European Parliament approves the DSM Copyright Directive Proposal

In yesterday’s session, the European Parliament approved the proposed Directive on Copyright in the Digital Single Market [see our previous comments here, here, and a more detailed position paper, here]. MEPs voted 438-226 with 39 abstentions.

Here is the text passed – a compromise solution that slightly changes from the previous version rejected by the European Parliament back in July.

Among the most controversial provisions:

  • the text and data mining (TDM) exception has been confirmed in its original structure (limited to research organizations). The new version adds an optional additional TDM exception (Article 3a) that applies in favor of lawful users except such TDM usage has been expressly reserved by the right holder.
  • the ancillary right for press publishers (art. 11) has been slightly amended:

1. Member States shall provide publishers of press publications with the rights provided for in Article 2 and Article 3(2) of Directive 2001/29/EC so that they may obtain fair and proportionate remuneration for the digital use of  their press publications by information society service providers.

1a. The rights referred to in paragraph 1 shall not prevent legitimate private and non-commercial use of press publications by individual users.

[…]

2a. The rights referred to in paragraph 1 shall not extend to mere hyperlinks which are accompanied by individual words.

4. The rights referred to in paragraph 1 shall expire 5 years after the publication of the press publication. This term shall be calculated from the first day of January of the year following the date of publication. The right referred to in paragraph 1 shall not apply with retroactive effect.

Recital 33 specifies that “the protection shall also not extend to factual information which is reported in journalistic articles from a press publication and will therefore not prevent anyone from reporting such factual information”. This seems a bit in contrast with the provision of 2a that allows reporting only “individual words”.

  • As regards article 13, filtering obligations have been only apparently removed, since in case right holders are not happy to license their contents, UGC platforms shall cooperate to block such contents

1. Without prejudice to Article 3(1) and (2) of Directive 2001/29/EC, online content sharing service providers perform an act of communication to the public.  They shall therefore conclude fair and appropriate licensing agreements with right holders.

2. Licensing agreements which are concluded by online content sharing service providers with right holders for the acts of communication referred to in paragraph 1, shall cover the liability for works uploaded by the users of such online content sharing services in line with the terms and conditions set out in the licensing agreement, provided that such users do not act for commercial purposes.

2a. Member States shall provide that where right holders do not wish to conclude licensing agreements, online content sharing service providers and right holders shall cooperate in good faith in order to ensure that unauthorised protected works or other subject matter are not available on their services. Cooperation between online content service providers and right holders shall not lead to preventing the availability of non-infringing works or other protected subject matter, including those covered by an exception or limitation to copyright. […]

Article 2(4b) sets out a very complex definition of the UGC platforms affected, taking into account the CJEU case law: “‘online content sharing service provider’ means a provider of an information society service one of the main purposes of which is to store and give access to the public to a significant amount of copyright protected works or other protected subject-matter uploaded by its users, which the service optimises and promotes for profit making purposes“. Recital 37a adds that this is “including amongst others displaying, tagging, curating, sequencing, the uploaded works or other subject-matter, irrespective of the means used therefor, and therefore act in an active way.” It then excludes from the definition of online content sharing service providers microenterprises and small sized enterprises, as well as service non-commercial providers such as online encyclopaedia or providers of online services where the content is uploaded with the authorisation of all right holders concerned, such as educational or scientific repositories.

Article 12a protecting sport event organizers has been introduced at a later stage (with no impact assessment).

This compromized version shows some slight improvements, despite the original defects of the Proposal still remain unsolved. Now the trilogue negotiations amongst the Parliament, the Council and the Commission will start.

Francesco Banterle

 

Early thoughts on behavioral advertising and the GDPR: a matter of discrimination?

How is behavioral advertising affected by the new EU General data protection regulation (GDPR)? This is probably one of the trickiest part of the new piece of legislation.

In its 2010 opinion (here), the group of EU data protection authorities (WP29) defined -online- behavioral advertising as “the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests”. The advertising matching is the result of an automated processing of personal data and is traditionally included in the concept of “profiling”.

When does personalized advertising entails profiling?

The threshold of profiling in perzonalized advertising is not always straightforward. The WP29 opinion distinguished among:

  1. Contextual advertising: advertising content selected based on the content currently being viewed by a user. E.g., for a search engine, the content derived from (i) the search keywords or (ii) the user’s IP address if connected to geographical location. It does not entail profiling.
  2. Segmented advertising: advertising content selected based on known characteristics of the data subject (age, sex, location, etc.), which the data subject has provided at the sign up or registration stage. It does not entail profiling.
  3. Behavioral advertising: advertising content selected based on user’s interests derived or inferred from his behavior. It entails profiling. In a recent decision (here), the Italian Garante stated that behavioral advertising entails profiling when the segmentation of the public is based both on generic data (sex, age, location) and the purchase history, as displaying different advertisement based on this data causes a diversification in the treatment of customers. This can be therefore an example of minimum level of profiling in personalized advertising.

