European Union

Principles to Take Into Consideration in Data Protection Compliance

By Manuel Lobato. Patents Lawyer.

Data Protection Compliance: GDPR

The General Data Protection Regulation –GDPR–  constitutes a regulation that covers all (or almost all) aspects related to the personal data of European citizens both within Europe and outside it. It is self-sufficient and its rules are applied from the principle of extraterritoriality.

Just as this principle exists, to determine that the data of European citizens are treated in accordance with the standards established by the GDPR, there are also principles of an axiological nature that are scattered throughout the Regulation – although stated in art. 5° -, and that must be considered as mandatory and effective compliance for all those who process personal data.

Here is a brief explanation of these axioms that must be taken into account when implementing a personal data treatment policy:

Lawfulness, transparency, and fairness

The lawfulness in the treatment has to do with the fact that the collection and treatment of personal data must have a legal and justified basis, requiring the consent of the interested party, or legal provision failing that. The objectives of the regulation must also be borne in mind.

Regarding transparency and fairness, it refers to two behaviors that must be displayed by the person in charge of the treatment and/or the person in charge in relation to the owner of the data who has to be sufficiently informed of what the data processor and/or controller will with the data, how they will treat said data and the communication of the data owner regarding their rights of information, modification, rectification and deletion as a guarantee, always keeping in mind the purpose for which the data was collected.

Purpose

The collection and processing of personal data must have a lawful, legitimate, transparent, and explicit purpose, which must be informed to the owner of the data so that they can fully understand what they will do with the personal information that belongs to the owner. This principle is related to the previous one.

However, this principle also has another face, which is related to the application of the limitation in terms of purpose. The truth is that the person in charge and / or in charge of the processing of personal data cannot use them for a different purpose than the one that was informed to the owner and on which they consent was obtained, much less, for purposes incompatible with the law, the Regulation and its provisions.

Minimization of data

Based on this principle, the data that is collected and processed should be those that, based on the evaluation of the purpose, constitute the minimum and essential to carry out a project that involves its collection and treatment.

Accuracy in data recording

The importance of the principle of accuracy in personal data lies in the fact that, when dealing with rights that belong to natural people, their erroneous assignment, and in addition, their relationship with people who are not the true owners, can bring damage to them.

In addition, this principle also allows strict control to the owner of the so-called ARCO rights -access, rectification, cancellation, and opposition.

Temporal limitation in the conservation of personal data

This principle is related to the principle of data minimization but from its temporal aspect. The data should not be kept for longer than is necessary to fulfill the purpose for which they were collected. Once the cause of their collection and treatment has disappeared, they must be destroyed and, at the very least, apply a process of dissociation of the data in relation to the owner.

However, the different laws may establish exceptions to the principle of time limitation: for a public interest, for scientific or academic purposes, or because the law establishes an obligation of the person responsible to maintain them for a long time, despite the purpose having been fulfilled (eg: tax issues).

One manifestation of this principle is the so-called “Right to Be forgotten”.

Integrity and Confidentiality

Both principles have to do with the fact that both the person in charge mainly and the person in charge of the processing of personal data must maintain a proactive attitude when collecting and treating.

Furthermore, data processors and controllers’ have a proactive responsibility and both must take all necessary measures to avoid data breaches. In Argentina, the responsibility of the data controller is objective, through the application of the theory of risk.

In Moeller IP Advisors we can assist you in complying with all these principles in case you or your company decide to launch our own product or service in the European Union.

Please contact our expert’s team through our CRMs Ms. Vivianne Cardoso and/or Ms. María Ximena Amado.

European Data Protection Board – Clinical Trials, Test Subjects, And Data Protection – EDPB

By Manuel Lobato. Patents Lawyer.

On February 2nd, the European Data Protection Board published a series of responses related to inquiries prepared by the European Commission (justice and consumer section). These consultations are aimed at the EDPB solving questions about the protection of personal data used in clinical research.

European Data Protection Board

The document is divided into six different sections that are developed in various paragraphs and contain answers to questions ranging from ethical issues, informed consent to anonymization processes, and the collection and processing of personal data obtained in medical research.

