EU GENERAL COURT: A SIGN REFERRING TO MARIJUANA IS CONTRARY TO PUBLIC POLICY AND MAY NOT BE REGISTERED AS A EUROPEAN UNION TRADEMARK

27/12/2019

The General Court of the European Union, by judgment T-683/18 of 12 December 2019, confirmed that the sign “Cannabis Store Amsterdam” containing the graphic representation of cannabis leaves in the background is contrary to public policy and therefore cannot be registered as a trademark of the European Union.

 

The case
The applicant filed an application for registration of a European Union trademark for goods and services related to food and beverages. Following the refusal by the examiner on grounds of public policy under Article 7(1)(f) of EU Regulation 2007/1001, the applicant brought an appeal before the Board of Appeal. The Board of Appeal, by decision of 31 August 2018, also confirmed the examiner’s decision and rejected the appeal. The applicant then brought an appeal before the General Court of the European Union.

The decision of the EU General Court
By judgment T-683/18 of 12 December 2019, the General Court confirmed the decision of the Board of Appeal, in which it held that, although hemp leaf does not contain any psychoactive substance, it is often used as a media symbol for marijuana. In addition, the word “Amsterdam” refers to the fact that this city has many shops for narcotics derived from cannabis, due to the sale of cannabis being tolerated in Netherlands. Furthermore, the word “store”, which means “shop”, has the effect that the public could expect the products and services correspond to those offered by a marijuana shop.

With reference to the concept of public policy, the Court confirmed that the decisive criterion for the purposes of assessing whether a sign is contrary to public policy is the perception which the relevant public will have of the trademark. That perception may be based on inaccurate definitions from a scientific or technical point of view, which means that it is the specific and current perception of that sign that matters, irrespective of whether the consumer has all the information available. The presence in the sign of the words “Amsterdam”, “Cannabis” and “Store”, together with the cannabis leaves, means that the target public perceives that the goods and services identified by the sign contain drugs which are illegal in many Member States.

The judges emphasize the principle that if grounds for obstruction due to contrary to public policy exist only in certain EU territories, the obstruction extends to the entire territory of the European Union. EU law does not impose a uniform scale of values and acknowledges that the requirements of public policy may vary from one country to another and from one era to another. Member States essentially retain the freedom to determine what constitutes those requirements in accordance with their national politics.

In particular, the Court noted that, although there is a debate in some Member States about the legalization of marijuana also for recreational use, the use of marijuana is illegal in many European countries. That prohibition thus seeks to protect an interest which those Member States consider fundamental in accordance with their own systems of values, with the result that the rules applicable to the consumption and use of that substance are a matter of “public policy”. Considering this public policy protectable, the Court notes that there is no unanimously accepted, or even predominant trend in the European Union regarding the lawfulness of the use or consumption of products derived from cannabis, but Articles 83 and 168 TFEU which fight against illicit drug trafficking and prevention of and information on the health effects of drugs

In conclusion, the General Court rejected the appeal confirming that the sign cannot be registered under the combined provisions of Article 7(1)(f) and Article 7(2) of Regulation 2017/1001.

The full text of the decision can be found at the following link:

Paolo Passadori and Tankred Thiem


THE COURT OF JUSTICE RULES ON BALSAMIC VINEGAR OF MODENA PGI: ARE THE NON-GEOGRAPHICAL TERMS PROTECTED PURSUANT TO REG. NO 1151/2012?

12/12/2019

The Court of Justice of the European Union, by decision of 4 December 2019, held that the protection of the name “Aceto Balsamico di Modena” does not extend to the use of its non-geographical terms, such as “vinegar” and “balsamic”.

 

The parties and the case
The decision of the Court of Justice involved, on the one hand, Consorzio di Tutela dell’Aceto Balsamico di Modena IGP, a consortium of producers of products designated by the name “Aceto Balsamico di Modena (PGI)” and, on the other, the German company “Balema GmbH”. The consortium requested that Balema GmbH refrain from using the term “balsamico”. In response to the request to cease and desist from the usage of said terms, Balema brought an action before the German courts seeking a declaration that it has the right to use that term for those products.

Stages of the procedure
Balema GmbH, defeated at first instance, had appealed to the German Court of Appeal, which has recognized the right to use the term “balsamic” to distinguish vinegar-based products produced in Germany, stating the absence of violation of the prohibition of usurpation, evocation or imitation of the protected geographical indications in the EU.