Behavioral advertising and profiling under the Data Protection Directive

The Data Protection Directive (95/46/EC) did not specifically regulate the concept of profiling, though it already posed attention to automated data processing (which could include profiling). Article 15 was stressing that each individual should have the right not to be subject to decisions solely based on automated processing of data if they might (i) produce legal effects or (ii) significantly affect him. It left rooms for Member States to allow exceptions only in case this automated processing is (i) necessary for the performance of an agreement or (ii) authorized under national law. But behavioral advertising has not been generally included under the scope of this provision.

…and the GDPR

In the GDPR, profiling takes center stage as one of the main type of automated processing. The GDPR introduces a legal definition of profiling (Art. 4.4), that is based on the automated evaluation of individuals’ aspects to analyze or predict his/her situation, preferences, interests, reliability, behavior, location or movement. And adds right to explanation for individuals (Art. 13.2.f) and to require human intervention (art. 22.3).

Art. 22 GDPR also updates Art. 15 of Data Protection Directive, by adding “profiling” among the processing operations entailing automated decisions one has the right not to be subject to, i.e. when it might (i) produce legal effects or (ii) similarly significantly affect individuals. And introduces consent as a new legal ground for this automated processing. However, given the high risk entailed, it requires an “explicit” consent. Other legal grounds, e.g., legitimate interest, cannot be invoked. This profiling/automated processing is thus compared to special (risky) categories of personal data regulated by Art. 9 GDPR, for which “explicit” consent shall be sought.

What type of profiling entails a significant effect? Is this applicable to behavioral advertising?

Some guidance can be taken from the regime of the Data Protection Impact Assessment (“DPIA”) required for processing activities resulting in high risk. Indeed, Art. 35 GDPR states that a DPIA is in particular required in case of “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”. This provision basically recalls Art. 22 GDPR.

big bother eye.png

The WP29 guidelines on DPIA (here) mention as an example of profiling that does not significant affect individuals (meaning, not resulting in high risk): “An e-commerce website displaying adverts for vintage car parts involving limited profiling based on past purchases behaviour on certain parts of its website”. Probably not the most illuminating example, but in sum: profiling not systematic nor extensive. The guidelines then list the elements entailing a high risk:

  1. the use of a new technology;
  2. the time factor, i.e., the duration of the processing. For instance, in line with this, the Italian DPA (“Garante”) –in a landmark 2005 decision about loyalty programs– identified a maximum retention period for customer profiling data and their use for marketing of respectively 1 and 2 years (here). Retaining profiling data for longer periods entails a high risk and requires the Garante’s prior check –once the GDPR applies a DPIA would be required instead–;
  3. the large scale of data processed;
  4. matching or combining datasets.

An example of processing raising an high risk is: “The gathering of public social media profiles data to be used by private companies generating profiles for contact directories”. The use of social capturing tools to profile and match customer data on a large scale can be thus relevant.

“Strong” v “soft” profiling and the risk of discrimination in behavioral advertising

Based on this, one may apparently distinguish between a sort of “strong” and “soft” profiling, subject to different regimes. But the guidelines continue stating that a risk occurs also when processing may lead to discrimination against individuals.

This point is quite obscure, particularly if applied to behavioral advertising. Many say that behavioral advertising cannot have significant effects on individuals (see here and here). However, it is worthy noting that the UK DPA (“ICO”), in its public consultation about profiling (here – yet still provisional), warned about potential risks for individual fundamental rights connected even to behavioral advertising:

Profiling technologies are regularly used in marketing. Many organisations believe that advertising does not generally have a significant adverse effect on people. This might not be the case if, for example, the use of profiling in connection with marketing activities leads to unfair discrimination. One study conducted by the Ohio State University revealed that behaviourally targeted adverts can have psychological consequences and affect individuals’ self-perception. This can make these adverts more effective than ones relying on traditional demographic or psychographic targeting. For example, if individuals believe that they receive advertising as a result of their online behaviour, an advert for diet products and gym membership might spur them on to join an exercise class and improve their fitness levels. Conversely it may make them feel that they are unhealthy or need to lose weight. This could potentially lead to feelings of low self-esteem”.

One may argue that any kind of customer segmentation and profiling –resulting in different contents showed to individual– entails discrimination. It is probably too extreme. Profiling entails diversification in the treatment of individuals. It is for sure an act of processing (as it has an effect on individuals) though does not necessarily discriminate. But this risk shall not be underestimated: based on the opinions above, it appears that attention should be given to the possible effects (price discrimination, psychological effects, etc.) the envisaged targeted marketing campaigns can cause, considering the type products advertised, the way they are advertised, the type of segmentation and matching of interests, the scale, etc. Intrusive effects of profiling shall thus being considered. Not an easy exercise, but as profiling techniques are dramatically increasing their capacity of analyzing individual intimate aspects (e.g., AI advances are used to spot signs of sexuality, see here) authorities are calling for broader protection of individual fundamental rights.

What are the practical consequences?

“Risky” (or “strong”) profiling is subject to stricter formalities, requires a DPIA and explicit consent. This apply to behavioral advertising as well.