Regarding informed consent and data processing, special focus is placed on its legal basis and on the distinction between informed consent and the legal basis of consent required under the standards of the General Data Protection Regulation, both terms being, complementary to such protection; and the need to have a special consent from the patient when there is no other way out than to resort to the treatment that the research is developing, to improve the quality of life of the subject.

The same happens when data controllers conduct clinical trials in different State Members of the EU, and it is necessary to homogenize the legal basis of all of them -when conducting the project- to comply with the GDPR standards and their own localisms.

An interesting topic that the document tries to elucidate, although it will be left to a later consultation, is the possibility of extending the consent of the owner of the data – the subject of the trial – extracted in one trial, for other trials of the same nature.

Related questions about the Data Protection document

Regarding obtaining broad consent in terms of clinical trials, the EDPB refers in a certain way to recital 33 of the GDPR, in order to minimize the requirements of specific consent when the purpose of the data processing cannot be determined at an initial stage of harvest.

Finally, the document refers to relative issues such as:

1) The use of the information obtained directly from the owner of the data for other purposes than those originally reported and if necessary and in which cases -and how-, must comply with the requirement of transparency.

2) The application of processes of pseudonymization and anonymization of personal data in clinical trials.

3) The processing of specific categories of data and their treatment on a large scale during clinical trials.

For further information or professional advice regarding clinical trials, legal requirements, compliance, and data protection, you can contact our Moeller’s Legal Department Members in charge of this area through our Relationship Managers Vivien Racy and/or Vivianne Cardoso, following this link.

Source: https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-document-response-request-european-commission-clarifications_en

Contracts In Data Protection Matters

By Manuel Lobato. Patents Lawyer.

In view of the worldwide aspect that Protection of Personal Data has acquired, and its category of Human Right in many laws around the world, it is necessary to have an adequate protection framework, which is not only limited to the laws that regulate its treatment and safeguarding, but also must extend to the relationships that are managed between the data controllers, data processors, third companies and the owners of said data.

From the incursion of personal data in all possible areas of interaction, the Law is not foreign at all, much less in the contractual field, as one more link in the chain of measures aimed at providing all current or current information accumulation, potentially related to a specific or determinable natural person. Therefore, it is unavoidable to make a list of the contracts that are used in this type of situation both in the field of cyberspace and in the relationships that are developed between the owner of the data with the person in charge of treatment, and of the latter with the data processor.

Privacy Policy

It could be taken into consideration that the privacy policies that abound in the websites have a contractual legal nature, with a predisposed content and the possibility for the user to select the browsing preferences to determine what data is available to share or allow them to be collected and which ones not.

The privacy policy of a website must comply with the principles established in the data protection laws of the respective countries where the users are located, advocating for transparency, correct and complete information to the owner of the treatment data what is done with them, and the kind of information that the site takes, all this, written in a clear and understandable language for the website visitor.

What information should be included in the privacy policy?

• What information will be collected (names, emails, phone numbers, etc.).
• How the information will be used (for statistics, to improve the shopping or browsing experience, promotions, Email Marketing, etc.).
• What will be done with the collected data.
• The possibility of modifying the policy in the future.
• Contract form (for modifications, updates, or cancellations).
• Cookies policy.
• It offers relevant information about the way in which the data is protected.

Terms and conditions

It is an unnamed, on-line, electronic contract for adhesion to pre-arranged clauses.

Terms and conditions are established between the user of a certain website and the owner of said site and is mainly intended to inform the user of issues related to the content of the page and the services offered through it, as well as information appropriate to the user about what is done with the collection and processing of their personal data, and the type of data that is transferred to the person in charge through the site.

Also, within the terms and conditions are established the duties and responsibilities of the user and the correct use of the site, intellectual property issues, legal framework, among others.

Privacy policies can be found separately from the terms and conditions, or in a single identified body.

Data outsourcing

The outsourcing contract, in general terms, is mainly intended to delegate to a company, or a specialized natural person, a portion of the business process that is the responsibility of another company, which the latter considers that it is more suited to carry out that portion of the process involved. It is the outsourcing of activities.