Preliminary ruling of the Court of Justice
The German Federal Court of Justice, has asksed the Court of Justice to determine whether the protection of the name “Aceto Balsamico di Modena”, which is conferred by the regulation on the protection of geographical indications and designations of origin for agricultural products and foodstuffs covers only the entire name, that is “Aceto Balsamico di Modena”, or extends to the use of the non-geographical terms of that name, that is to say “aceto”, “balsamico” and “aceto balsamico”, in order to obtain an official interpretation of EU Regulation no. 1151/2012.

The decision issued by the Court of Justice
In its judgment of 4 December 2019, the Court held that the protection of the name “Aceto Balsamico di Modena” did not extend to the use of individual non-geographical terms. According to the Court, the registration of said PGI concerns the name “Aceto Balsamico di Modena” as a whole. Consequently, the protection granted by EU Regulation no. 1151/2012 covers only the whole name. The non-geographical terms of said PGI, namely “vinegar” and “balsamic vinegar”, their combination and translations, in the Court’s view, cannot benefit from such protection. According to the Court, those terms lack any geographical connotation. In particular, the Court has stated that the term “vinegar” is a common term and the term “balsamic” is an adjective commonly used to designate a vinegar characterised by a sweet-and-sour taste.

Valentina Cerrigone


TURNING POINT IN GERMANY ON THE USE OF GOOGLE ANALYTICS COOKIES: MANY REGIONS OF GERMANY WILL REQUIRE USER CONSENT IN THE FUTURE, ABANDONING A MODEL SIMILAR TO THAT CURRENTLY USED IN ITALY

03/12/2019

In Germany, where the implementation of personal data protection measures is the responsibility of the individual regions, and not of the Federal Government, several regional authorities have published recommendations regarding the use of instruments such as GOOGLE ANALYTICS. According to these recommendations, the use of the service in question must be subject to the prior consent of the user. The competent authorities have pointed out that when using the services of Google Analytics, the data collected are also transmitted to another recipient (Google), who uses them for its own purposes. It follows that such processing by Google can no longer be considered as a mere activity of the “data processor”.

 

Under the previous rules, services such as GOOGLE ANALYTICS were considered lawful from the point of view of processing of personal data, even though the processing in question was carried out without the prior consent of the data subjects. In this respect, some German regional authorities (e.g. Hamburg) considered the processing of personal data to be lawful in the absence of consent as long as certain specific requirements were met, such as the following:

– the creation of pseudonymised profiles;
– the right of opposition (with an opt-out procedure);
– the conclusion of a contract with Google;
– the presence of information for the user on the use of Google Analytics;
– partial deletion of the IP address in Google’s settings (IP anonymisation).

In many respects, these criteria are similar to the provisions of the Italian Data Protection authority in the directives published in 2014 and 2015.

The decision taken by the Länder was justified by the changes and technical development the product: “Google Analytics has been developed in recent years in such a way that it no longer represents processing as a mere data controller. Rather, the provider is granted the right to use the data of visitors to the websites for its own purposes.”

Since data protection matters are harmonised and since the reasons for the decision taken by the German authorities are based on an analysis of the technical characteristics of the service, it can be assumed that the issue will soon be brought to the attention of other national data protection authorities, with the possible consequence that the prior consent of the data subject will also become a necessary requirement in other EU Member States or – to be more precise – throughout the European Union (so that the various German Länder would in this case act as “forerunners”).

Tankred Thiem


GDPR: GUIDELINES CONCERNING THE SCOPE OF TERRITORIAL APPLICATION HAVE BEEN PUBLISHED

27/11/2019

During its 15th plenary session (November 12-13, 2019), the European Data Protection Board (EDPB) adopted the final version of the territorial guidelines, which were submitted for public consultation on November 16, 2018. The guidelines provide clarification on the application of EU Regulation 2016/679 as well as a number of examples to clarify the range of application of the same Regulation with reference to Article 3.1 (establishment criterion) and Article 3.2 (targeting criterion), or the application of Article 3.3 (processing in a place where member state law applies by virtue of public international law).

 

Art. 3 GDPR and general remarks

The European Data Protection Board (EDPB) has recently published the definitive guidelines for the correct reading and interpretation of Art. 3 Reg. EU 679/2019 (better known as “GDPR”), which defines the territorial scope of the Regulation according to two main criteria: the establishment criterion and the targeting criterion and it extends the Regulation’s applicability to the processing of personal data carried out by a data controller who is not established in the European Union, but in a place under the law of a Member State pursuant to public international law.

