In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures, we discussed how freedom of expression has been used as a defense to copyright infringement. But IP rights can also come into conflict with data protection.
On May 25, 2018, the General Data Protection Regulation (the “GDPR”) will apply in all Member States of the European Union (“EU”), and will replace the 95/46/CE Directive (“the Directive”).
Why You Can’t Ignore the GDPR
U.S. in-house lawyers should know at least two things about GDPR.
1. Extraterritorial Effect
The GDPR extends the application of EU legislation to companies outside the EU, in that it will apply to entities established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU.
In practice, it means that many U.S. companies that did not have to comply with the Directive will now have to comply with the GDPR. U.S. companies may already have some familiarity with EU data protection rules if they had access to personal data collected in the EU, due to the restrictions on data transfers to countries outside the EU (they have to use the EU-US Privacy Shield or other transfer tools). However, the requirements will be more stringent once they are directly subject to European rules.
2. Increased Sanctions
The GDPR considerably increases the sanctions and penalties in the event of non-compliance. The maximum amount of financial sanctions is increased up to 4% of total worldwide annual sales or 20 million euros, whichever is the greater. Therefore, compliance with the GDPR should be taken all the more seriously.
IP Rights vs. GDPR
Some of the GDPR obligations are of specific interest for IP practitioners because they can conflict with IP rights.
1. The Right of Access v. Protection of IP Rights
The “right of access” already exists under EU law in the Directive. Pursuant to the right of access, individuals (in the data protection jargon, they are called “data subjects”) can obtain a copy of all the personal data that has been collected about them.
What kind of information are data subjects entitled to? Recently, a French journalist who had been using Tinder, the dating app, for a few years, exercised her right of access and asked Tinder to send her all her data. She explained in an article published in the Guardian, that Tinder “sent [her] 800 pages of [her] deepest, darkest secrets” but refused to give her the information on how her matches were personalized using her information. They objected that “[their] matching tools are a core part of [their] technology and intellectual property, and [they] are ultimately unable to share information about [their] proprietary tools.” To our knowledge, the journalist did not consider going to Court with this request, so we don’t know how a judge would react, but Tinder’s objection does have a legal basis.
GDPR provides, as a derogation to the exercise of the right of access, that it “should not adversely affect the rights or freedoms of others,” including trade secrets and intellectual property rights, in particular with respect to software. As in the Tinder example, these considerations will limit the information available to a data subject, but will not justify a refusal to provide any information.
2. The Right to Portability v. Protection of IP Rights
The right to portability is a new right that did not exist before the GDPR. It is essentially designed to help data subjects switch from one supplier to another. Data subjects have the right to receive their personal data in a structured, commonly used and machine readable format, which they can then forward to someone else.
Because that “someone else” may be a competitor, the right to portability raises issues for those who may take the view that providing personal data in a “reusable way for potential competitors” would be an infringement of their IP rights or, at the least, a disclosure of their know-how. As with the right of access, the GDPR provides that the exercise of this right “should not adversely affect the rights and freedoms of others,” which include IP rights.
In practice, one should keep in mind that the scope of data portability is limited to the raw personal data provided by the data subjects themselves, and should not include data which is inferred or derived from the raw data. This is important, because proprietary technology normally comes into play after the raw data is collected from data subjects, to transform that raw data into more valuable information.
3. Data Protection Requirements v. Digital Management Rights and Profiling
Owners and distributors of copyright protected content on the Internet often have access to their customer’s personal data, and the ability to monitor user activity with respect to, for example, the downloading of songs or ebooks. These companies may use this information to engage in “profiling,” i.e., using data to make a series of statistical deductions to analyze current behaviors and preferences and to predict future behaviors and preferences.
IP practitioners should be aware that the European Data Protection Authorities do not like profiling at all. According to the Guidelines of the Article 29 Working Party (an advisory body on which representatives of the Data Protection Authorities of all Member States sit), “profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. It can lead to inaccurate predictions, denial of services and goods and unjustified discrimination in some cases“.
For companies that use profiling, it is important to keep in mind the following GDPR requirements:
- All processing activities must have a legal basis, such as the consent of the data subjects or the fact that the profiling is necessary in order to provide the service. For example, the insertion of a unique identifier in a content protected by copyright via a Digital Rights Management scheme should not be linked to an individual except to the extent that this link is necessary for the performance of the service or if the individual has been informed and has consented to it.
- You cannot use personal data for purposes that are not compatible with the purpose for which the data was originally collected. For example, if you sell goods to customers who pay with credit cards, you may collect their name and address but you cannot use them later for marketing purposes.
- Personal data should not be stored longer than is necessary to fulfill the purpose for which such data is processed. For example, if you collect personal data about your customers, you must delete that data as soon as it is no longer necessary for billing purposes or any other purposes (after-sale services) consented to by the customers. You cannot keep the data “just in case” one of them might misuse your IP.
4. Privacy v. Enforcement of IP Rights
IP practitioners know that, when it comes to enforcing IP rights, it can be challenging to identify infringers and the various actors involved in the distribution chain, especially for products sold on the internet. When IP owners conduct investigations to identify potential infringers, they are collecting and processing personal data. For example, when contents are made available on peer-to-peer platforms, IP owners can collect user IP addresses and combine them with publicly available data (e.g. using Whois to identify a domain name registrant). In some circumstances, they may also be able to collect information held by third parties, such as internet service providers or banks.
These situations create a potential conflict between, on the one hand, the protection of IP rights and, on the other hand, the protection of data, which requires that data be only processed when there are appropriate safeguards and transparency.
EU Directive 2004/48 on the enforcement of intellectual property rights (which is not being changed by introduction of GDPR) requires Member States to ensure that in IP infringement proceedings, national courts may order infringers or persons who have been involved in the production or sale of the goods, to disclose information regarding the origin and distribution networks of such goods. However, this is without prejudice to provisions governing the processing of personal data. EU Member States legislations and national courts (under the control of the Court of Justice of the European Union) will therefore have to find a fair balance between data protection and IP protection.