There is no definition of “explicit” in the GDPR. The WP29 (here) defined it as:  “all situations where individuals are presented with a proposal to agree or disagree to a particular use … and they respond actively … orally or in writing […] by engaging in an affirmative action to express their desire to accept a form of data processing. In the on-line environment explicit consent may be given […] through clickable buttons depending on the context, sending confirmatory emails, clicking on icons, etc.” An active choice shall be thus required.

What about behavioral advertising based on tracking cookies?

An explicit consent would require an opt-in for the use of tracking cookies. In the past, EU DPAs have exempted tracking cookies from explicit consents (see for instance the Italian Garante and the ICO decisions, here and here). Similarly, Recital 32 GDPR lists as a form of “express” consent (though not “explicit”) the setting of the browser. This seems evidently addressing the use of cookies. Some further guidance on the consent through the set up of browsers will be surely given under the e-Privacy Regulation. The current draft (here), at Art. 4a (former art. 9) and Recitals 20-22, provides further details on how browser settings will be presumably confirmed as a form of consent (though they are abandoning “cookie banner/cookie walls” solution endorsing advanced browsers settings “privacy by design” instead). But, based on the above, this kind of consent would be difficulty allow “strong” profiling (though e-Privacy Regulation is lex specialis and some guidelines will help).

Behavioral advertising and legitimate interest

On the other hand, “soft” profiling can be also based on “normal” consent, or on legitimate interest. This is clearly confirmed by Article 21 GDPR, that is however stressing that if profiling is based on legitimate interest controllers must grant data subjects with “objection rights”. The WP29 (see the guidance on legitimate interests, here) has already stated that: “controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers.” Although it then excluded that legitimate interest can justify certain “excessive” behavioral advertising practices (see our past analysis here).

There is for sure a legitimate interest of companies in matching promotional communications to individual preferences and interests. This is the future of advertising as well as one of the main business models for free services. Without personalisation many services would loose appeal and users nowadays are expecting a certain level of personalization based on their interests. Conditioning behavioral advertising to consent collection can be burdensome. And consent does not always represent a real safeguard. For this reason, some are calling for more flexible interpretation of the above rules to avoid the risk of having Europe’s advertising market (as well as data intelligence industry) limited and less competing compared to other countries (that do not subject profiling to consent).

This shall be however balanced with the right to privacy and to have personal data processed fairly, which is a fundamental right under the EU Charter (art. 8).

The final answer is left to the balance between the conflicting interests of companies and individuals. A balancing test for measuring the legitimate interest and excluding significant effects and discrimination shall be of crucial importance. This fits in with the spirit of the new accountability principle, that leaves to data controllers the ultimate decision on how to treat the risks of the concrete processing. Data controllers shall put in place privacy safeguards. As balancing tools, transparency and granular control for individuals on how personal data are processed will play a key role, together with an real analysis of potential risks. These efforts should concretely mitigate privacy risks in behavioral advertising.

Let’s see how EU authorities guidelines on profiling (expected before December) will clarify these aspects and ultimately discrimination risks.

Francesco Banterle

The partial remedies introduced by the EU Commission’s Proposal for a Directive on copyright in the Digital Single Market of 14 September 2016

InfoSoc’s unbalanced approach has been only partially – very partially – remedied by the Proposal for a Directive on copyright in the Digital Single Market of 14 September 2016 (here). Let us go through its main tenets.

  1. New mandatory exceptions

The Proposal envisages the extension of the range of mandatory exceptions to:

  1. “reproductions and extractions made by research organizations in order to carry out text and data mining…for the purpose of scientific research” (Art. 3);
  2. “the digital use of works…for the sole purpose of illustration for teaching, to the extent justified by the non-commercial purpose…” (Art. 4, dictating further restrictive conditions for the enjoyment of the exception; emphasis added);
  3. making copies, by cultural heritage institutions, of works permanently in their collections, for the sole purpose of preservation of such works (Art. 5).

These extensions deserve approval, of course, as they ‘upgrade’ to mandatory exceptions that InfoSoc provides as discretionary (Art. 5,2.c, e, and 3,a). But their impact is weakened by their persistent subjection – as all other exceptions and limitations foreseen by InfoSoc – to the barrier of the (in)famous three-step test which allows the copyright holder to oppose in judiciary sitting the actual enjoyment of the exceptions. Moreover, they are equally subject to the criterion of ‘strict interpretation’, also dictated by InfoSoc (confirmed by Art. 6 of the Proposal). Thus, for example, the ‘new’ exceptions under a), b) and c) would not allow either the market exploitation by research organizations of the fruits (reports) of their work, or the chance of Universities and other teaching institutions to edit and publish texts assembling lessons and other fruits of their educational activities.

Now, in all the cases where the public interest to spread culture and information may marry with economic exploitation (at times, however, non lucrative in proper sense: cultural heritage institutions, for instance, are bound to invest their incomes in institutional activities), wouldn’t be wiser – and truly consistent with the proclaimed aim to enhance the diffusion of culture and information – to adopt a mechanism of open paying access, instead than across-the board holding fast to the excludent paradigm?

