GDPR: GUIDELINES CONCERNING THE SCOPE OF TERRITORIAL APPLICATION HAVE BEEN PUBLISHED

27/11/2019

During its 15th plenary session (November 12-13, 2019), the European Data Protection Board (EDPB) adopted the final version of the territorial guidelines, which were submitted for public consultation on November 16, 2018. The guidelines provide clarification on the application of EU Regulation 2016/679 as well as a number of examples to clarify the range of application of the same Regulation with reference to Article 3.1 (establishment criterion) and Article 3.2 (targeting criterion), or the application of Article 3.3 (processing in a place where member state law applies by virtue of public international law).

 

Art. 3 GDPR and general remarks

The European Data Protection Board (EDPB) has recently published the definitive guidelines for the correct reading and interpretation of Art. 3 Reg. EU 679/2019 (better known as “GDPR”), which defines the territorial scope of the Regulation according to two main criteria: the establishment criterion and the targeting criterion and it extends the Regulation’s applicability to the processing of personal data carried out by a data controller who is not established in the European Union, but in a place under the law of a Member State pursuant to public international law.

This important rule reflects the legislator’s intention to ensure full protection of data subjects’ rights in the EU and to establish a level playing field for companies operating on EU markets, in a context of data flows that is now constantly taking place worldwide. However, it has raised a number of interpretative doubts that the recent guidelines aim to solve, representing an essential vademecum for all companies operating outside the European Union area and who need to understand whether or not their activity falls within the scope of the GDPR.

The 28-page document published by the EDPB, currently available in English only, is detailed and includes a number of practical examples to make it easier to understand.

 

The EDPB Guidelines

1 – Application of the establishment criterion to controller and processor

Referring to the first criterion, Article 3(1) of the GDPR states that “the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

In sostanza, affinché sia applicabile il regolamento, è sufficiente la presenza in territorio dell’Unione, per mezzo di uno stabilimento, di un titolare o di un responsabile e il fatto che il trattamento avvenga nel contesto delle attività di quello stabilimento, indipendentemente dal luogo o dalla nazionalità dell’interessato i cui dati personali sono trattati

Essentially, for the Regulation to be applicable, it is sufficient that: a) a controller or a processor is located in the Union through an establishment; b) the processing take place in the context of the activities of that establishment, regardless of the place or nationality of the data subject whose personal data are being processed. It should be pointed out that, for the purposes of recital 22, an establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

The EDPB guidelines make it clear that the definition of ‘permanent establishment’ must be understood in a broad sense, especially in cases involving the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union, acting with a sufficient degree of stability, may be sufficient to constitute a stable arrangement. Conversely, the mere presence of an employee in the EU when the processing is not being carried out within the employee’s activities will not mean that the processing falls within the scope of the GDPR.

In order to determine whether the processing is carried out by a controller or a processor within its establishment in the Union, it is necessary to analyse on a case-by-case basis, even if the guidelines provide some criteria to be taken into account such as the relationship between a controller or a processor outside the Union, its local establishment in the Union and the revenues raising within the European Union.

The existence of a relationship between the controller and the processor does not necessarily imply the application of the GDPR to both, if one of these two entities is not established in the Union. Where a data controller subject to the GDPR chooses to use a processor located outside the EU for a processing activity, it will still be necessary for the data controller to ensure, by contract or other legal act pursuant to Art. 28 GDPR, that the data controller processes the data in accordance with the GDPR. The processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements.

In the case of a data processor established in the Union and carrying out processing on behalf of a data controller established outside the Union and not subject to the GDPR, the EDPB considers that the processing activities of the data controller would not be deemed as falling under the territorial scope of the GDPR (Article 3.2) merely because they are processed on its behalf by a processor established in the Union. However, even though the data controller is not established in the Union and is not subject to the provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be subject to the relevant provisions of the GDPR as per Article 3(1).

2 – The criterion of physical and geographical location of the interested parties

Paragraph 2 of art. 3 GDPR establishes that the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The guidelines consider the location of the concerned person a crucial factor in order to assess whether the data subjects are in the EU, contrary to the nationality or the legal status, since, as specified in Recital 14, the protection conferred by the Regulation should apply to natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data.

The location requirement must be assessed when the activity takes place, for instance at the time of the offering of goods or services or the monitoring of their behaviour, regardless of the duration of the offer made or of the monitoring carried out.

It should also be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, provided that the processing is not linked to a specific offer addressed to individuals in the EU or a monitoring of their behaviour in the Union.