This important rule reflects the legislator’s intention to ensure full protection of data subjects’ rights in the EU and to establish a level playing field for companies operating on EU markets, in a context of data flows that is now constantly taking place worldwide. However, it has raised a number of interpretative doubts that the recent guidelines aim to solve, representing an essential vademecum for all companies operating outside the European Union area and who need to understand whether or not their activity falls within the scope of the GDPR.

The 28-page document published by the EDPB, currently available in English only, is detailed and includes a number of practical examples to make it easier to understand.

 

The EDPB Guidelines

1 – Application of the establishment criterion to controller and processor

Referring to the first criterion, Article 3(1) of the GDPR states that “the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

In sostanza, affinché sia applicabile il regolamento, è sufficiente la presenza in territorio dell’Unione, per mezzo di uno stabilimento, di un titolare o di un responsabile e il fatto che il trattamento avvenga nel contesto delle attività di quello stabilimento, indipendentemente dal luogo o dalla nazionalità dell’interessato i cui dati personali sono trattati

Essentially, for the Regulation to be applicable, it is sufficient that: a) a controller or a processor is located in the Union through an establishment; b) the processing take place in the context of the activities of that establishment, regardless of the place or nationality of the data subject whose personal data are being processed. It should be pointed out that, for the purposes of recital 22, an establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

The EDPB guidelines make it clear that the definition of ‘permanent establishment’ must be understood in a broad sense, especially in cases involving the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union, acting with a sufficient degree of stability, may be sufficient to constitute a stable arrangement. Conversely, the mere presence of an employee in the EU when the processing is not being carried out within the employee’s activities will not mean that the processing falls within the scope of the GDPR.

In order to determine whether the processing is carried out by a controller or a processor within its establishment in the Union, it is necessary to analyse on a case-by-case basis, even if the guidelines provide some criteria to be taken into account such as the relationship between a controller or a processor outside the Union, its local establishment in the Union and the revenues raising within the European Union.

The existence of a relationship between the controller and the processor does not necessarily imply the application of the GDPR to both, if one of these two entities is not established in the Union. Where a data controller subject to the GDPR chooses to use a processor located outside the EU for a processing activity, it will still be necessary for the data controller to ensure, by contract or other legal act pursuant to Art. 28 GDPR, that the data controller processes the data in accordance with the GDPR. The processor located outside the Union will therefore become indirectly subject to some obligations imposed by controllers subject to the GDPR by virtue of contractual arrangements.

In the case of a data processor established in the Union and carrying out processing on behalf of a data controller established outside the Union and not subject to the GDPR, the EDPB considers that the processing activities of the data controller would not be deemed as falling under the territorial scope of the GDPR (Article 3.2) merely because they are processed on its behalf by a processor established in the Union. However, even though the data controller is not established in the Union and is not subject to the provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be subject to the relevant provisions of the GDPR as per Article 3(1).

2 – The criterion of physical and geographical location of the interested parties

Paragraph 2 of art. 3 GDPR establishes that the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The guidelines consider the location of the concerned person a crucial factor in order to assess whether the data subjects are in the EU, contrary to the nationality or the legal status, since, as specified in Recital 14, the protection conferred by the Regulation should apply to natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data.

The location requirement must be assessed when the activity takes place, for instance at the time of the offering of goods or services or the monitoring of their behaviour, regardless of the duration of the offer made or of the monitoring carried out.

It should also be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, provided that the processing is not linked to a specific offer addressed to individuals in the EU or a monitoring of their behaviour in the Union.

In order to assess the supply of goods or services, which also includes information society services, it must be taken into account the application of the targeting criterion, regardless of whether a payment is requested by the interested party.

In order to determine whether or not the processing involves the monitoring of the behaviour of a data subject, the guidelines consider as a fundamental criterion the monitoring of the natural persons on Internet, including the potential subsequent use of profiling techniques. This activity may include a wide range of control activities, such as behavioural advertising, geolocation activities, in particular for marketing purposes, online tracking through the use of cookies or other tracking techniques such as fingerprinting, personalized services of analysis of diets and online health, video surveillance, market researches and other behavioural studies based on individual profiles and monitoring or periodic reports on an individual’s health.

