Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta for EUR 1,2b (USD 1.3b), the highest GDPR fine levied since 2018.

Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:

  • suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland;
  • ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area, transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.

The core of the grievances relates to a decade-long (and going) crusade initiated by datactivist Maximilien Schrems and its data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a same action against Safe Habor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).

(more…)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

When the General Data Protection Regulation (“GDPR” – external source) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents (See Art. 3(2)(a) and (b) GDPR).

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.

(more…)

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR) which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.

(more…)

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

(more…)

On January 21, 2019, the French Data Protection Authority (Commission Nationale de l’Information et des Libertés, or “CNIL”) published its first sanction rendered under the General Data Protection Regulation (“GDPR”).

Barely eight months after GDPR entered into force, and the subsequent group actions that were introduced in France, the CNIL followed in their footsteps its other European counterparts. However, while Portugal in July drew first against a hospital with a EUR 400,000 fines, the Austrian and German follow-ups, respectively for EUR 4,800 and 20,000 underwhelmed in contrast with the EUR 20 million, or 4% of the global turnover of a company (which ever the greatest) maximum fines allowed under GDPR.

Today’s CNIL decision nevertheless set the possible path for upcoming application of GDPR, by striking a EUR 50 million fine against Google LLC.

This sanction followed the group complaints formed by Maximilian Schrems’s association “None Of Your Business” (“NOYB” – already behind the cancellation of the Safe Harbor in 2015 and currently litigating against the Standard Contractual Clauses in Ireland) and La Quadrature du Net (“LQDN”), which received a mandate from 10,000 individuals to refer the matter to the CNIL.

The CNIL grounded its decision on the lack of transparency and inadequate information of the individuals in order to deem the consent regarding the ads personalization invalid.

On the one hand, the CNIL highlighted that the information of the data subjects was diluted in a myriad of documents while applying to a plurality of services at once (e.g. Google search, You Tube, Google Home, Google Maps, Playstore…). This did not allow the user to gain a “just perception of the nature and the volume of data collected.”

On the other hand, the consent-gathering mechanism was deemed inadequate to obtain the “specific” and “unambiguousconsent required for such data processing operations. The CNIL notably criticized the blanket acceptance of “the processing of [users’] information as described above and further explained in the Privacy Policy”, which, according to the Regulator, does not allow the users to opt-it to the each particular processing operation at stake without additional steps for the users to reach the required information.

This decision, in addition to be the first rendered by the CNIL under GDPR, will also in all likelihood be the last under the current Secretary General, Isabelle Falque-Pierrotin, who will be replaced on February 1st, after heading the CNIL since 2011.

The European Union Court of Justice confirmed the intellectual property rights owned by the French company “Forge de Laguiole”, but solely in areas in which it pursued an actual business activity.

A decision (Judgement dated 5 April 2017 of the Second Chamber of the EU Court of Justice, No C-598/14Szajner”) dated 5 April 2017 of the European Union Court of Justice (“EUCJ”) put an end to the longstanding series of court decisions about the Laguiole trademark before the European Union jurisdictions (“EU Jurisdictions”), on which relied the right for French company “Forge de Laguiole” to keep using its business name. This decision also gave the EUCJ the opportunity to clarify the application of national case law by the EU Jurisdictions within the framework of proceedings based on Article 8 (4) of Council Regulation (EC) No 207/2009 dated 26 February 2009 on the Community trade mark (the “Regulation”).

(more…)

As stated in a previous article published in the Trademark and Unfair Competition Bulletin1)“FR – Creation of a new industrial property right in France : « The Geographical indication of industrial and handicraft products »”, … Continue reading, the Act no. 2014–344 on consumer protection, named “Hamon Act” and dated March 17, 2014, created a new industrial property right: the “Geographical Indications protecting Industrial Products and Crafts” (or “Indications Géographiques protégeant les Produits Industriels et Artisanaux”, hereinater, “IGPIA”) in order to include industrial and handicraft products in the scope of the protection of geographical indications.

In the same article, the authors highlighted the fact that prior to the implementation of the aforementioned provision, there was a lack of protection since a third party could use the name of a famous place or city and register it as a trademark to misleadingly sell handicraft products under that name.