With regard to the field of data in general and personal data in particular, a company that develops an activity in the process of which requires or feeds on said data hires another for the management and processing of personal data. The owner of the database is the data controller and the data processor is the third party that provides the outsourcing service.

Points to consider in the data outsourcing contract

• The data controller should include in the contract a clause by which it obliges the data processor, to fulfill and respect the purpose for which the database or registry was created, not being able to carry out acts tending to undermine said purpose, taking reservation of the data obtained and applying a treatment that serves said purposes.
• As the data processor is acting on behalf and order of the owner of the database, it is necessary that he respects the instructions given by the latter, having to abide by them and the framework of the contract and its purpose and also the contract and –if applicable- criminal law that govern the matter. Especially for the responsibility that entails the person responsible for the data, the election of the person in charge of personal data processing, and the development of the work of this one in front of third parties.
• The person in charge of the processing of personal data has to abstain from transferring the data that is subject to treatment to third parties. Data Processor does not have the authorization to obtain from the owner the consent to carry out the assignment -as he is not the owner or person in charge of the database.
• Once the objective or the purpose for which the data were collected and processed has been fulfilled, Data Processor must return all that information to the Data Controller, not being able to store or keep the data in their possession, unless there are subsequent situations expressly established, which determine the maintenance of these data in the possession of the data processor.
• There must be a duty of confidentiality on the part of the person in charge of the treatment, which consists primarily of not disclosing or using for purposes contrary to the contract, the law, public order or the rights of the owners and third parties, the personal data whose treatment was entrusted. Even this duty must be maintained after the ending of the contractual relationship between both parties.
• Both Data Processor and Controller have a security duty regarding not only the treatment of the data in general but also regarding the fact that databases where these data are stored, comply with, or have a level of security appropriate to the protection of the information stored there.

Transfer of data

The transfer of personal data is a contract that is established between Data Controller and third parties or companies. It inevitably requires the consent of the owner of the personal data and the cause of the transfer must be explained, which must be related to the legitimate and legal activity carried out by the person responsible for the database, file, registry, or archive or be related to the activity of the assignee.

The object of the data transfer contract must be circumscribed to those data contained in the databases, registers, files, and which are those collected by the person responsible for the treatment.

At Moeller IP Advisors we have a specialized worldwide work team with the ability to advise on drafting contracts and certain clauses that involve personal data, both in corporate and digital environments. Contact us!

The MERCOSUR-EU Agreement and the Legislation on Data Protection in the Countries of the Region.

By Manuel Lobato. Patents Lawyer.

1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection

As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.

Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.

For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.

Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.

That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.

2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection

a) ARGENTINA:

The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.

This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.

In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.

In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.

b) BRAZIL:

In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.

This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.

Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.

For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.

c) PARAGUAY:

In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.

This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.

However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.

The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.

Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.

Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.

There is a bill presented to the Paraguayan Parliament in 2019.

d) URUGUAY:

In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.

The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible  of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.

The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.

In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.

3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection

After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.

Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.

Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.

Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.

However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.

Sources:

https://www.mercosur.int/mercosur-cierra-un-historico-acuerdo-de-asociacion-estrategica-con-la-union-europea/

https://www.efe.com/efe/america/economia/el-pacto-con-mercosur-mejorara-las-politicas-de-proteccion-datos-segun-la-ue/20000011-4021149

https://www.impo.com.uy/bases/leyes/18331-2008

http://www2.congreso.gob.pe/sicr/cendocbib/con2_uibd.nsf/8F7EC36BB743626D052577C1007243CC/$FILE/Protecci%C3%B3n_d_Datos.pdf

https://www.jornaldocomercio.com/_conteudo/especiais/jornal_da_lei/2020/01/720955-prontos-para-a-lei-geral-de-protecao-de-dados.html

The Case Schrems and the Fall of the Privacy Shield. First Part

By Manuel Lobato. Patents Lawyer.

Background of the case

The young Austrian Maximiliano Schrems – law student and resident in Ireland – made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook, for transfer of their data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.