The Max Planck Institute (MPI) went further and affirmed that data mining exception should apply also to commercial uses “as far as concerns content to which the persons performing the mining have lawful access” (see MPI position paper available here). Data mining relates to new analysis techniques to process large amounts of data, particularly to identify correlations and trends, which can be helpful in different sectors (health, marketing, IoT, etc.). In this regards, as acknowledged by Recital 8 “text and data mining may involve acts protected by copyright and/or by the sui generis database right, notably the reproduction of works or other subject-matter and/or the extraction of contents from a database”. Therefore, a general data mining exception would limit copyright and database rights. In this regard, the MPI says instead that data mining should be regarded as a normal use of a work, not requiring further authorization once a lawful access to the work is obtained. On the contrary, the new exception should be extended to cover data mining for research purposes even in cases of unauthorized access to protected works, i.e. research organizations should be able to carry out data mining without having to acquire access to the protected works.

We agree on that view. We however add that, in light of the concurring collective interests, data mining for commercial purposes should not in any case be subject to exclusive rights but rather to a regime of open paying access: business entities should be able to carry out data mining without having to acquire a general access to the protected works but rather by paying a reasonable fee/compensation.

  1. Use of out-of-commerce works by cultural heritage institutions

The Proposal provides for non-exclusive licences stipulated by collective management organizations with cultural heritage institutions for the digitisation, distribution communication and making available to the public of out-of-commerce works whose copyright belongs also to right holders not represented by the collective management organization – and this with cross-border effect (Arts 7-8).

The mechanism that empowers cultural institutions to (store and also) publish works ‘out-of-commerce’ is quite precarious, as the rightholders “may at any time object to their works…be deemed to be out of commerce and exclude the application of the licence to their works” (Art. 7,1.c). And this, without any obligation to resume the publication of the ‘forgotten’ works. As matter of fact, in its weakness, the new regime apparently amounts to a tentative compromise solution with the principle, recently re-stated by the CJEU in interpreting InfoSoc, whereby collecting societies cannot by their own initiative (i.e. substituting themselves to authors) authorize cultural institutions to digitise, store, communicate and make available to the public out-of-commerce works (CJEU, 11 November 2016, case C-301/15, Soulier and Doke).

  1. New rights on press publications against digital uses

The Proposal introduces (Art. 11) a new right, lasting 20 years, in favour of newspapers and magazines publishers to bar third parties (except the authors of the articles) from unauthorized extraction and online exploitation of even short, even very short (‘snippets’), parts of published articles.

This provision represents a ‘hardened’ version of the German Copyright Law which – possibly on the blueprint of an ancient jurisprudence of French origin – instead condoned the extraction and use of ‘imperceptible thefts’ (‘larcins imperceptibles’).

This right is commonly labelled “ancillary”: in truth it is a straight copyright (albeit with a reduced term) since it simply confirms the faculty of copyright holders’ (newspapers and magazine publishers) to grant or deny the authorization to exploit derivative works. Excerpts are indeed ‘reductions’, typically derivative works (hence included in the provision of Art. 12 of Berne Convention): works ultimately similar to the ‘condensed (sic.) books’ traditionally published by the American magazine Reader’s Digest. And the extreme brevity of the extracted text does not per se deny – particularly considering the typical ultra-synthetic mode of today’s digital communications – that the ‘snippet’ can well feature an ‘informational product’ as such apt to be sold and/or draw advertising revenues. Thus subtracted to the publishers of the original article.

However, the basic weakness of the new provision consists, again, in shaping a straight excluding right (just grazed by the research/teaching exception), i.e. remaining stuck to a proprietary approach to facts-assembling (are we introducing copyright on information and facts?). Which (contrast with Feist’s liberal inspiration aside) represents an objective factor of slowdown of the circulation of culture and information.

Once again, wouldn’t it have been wiser to adopt an ‘open paying access’ scheme in dealing with (derivative) commercial journalistic uses of copyrighted materials? For example by sharing part of the actual incomes generated by the derivative uses, if any.

In sum, the trumpet-announced ‘new copyright for the digital age’ is still fundamentally the old closed monad, just renovated with a few narrow windows. This indeed seems the solution adopted also for User Generated Contents (“UGCs”).

  1. Mandatory cooperation between ISPs and copyright holders on UGCs

The Proposal (Art. 13) tries to regulate UGC platforms. It imposes ISPs to “take measures to ensure the functioning of agreements concluded with rightholders for the use of their works or other subject-matter or to prevent the availability on their services of works or other subject-matter identified by rightholders through the cooperation with the service providers”.

As regard the imposition of agreements concluded with rightholders for the use of their works the Proposal is justified as it compensate copyright holders by placing on ISPs the burden of the unauthorised use of protected works on UGC platforms (which ISPs monetize), possibly by sharing part of advertising revenues.

