Loading...

Follow All About IP - Mayer Brown LLP on Feedspot

Continue with Google
Continue with Facebook
or

Valid

According to media reports, the first cease-and-desist letters have been issued in relation to alleged violations of the EU General Data Protection Regulation (GDPR). The cease-and-desist letters seem to concern, inter alia, data protection declarations on websites. In particular, the letters seem to address specific website tools (e.g., Google Fonts, Like buttons) and whether their use and description in the data protection declaration is compliant with the GDPR.

The legitimacy of the cease-and-desist claims addressed in these letters is unclear. For example, it is doubtful whether unfair competition law can form a legal basis for such claims since it is unclear whether GDPR rules are “market conduct rules” within the meaning of section 3 a) of the German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb, UWG).

In order to prevent abusive cease-and-desist letters, various legislative proposals have been put forward by the German legislative bodies.

The Legislative Proposals

On 12 June 2018, the parliamentary group of the Free Democratic Party (FDP) requested that the German federal government combat abusive cease-and-desist-letters. The FDP says that a law is needed to ensure that, in case cease-and-desist letters are based on non-compliance with information duties under Articles 13 and 14 of the GDPR (e.g. incomplete data protection statements), the person who issues the letter has no claim for reimbursement of expenses against the addressee.

According to German daily newspaper Die Welt, Angela Merkel’s Christian Democratic Union (CDU/CSU) parliamentary group plans to enact legislative change before the parliamentary summer break to prevent lawyers from claiming fees for the issuance of GDPR cease-and-desist letters during a one-year grace period. Social Democratic Party (SPD ) representatives so far have been reluctant to express support for the proposal.

Most recently, on 26 June 2018, the federal state of Bavaria introduced draft legislation into the German Federal Council to, inter alia, prevent abusive GDPR cease-and-desist letters. The proposal is to amend the German Unfair Competition Act and the Unfair Terms and Conditions Act (Unterlassungsklagegesetz, UKlaG). According to the proposal, GDPR provisions should be explicitly and generally excluded from the scope of unfair competition law. The right of action of associations under the Unfair Terms and Conditions Act shall further be limited to associations that fulfill the requirements under the GDPR. The proposal aims in particular to protect small- and medium-sized enterprises against unjustified GDPR cease-and-desist-letters.

A Look Ahead

A law on the issue of cease-and-desist-letters based on alleged GDPR violations would bring some legal certainty on whether and under what circumstances cease-and-desist claims are justified. The German Federal Council will decide in July 2018 whether to submit the Bavarian draft legislation into the German parliament. It remains to be seen whether the draft can spawn support in the German Federal Council and what law ultimately will be passed.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Aktuellen Presseberichten zufolge sind erste Abmahnungen aufgrund von behaupteten Verstößen gegen die EU Datenschutzgrundverordnung (DSGVO) ergangen. Die ergangenen Abmahnungen betrafen etwa Datenschutzerklärungen auf Web-Seiten; im Konkreten die datenschutzkonforme Einbindung und Beschreibung von bestimmten Tools (bspw. Google-Fonts, Like Buttons).

Die Rechtmäßigkeit der Abmahnungen ist unklar. Es ist beispielsweise zweifelhaft, ob lauterkeitsrechtliche Vorschriften eine taugliche Anspruchsgrundlage bilden können, da bereits unklar ist, ob DSGVO Vorschriften überhaupt als sog. Marktverhaltensregeln i.S. des § 3 a) UWG qualifiziert werden können.

Um (rechts-)missbräuchliche Abmahnungen zu verhindern, sind in Bundestag und Bundesrat verschiedene Gesetzesvorhaben vorangebracht worden.

Die Gesetzesvorhaben

In einem Antrag vom 12. Juni 2018 forderte beispielsweise die FDP-Fraktion die Bundesregierung mitunter auf, „missbräuchliche Abmahnungen zu verhindern“. Hierzu soll die Bundesregierung etwa „bei Verstößen gegen die Informationspflichten nach den Artikeln 13 und 14 DSGVO [bspw. unvollständige Datenschutzerklärungen] sicherzustellen, dass der Abmahnende keinen Anspruch auf Aufwendungsersatz gegenüber den Abgemahnten erhält.“

Einem Bericht der Tageszeitung „Die Welt“ zufolge strebt die CDU/CSU-Fraktion im Bundestag noch vor den beginnenden Parlamentsferien im Juli eine entsprechende Gesetzesänderung an. Nach den Plänen der Unionsfraktion sollen Abmahngebühren innerhalb einer Schonfrist von bis zu zwölf Monaten nicht gefordert werden dürfen. Vertreter der SPD haben sich gegenüber diesem Vorschlag bisher mit Zurückhaltung geäußert.

