In view of the worldwide aspect that Protection of Personal Data has acquired, and its category of Human Right in many laws around the world, it is necessary to have an adequate protection framework, which is not only limited to the laws that regulate its treatment and safeguarding, but also must extend to the relationships that are managed between the data controllers, data processors, third companies and the owners of said data.
From the incursion of personal data in all possible areas of interaction, the Law is not foreign at all, much less in the contractual field, as one more link in the chain of measures aimed at providing all current or current information accumulation, potentially related to a specific or determinable natural person. Therefore, it is unavoidable to make a list of the contracts that are used in this type of situation both in the field of cyberspace and in the relationships that are developed between the owner of the data with the person in charge of treatment, and of the latter with the data processor.
It could be taken into consideration that the privacy policies that abound in the websites have a contractual legal nature, with a predisposed content and the possibility for the user to select the browsing preferences to determine what data is available to share or allow them to be collected and which ones not.
- What information will be collected (names, emails, phone numbers, etc.).
- How the information will be used (for statistics, to improve the shopping or browsing experience, promotions, Email Marketing, etc.).
- What will be done with the collected data.
- The possibility of modifying the policy in the future.
- Contract form (for modifications, updates, or cancellations).
- Cookies policy.
- It offers relevant information about the way in which the data is protected.
b) Terms and conditions
It is an unnamed, on-line, electronic contract for adhesion to pre-arranged clauses.
Terms and conditions are established between the user of a certain website and the owner of said site and is mainly intended to inform the user of issues related to the content of the page and the services offered through it, as well as information appropriate to the user about what is done with the collection and processing of their personal data, and the type of data that is transferred to the person in charge through the site.
Also, within the terms and conditions are established the duties and responsibilities of the user and the correct use of the site, intellectual property issues, legal framework, among others.
Privacy policies can be found separately from the terms and conditions, or in a single identified body.
C) Data outsourcing
The outsourcing contract, in general terms, is mainly intended to delegate to a company, or a specialized natural person, a portion of the business process that is the responsibility of another company, which the latter considers that it is more suited to carry out that portion of the process involved. It is the outsourcing of activities.
With regard to the field of data in general and personal data in particular, a company that develops an activity in the process of which requires or feeds on said data hires another for the management and processing of personal data. The owner of the database is the data controller and the data processor is the third party that provides the outsourcing service.
Points to consider in the data outsourcing contract
- The data controller should include in the contract a clause by which it obliges the data processor, to fulfill and respect the purpose for which the database or registry was created, not being able to carry out acts tending to undermine said purpose, taking reservation of the data obtained and applying a treatment that serves said purposes.
- As the data processor is acting on behalf and order of the owner of the database, it is necessary that he respects the instructions given by the latter, having to abide by them and the framework of the contract and its purpose and also the contract and –if applicable- criminal law that govern the matter. Especially for the responsibility that entails the person responsible for the data, the election of the person in charge of personal data processing, and the development of the work of this one in front of third parties.
- The person in charge of the processing of personal data has to abstain from transferring the data that is subject to treatment to third parties. Data Processor does not have the authorization to obtain from the owner the consent to carry out the assignment -as he is not the owner or person in charge of the database.
- Once the objective or the purpose for which the data were collected and processed has been fulfilled, Data Processor must return all that information to the Data Controller, not being able to store or keep the data in their possession, unless there are subsequent situations expressly established, which determine the maintenance of these data in the possession of the data processor.
- There must be a duty of confidentiality on the part of the person in charge of the treatment, which consists primarily of not disclosing or using for purposes contrary to the contract, the law, public order or the rights of the owners and third parties, the personal data whose treatment was entrusted. Even this duty must be maintained after the ending of the contractual relationship between both parties.
- Both Data Processor and Controller have a security duty regarding not only the treatment of the data in general but also regarding the fact that databases where these data are stored, comply with, or have a level of security appropriate to the protection of the information stored there.
d) Transfer of data
The transfer of personal data is a contract that is established between Data Controller and third parties or companies. It inevitably requires the consent of the owner of the personal data and the cause of the transfer must be explained, which must be related to the legitimate and legal activity carried out by the person responsible for the database, file, registry, or archive or be related to the activity of the assignee.
The object of the data transfer contract must be circumscribed to those data contained in the databases, registers, files, and which are those collected by the person responsible for the treatment.
At Moeller IP Advisors we have a specialized worldwide work team with the ability to advise on drafting contracts and certain clauses that involve personal data, both in corporate and digital environments. Contact us!Read More
1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection
As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.
Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.
For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.
Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.
That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.
2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection
The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.