In order to assess the supply of goods or services, which also includes information society services, it must be taken into account the application of the targeting criterion, regardless of whether a payment is requested by the interested party.

In order to determine whether or not the processing involves the monitoring of the behaviour of a data subject, the guidelines consider as a fundamental criterion the monitoring of the natural persons on Internet, including the potential subsequent use of profiling techniques. This activity may include a wide range of control activities, such as behavioural advertising, geolocation activities, in particular for marketing purposes, online tracking through the use of cookies or other tracking techniques such as fingerprinting, personalized services of analysis of diets and online health, video surveillance, market researches and other behavioural studies based on individual profiles and monitoring or periodic reports on an individual’s health.

3- The Application of the Regulation in a place where the law of the Member States applies under international law

Article 3 paragraph 3 of the GDPR establishes the applicability of the Regulation also to the processing of personal data carried out by a data controller not established in the Union, but in a place where Member State law applies by the virtue of public international law

According to the guidelines, the GDPR therefore applies to the processing of personal data carried out by embassies and consulates of EU Member States located outside the EU

4 – The Obligation to nominate a representative

In regard to the obligation for data controllers or processors to appoint a representative in the Union, except for the exceptions established by the Regulation, first of all the guidelines clarify that the presence of the representative in the Union does not constitute an “establishment” and that the function representative in the Union  is not compatible with the role of an external data protection officer (DPO), who must carry out his/her task with a sufficient degree of autonomy within his/her organization, nor with the role of data controller for the same data controller. The guidelines also recall that, in accordance with Article 13, paragraph 1, letter a) and Article 14, paragraph 1, letter a) in the context of their information obligations, the data controllers must provide the data subjects information on the identity of their representative in the Union

*****

For more details on the cases mentioned in the guidelines, please visit the website of the Authority where the official document is published (in English)

 

Margherita Stucchi

THE DIGITAL RIGHT TO BE FORGOTTEN: NOT A GLOBAL PROTECTION

12/11/2019

The Court of Justice of the European Union, with two judgements of September 24, 2019, clarified the scope of the right to be forgotten: in examining a de-referencing request of web pages containing sensitive data, search engine operators are required to balance fundamental rights of the applicant with freedom of information of Internet users, not being also obliged to apply the de-referencing of such content on a global scale.

 

The events

The decisions of cases C-507/17, Google v. CNIL, and C-136/17, Google and Others v. CNIL, both concerned the Google search engine.

The first judgment (C-507/17) regards a penalty imposed in 2016 by the French Data Protection Authority (CNIL) on Google, following its refusal to de-referencing a certain content from all its search engine’s domain name extensions, limiting it to versions relating to EU Member States only. Google appealed the decision before the French Council of State, which referred the question of the territorial scope of the right to be forgotten to the Court of Justice.

With the second decision (C-136/17), the Court, once again requested by the French Council of State, following an appeal by a group of individuals contesting the CNIL’s refusal to take action against Google for the removal of sensitive data, was called to rule on the conditions under which search engines must comply with de-referencing requests of web pages containing sensitive data.

The Court’s decisions

The Court ruled establishing that there is no obligation arising from the European Union law to provide for a global de-referencing, but only limited to search engine versions relating to the Member States of the Union.

The relative scope of the right to be forgotten has also been further clarified: upon the receipt of a de-referencing request of sensitive data on web pages, it will be necessary to find a balance with other fundamental rights, such as the right of public access to information.

The background

The right to be forgotten has never been presented as an absolute right; affirmed by the same Court in 2014 with the memorable decision Google Spain, was then specified by GDPR 2016/679, the EU Regulation on the processing of personal data and privacy, which emphasized the importance of balincing such right, by applying the principle of proportionality, with other fundamental rights, providing for a limitation of the right to erasure of sensitive data in order to protect the freedom of expression and information.

The territorial scope

The Court has pointed out that the application of the right to be forgotten is not allowed to transcend the boundaries delineated by the territoriality of the law and jurisdiction, although it believes would be desirable to achieve a global de-referencing result, for instance through cooperation mechanisms activated between national authorities. However, a similar solution appears difficult to attain, given the discordant recognition and fragmented application of the right to be forgotten worldwide.

The examination of de-referencing requests

The European Union legislation does not provide for an automatic fulfillment of de-referencing requests.  In fact, the search engine receiving a de-referencing request, will be expected to balance the rights of the individual applicant and the rights of digital users, by weighting factors such as the nature of the concerned information, its impact on the private life of the individual or the public role assumed by the latter, the potential obsolescence of the information as well as the presence of reasons of public interest to its accessibility.