However, the Proposal raises some concerns as it seems – again – dictated exclusively by the tentative of expanding the copyright scope. First, it is not coordinated with E-Commerce Directive and its safe harbour provisions: who are the ISPs concerned? What about “passive” ISPs and the ban of monitoring obligations on the net? In fact, a general obligation to prevent the availability on their services of works or other subject-matter identified by rightholders through the cooperation with the service providers should be imposed exclusively on “active” providers and should be carefully intended as a exception of the net neutrality principle.

Second, albeit the copyright scope is extended over the e-commerce safe harbours, there is no attempt to expand and adapt the existing framework of copyright exceptions to the online environment. And this despite the fragmented and restrictive implementation of InfoSoc’s exceptions list. This is particularly the case of those exceptions that could better fit online uses, i.e., quotation right (Infosoc Art. 5,3.d), parody (Art. 5,3.k) and incidental inclusion of works in other materials (Art. 5,3.i). In most cases restrictively transposed into national laws (where implemented). In other words, the formalized obligation to monitor UGC platforms is not balanced by any legal tools to safeguard new fair uses deserving areas of freedom. Additionally, online monitoring programs used by copyright holders – that would in fact be supported by the Proposal – can difficulty distinguish “fair” uses. Thus, it should have been advisable at least imposing to Member States to fully transpose all InfoSoc exceptions without reducing their scope. With no need to recall what already observed about the three-step test and the need of adapting it as a balancing criterion rather than an exclusive restrictive mechanism.

  1. Fair remuneration in contracts of authors and performers

An innovation that deserves full approval is instead the modified regime of contractual relations authors-publishers that allows the former to request not only an improvement of the level of royalties previously agreed upon, but also (read Art. 14.1 and 2, in functional connection with Art. 15), a fair share of the revenues from the ‘other’ sources of income, i.e. advertising, commercial offers, public representations, etc. In case of disagreement, the dispute author/publisher might be entrusted to ADR (Art. 16).

Realistically, though, the chances to achieve such revisions will depend on general agreements stipulated by collecting societies and publishers’ associations – ultimately, by said societies and the major ‘platforms’.

However, this provision is of high systemic relevance, as it allows alterations of the contractually agreed balance of the parties’ interests beyond the classical boundary of exceptional/unforeseeable new supervening circumstances of dramatic economic impact. And, above all, it fills a manifest lacuna of the InfoSoc Directive, which, as hinted above, is missed: the chance of a regulatory support of new ‘business models’ of dissemination of the works associated with the advent of the Internet and digital technology. Models often characterized by no payment obligation for the user for the enjoyment of single works disseminated online, and where the commercial revenues stem in whole or in part from advertising and the sale of various services and other similar sources. Hence, InfoSoc failed also to defend the legitimate rights of authors to obtain their slice of the pie of these other commercial revenues however stemming from the exploitation, direct or indirect, of their works – especially vis-à-vis ‘free’ online distribution models.

“Data ownership” in the big data era: some thoughts on the new Bird&Bird White Paper – what’s next for the EU?

Few days ago, a Bird&Bird team (Benoit Van Asbroeck, Julien Debussche, and Jasmien César) published a white paper about “Data Ownership” in the EU legal framework (available here).

The paper is issued within the Toreador Project (Trustworthy model-aware analytics data platform – a three-year big data research project funded by the EU Commission), and fits within the EU Commission’s strategy towards data.

The White Paper makes a thorough analysis of the EU acquis on data ownership. In sum, the paper affirms that:

  1. no EU legislation directly regulating ownership in data exists;
  2. a number of legislations provides other forms of protection to certain data. In particular the IP law area, namely: database rights; copyright; and trade secrets. However, none of these provides an adequate protection of ownership in data (e.g., sui generis right does not protect data as such; trade secrets require information to remain secret, etc.);
  3. EU case-law does not acknowledge an ownership right in data, with minor exceptions at national level where Courts occasionally addressed the data ownership issue;
  4. scholars are suggesting a new interpretation of current civil law provisions;
  5. while the paper does not provide an extensive examine of data protection legislation, it suggests that personal data is not necessarily owned by individuals. Instead, an ownership right in personal data for data controllers can be recognised, although subject to the individuals’ control.

The paper concludes that the current legal framework does not sufficiently deal with all issues related to data. Indeed, the data ownership is complicatdata-cycleed by the data value cycle which can involve numerous stakeholders (ISPs, IT providers, data providers such as marketplaces, data analytics service providers, data-driven services, etc.). Actors involved in the data value chain have no certainty as to the ownership of the data they process. Hence, the data ownership issue would require a new solution. The paper suggests creating a non-exclusive and flexible ownership right in datasets, with a data traceability obligation as a safeguard. 

Many points of this White Paper are in line with our view. In a paper presented in a conference about a holistic approach on personal data held by the Max Plank Institute in October 2016 (some slides are available here), I analysed the interface between IP rights (database sui generis right and trade secrets) and data protection rules. The latter in fact allow data controllers to exercise control over data, thus creating a semi ownership regime (though some scholars say it should be seen as a sort of licence on personal data granted by individuals). And I concluded that this interface produces an ownership regime on data, which can be strong although it cannot cover all situations. Residual areas are currently regulated by contract or by technology measures.