Introduction to the Laguiole case

A famous example was the “Laguiole cutlery” case where a third party, among others, was using the famous French city name of “Laguiole” as a trademark to flood the market with knives made in China under that brand. Following the scandal that ensued, the Laguiole municipality launched an action against several companies and legal persons that had registered 27 trademarks in total, on the ground that such use of “Laguiole” was deceptive.

Indeed, the trademark “Laguiole” had been filled in almost all trademarks’ classes and therefore the Laguiole municipality was prevented from using such trademark for its own activities, and in particular for its renowned cheese and cutlery.

After a first instance ruling, the Paris Court of Appeal rejected the Laguiole municipality’s action in 2014 which was subsequently presented to the French Supreme Court (“Cour de cassation”).

The Cour de cassation ruling
By a ruling dated 4 October 2016, the Cour de cassation overturned parts of the ruling of the Court of Appeal and welcomed the argumentation of the Laguiole municipality.

Indeed, the Cour de cassation considered that the use of the “Laguiole” trademark by the defendants was misleading and confusing to consumers since the products sold under that trademark were not manufactured in such place.

In addition to such argument based on consumer protection laws, several arguments grounded on trademark law were also favorably received by the Cour de cassation. However, as such Court only has jurisdiction over legal qualification but not on facts, the end of this saga will be written by the Court of Appeal to which the case has been remanded to for the final ruling.

This Court of Appeal will hopefully close the ongoing debate. However, such Court of Appeal may also side with the initial Court of Appeal ruling. In such a case, the Cour de cassation may have to hear the case again.

Nevertheless, such litigation intervenes in a context where IGPIA have effectively become protected. Even if Laguiole was not among the five applications filed for IGPIA in France (out of which only one has been granted so far), the broad power given to geographical indications with the adoption of the European Regulation No 2015/2424 amending the Community Trade Mark Regulation and the European Directive No 2015/2436 approximating the laws of the Member States relating to trade marks may have an impact on players’ practices.

Indeed, according to these Regulations, the national right granted on geographical indications through IGPIA or otherwise conferred by the courts, may materialize a ground for refusal for not only trademarks applications but also European trademarks. There is thus a strong incentive to seek this protection by any means necessary.

In collaboration with Clémence Marolla.

First publication in the K&L Gates Trademarks & Unfair Competition Bulletin, 1/2017 – Avril 2017

References

References
1 “FR – Creation of a new industrial property right in France : « The Geographical indication of industrial and handicraft products »”, Olivia Roche and Claude-Etienne Armingaud, TM and Unfair Competition Bulletin, no. 2/2014 (14)

In view of the strong international dimension, notably European, of commercial issues related to trademarks, the economic players do not limit the scope of their protection to one single national territory anymore. On the contrary, the current trend is to multiply of the trademarks filings, which often leads to a variety of protections, for a same sign, through a national trademark, a European Union (EU) trademark and an international trademark.

However, in France, the jurisdiction of the courts varies depending upon these different titles, and thus requires, prior to introducing an action, adopting an actual procedural strategy. The Commercial Division of the French Supreme Court, in a decision dated 6 September, 2016 1) Commercial Division of the French Supreme Court, 6 September 2016, No.15-29.113 , confirmed these strategical issues relating to the choice of the forum election. Indeed, according to this decision, limiting the scope of a proceeding to French trademarks becomes a real advantage (1.), which could lead, in fine, to a new equilibrium for trademark litigation in France (2.)
(more…)

References

References
1 Commercial Division of the French Supreme Court, 6 September 2016, No.15-29.113

After its invalidation of the data retention requirements imposed by Directive 2006/24/EC in its Digital Rights Ireland decision dated 8 April 2014, the ECJ was requested to assess the compatibility with the Directive 2002/58/EC (the “ePrivacy Directive”) and the Charter of Fundamental Rights of the European Union (the “CFREU”) of a domestic legislation mandating a general and indiscriminate obligation to retain traffic and location data, without prior judicial review, for purposes including the fight against crime.). The ECJ joined the two cases which had been submitted for review and issued its decision on 21 December 2016 (the “Decision”).
(more…)