3- The Application of the Regulation in a place where the law of the Member States applies under international law

Article 3 paragraph 3 of the GDPR establishes the applicability of the Regulation also to the processing of personal data carried out by a data controller not established in the Union, but in a place where Member State law applies by the virtue of public international law

According to the guidelines, the GDPR therefore applies to the processing of personal data carried out by embassies and consulates of EU Member States located outside the EU

4 – The Obligation to nominate a representative

In regard to the obligation for data controllers or processors to appoint a representative in the Union, except for the exceptions established by the Regulation, first of all the guidelines clarify that the presence of the representative in the Union does not constitute an “establishment” and that the function representative in the Union  is not compatible with the role of an external data protection officer (DPO), who must carry out his/her task with a sufficient degree of autonomy within his/her organization, nor with the role of data controller for the same data controller. The guidelines also recall that, in accordance with Article 13, paragraph 1, letter a) and Article 14, paragraph 1, letter a) in the context of their information obligations, the data controllers must provide the data subjects information on the identity of their representative in the Union

*****

For more details on the cases mentioned in the guidelines, please visit the website of the Authority where the official document is published (in English)

 

Margherita Stucchi

THE DIGITAL RIGHT TO BE FORGOTTEN: NOT A GLOBAL PROTECTION

12/11/2019

The Court of Justice of the European Union, with two judgements of September 24, 2019, clarified the scope of the right to be forgotten: in examining a de-referencing request of web pages containing sensitive data, search engine operators are required to balance fundamental rights of the applicant with freedom of information of Internet users, not being also obliged to apply the de-referencing of such content on a global scale.

 

The events

The decisions of cases C-507/17, Google v. CNIL, and C-136/17, Google and Others v. CNIL, both concerned the Google search engine.

The first judgment (C-507/17) regards a penalty imposed in 2016 by the French Data Protection Authority (CNIL) on Google, following its refusal to de-referencing a certain content from all its search engine’s domain name extensions, limiting it to versions relating to EU Member States only. Google appealed the decision before the French Council of State, which referred the question of the territorial scope of the right to be forgotten to the Court of Justice.

With the second decision (C-136/17), the Court, once again requested by the French Council of State, following an appeal by a group of individuals contesting the CNIL’s refusal to take action against Google for the removal of sensitive data, was called to rule on the conditions under which search engines must comply with de-referencing requests of web pages containing sensitive data.

The Court’s decisions

The Court ruled establishing that there is no obligation arising from the European Union law to provide for a global de-referencing, but only limited to search engine versions relating to the Member States of the Union.

The relative scope of the right to be forgotten has also been further clarified: upon the receipt of a de-referencing request of sensitive data on web pages, it will be necessary to find a balance with other fundamental rights, such as the right of public access to information.

The background

The right to be forgotten has never been presented as an absolute right; affirmed by the same Court in 2014 with the memorable decision Google Spain, was then specified by GDPR 2016/679, the EU Regulation on the processing of personal data and privacy, which emphasized the importance of balincing such right, by applying the principle of proportionality, with other fundamental rights, providing for a limitation of the right to erasure of sensitive data in order to protect the freedom of expression and information.

The territorial scope

The Court has pointed out that the application of the right to be forgotten is not allowed to transcend the boundaries delineated by the territoriality of the law and jurisdiction, although it believes would be desirable to achieve a global de-referencing result, for instance through cooperation mechanisms activated between national authorities. However, a similar solution appears difficult to attain, given the discordant recognition and fragmented application of the right to be forgotten worldwide.

The examination of de-referencing requests

The European Union legislation does not provide for an automatic fulfillment of de-referencing requests.  In fact, the search engine receiving a de-referencing request, will be expected to balance the rights of the individual applicant and the rights of digital users, by weighting factors such as the nature of the concerned information, its impact on the private life of the individual or the public role assumed by the latter, the potential obsolescence of the information as well as the presence of reasons of public interest to its accessibility.

Implications

Both decisions raise the challenge of drawing a line between the protection of the individual right to privacy and the access to information and freedom of expression.

While the global application of the right to be forgotten could lead to the possibility of restricting freedom of information, the transnational nature of the Internet could in fact undermine the effectiveness of national or Community measures intendend for the protection of certain fundamental rights.

Alessia Asaro and Luigi Goglia