Property in data challenges civil law principles: information has public nature; property and IP rights are subject to the numerus clausus principle; and res incorporales are generally not included in property rights. Whether a new right on data should be created is debated (in a recent public consultation promoted by the EU Commission, here, the market answered “no”). We however agree that such possible new right should not be exclusive nor absolute. An exclusive right would risk blocking access to data. Access to data appears crucial in this data driven-economy. Big data requires data reuse, data enrichment, and access to multiple sources of raw information (in certain cases, we won’t be surprised to think about big data as essential facilities). At the current stage, it is impossible to predict where value will be created. Thus, a flexible approach to data is welcomed.

In this context, instead of a property rule, a liability rule appears more balanced. In other words, in certain cases the new right should entitle the data owner to receive payment for its data but would not allow him to exclude other from its access. This solution should be introduced for commercial uses of data only. Research uses should instead remain free, in line with the approach taken by the proposed Directive on copyright in the Digital Single Market (here).

Francesco Banterle

IP addresses as personal data under the CJEU, French Supreme Court, and the GDPR approach: towards an expanding protection of data

Are IP addresses personal data? The answer has been debated in recent times.

An IP (internet protocol) address is a series of digits assigned to a networked device to facilitate its communication over the internet. IP addresses do not directly reveal the identity of users: additional information is necessary to identify them. However they can show some patterns of user behaviour. Static IP addresses are invariable and allow continuous identification. Dynamic IP addresses are provisional and change each time there is a new connection.

A study commissioned by the EU Commission (available here) revealed how EU members’ traditions with regard to the IP address “personal” nature have substantially diverged.

Recently, in the Breyer case (full text here), the CJEU held that under Directive EC/95/46 (“Privacy Directive”) IP addresses can be personal data. The action was brought by Mr Patrick Breyer, a member of the German Pirate Party. He objected that websites of Federal German institutions store visitors’ IP addresses with the aim of preventing cyber-attacks and allowing criminal proceedings. Eventually, the Bundesgerichtshof asked the CJEU whether in that context (where only internet service providers – ISP – hold data to identify users) ‘dynamic’ IP addresses constitute personal data.

A personal data is any information relating to an identified or identifiable individual, including in by reference to an identification number. Recital 26 of Privacy Directive says that to determine whether a person is identifiable, account should be taken of all the means “likely reasonably” to be used either by the controller (or by any other person) to identify him/her. It is not required that all the information necessary to identify the data subject is in the hands of one person. The possibility to reach the data with reasonable efforts is enough. Thus, the CJEU held that, since the website owner is able to contact the competent authority, so that the latter orders the ISP to disclose additional data on the individual, the website owner has the means which may likely reasonably be used to identify the data subject on the basis of the IP address. In light of this, a dynamic IP address can constitute personal data.

The Court thus embraced an extensive interpretation, previously suggested by the Article 29 Working Party (see opinion 4/2007 on the concept of personal data, p. 16).

Personal nature of IP addresses has been recently confirmed by the French Cour de Cassation (French text here), which held – although briefly – that “les adresses IP, qui permettent d’identifier indirectement une personne physique, sont des données à caractère personnel”.

In this context, the General Data Protection Regulation (“GDPR”) has strengthened this approach. It has specifically recognized that online identifiers, including IP addresses, may potentially identify users and create profiles, especially when combined with unique identifiers (e.g., usernames, see Recital 30). Therefore, the GDPR now explicitly includes online identifiers in the definition of personal data (Article 4). Thus, apparently the rule set by the GDPR could be as follows: IP addresses (likewise online identifiers) are presumed to be personal data unless under the circumstances a data controller can demonstrate that it does not have means “likely reasonably” to identify individuals. However, based on Breyer such proof will not be easily reached.

Finally, as a confirmation of the tendency to expand the definition of data deserving protection, the e-Privacy Regulation proposal (available here, which should repeal Directive 2002/58/EC) seems in line with the GDPR’s approach. The draft includes metadata (e.g. time of a call and location, numbers called, the websites visited, etc.), which are highly intrusive in the privacy sphere, within the scope of the protected data. Thus, except their use for billing purposes, metadata will require users’ consent to be used.

In sum, the concept of protected data is in the process of being updated and expanded, probably having the IoT and big data in mind, to embrace all aspects of virtual identities. And shall be shortly re-defined also vis-à-vis new tracking techniques.

Francesco Banterle

CJEU, decision of 19 October 2016, C-582/14, Patrick Breyer v. Bundesrepublik

French Supreme Court, decision of 3 November 2016

Trade Secrets Directive: final text agreed between the European Parliament and the Council of Europe

On 15 December 2015 the European Parliament and the Council of Europe, through their respective internal bodies, the Legal Affairs Committee (JURI) and the Committee of Permanent Representatives (COREPER), reached an agreement on the final draft of the Directive (available here, see also our previous comment on the EU Commision’s proposal here).

The final version of the text was endorsed by the JURI on 28th January 2016. The European Parliament shall vote upon it in plenary session. Subsequently, the text shall be submitted to the Council of Europe for final revisions.

