Background of the case
The young Austrian Maximiliano Schrems, a law student resident in Ireland, made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook over the transfer of his data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.
In his claim, Schrems, relying on the facts and evidence provided by Edward Snowden, through which the former agent revealed how the United States operated in global surveillance, alleged that said country did not offer adequate protection to the personal data it received from users in the member countries of the EU. He alleged that it did not even have a process for the selection and treatment of these data, but rather, in its eagerness to fight terrorism, took them in large quantities and processed them as such, using them for purposes other than those of which the users of the social network had been informed.
This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ request on the basis of Decision 2000/520/EC of July 26, 2000, considering that the United States complied with an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland, the High Court, which finally held that the United States made excessive interference with the personal data that was transferred to its territory.
The decision of the CJEU: the Schrems I judgment
The High Court asked the European Court to issue a preliminary ruling on whether Decision 2000/520/EC is valid and whether or not it makes it impossible for the national authorities of the countries of the European Union to carry out a correct control of the personal data that is transferred from a European country (in this case, Ireland) to a third state. The European Court ruled that, although Decision 2000/520/EC prescribes that the United States has an adequate level of protection, the national bodies responsible for ensuring the protection of the data of their inhabitants are still empowered to carry out this control, although the invalidity of a Decision (in this case, the one adopted by the European Commission) can only be declared by the CJEU.
Finally, in ruling as it did and declaring the EC decision invalid, the European Court took into account not what was established by the Commission’s Decision but whether, in factual terms, the privacy of the data owners was protected when their data was transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to that of the EU; what matters above all is that this third country provides an adequate protection framework for the data of the holders.
For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:
1) That there was an interference with the right to privacy;
2) That said interference meant a violation of the essential content of the right to privacy.
Following the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission, known as “safe harbor”, regarding the transfer of data to the United States, the so-called decision 1250/2016, better known as “Privacy Shield”, was adopted within this framework.
The purpose of this decision is summarized as follows:
– It acknowledges that the EU-US Privacy Shield, comprised of the privacy principles applicable to certified United States organizations (companies) and related commitments made by the Department of Commerce and other United States authorities, provides an adequate level of protection for personal data transferred from the EU to these organizations.
– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.
– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.
– It also guarantees legal certainty for companies that rely on its application to transfer personal data from the EU to US organizations certified by the Privacy Shield.
Precisely this decision is the one that was declared invalid in the judgment in the Schrems II case, issued by the CJEU on 07/16/2020, which will be commented on subsequently.
Guide of Impact on the Personal Data Protection
On January 29, to commemorate International Data Protection Day, the control authorities of Argentina and Uruguay prepared a Guide for the study of Impact on the Personal Data Protection. Its main objectives are:
1) To minimize the risks of projects undertaken by entities, public and private, that manage personal data.
2) To implement and standardize preventive rules with which these entities must comply when carrying out said projects.
3) To comply with current regulations on the matter by developing an Impact Assessment.
The document begins by setting out general concepts, among which the one that stands out the most, because of its breadth, is the meaning of “personal data”, encompassing all kinds of information, not only of individuals but also of legal entities, in line with current regulations in Argentina and Uruguay.
Then, it establishes the need for and importance of carrying out assessments of the risks that the treatment of personal data could pose in the different projects or operations carried out by both public and private entities. These evaluations require going through different phases ranging from internal and operational matters, through regulations and security measures to be adopted, until finally reaching the preparation of the guide that will serve as the basis for the treatment of the personal data involved in the activities carried out by the company.
Finally, on the basis of the previous phases, the risk analysis of the project or operation for the treatment of the data is prepared, covering each phase of its development. It should be noted that not only personal data is involved in any project; other recognized constitutional rights, such as the right to honor, self-image and privacy, are collaterally affected.
Implementation of an EIPD
As a corollary, the implementation of an EIPD in each project that a company develops and that involves the use of personal data is necessary to fully comply with local regulations on data protection. In the event that the risks of data collection and processing are high, it should be weighed whether the measures developed manage to minimize them or whether, on the contrary, a high risk remains, in which case alternative ways of managing the data should be sought. In this way, the law and its postulates are complied with.
Conflict about the processing of data protection
Last August, the CJEU settled a new conflict about the processing and protection of data, involving Facebook and the popular “like” icon.