In his claim, Schrems – based on the facts and evidence provided by Edward Snowden through which, the former agent revealed how the United States operated in global surveillance-, alleged that said country did not offer adequate protection to the personal data that received from users in the countries that are members of the EU, and did not even contain a process for the selection and treatment of these data, but rather took them in large quantities and thus processed them, using them for purposes other than those that truly informed the users of the social network –in their eagerness to fight terrorism-.

This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ proposal, based on Decision 2000/520 / EC, of ​​July 26, 2000S, considering that The United States complied with an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland – the High Court -, which finally held that the United States made excessive interference with the personal data that was transferred to its territory.

The decision of the CJEU. Schrems´ I judgment.

The High Court asked the European Court to issue a preliminary ruling regarding the issue of whether said decision -2000/520/EC- is valid and whether it makes it impossible – or not – for the national authorities of the countries of the European Union to carry out a correct control regarding the personal data that is transferred from an European country – in this case, Ireland – to a third state. Finally, the European Court ruled that, although the EC decision 2000/520 prescribes that the United States has an adequate level of protection, the truth is that also the national organizations responsible for ensuring the protection of the data of its inhabitants, they are empowered to carry out this control, although the invalidity of a Decision – in this case, the one adopted by the European Commission – can only be declared by the CJEU.

Finally, the European Court, in order to rule as it did –declaring the invalidation of the EC decision-, taking into account, not what was established by the Commission’s Decision, but, in factual terms, whether the privacy of the data owners was protected when transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to that of the EU; more than anything, that this third country provides an adequate protection framework for the data of the holders.

For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:

1) That there was an interference with the right to privacy;

2) Declared that said interference meant a violation of the essential content of the right to privacy.

Decision 1250/2016.

Due to the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission regarding what is known as “safe harbor”, regarding the transfer of data to the United States, it was adopted within this framework, the so-called decision 1250/2016, better known as “Privacy Shield”.

The purpose of this decision is summarized as follows:

– Acknowledges that the EU-EE Privacy Shield comprised of the privacy principles applicable to certified United States organizations (companies) and related commitments made by the Department of Commerce and other United States authorities, it provides an adequate level of protection for personal data transferred from the EU to these organizations.

– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.

– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.

– It also guarantees legal certainty for companies that rely on your application to transfer personal data from the EU to US organizations certified by the Privacy Shield.

Precisely this decision is the one that was declared invalid in the judgment of the Schrems II Case, issued by the CJEU on 07/16/2020, which will be subsequently commented.

Sources:

https://eur-lex.europa.eu/legal-content/ES/LSU/?uri=CELEX%3A32016D1250

https://www.boe.es/doue/2016/207/L00001-00112.pdf

https://www.redalyc.org/jatsRepo/3376/337655201009/html/index.html

https://www.researchgate.net/publication/321792394

Provisional Refusals under the Madrid Protocol: Country by Country Guide – EU and UK

By Moeller IP Team.

If you’re reading this, it’s safe to imagine that you have applied for an International Trademark, filled out all the forms, and followed the TM registration procedure, but now you are faced with a Notification of Provisional Refusal. One (or more) of the national trademark offices has found a potential problem with your application for IP protection in their country. Or, perhaps you’re looking to file a provisional refusal against a foreign company that would be infringing upon your IP.

Now, depending on the national office, the details of how exactly to oppose such a notification vary depending on the national IP office’s rules and regulations. This is the first of a [X] part, country by country guide on how to oppose to a notification of provisional refusal when registering for an International Trademark.

European Union Notice of Opposition Proceedings

When filing for an international trademark in order to protect your brand across Europe, it may be more convenient and economical to designate the EU as the protected territory instead of individual countries. The manner in which the EUIPO deals with such a designation differs to other countries such as the UK, where the procedure is dealt with nationally.

When the EUIPO receives an application through the WIPO, it will publish the requested trademark’s details in the EUTM Bulletin in Part M, which is dedicated entirely to international Trademark registrations. Once published through the Bulletin, the EUIPO will:

1. Prepare search reports (which, if you wish to access them, you will have to request a copy).

2. Conduct an examination of various formalities that may be relevant to your particular application.

3. Conduct an examination of potential absolute grounds for refusal and of any oppositions that are placed by pre-existing trademark holders within the EU.