Following these steps, the European Member States will have 24 months to transpose the Directive. This time period will begin from the date of publication of the Directive in the Official Journal of the European Union, which is not due before March or April 2016.

During the negotiations, one of the main issues of debate between the European Parliament and the Council of Europe concerned the necessity to strike a balance between, on the one hand, the right of information, the freedom of expression and investigative journalism (so-called “whistle-blowing”) and, on the other hand, the protection of trade secrets.

For this purpose, the final text provides for guarantees for the preservation of each of these fundamental rights and strengthens the position of whistle-blowers, by stating, at Art. 1, that the Directive “shall not affect the exercise of the right of freedom of expression and information” and, at art. 4, that “the measures, procedures and remedies provided in this Directive are dismissed when the alleged acquisition, use or disclosure of trade secret was carried outfor revealing a misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest”.

Finally, the Directive will guarantee that its rules will not create unjustified barriers to worker’s mobility. Indeed, as underlined by the JURI, the Directive specifies, at Art. 1, that rules protecting trade secrets will not “[limit] employees’ use of the experience and skills honestly acquired in the normal course of their employment”, and that rules should not “[impose] any additional restrictions on employees in their employment contracts other than in accordance with EU or national law”.

Alessandro Massolo

Researcher at Osservatorio di proprietà intellettuale, concorrenza e comunicazioni, LUISS Guido Carli

The EU trademark reform package has been definitively approved

On 15 December 2015 the European Parliament approved on second-reading the reform of the european trademark system. The reform consists first of all of the replacement of the existing Trademarks Directive 2008/95/EC with the new Directive 2015/2436/EU (available here, the “Directive”), which has been published in the Official Journal of the European Union on 23 December 2015.

The Directive entered into force on 12 January 2016, 20 days after its publication, but the Member States will have 3 years to transpose its provisions into their national laws. According to Article 55 of the Directive, Directive 2008/95/EC is repealed but with effect from 15 January 2019.

On the other hand the Regulation (EU) n. 2015/2424 (available here, the “Regulation”), amending the Community Trademark Regulation 2009/207/EC and repealing the Commission Regulation n. 2869/1995 on the fees payable to the OHIM, has been published in the Official Journal of the European Union on 24 December 2015. The Regulation will enter into force on 23 March 2016, 90 days after its publication.

While the provisions of the Regulation concerning community trademarks will obviously directly enter into force, those of the Directive concerning national trademarks may undergo changes during the process of transposition into the various domestic laws (as it happened in Italy, e.g. with the provision concerning the obligation of the licensee to use the trademark to distinguish goods or services identical – in quality – to those placed on the market by the owner or by other licensee, an obligation which was not foreseen by the Directive 2008/95/EC).

The main amendments introduced by the reform (for our previous comment on the reform see here) can be summarized as follows:

  • the replacement of the names “Office for Harmonization in the Internal Market” and “community trademark” with “European Union Intellectual Property Office” (“EUIPO”) and “European Union trade mark” (“EU trade mark”) (Art. 1 point 1 and 7 of the Regulation);
  • the repeal of the requirement of graphic representability from the trademark’s definition and its replacement with the provision that a sign can be represented in any manner, not necessarily graphic, enabling the competent authorities and the public to determine the clear and precise subject matter of the protection afforded to its proprietor (Art. 3 lett. b of the Directive and Art. 1 point 8 of the Regulation);
  • the extension of the absolute grounds of refusal or invalidity of the registration provided for signs constituted by a shape also to signs constituted by «another characteristic», i.e. to signs constituted for example by a smell, a sound or a colour, which will not be registrable if that characteristic is considered imposed by the nature of the product, or necessary to obtain a technical result or giving substantial value to the product; think, for example,  to a  typical alarm sound whose registration is claimed  for home-surveillance apparels (Art. 4.1 lett. e of the Directive and Art. 1 point 8 of the Regulation);
  • the codification of the principles adopted by the CJEU as concerns the renowned trademarks about the application of their protection also when the sign is used for products or services which are identical or similar to those for which the trademark is registered (Art. 5.3 lett. a and 10.2 lett. c of the Directive and Art. 1 point 10 lett. b and point 11 of the Regulation);
  • the addition, to the provision concerning the rights conferred by the registered trademark, of the specification that the owner of the trademark may also prohibit the use of the sign as a trade or company name and the use of the sign in comparative advertising, if made in a way which is contrary to the Directive 2006/114/EC (Art. 10.3 lett. d and f of the Directive and Art. 1 point 11 of the Regulation);
  • the introduction of provisions on the goods in transit in the EU concerning the faculty for the owner of the trademark to prevent third parties from bringing fake goods, in the course of trade, into the Member State where the trademark is registered (Art. 10.4 of the Directive and Art. 1 point 11 of the Regulation);
  • the amendments to the provision concerning the limitation of the effects of a trademark consisting in the specification that the owner is not entitled to prohibit to a third party to use in the course of trade the name or the address if the third party is a natural person (Art. 14.1 of the Directive and Art. 1 point 13 of the Regulation);
  • the addition of the provision that the owner is not entitled to prohibit a third party from using in the course of trade signs or indications which are “not distinctive” (Art. 14.1 of the Directive and Art. 1 point 13 of the Regulation);
  • the provision that applications for EU trademarks can be filed only at the EUIPO (Art. 1 point 25 of the Regulation);
  • the addition of provisions concerning the designation and classification of goods and services according to which they have to be identified by the applicant with sufficient clarity and precision in order to determine the extent of the protection sought (Art. 39 of the Directive and Art. 1 point 28 of the Regulation).

