR; that is, the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability. In addition, other principles apply, such as data protection by design and by default. These principles provide the framework for the rights of data subject and corresponding obligations of data controllers and data processors.

In the case of the use of resources provided by the employer to the employee, it is necessary to establish a balance between employer’s right to protect its property and employee’s right to privacy (with respect to personal data of employees, the GDPR applies).

This balance is provided by Act No 262/2006 Coll, the Labour Code, as amended (the 'Labour Code'). The Labour Code specifically stipulates that without employer’s consent, employees cannot use tools provided by the employer (including computers, phones and other IT and telecommunication devices) for personal purposes. The employer is entitled to reasonably monitor that employees observe this provision.

However, the Labour Code protects the privacy of employees as well, by stating that the employer must not, without a serious reason, invade the privacy of employees in the workplace by open or secret surveillance, recording or interception of phone calls, monitoring employees’ location (when using employer’s vehicles), checking employees’ electronic or physical mail, controlling web browsing history, etc. The serious reason justifying the monitoring can be the protection of health and safety or property of the employer, other employees or third persons. Even then, the monitoring must be reasonable and proportionate to the reason justifying it. For example, the employer might find out (by monitoring the employer’s computer) that the employee uses the work computer for private communication but is not entitled to read the content of such communication.

Employees must be informed about any monitoring activities of the employer in advance. It is advisable to include the rules on computer resources and data protection in employment contracts, internal directives or collective agreement (in case that employees are represented by a trade union).

Telecommunications are regulated by the Electronic Communications Act. Telecommunications are one example of electronic communications, together with radio and television broadcasting and similar services.

The Electronic Communications Act is technology neutral and therefore does not list any specific technologies. It covers all services which are usually provided for payment and whose provision consists wholly or mostly in the transmission of signal over electronic communications networks, such as classic telephony, voice-over-IP, instant messaging or RFID. The Electronic Communications Act does not relate to the services that consist only in the provision or editing of content.

The operation of electronic communication networks or the provision of electronic communication services must be notified to the regulatory authority (the Czech Telecommunications Office) in advance. The administrative fee for such notification is CZK1,000.

The Czech Telecommunications Office issues measures of general nature which are binding for all entrepreneurs running networks or providing services falling within the scope of a given measure.

Apart from the measures of general nature, the Czech Telecommunications Office also issues individual approvals; for example, for the use of certain radio frequencies or for assigning of numbers, number lines, codes and addresses.

Providing audiovisual services such as TV or radio by private operators is regulated by Act No 231/2001 Coll, on the radio and television broadcasting, as amended (the 'Broadcasting Act'). On-demand audiovisual services are regulated by a special legislation, Act No 132/2010 Coll, on the on-demand audiovisual media services and on amendment of certain acts (the 'On-demand Audio-visual Services Act'). Broadcasting and on-demand services differ significantly in terms of requirements for their providing. Both the Broadcasting Act and the On-demand Audio-visual Services Act implement the Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the co-ordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services.

Radio and TV Broadcasting

Radio and television broadcasting are subject to a licence; the licensing procedure differs for terrestrial broadcasting and for a group of other broadcasting systems (which includes satellite, cable and specific broadcasting systems and terrestrial digital broadcasting). The main difference is that for the second category, the licensing process is simplified, and the licence has to be granted if the applicant meets all legal requirements. In the first category, the applicant is not legally entitled to the licence, even if it meets the requirements.

A licence for providing audiovisual services can be obtained by legal or natural persons who meet the legal requirements (ie, they have full legal capacity, do not have a criminal record, and are not in arrears with payment of taxes, public health insurance and social insurance). Applicants for a licence also cannot be connected with public broadcasters or public office-holders (if such an office-holder would be in a conflict of interests). Persons domiciled outside the Czech Republic must appoint a representative in the Czech Republic.

The application for a licence must contain general identifying information of the applicant and its members (in the case that the applicant is a legal person). It must also specify the time and territorial scope of the broadcasting, content of the programme (in the case of a TV programme, also the part of broadcasting time reserved for European content), a business plan and technical information (depending on the method of broadcasting).

The licence is granted for a fixed time period, up to seven years for radio broadcasting and up to 12 years for TV broadcasting. The licence can be renewed.

Applying for a licence is subject to administrative fees, depending on the type of licence sought (for national and regional TV licence, the fee is CZK90,000 for the first application and each renewal; for local TV licence, the fee is CZK50,000 for the first application and each renewal; for radio licence, the fee is CZK25,000 for the first application and each renewal).

On-demand Services

On-demand audiovisual services are not subject to the licence, but their provision must be notified to the regulatory authority, which is the Council for Radio and Television Broadcasting.

The regulations of the provision of audiovisual services might apply to online video channels, provided that they constitute an on-demand service as regulated by the On-demand Audio-visual Services Act (ie, a service that enables users to choose from a catalogue of programmes of informative, entertaining or educating nature and watch them at a time selected by the user). In addition to such regulation, where applicable, when operating a video channel (eg, on YouTube or a similar platform), it is necessary to observe the terms of the given service, and to follow other applicable laws (especially laws regulating copyright).

The use of encryption is not mandatory for private entities, even in the case of personal data. However, encryption is one of the privacy-protecting methods recommended by the GDPR (other possible methods include data pseudonymisation, access restrictions or technical and organisational measures). Similarly, for activities that fall under the Cybersecurity Act scope, the Cybersecurity Decree lists encryption among possible methods of the compliance with the applicable legislation.

If the interception of communication is ordered by the police, persons providing public communication networks and public electronic communication services, which use encryption, are obliged to make sure that the content of communication is comprehensible in the end-points used for the interception of communication.

Upon the police order, the providers of public mobile telephony services might also be obliged to disable the operation of end devices that enable encryption, encoding or other method of ensuring secrecy of the content of the communication by the user (if such disabling is technically possible).

Other than that, there is no specific legislation that would prohibit encryption, require companies to de-cipher encrypted data or require mandatory 'back door' to encryption.

The use of encryption can significantly improve an organisation's position, especially in the case of a data security breach. In such cases, it is generally necessary to notify the local data protection authority and, in more serious cases, also the data subjects. However, if the data is encrypted and the key necessary for decryption has not been obtained by the attacker, the data remains safe and the risks connected with such a breach are minimal. Obligations related to the security breach and potential penalties are therefore also minimal.

Rowan Legal

GEMINI A
Na Pankráci 1683/127
140 00 Prague 4

+420 224 216 212

+420 224 215 823

praha@rowanlegal.com www.rowanlegal.com