Data protection case
The conflict took place when “Fashion ID”, a German e-commerce company that sells clothing, inserted the Facebook “like” button on its website. This insertion seems to have the consequence that, when a visitor visits the “Fashion ID” website, personal data of that visitor is transmitted to Facebook Ireland. As analyzed in this ruling, this transmission of data takes place without the visitor being aware of it and regardless of whether they are a member of the Facebook social network or whether they clicked on the “like” button.
For this reason, “Verbraucherzentrale NRW”, a German public association defending the interests of consumers, made a complaint against “Fashion ID” for having transmitted to Facebook Ireland personal data of visitors to its website, on the one hand without the consent of the latter and, on the other, in breach of the information obligations established in the provisions related to the protection of personal data.
Resolution of the case
The conflict having reached the German Court of First Instance, the matter was finally sent to the EU Court of Justice in order to find a final resolution.
After analyzing the case, the CJEU ruled that the administrator of an Internet site with the aforementioned “like” button on its website may be responsible, together with the social network, for the collection and transmission to Facebook of the personal data of visitors to its site.
In this particular case, the joint responsibility is due to the fact that, on the one hand, the insertion by “Fashion ID” of the Facebook “like” button on its website allows the fashion site to optimize the advertising for its products by making them more visible on the social network.
On the other hand, Facebook Ireland obtains in return the power to have this data for its own commercial purposes.
Therefore, such processing operations are carried out in the economic interest of both “Fashion ID” and Facebook Ireland. Consequently, the company “Fashion ID”, as a co-responsible entity for certain processing operations on the data of consumers who access its website, must request prior consent for the operations in which, as co-responsible, it collects and transmits personal data. However, the CJEU clarified that it will not be responsible, in principle, for the further processing of such personal data carried out solely by Facebook.
Prior consent to data protection
Furthermore, the CJEU also analyzed in this case one of the exceptions to the obligation to obtain prior consent: “legitimate interest”.
In these cases, the court pointed out that both the administrator of the website in question and the provider must pursue a legitimate interest with the collection and transmission of data for such operations to be justified. The legitimate interest that justifies one of the actions will therefore not justify the other.
Conclusion: General Data Protection Regulation
In conclusion, and as we have mentioned in other blog posts since the entry into force of the General Data Protection Regulation last year, the European Union has been implementing through its laws and judicial decisions a strict line of thinking about how it intends the data of its citizens to be treated.
Therefore, any activity that is not within these guidelines cannot be carried out freely, making good legal advice important to avoid sanctions or any other obstacles.
General Data Protection Regulation (GDPR)
On May 25, 2018, after its approval by the European Parliament and the European Council, the European Union’s General Data Protection Regulation (GDPR) came into force, in order to unify the regulations of all the Member States on the matter. Against the background of this new regulation, which affects both citizens and European companies, the complex exit of the United Kingdom from the Union, for which a new date has been set for October 31st* of this year, is one of the biggest concerns for the community companies that operate in the Anglo-Saxon country.
Hypotheses about Brexit
Faced with this situation, different hypotheses arise depending on whether the English House of Commons decides to leave the EU with an agreement, also known as the “Soft Brexit”, or without an agreement, giving way to a “Hard Brexit”.
In the event that the exit takes place under an agreement, the so-called “Soft Brexit”, the GDPR will continue to be applicable during the transition period set by the aforementioned agreement, creating a period of transposition of laws as a result. From that date, the United Kingdom would have until December 31st, 2021 to sign new treaties with the European Union, including those related to data protection.
On the other hand, if no exit agreement is reached, it would lead to what is known as “Hard Brexit”, whereby the UK’s relationship with the EU would be similar to that maintained with the United States, where “safe harbor” agreements are required, as well as compliance with another series of requirements, to allow the acquisition and handling of data of European citizens and companies.
In other words, a legal vacuum would be created for all European companies that currently operate with data in the United Kingdom for a period of time, until the signing of new agreements on the subject.
Conclusion about GDPR and Brexit
Therefore, taking into account the present scenario and the continuous postponement of the famous Brexit during the current year, it is certain that the departure of the United Kingdom from the EU will not be calm and peaceful, affecting different aspects of the community system, such as the protection and control of the exchange of data.