This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.
In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.
In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.
In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.
This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.
Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.
For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.
In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.
This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.
However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.
The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.
Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.
Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.
There is a bill presented to the Paraguayan Parliament in 2019.
In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.
The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.
The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.
In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.
3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection
After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.
Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.
Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.
Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.
However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.
If you’re reading this, it’s safe to imagine that you have applied for an International Trademark, filled out all the forms, and followed the TM registration procedure, but now you are faced with a Notification of Provisional Refusal. One (or more) of the national trademark offices has found a potential problem with your application for IP protection in their country. Or, perhaps you’re looking to file a provisional refusal against a foreign company that would be infringing upon your IP.
Now, depending on the national office, the details of how exactly to oppose such a notification vary depending on the national IP office’s rules and regulations. This is the first of a [X] part, country by country guide on how to oppose to a notification of provisional refusal when registering for an International Trademark.
European Union Notice of Opposition Proceedings
When filing for an international trademark in order to protect your brand across Europe, it may be more convenient and economical to designate the EU as the protected territory instead of individual countries. The manner in which the EUIPO deals with such a designation differs to other countries such as the UK, where the procedure is dealt with nationally.
When the EUIPO receives an application through the WIPO, it will publish the requested trademark’s details in the EUTM Bulletin in Part M, which is dedicated entirely to international Trademark registrations. Once published through the Bulletin, the EUIPO will:
1. Prepare search reports (which, if you wish to access them, you will have to request a copy).
2. Conduct an examination of various formalities that may be relevant to your particular application.
3. Conduct an examination of potential absolute grounds for refusal and of any oppositions that are placed by pre-existing trademark holders within the EU.
We will focus on the procedure for any notice of opposition (or provisional refusal). EU trademark holders will have 3 months from the publication of the application in the EUTM Bulletin to file an opposition – this 3-month period starts exactly 1 months after the application has been published in the Bulletin.
If the EUIPO accepts the notice of opposition, then a notification of provisional refusal is sent to the WIPO, where the applicant will consequently be notified. At this moment, the need for a European representative may arise. This would occur if the applicant is not domiciled within the European Economic Area (EEA).
Once the opposition has been admitted by the EUIPO, the applicant and opponent will have to follow the EU procedure for notices of opposition.
United Kingdom notification of provisional refusal
The UK is a historic world economy that has always hosted a vast array of businesses, so it would come as no surprise if you were to be looking to protect your IP in Britain. In the UK, two key pieces of legislation are the Trade Marks Act 1994 and the Trade Marks Rules 2008. Once the application has been accepted by the IPO, it will be published in the UK IP Journal.
In the UK, the notification of provisional refusal is referred to as a notice of opposition, much like when registering for an EU Trademark.
From the date of publishing, any pre-existing trademark holder may, within a period of 2 months, file a notice of opposition by filling out Form TM7, being sure to pay special attention to the grounds of opposition. This should clearly explain the reasons for which you are opposing the trademark registration – whenever reinforced by sound legal arguments, even better. The IPO registrar would then communicate this notice to the applicant.
The applicant will then have to file a counterstatement through Form TM8 within 2 months of the Notification Date. However, if both parties agree, they may opt-in for a ‘cooling-off period’ of 9 months, which can be extended another 9 months through Form TM9c, also within 2 months of the date of notification. This period would give the parties time to negotiate with each other and come to some sort of amicable agreement. If unsuccessful, the applicant files Form TM8 and the procedure continues. For the opponent, Form TM9t would be the corresponding form to end the cooling-off period.
Differences according to the type of opposition
Depending on the type of opposition made, you will then enter Evidence Rounds or receive Preliminary Indications.
Provisional Refusal: Preliminary Indications
If the notice of opposition results in Preliminary Indications, the Registrar will examine the case and explain to the parties what the most likely outcome will be upon reviewing the evidence. It should be noted that either party can withdraw their application or opposition at any time. If, however, one of the parties is still wanting to pursue their trademark claim, they may file Form TM53 within one month of receiving the Preliminary Indications, which will then initiate the Evidence Rounds.
For the Evidence Rounds, the opponent has 2-3 months (extendable if they convince the Registrar) to file their evidence-in-chief, starting from the date the opponent received Form TM8. This is the main legal basis of your claim against the applicant, where you may also be requested to submit evidence proving that you have been and still are using your Trademark.
Once filed in its entirety, the applicant now has 2-3 months (extendable if they convince the Registrar) to do the same, legally backing their trademark application and its validity. The opponent then has another 2 months to do respond to the applicant’s counterstatement.
