When the General Data Protection Regulation1)Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, … Continue reading came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents2)Art. 3(2)(a) and (b) GDPR..

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.

(more…)

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR) which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.

(more…)

The European Union Court of Justice confirmed the intellectual property rights owned by the French company “Forge de Laguiole”, but solely in areas in which it pursued an actual business activity.

A decision (Judgement dated 5 April 2017 of the Second Chamber of the EU Court of Justice, No C-598/14Szajner”) dated 5 April 2017 of the European Union Court of Justice (“EUCJ”) put an end to the longstanding series of court decisions about the Laguiole trademark before the European Union jurisdictions (“EU Jurisdictions”), on which relied the right for French company “Forge de Laguiole” to keep using its business name. This decision also gave the EUCJ the opportunity to clarify the application of national case law by the EU Jurisdictions within the framework of proceedings based on Article 8 (4) of Council Regulation (EC) No 207/2009 dated 26 February 2009 on the Community trade mark (the “Regulation”).

(more…)

Of the difficulty to frame photograph as a protected work and its consequences on social network.

On December 18, 2012, further to its acquisition by Facebook, Instagram unveiled its new terms of use, to be enforced on January 16, 2013. At the case of the redrafting of the contract tying the social network to it, users stood much-discussed undertaking which allowed the company to monetize its users’ photographs, notably for commercial and advertising purposes. Facing a major uproar from internet users Instagram elected to withdraw this provision and apologized fondly. However, such withdrawal only targeted the cancellation of clear terms of what the terms of use provided from the very beginning: the grant by the users to Instagram of the right to use the photographs uploaded on its platform.

Two days later, the courts of Paris rendered a judgment (TGI Paris, 3ème chambre, 4ème section, Jugement du 20 décembre 2012 – Philippe G, Alexandra J c./ Paul M. (in French)) which may jeopardize the grievances of the social network users. Indeed, the judges refused to recognize that the airplane photographs take by individuals bore sufficient originality to allow any protection under French intellectual property law.

(more…)