Jüngst, am 26. Juni 2018, hat das Bundesland Bayern einen Gesetzesentwurf in den Bundesrat eingebracht, um mitunter einer „rechtswidrigen Abmahnpraxis im Bereich des Datenschutzrechts vorzubeugen“. Dieser Gesetzesentwurf sieht Anpassungen des UWG und des UKlaG, vor. Die Regeln der DSGVO sollen nach dem Vorschlag „ausdrücklich und generell aus dem Anwendungsbereich des UWG herausgenommen“ werden. Das Klagerecht von Verbänden nach dem UKlaG soll auf Verbände begrenzt werden, „welche die Vorgaben der DSGVO erfüllen“. Dadurch sollen „insbesondere kleine und mittlere Unternehmen effektiv vor etwaigen […] Abmahnungen im Bereich des Datenschutzrechts“ geschützt werden.

Ausblick

Ein Gesetz würde Klarheit über die Rechtmäßigkeit von Abmahnungen auf Basis von behaupteten DSGVO-Verstößen verschaffen. Der Bundesrat wird über die Einbringung des bayerischen Gesetzesentwurfs in den Bundestag im Juli 2018 entscheiden. Es bleibt abzuwarten, ob und inwieweit der Entwurf des Freistaats im Parlament zur Abstimmung gebracht werden wird und welche Gesetzesvorschläge letztendlich realisiert werden.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

On 12 June 2018, the Court of Justice of the European Union (CJEU) ruled that Christian Louboutin’s red sole trademark was valid (Case C-163/16). The decision comes after years of litigation between Louboutin and Dutch footwear company Van Haren over the scope and validity of Louboutin’s trademark.

The Facts of the Case

Christian Louboutin is a French fashion and shoe designer who is best known for his signature red-soled high heels. In 2010, the designer was granted a Benelux trademark for ‘the colour red (Pantone 18‑1663TP) applied to the sole of a shoe […] (the contour of the shoe is not part of the trade mark but is intended to show the positioning of the mark)’. In 2013, the registration was amended to only cover high-heeled shoes.

In 2012, Dutch shoe retailer Van Haren started to sell high-heeled women’s shoes with red soles. Christian Louboutin initiated trademark infringement proceedings before the District Court, The Hague, Netherlands, and succeeded in the initial proceeding. Van Haren then challenged the validity of Louboutin’s red sole trademark under Article 3(1)(e)(iii) of Directive 2008/95/EC, which prevents registration of any sign which consists ‘exclusively of […] the shape which gives substantial value to the goods’. Van Haren argued that the mark at issue was ‘a two-dimensional figurative mark that consists of a red coloured surface’.

The Hague District Court was unsure about the notion of the term ‘shape’ and asked the CJEU whether the concept of ‘shape’ is limited to three-dimensional properties of the goods, such as their contours, measurements and volume, or whether it includes non-three-dimensional properties of the goods, such as their colour.

The Ruling

In an additional opinion delivered on 6 February 2018, CJEU Advocate General Maciej Szpunar maintained that he was inclined ‘to classify the mark at issue as a sign consisting of the shape of the goods’ because ‘the shape of the sole matches the spatial delimitation of the colour red’. The CJEU, however, did not follow the opinion of AG Szpunar and confirmed the validity of Louboutin’s red sole trademark.

The Court concluded that where the main element of a sign is a specific colour designated by an internationally recognised identification code, that sign cannot be regarded as consisting ‘exclusively’ of a shape. Louboutin’s trademark description expressly excluded the contour of the sole from trademark protection. Article 3(1)(e)(iii) of Directive 2008/95 must therefore be interpreted as meaning that the sign in question did not consist exclusively of a ‘shape’, within the meaning of that provision.

As the CJEU’s ruling concerns Directive 2008/95/EC, which has since been replaced by Directive 2015/2436, its impact is somewhat unclear. The old version of Article 3(1)(e)(iii) included the wording ‘the shape which gives substantial value to the goods’, whereas the new law was amended to add ‘or another characteristic’ after the word ‘shape’.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 
Padlock and EU flag inside smartphone and EU map, symbolizing the GDPR

On 29 May 2018, only five days after the GDPR became applicable, the Regional Court of Bonn issued the first ruling applying the GDPR in Europe (file no. 10 O 171/18).

Facts of the Case

The dispute involved the Internet Corporation for Assigned Names and Numbers (ICANN) and the ICANN-accredited registrar EPAG Domainservices GmbH (EPAG). ICANN is a non-profit company that coordinates the assignment of domain names and ensures that website names are not duplicated on the network. By means of an agreement between the parties, EPAG is authorized by ICANN to assign Second Level Domains to interested parties (so-called registrants).