The case will then be reviewed by the IPO and, if requested by either of the parties, a Hearing may be called, where the two parties argue their case before the IPO. The IPO will give their decision and that will be the end of the administrative proceedings.
However, if the final decision was unfavourable to you, it is still possible to appeal the decision. The type of appeal and the national entity responsible for hearing the appeal will vary greatly depending on the specific decision.
To give one example, if you are the applicant appealing against an unfavourable decision that has ultimately rejected your trademark application, you can submit Form TM55 within 28 days of the decision in question. This, however, might not be the right procedure for you.
If you would like to speak with a lawyer experienced in these proceedings in order to have the best chance possible of winning your claim, please do get in touch.Read More
Lionel Andrés Messi Cuccittini, one of the World’s best soccer players has now yet another cause for celebration, as he has now been allowed to register his own trademark for selling sports equipment and clothing.
Messi filed an application in August 8, 2011, to register the above trademark design. It covers classes 9, 25 and 28. This trademark received an opposition from J.M.-E.V. E HIJOS, S.R.L., owner of trademark MASSI for cycling clothes and gear, and sports related goods in general, in classes 9, 12, 18, 25, 28 and 35.
This opposition was admitted by the European Union IP Office (EUIPO), and consequently Messi’s application was rejected, arguing that MESSI and MASSI were almost identical, visually and phonetically. Needless to say, an appeal was promptly filed against this resolution.
After years of procedures, the European Union’s General Court ruled in favor of Messi, asserting that his “fame counteracts the visual and phonetic similarities” with the prior mark MASSI.
The General Court also pointed out that “The degree of similarity between the marks is not sufficiently high to accept that the relevant public may believe that the goods at issue come from the same undertaking or, as the case may be, from economically-linked undertakings”.
Indeed, the fame of Lionel Messi as the star of the Fútbol Club Barcelona, and of the Argentina National Team is worldwide, is hard to deny. Through this resolution, the importance of notorious or well-known trademarks is evidenced. Even in cases were the opposed marks are somewhat similar, protect related products, and distribution channels, the fact that the sign is recognized worldwide by a significant portion of the relevant public would (according to this ruling) should be sufficient to overcome the risk of confusion, allowing the sign to be registered.
An appeal can still be filed by the opponent before the EU Court of Justice.
- Case T-554/14, Messi Cuccittini v EUIPO v. J-M.-E.V. e hijos (MESSI).-
Artificial Intelligence and GDPR
The interaction of Personal Data Protection and Artificial Intelligence (AI) becomes particularly interesting when issues arise from the use of personal data with AI.
General Data Protection Regulation (GDPR)
The new General Data Protection Regulation (GDPR) of the European Union (EU), which entered into force on 25 May 2018, aims to give control to citizens of and residents in the EU over their personal data.
Regarding Artificial Intelligence, in particular, GDPR aims to create transparency rights and safeguards against automated decision-making, meaning decisions that are made by machines when personal data is used.
In essence, GDPR states that:
- When companies collect personal data, they have to say what it will be used for, and not use it for anything else.
- Companies are supposed to minimize the amount of personal data they collect and keep, limiting it to what is strictly necessary for those purposes stated. They also are supposed to put limits on how long they hold that data, too.
In short, companies must tell people what data they hold on them, and what’s being done with it.
- Companies should be able to alter or get rid of people’s personal data if requested.
- If personal data is used to make automated decisions about people in an AI system, companies must be able to explain the logic underpinning the algorithm used for the decision-making process, i.e., the general functionality of the automated system.
In particular, Article 22 of the GDPR grants individuals the right to contest a completely automated decision if it has legal or other significant effects on them.Read More
On April 26, 2018, the United Kingdom announced that it deposited the instruments of ratification for the Agreement relating to the Unified Patent Court (UPCA). This now brings the total number of ratifications to sixteen in Europe.
The ratification by the UK makes a decisive step closer to achieving the entry Unitary Patent into force. This new European patent will support innovation in Europe with simplified administration, reduced costs and greater legal certainty.
For the Unitary Patent to enter into force, the UPC Agreement needs to be ratified by thirteen of the 26 participating EU Member States (all EU countries except Croatia and Spain), including France, Germany and the UK as the countries with the largest numbers of European patents in force. While the necessary number of ratifications had already been achieved in 2017, the ratification of Germany is the only one from the big countries still outstanding.
There is a pending complaint against the UPC Agreement at the Federal Constitutional Court of Germany. The German constitutional complaint against ratification of the Unified Patent Court Agreement is on the list of cases to be decided by the “Bundesverfassungsgericht”, the Federal Constitutional Court of Germany this year. It is very likely that Germany will ratify the UPC agreement this year.