Implications

Both decisions raise the challenge of drawing a line between the protection of the individual right to privacy and the access to information and freedom of expression.

While the global application of the right to be forgotten could lead to the possibility of restricting freedom of information, the transnational nature of the Internet could in fact undermine the effectiveness of national or Community measures intendend for the protection of certain fundamental rights.

Alessia Asaro and Luigi Goglia


RUBIK’S CUBE: THEGENERAL COURT CONFIRMS EU TRADEMARK’S INVALIDITY

31/10/2019

Another judicial episode concerning the shape of the famous Rubik’s cube: by its recent decision of October 24, 2019 in Case T-601/17, the General Court confirmed that the shape of the Rubik’s Cube cannot be registered as a three dimensional trademark because its essential features are necessary “to obtain the technical result to rotate the different rows of the cube”.

 

The background

 In 1999 the UK- based toy company Seven Towns Ltd. registered the shape of Rubik’s Cube as three dimensional EU Trademark for “three-dimensional puzzles” in Class 28 of the Nice Agreement concerning the International Classification of Goods and Services. The Applicant claimed no particular color for the trademark, nor did it provide a description.

Seven years later the German competitor Simba Toys filed an application before the EUIPO for a declaration of invalidity of that registration, on the ground that the rotating capability actually implied a technical solution that should only have been protected with a specific patent and not with a trademark (on the basis of Articles 59 and 7 of EU trademark community Regulation).

General Court’s first ruling:

In 2009, further to the rejection of the application for invalidity, Simba Toys brought an action for annulment of EUIPO’s decision before the General Court of the European Union.

On November 25, 2014 the Appeal was firmly rejected: the General Court stated that the essential features of the Cube did not prevent it from being protected as a trademark. In addition, the General Court, in its ruling, also held that the technical solution did not actually result from the shape but from a non-visibile mechanism located at the centre of the cube itself.

The CGUE solution and the new EUIPO’s ruling

Simba Toys then lodged an appeal against the General Court’s decision before the EU Court of Justice (CJEU). On November 10, 2016 the CJEU set aside the General Court decision, overturning the previous ruling. On the matter, by examining whether the registration should be rejected because the shape of the cube involved a technical solution, the CJEU rejected both the General Court and the EUIPO’s rulings.
According to the CJEU, the EUIPO and the General Court should have taken into consideration not only the sign’s graphic representation, but also other elements (even invisible ones) of the product related to the functionality of the good itself, such as its rotating capability.

The matter thus returned to the EUIPO. The First Board of Appeal stated that the graphic representation of the contested mark revealed the following three essential characteristics: firstly, the overall cube shape; secondly, the black lines and the resulting little squares on each face of the cube; and thirdly, the differences in the colors on the six faces of the cube. Based on this statement, the Board of Appeal considered that each of them, as fundamental characteristics, was essential to achieve the final technical result of the Cube, i.e. the presence on each face, following a series of horizontal and vertical rotation operations, of a single color common to all nine squares. On this point, however, it was noted that the European Trademark Regulation No. 40/94 did not allow the registration of a shape whose essential characteristics are necessary to obtain a precise technical result. Consequently, the EUIPO invalidated the registration in its entirety and cancelled the trademark from the register.

In the light of this ruling, Rubik’s Brand Ltd. (in 2014 the registration of the mark was assigned to this company) applied to the General Court of the European Union.

The general court’s recent ruling

By its recent decision of October 24, 2019 the General Court emphasised that the EUIPO’s Board erred in identifying that differences in the colors of the six faces of the cube constitute an essential element of the mark. This is highlighted for two reasons: firstly, in the application for registration of the contested mark, such importance in terms of colour variety has never been underlined by the Applicant and, moreover, with a simple visual analysis of the graphic representation of that mark it is not possible to identify the difference in colour between the six faces.

Besides, the General Court then aligned itself with EUIPO’s previous ruling, pointing out that the black lines are an essential element to achieve the expected technical result. They create a physical separation which is necessary to rotate the different rows horizontally and vertically thanks to a specific mechanism located at the center of the cube.

Finally, the General Court focused on the second further essential element represented by the overall cube shape. In this regard, the ruling clearly stated that the shape can be no more than a ‘Cube’, a regular hexahedron since it is inseparable both from the grid structure consisting of the black lines and from the function of the actual goods at issue, which is to rotate vertically and horizontally the rows of the small cubes. In the light of this, the two essential Rubik’s Cube elements, which have been also correctly qualified by EUIPO, are extremely necessary to obtain the technical result consisting in the ability of that good to rotate in the contested form. Therefore, for this reason, it is not possible to register this shape as a European Union trademark.