For each domain name assigned, ICANN requires registrars to collect and further process not only the name and contact details of the registrant of the domain name, but also the name and contact details of a technical contact and of an administrative contact within the registrant. This personal data becomes public through publication on the WHOIS website platform. With the GDPR becoming applicable on 25 May 2018, EPAG argued that there was no legal basis for the processing of the personal data of the technical and administrative contacts of registrants and therefore, based on the GDPR, informed ICANN that it would no longer process such personal data. ICANN then filed an application for interim relief with the Regional Court of Bonn aiming at forcing EPAG to continue obtaining this information from registrants and making it available to ICANN.

Legal Assessment

According to Article 5 (1) (b) and (c) of the GDPR, personal data may only be collected for specified, explicit and legitimate purposes (purpose limitation principle), and must be adequate, relevant and limited to what is necessary for the purposes for which the personal data is processed (data minimization principle). Moreover, pursuant to Article 25 (1) of the GDPR, companies must take appropriate organizational and technical measures to implement the GDPR principles, such as purpose limitation and data minimization.

Relying on this, EPAG held the view that the processing of the name and contact details of one responsible person within the registrant of a domain name should be deemed sufficient for the purpose of identifying the registrant and allowing  contact by third parties, and therefore no legal basis existed for the processing of name and contact details of a technical and an administrative contact of registrants.

ICANN opposed that the identification of a technical contact person is necessary to find solutions to technical problems, and that the processing of personal data of a technical and administrative contact of registrants is also necessary for security and criminal prosecution purposes; Prosecutors and trademark representatives are particularly interested in such additional information.

Decision
The Regional Court of Bonn denied ICANN’s request and decided that processing personal data of a technical and an administrative contact persons of registrants violates Article 5 (1) (b) and (c) of the GDPR. The specified, explicit and legitimate purpose of processing personal data in the context of assigning domain names shall be the identification of the registrant, which in turn is sufficient to address ICANN’s concerns regarding the security of the network. The owner of the domain name is the only person responsible for the content of the website and therefore only the processing of their personal data shall be deemed necessary for this purpose.

Take away

Interestingly, the discussion did not focus on the lawfulness of processing (Article 6 of the GDPR), but rather on the implementation of the GDPR principles of purpose limitation and data minimization. Nonetheless, the central issue was the necessity of data processing, which is one of the foundations of the GDPR, reflected both in the GDPR principles and in their concretization through the grounds for processing.

The Court did briefly address Article 6 of the GDPR though. One fact that caught the Court’s attention in particular was that the registration of a domain name has always been possible even if a technical and an administrative contact were not made available by the registrant. This was considered by the Court as a clear sign that such personal data is not necessary for the purposes of the processing of personal data. As such, registrants should be free to decide if they want to provide such additional contact details or not, based on Article 6 (1) (a) of the GDPR (consent). They shall not, however, be forced to provide such data, there is no other legal ground for their processing.

This rationale will probably be used by other Courts when applying the necessity test, so companies should analyze carefully whether they really need the personal data they are processing, and if not, take measures to assure that their processing is lawful based on another GDPR legal ground.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

On 25 May 2018, the General Data Protection Regulation (GDPR) of the European Union entered into force, accompanied by some uncertainties regarding its application. For example, some legal commentators believe there are “irreconcilable” differences between blockchain technologies and some of GDPR’s core principles, raising doubts as to whether the technology can achieve widespread adoption under the new data protection regime. 

Blockchain technology rose to fame as the underpinning of the Bitcoin system, but there are a myriad of applications for it beyond transacting in cryptocurrencies, such as executing contracts and even authenticating fine art.

Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO)—the body responsible for enforcing data protection and privacy regulations in the United Kingdom—stated that he has “nightmares” about the future relationship between blockchain and some of GDPR’s core principles. One of the tensions revolves around the so-called “right to be forgotten.”

Pursuant to Article 17, “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.“ However, this might not be possible if that personal data is stored on an immutable, open blockchain, in which each block of data contains a hash of the previous one. By design, a blockchain is resistant to modification of the data, which is argueably one of the technology’s core advantages. There are, of course, exemptions from the right to erasure in Article 17. However, it is unclear whether any of those exemptions might apply to blockchain. It is also unclear whether cryptographic information on a blockchain will qualify as personal information in all circumstances.

We will update you on further blockchain and GDPR-related issues soon.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

The European Union (“EU”) General Data Protection Regulation 2016 (“GDPR”) entered into effect on 25 May 2018. A brief summary of the GDPR can be found in our Legal Update.

Organisations in Hong Kong may need to comply with the GDPR if it (1) has an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless of whether the data is actually processed in the EU, or (2) does not have an establishment in the EU, but offers goods or services to or monitor the behaviour of individuals in the EU.