The UPC is a dedicated court for patents, hearing cases of validity and infringement – and later also European patents – granted by the EPO. The Court forms part of the Unitary Patent Package and is based on an international treaty, which needs to be ratified in parliament by the EU Member States, while the patent itself is the result of two EU regulations adopted in 2012.
A detailed explanation of the Unitary Patent and the Unified Patent Court is provided below.
Thereby, nothing will change in the pre-grant phase and the same high standards of quality search and examination will apply. After a European patent is granted, the patent proprietor will be able to request unitary effect, thereby getting a Unitary Patent, which provides uniform patent protection in up to 26 EU Member States.
By submitting a single request to the EPO, via a Unitary Patent, it will make it possible to get patent protection in up to 26 EU Member States. The 26 member states will build on European patents granted by the European Patent Office (EPO) under the rules of the European Patent Convention (EPC).
Today, via a national patent or a European patent an inventor can protect an invention in Europe.The EPO examines applications for European patents centrally, saving inventors the costs of parallel applications, while ensuring a high quality of granted patents.
However, granted European patents must be validated and maintained individually in each member country. Currently, this process can be a complex and potentially very costly as validation requirements differ between countries. This leads to high direct and indirect costs, including translation costs, validation fees and associated representation and maintenance costs. These costs can be considerable depending on the number of countries where the patent proprietor wishes to validate.
Here are some of the benefits which will save applicants costs, time and minimize the administrative workload .
- The EPO acts as a one-stop-shop, allowing for a simple registration of a Unitary Patent.
- No fees are due for the filing, examination of the request for unitary effect or for registration.
- No post-grant translations will be required after a six-year transitional period (during this time, informational purposes only will a translation will be required and will not have any legal effect).
- A new compensation scheme will cover costs related to the translation of the patent application if it was filed in an official EU language other than English, French or German for EU-based SMEs, natural persons, non-profit organizations, universities and public research organizations.
- Unitary Patents will also not be subject to the currently fragmented renewal fee system: there will be only one procedure, currency and deadline and no obligation to use a representative.
- The renewal fees have been set at a very competitive level and are particularly attractive for the first ten years (average protection for a European patent). The more countries in which the European patent will be validated, the greater the savings also on indirect costs for applicants.
- All post-grant administration will centrally be handled by the EPO.
- The online register, notably for licenses and transfers will include legal status information relating to Unitary Patents.
- Unitary Patents will confer truly uniform protection thanks to all matters harmonized previously in the Agreement on a Unified Patent Court.
Unified Patent Court
An international court set up by 25 participating Member States (all EU countries, except for Croatia, Poland and Spain to deal with the infringement and validity of both Unitary Patents and European patents. Its rulings will apply in all Member States that have ratified the Agreement on a Unified Patent Court.
The UPC will:
- establish an effective forum for enforcing and challenging patents in Europe;
- end the need for litigation in different countries;
- enhance legal certainty through harmonized case law in the area of patent infringement and validity;
- provide simpler, quicker and more efficient judicial procedures;
- harmonize substantive patent law relating to the scope and limitations of the rights conferred as well as the remedies in cases of infringement.
Currently, national courts and authorities decide on the infringement and validity of European patents. This can lead to difficulties when a patent proprietor wishes to enforce a European patent in several countries or when a third party seeks the revocation of a European patent. Forum shopping is often inevitable, as parties seek to take advantage of differences between national courts and their procedures. Litigation in multiple countries is expensive and there is a risk of diverging decisions and a lack of legal certainty.
The UPC Agreement addresses these shortcomings by creating a specialized patent court with exclusive jurisdiction for litigation relating to Unitary patents and European patents and harmonizing the scope and limitations of the rights conferred by a patent, and remedies available beyond EU Directive 2004/48/EC (Enforcement Directive).
A Court of First Instance, a Court of Appeal and a Registry will comprise the UPC.
The Court of First Instance will be composed of a central division (seat in Paris, sections in London and Munich) and several local and regional divisions. The Court of Appeal will be located in Luxembourg.
For all parties involved in European patent litigation, the UPC will provide a better framework. Costs will be reduced and different decisions from national courts on infringement and validity will cease. A more efficient and balanced patent litigation system will emerge over time. (The benefits for patent proprietors and third parties are:
- the UPC will offer better valid patent enforcement, with Europe-wide effects of decisions, injunctions and damages for patent proprietors;
- the UPC will provide a central revocation action, separate from the EPO’s opposition procedure, at any time during the life of the patent for third parties and the public.