We will focus on the procedure for any notice of opposition (or provisional refusal). EU trademark holders will have 3 months from the publication of the application in the EUTM Bulletin to file an opposition – this 3-month period starts exactly 1 months after the application has been published in the Bulletin.

If the EUIPO accepts the notice of opposition, then a notification of provisional refusal is sent to the WIPO, where the applicant will consequently be notified. At this moment, the need for a European representative may arise. This would occur if the applicant is not domiciled within the European Economic Area (EEA).

Once the opposition has been admitted by the EUIPO, the applicant and opponent will have to follow the EU procedure for notices of opposition.

United Kingdom notification of provisional refusal

The UK is a historic world economy that has always hosted a vast array of businesses, so it would come as no surprise if you were to be looking to protect your IP in Britain. In the UK, two key pieces of legislation are the Trade Marks Act 1994 and the Trade Marks Rules 2008. Once the application has been accepted by the IPO, it will be published in the UK IP Journal.

In the UK, the notification of provisional refusal is referred to as a notice of opposition, much like when registering for an EU Trademark.

From the date of publishing, any pre-existing trademark holder may, within a period of 2 months, file a notice of opposition by filling out Form TM7, being sure to pay special attention to the grounds of opposition. This should clearly explain the reasons for which you are opposing the trademark registration – whenever reinforced by sound legal arguments, even better. The IPO registrar would then communicate this notice to the applicant.

The applicant will then have to file a counterstatement through Form TM8 within 2 months of the Notification Date. However, if both parties agree, they may opt-in for a ‘cooling-off period’ of 9 months, which can be extended another 9 months through Form TM9c, also within 2 months of the date of notification. This period would give the parties time to negotiate with each other and come to some sort of amicable agreement. If unsuccessful, the applicant files Form TM8 and the procedure continues. For the opponent, Form TM9t would be the corresponding form to end the cooling-off period.

Differences according to the type of opposition

Depending on the type of opposition made, you will then enter Evidence Rounds or receive Preliminary Indications.

Provisional Refusal: Preliminary Indications

If the notice of opposition results in Preliminary Indications, the Registrar will examine the case and explain to the parties what the most likely outcome will be upon reviewing the evidence. It should be noted that either party can withdraw their application or opposition at any time. If, however, one of the parties is still wanting to pursue their trademark claim, they may file Form TM53 within one month of receiving the Preliminary Indications, which will then initiate the Evidence Rounds.

Evidence Rounds

For the Evidence Rounds, the opponent has 2-3 months (extendable if they convince the Registrar) to file their evidence-in-chief, starting from the date the opponent received Form TM8. This is the main legal basis of your claim against the applicant, where you may also be requested to submit evidence proving that you have been and still are using your Trademark.

Once filed in its entirety, the applicant now has 2-3 months (extendable if they convince the Registrar) to do the same, legally backing their trademark application and its validity. The opponent then has another 2 months to do respond to the applicant’s counterstatement.

The case will then be reviewed by the IPO and, if requested by either of the parties, a Hearing may be called, where the two parties argue their case before the IPO. The IPO will give their decision and that will be the end of the administrative proceedings.

However, if the final decision was unfavourable to you, it is still possible to appeal the decision. The type of appeal and the national entity responsible for hearing the appeal will vary greatly depending on the specific decision.

To give one example, if you are the applicant appealing against an unfavourable decision that has ultimately rejected your trademark application, you can submit Form TM55 within 28 days of the decision in question. This, however, might not be the right procedure for you.

If you would like to speak with a lawyer experienced in these proceedings in order to have the best chance possible of winning your claim, please do get in touch.

What is a Notice of Opposition Against an EU Trademark Application and What Can I Do About it?

By Moeller IP Team.

When filing for an EU Trademark to protect your brand, you might receive a Notice of Opposition from the EUIPO. You might be worried about this. Maybe you’re asking yourself: What is a notice of opposition? What can I do to register my trademark now? How can I make sure that my brand is protected in the EU? In this article, we will explain what a Notice of Opposition is and how to deal with it to ensure that you protect your IP.

First, let’s remind ourselves of the application process for EU trademarks.