REGISTERING SOUNDS, MOVEMENTS, MULTIMEDIA AND HOLOGRAMS AS TRADEMARKS – THE CONSULTATION PROCESS OF THE CONCERNED CIRCLES WITH THE GOAL OF ACHIEVING AN HARMONISED PRACTICE IN THE ASSESSMENT OF VALIDITY REQUIREMENTS HAS BEGUN

15/10/2019

With Directive no. 2015/2436 the European Union has provided a framework for the regulation of new types of trademarks, responding to an increasingly widespread practice of exploiting modern forms of communication for marketing. Italy implemented the directive by Legislative Decree no. 15/2019, which, inter alia, abolished the requirement that a sign, in order to be registered as a trademark, must be capable of being represented graphically. With the prospect of registering new forms of trademarks, a series of questions still remain unanswered, such as, for example, that of intrinsic distinctiveness or the descriptiveness of new forms of trademarks. A consultation open to all interested parties and aimed at arriving at a concerted and harmonized practice will be concluded within mid-November.

 

In the context of European Union law, the implementing regulation no. 626/2018 of the Regulation on the European Union trademark clarifies that the trademark may be represented in “any appropriate form using generally available technology”, provided that it can be reproduced in the register in a “clear, precise, self-contained, easily accessible, intelligible, durable and objective manner”. This should enable the competent authorities and the public to determine with clarity and precision the subject matter of the protection afforded to its proprietor. However, these aspects – also known as Sieckmann criteria – have not (yet) been defined more precisely. In addition to the application of these criteria to new types of trademarks, the consultation also concerns the question of how any discrepancies between the representation and description of the trademark can be assessed or how priority claims should be examined when at least one of the trademarks belongs to a new type. The consultation is not limited to the examination of absolute grounds of validity but also addresses the examination of relative grounds of invalidity. There is no established case law as to how the comparison between two new types of marks should be conducted or if only one of the marks to be compared is of the new type.

The consultation, which is open until 14 November 2019, offers the opportunity to participate in the development of shared criteria. In view of the increasingly crowded space in the field of traditional trademarks, the registration of new types of trademarks offers important economic advantages, as demonstrated by a recent analysisconducted by EUIPO in collaboration with the EPO.


THE COURT OF JUSTICE OF THE EUROPEAN UNION FORCE FACEBOOK TO REMOVE ALL IDENTICAL AND ILLEGAL CONTENT WORLDWIDE

08/10/2019

Based on the recent decision of 3 October 2019, the Court of Justice strengthens the obligation for hosting providers to stay down on a worldwide scale, concerning all identical and/or equivalent contents previously declared to be illegal.

 

La vicenda

Mme Eva Glawischnig, a member of the Austrian Parliament, seeks an order that facebook removes a comment, published by a user on his personal profile and available for any facebook user, harmful to her reputation, and allegations which were identical and/or of an equivalent content.

The context behind the preliminary ruling and the request of the Court

LThe Oberster Gerichtshof (Supreme Court, Austria), when called upon to give a ruling on the question, asks the Court of Justice to interpret art. 15 of the Directive on electronic commerce (Directive n. 2000/31), which provides for a general prohibition on the supervision of host providers. In particular, the Austrian Supreme Court asked whether art. 15 generally precludes the obligation imposed on a hosting provider, who has not promptly removed unlawful information, to remove not only that illegal information but also others identical or equivalent worldwide.

The CJUE solution

The Court of Justice, by the abovementioned decision, clarifies that although art. 15 (1) of the E-commerce Directive prohibits Member States from imposing on hosting service providers a general obligation to monitor information they transmit or store, as it stands out from recital 47 of the Directive, that obligation does not concern monitoring obligations in “specific cases”. Such a specific case may arise, as in the present case, from precise information, stored by the service providers and requested by a social network user, the content of which has been analyzed and considered unlawful by the Court of the member state. Consequently, it is legitimate to consider that the Competent Court may require the hosting providers to remove information which it stores, the content of which is identical to the content of information was previously declared to be unlawful or to block access to that information, irrespective of who requested the storage of that information. The same has been acknowledged in relation to equivalent contents, provided that it contains specific elements duly identified such as the name of the person concerned, the circumstances in which that infringement was established or a content equivalent to that declared unlawful, so as not to compel the hosting provider to carry out an independent assessment of that content.
Finally, the Court of Justice clarifies that article 18 (1), Directive n. 2000/31 does not provide for any territorial limitation and therefore does not preclude the abovementioned injunctive measures from producing worldwide effects.