Thus, the most advisable course for companies that handle European data is to comply with both the GDPR and the previous regulations, the Organic Law of Protection of Personal Data (LOPD), to avoid any type of conflict during this transition.
* After the postponement of Brexit from 04/12/2019, the departure of Great Britain is delayed until 10/31/19, in order to offer six months of extra time to reach an agreement that allows an orderly departure.
Source: www.zonamovilidad.es
By Marta Garcia
The European Union (EU) and the four founding members of sub-regional trade bloc Mercosur (Argentina, Brazil, Paraguay, and Uruguay) have been negotiating a free trade agreement (FTA) for the last 17 years as part of a broader Association Agreement between the two regions.
After a pause in the EU-Mercosur negotiations in 2012, these were re-launched in May 2016. Since then, there have been several rounds of negotiations, with the pace picking up in recent months.
The current EU proposal for the FTA comprises a chapter on intellectual property rights (IPR) covering standards concerning copyright, trademarks, designs, geographical indications, patents and plant varieties, as well as a section regarding IPR enforcement.
Regarding industrial designs, the EU proposal establishes in its Article 6.1 that the parties shall implement the Geneva Act to the Hague Agreement Concerning the International Registration of Industrial Designs (which establishes an international system – the Hague System – that allows industrial designs to be protected in multiple countries or regions with minimal formalities). Regarding the term of protection, under article 6.3 of the EU proposal, the duration of protection available shall amount to 25 years from the date of filing of the application. Additionally, article 6.6 establishes that a design shall also be eligible for protection under copyright law as from the date on which the design was created or fixed in any form.
The report from the 30th negotiation round in November 2017 states that the agreement section on designs was tentatively completed. However, the actual text in the final agreement will be a result of negotiations between the EU and Mercosur.
The chapter regarding patents states that the parties shall comply with the Patent Cooperation Treaty (PCT), of which neither Argentina, Paraguay nor Uruguay is yet part.
Out of the three non-PCT Mercosur members, as we previously reported here, only the Uruguayan Parliament is currently discussing its adhesion to the PCT.
Regarding Argentina, it is worth mentioning that a Memorandum of Understanding (MoU) on technical co-operation was signed by the European Patent Office (EPO) and the Argentine PTO (INPI) in May 2017, which was recently discussed during the visit of the EPO President Benoît Battistelli to Argentina last February. One of the aims of the MoU is to encourage the use of the PCT system and raise awareness about its benefits.
Article 8.2 – Patents and Public Health – of the EU proposal’s IPR chapter expresses the EU’s commitment to the World Trade Organization (WTO) Doha Declaration on the Trade Related Aspects of Intellectual Property (TRIPS) and Public Health, stating the following:
“The Parties recognize the importance of the declaration on the TRIPS Agreement and Public Health, adopted on 14 November 2001 (hereinafter referred to as the “Doha Declaration”) by the Ministerial Conference of the WTO. In interpreting and implementing the rights and obligations under this Chapter, the Parties shall ensure consistency with the Doha Declaration.”
Notwithstanding the above, the EU proposal text on IPR includes articles on patent term extensions and data exclusivity, probably two of the sections on which positions between the EU and Mercosur are farthest apart.
Articles 8.4 and 8.5 of the EU proposal establish extensions of the patent term to compensate for unreasonable delays in the grant of marketing approval of a medicinal product or a plant protection product. The period of extension is the period that elapses between the filing of the application for a patent and the first authorization to place the product on the respective market, reduced by a period of 5 years. There is no proposal of extension due to unreasonable delays by national patent offices in granting the patent.
Regarding data protection, Article 10.2 of the EU proposal establishes that parties shall not permit any other applicant to market the same or a similar medicinal product on the basis of the marketing approval granted to the party which had provided the results of pre-clinical tests or of clinical trials, for a period of […] years (not specified in the proposal) from the date of marketing approval.
According to the report from the 28th negotiation round in July 2017, “some divergences of views remain, notably regarding the level of protection as compared to TRIPS and certain international Treaties of which Mercosur countries are not yet members. Mercosur noted their concerns on patents and regulatory data.” Additionally, the last published report from the 30th negotiation round in December 2017 states that “on protection of regulatory test data in patents, the EU tabled a revised proposal but positions are still apart.”
Check back to Moeller’s blog to see updates about any developments on this matter.