Recap of EU Trademark Application Process

We must remember that once you have sent your application away, the EUIPO examiner will analyze it and look for any problems. If provisionally approved, your application will be published in the EU Trade Marks Bulletin for all to see. Any party that already owns a registered trademark now has 3 months to file a Notice of Opposition, which will prevent you from being granted protection for your trademark.

What is a Notice of Opposition?

A Notice of Opposition filed by a preregistered EU trademark holder is a claim to the EUIPO that your future trademark infringes on their pre-existing trademark, or is too similar and could cause confusion. This must be done by the opposing party within 3 months of publication in the EU Trade Marks Bulletin.

Once the filing has been completed, and the opposing party has paid the corresponding fees, the Opposition Division of the EUIPO will examine the Notice and determine its admissibility. This admissibility test is conducted in accordance with the EU Trademark Regulation. If it passes the test, you will be advised of the Notice and the next phase of the procedure will begin.

What can I do against a Notice of Opposition?

In order to go against a Notice of Opposition, you must first know the procedure that will be followed. Firstly, there will be a 2-month period in which you may negotiate with the opposing party to try to come to some sort of arrangement. If unsuccessful, you will then have to argue before the EUIPO. These are known as the cooling-off period and the adversarial stage.

Cooling-off period

Once you have been informed of the Notice of Opposition, a 2-month period begins in which you and the opposing party may attempt to reach a friendly settlement. This is known as the ‘cooling-off’ period. If you are able to reach an agreement with the opposing party, then whatever you agree shall be established and neither side will have to pay any costs for further phases of the procedure. If, however, you are unable to come to an agreement, the adversarial stage shall begin in which you must argue with the opposing party before the EUIPO as to why your trademark should be granted protection and, more importantly, why it is not infringing on the pre-existing trademark, nor is so similar that it would cause confusion.

Adversarial stage

In this next stage, the opposing party must complete his opposition filing within 2 months of the end of the cooling-off period – the Notice of Opposition was merely provisional. Here, the opposing party will include all evidence that supports his case, as well as proving that the IP rights he is invoking from his trademark truly exist and are valid. For an extensive description of what the opposing party must file and the requirements for doing so, check the Guidelines for Examination in the Office.

Responding to the Notice of Opposition

Proof of Use

In responding to the opposition, in the case that you believe the opposing party may very well have a registered trademark, but is not actually using it, you may request proof of use. This requires the opposing party to submit additional documentation that proves that he is actively using his trademark in a commercial environment. It is essential that every trademark owner is aware that it’s using it or lose it when it comes to opposition proceedings.

Restrictions of your Trademark Application

When filing the application to register your trademark, you will have had to specify which goods and services are traded under the brand. As this could be the grounds for the Opposition in the first place, you may also decide to restrict your application in order to limit the goods and services you provide under that brand, to prevent any potential infringement of the opposing party’s protection. This would only work in specific cases in which you and the opposing party are operating in similar or overlapping sectors. It is important to mention here that the EUIPO will not accept restrictions that are conditional. The restriction must be absolute and unconditional.

Formulate a Strong Legal Argument

Make a strong legal argument behind why your trademark application is acceptable may seem rather obvious, but it is much easier said than done. There is a reason that lawyers dedicate their entire professional lives to IP law. It is an area of the law that is always changing and evolving, not to mention that it has the potential to be incredibly subjective, given that a key factor in a EUIPO decision is how similar it looks compared to the pre-existing trademark.

If you want to have the best chances at a successful trademark application, it is highly recommended to hire the services of an experienced IP lawyer to go through the process with you. At Moeller IP, we have been practicing solely IP law for nearly 100 years across the world, and there is still more to do. If you would like to clarify some doubts, please don’t hesitate to contact us right away.

European Patent Office Issued Opinion G 3/19 (Pepper) on 14.05.20

By José Santacroce. Partner and Head of Patent Department.

The Enlarged Board of Appeal of the European Patent Office issued opinion G 3/19 (Pepper) on 14.05.20 and concluded that plants and animals exclusively obtained by essentially biological processes are not patentable.