Among all the new provisions, those on the goods in transit in the EU have been so far the most criticized, and are however those which have undergone most changes before the approval of the final text of the Directive and of the Regulation.

Moreover, it is not yet fully clear the significance of the provision according to which the entitlement of the owner shall «lapse» (in the italian text: «si estingue», in the french text «s’éteint», in the german text «erlischt», in the spanish one «extinguirá», etc.) if during the proceedings to determine whether the registered trade mark has been infringed, evidence is provided by the «declarant» (i.e. the defendant, holder of the goods) that the proprietor of the registered trade mark is not entitled to prohibit the placing of the goods on the market in the country of final destination. Probably the only reasonable meaning that can be attributed to this provision is that if that evidence is provided, the owner cannot bring future actions to prohibit the marketing of the same branded goods.

Sara Caselli

The EU trademark reform has reached the final steps

The reform of the European trademark system may become a reality before the end of 2015.

In addition to the Commission Regulation no. 2869/1995 on the fees payable to the Office for Harmonization in the Internal Market, the reform package presented by the Commission on March 2013 focuses, as known, the Trademarks Directive 2008/95/EC and the Community Trademark Regulation 2009/207/EC.

The Commission’s “Proposals” are based on the “Study on the Overall Functioning of the European Trade Mark System” (available here), realized by the Max-Planck Institut of Munich upon request of the same Commission and published on February 2011. The Proposals  aim at  modernizing and  harmonizing the community and national trademark’s systems (by simplifying the registration procedure and intervening on the substantive law) as well as at strengthening the enforcement of  counterfeiting.

On June 10th 2015, the Council’s Permanent Representatives Committee has approved the final compromise texts of the trademark reform package, and on June 16th 2015 the compromise agreement has been voted by the Parliament’s Legal Affairs Committee.

The final text of the Regulation can be found here, while the final text of the Directive is here.

The approved texts are actually not yet absolutely “final” as they still need to go through the legal-linguistic revision before the final endorsement by the Council and by the European Parliament. So, unless there are further delays, while most of the provisions of the Regulation will come into effect in early 2016, the Member States will have three years to transpose the Directive into national law.

The new features introduced by the reform range from formal ones, such as the adoption of the names “european trademark” instead of “community trademark” and “European Intellectual Property Office” instead of “Office for Harmonization in the Internal Market” and the reducing of registration fees, to substantive ones, such as the rejection of the requirement of the graphic representability, the extension of the absolute grounds of refusal or invalidity of the registration provided for signs constituted by a shape to signs constituted by “another characteristic”, the addition to the provision concerning the rights conferred by the registered trademark of the specification that the owner of the trademark may also prohibit the use of the sign in comparative advertising if made in a way which is contrary to the Directive 2006/114/EC and the introduction of provisions on the goods in transit in the EU.

Even if the reform presents some positives, it is not exempt from criticism.

Inter alia, by reducing registration fees of community trademarks it maintains the community and the national trademarks systems in competition.

Also, by extending the provisions on the shape trademarks to sign constituted by other characteristics, the revision makes non-traditional trademarks harder to register. This kind of trademarks will indeed not be registrable if they exclusively consist of a characteristic (such as, for example, a sound or a smell) which can be considered imposed by the nature of the product, or necessary to obtain a technical result or giving substantial value to the product.

But the most discussed and criticized provision is the one providing that the trademark owner is entitled to prevent third parties from bringing fake goods, in the course of trade, into the Member State where the trademark is registered. First of all, because the text has udergone many changes and, secondly, because its last version provides that the entitlement of the owner shall lapse if during the proceedings to determine whether the registered trade mark has been infringed, evidence is provided by the declarant or the holder of the goods that the proprietor of the registered trade mark is not entitled to prohibit the placing of the goods on the market in the country of final destination. This clearly gives trademark owners great power to prevent fake goods transiting through the Community as it will be very difficult for the holder to prove a negative.

In the end, the reform doesn’t take advantage of the occasion to codify consolidated principles affirmed by the EU Court of Justice such as those expressed in the General Motors case (C-375/97), in which the famous trademarks have been defined as registered trademarks known by a significant part of the consumers of the products or services which said marks cover in a substantial part of the EU territory. The provisions on famous trademarks contained in the current Directive and  Regulation do not express such a definition of reputation and this lacuna could have been filled by the reform as the principles expressed in the said case are unanimously shared.

Sara Caselli

* due to a technical error, “steps” was erroneously reported as “jokes” in the title. We apologize.