The key concepts of opinion G 3/19

The Enlarged Board of Appeal of the European Patent Office adopted a dynamic interpretation of the exception to patentability under Article 53(b) of the European Patent Convention (EPC) and held that the non-patentability of essentially biological processes for the production of plants or animals also extends to plant or animal products that are exclusively obtained by means of an essentially biological process.

Background

The Enlarged Board of Appeal is the highest judicial authority under the EPC, which provides for an autonomous legal system that is separate from the European Union. The Enlarged Board’s main task is to ensure the uniform application of the EPC.

Under Article 53(b) EPC, European patents shall not be granted in respect of plant or animal varieties or essentially biological processes for the production of plants or animals. Rule 28(2) EPC provides that under Article 53(b) EPC, European patents shall not be granted in respect of plants or animals exclusively obtained by means of an essentially biological process.

Rule 28(2) EPC was introduced by the decision of the Administrative Council of the European Patent Organisation and came into force on 1 July 2017.

In 2015, the Enlarged Board had concluded in its decisions G 2/12 and G 2/13 within the then applicable legal framework, i.e. before the introduction of Rule 28(2) EPC, that the non‑patentability of essentially biological processes for the production of plants or animals under Article 53(b) EPC did not extend to products that are exclusively obtained by means of an essentially biological process.

In 2018, a Technical Board of Appeal held in decision T 1063/18 that new Rule 28(2) EPC had no impact on the interpretation of Article 53(b) EPC, and followed the Enlarged Board’s earlier decisions G 2/12 and G 2/13.

In 2019, the President of the European Patent Office referred a point of law to the Enlarged Board of Appeal under Article 112(1)(b) EPC concerning the interpretation of Article 53(b) EPC in view of legal and other developments occurring after decisions G 2/12 and G 2/13, and in particular in view of new Rule 28(2) EPC.

Key considerations

In its opinion issued today, the Enlarged Board of Appeal held the referral by the President of the European Patent Office to be admissible within the terms of a re‑phrased question. On the merits of the referral, the Enlarged Board endorsed its earlier findings on the scope of Article 53(b) EPC, which were based on the classical (i.e. the grammatical, systematic, teleological and historical) methods of interpretation. However, the Enlarged Board found that a particular interpretation which has been given to a legal provision can never be taken as carved in stone, because the meaning of the provision may change or evolve over time. This meant that decisions G 2/12 and G 2/13 did not settle the meaning of Article 53(b) EPC once and for all.

Taking account of the Administrative Council’s decision to introduce Rule 28(2) EPC, the preparatory work on this provision and the circumstances of its adoption, as well as legislative developments in the EPC contracting states, the Enlarged Board concluded that new Rule 28(2) EPC allowed and indeed called for a dynamic interpretation of Article 53(b) EPC.

In adopting this dynamic interpretation, the Enlarged Board abandoned its earlier interpretation of Article 53(b) EPC in decisions G 2/12 and G 2/13. It held that, after the introduction of new Rule 28(2) EPC, Article 53(b) EPC was to be interpreted to exclude from patentability plants, plant material or animals, if the claimed product is exclusively obtained by means of an essentially biological process or if the claimed process features define an essentially biological process.

In order to ensure legal certainty and to protect the legitimate interests of patent proprietors and applicants, the Enlarged Board ruled that the new interpretation of Article 53(b) EPC given in G 3/19 had no retroactive effect on European patents containing such claims which were granted before 1 July 2017, or on pending European patent applications seeking protection for such claims which were filed before that date.

Source: www.epo.org

The ePrivacy Regulation: the European Union’s Final Piece to the Digital Privacy Puzzle

By Ivan Blomqvist.

ePrivacy Regulation (ePR)

The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”, known also as the ePrivacy Regulation (ePR), is a proposed legal act of the European Union, enforceable as law in all member states, that intends to focus on a more expansive regulation of electronic communications by outlining data security laws and reinforcing rules regarding the electronic transfer of data.

Noncompliance of ePrivacy Regulation could mean penalties of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

ePrivacy Regulation objectives

The ePrivacy Regulation plans to account for the new players providing electronic communications services like WhatsApp and Skype, while benefiting from one single set of rules across all of the European Union.

It also looks to simplify the provision of cookies by utilizing rules that are friendlier to users and to prohibit unsolicited electronic communications, commonly referred to as spam, such as emails, text messages and automated calls. Additionally, the ePR seeks to repeal the Privacy and Electronic Communications Directive (Directive 2002/58/EC), also referred to as the ePrivacy Directive (ePD), while also overriding the General Data Protection Regulation (GDPR) on specific matters (lex specialis).

Since its inception in 2017, the ePR has been the subject of many discussions in the Council of the European Union. But, despite its progress, common ground could not be found on the some matters like the protection of terminal equipment information, the processing of electronic communications data by third parties, and the cooperation among data protection and telecommunications regulatory authorities.

In 2020, the current Presidency of the Council of the European Union released a newly revised draft of the ePrivacy Regulation in which it focuses on metadata and what can be considered as “legitimate interests” to process it and to also place cookies on end-users’ devices.

Companies obligations  

Under the new draft, businesses would require to conduct data protection impact assessments, consult the relevant supervisory authority body, implement appropriate security measures, provide information to end-users about data processing activities and the right to object to such data processing, and to not share metadata or information collected through the use of cookies or similar technologies with third parties, unless it has been anonymized.

In March 2020, the current presidency invited all delegations to provide their final comments on the proposed draft, so that negotiations with the European Parliament can begin as soon as possible. Should the ePR be finally approved, it will finalize the European Union’s framework regarding the protection of data and the confidentiality of electronic communications.

Source: https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

The European Patent Office – Patent Index 2019

By José Santacroce. Partner and Head of Patent Department

Patent Index 2019

The European Patent Office (EPO) just published its Patent Index 2019, below a summary of the key statistics.

The EPO received last year a record 181 000 patent applications, 4% more than in 2018.

In total, nearly half of all patent applications came from companies based in Europe, with Germany alone accounting for some 15%. From the other regions, US firms dominated with a quarter of all applications, followed by companies from Japan, China and South Korea.

Origin of patent applications in 2019

In terms of growth, patent applications filed by European companies increased modestly. There was a strong rise in demand from the US. The steepest growth rates were posted by Asian companies, in particular Chinese and South Korean firms.

Top 10 applicants at the EPO in 2019

• 1.HUAWEI 3 524

• 2.SAMSUNG 2 858

• 3.LG 2 817

• 4.UNITED TECHNOLOGIES 2 813

• 5.SIEMENS 2 619

• 6.QUALCOMM 1 668

• 7.ERICSSON 1 616

• 8.ROYAL PHILIPS 1 542

• 9.SONY 1 512

• 10.ROBERT BOSCH 1 498

Top 10 countries for patent applications at the EPO in 2019

Among European countries with large volumes, the greatest increases in filings came from Sweden, the UK, and Switzerland. Filings from Germany remained stable and Italy saw moderate growth, while France and the Netherlands saw decreases.

Looking at countries with mid-range patenting volumes, Spain saw the biggest rise in applications. There were also increases in filings from Belgium and Austria.

Further significant growth was seen from companies in Portugal, Ireland, and Norway, albeit from small overall patenting volumes.

The patent applications filed with the EPO in 2019 also indicate Europe’s position as a key market for the next wave of digital transformation technologies.

Technical fields with most patent applications in 2019

Digital communication: The new top technology field at the EPO

Digital communication was the new top technology field at the EPO, reflecting the rapid development of 5G technologies.

China, the US, and Europe were the most active regions of origin. They each account for roughly a quarter of the patent applications in this field.

Computer technology: The second fastest-growing field

It was fuelled by the growing importance of Artificial Intelligence. Patent applications concerned especially machine learning, data retrieval, image data processing, and pattern recognition. Overall, US companies led this field, with European applicants not far behind.

The dominant position of digital technologies was clearly reflected in the list of leading applicants. Huawei topped the table, followed by Samsung, LG, United Technologies and Siemens.

Overall, European companies retained the largest share in seven of the ten most active technology fields. These include transport, where Europe continued to excel in the automotive sector. The same was also true for clean energy technologies.

Source: www.epo.org