As some requirements in the GDPR are not found in Hong Kong’s existing Personal Data (Privacy) Ordinance (Cap. 486), the Privacy Commissioner for Personal Data issued a booklet (the “Booklet”) to outline the possible impact of the new regulatory framework on organisations or businesses in Hong Kong.

A number of features of the GDPR are highlighted in the Booklet, including the following:

  • Extra-territorial application
  • Personal data covered
  • New data privacy governance, data mapping and impact assessment
  • Sensitive personal data
  • Consent
  • Mandatory breach notification
  • Data processors’ obligations
  • New and enhanced rights for individuals
  • Data rotection seals, codes of conduct and cross-jurisdiction data transfer
  • Sanctions

The press release of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Booklet can be downloaded from the PCPD-website.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

The 13th People’s National Congress (“NPC”) recently approved the State Council’s proposal to restructure China’s State Intellectual Property Office (“SIPO”). The proposal intends to consolidate the administration of trademarks and patents and to streamline the enforcement of IPR in China.

According to the proposal, a new SIPO will be set up and will be responsible for:

  1. Patent examination, registration and administration as originally regulated by SIPO;
  2. Trademark examination, registration and administration as currently managed and administered by the State Administration of Industry and Commerce (“SAIC”);
  3. Registration and administration of geographic indicators as currently managed and administered by the Gerneral Administration of Quality Supervision, Inspection and Quarantine (“GAQSIQ”);
  4. Providing general guidance to patents and trademarks enforcement agencies; and
  5. Facilitating the establishment of a comprehensive system to reinforce protection of intellectual property rights (“IPR”).

The new SIPO and the patents and trademarks enforcement agency will be supervised by a new State Administration for Market Supervision (“SAMS”), which will take over the responsibilities of, among others, SAIC and GAQSIQ. The aim of restructuring the SIPO is to achieve a more systematic system for the management and protection of IPR. For example, following the proposed restructuring, the SAMS will carry out patent and trademark enforcement actions, thus, rendering administrative enforcement more efficient.

The scale of the proposed restructuring will naturally bring along uncertainties. For instance, copyright administration and enforcement, trade secret protection and plant variety protection are noticeably not addressed or specified as falling within the remit of the new SIPO. No time frame has been set yet for the commencement or completion of this proposed restructuring, but there is every expectation that the restructuring will be officially announced by the Government in the coming months.

For more information, click here to read the full legal update in our “Asia IP & TMT: Quarterly Review” of Q1 2018.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 
All About IP - Mayer Brown LLP by Mark A. Prinsley, Dr. Ulrich Worm, .. - 2M ago

The UK ratified the Unified Patent Court Agreement (“UPCA”) on 26 April 2018. The UPCA will introduce the Unified Patent Court which will establish a single scheme for patent litigation across contracting Member States.

The UK is the sixteenth country to ratify the UPCA, and is one of the three countries whose ratification is required for the regime to come into being, the others being France and Germany. France ratified in 2014, while Germany has yet to finalise the legislative process to ratify the UPCA. Following the submission of a constitutional complaint against the German participation in the UPC system before the German Federal Constitutional Court in mid-2017, ratification of the UPCA was put on hold. The Federal Constitutional Court is expected to rule on the complaint in autumn 2018. If the Court dismissed the complaint, ratification would likely happen shortly after that.

Joining the UPCA as a contracting Member State will mean that, despite Brexit, the UK will have access to a streamlined, singular approach to patent enforcement across Europe, at least during the transitional period to follow Brexit, which will give the UK time to renegotiate its continued involvement in the UPC following the end of that period.

Download our Legal Update.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

In April 2018, Amazon Technologies, Inc., a subsidiary of e-commerce giant Amazon, was granted a patent relating to a “technology for a streaming data marketplace” by the United States Patent and Trademark Office (USPTO). The technology underlying the patent is described as gathering (online) data streams from various sources and enhancing those streams “by correlating the raw data with additional data.” The patent description lists a number of potential use cases for the streaming data feeds that participants in the market place are offering subscriptions to. One notable use case relates to “bitcoin transactions,” with the ultimate goal of identifying users of the virtual currency by their Bitcoin addresses.

As rightly stated in the patent document, and contrary to common belief, Bitcoin is not an anonymous network. Bitcoin transactions, including the transaction parties’ pseudonymous identities (derived from a pair of two cryptography keys), are publicly available on a ledger called the “blockchain.” For this reason, the date and time of any transaction—and the pseudonymous parties involved—are visible to any participant in the Bitcoin network.

While such pseudonymous data might per se be of little value to potential customers, a correlation of the raw transaction data stream with other useful data could increase the data’s value significantly. As the patent description states: “For example, a group of electronic or internet retailers who accept bitcoin transactions may have a shipping address that may correlate with the bitcoin address.” Depending on the additional data correlated with the transaction data, the patented technology might allow Bitcoin users to be identified by their transaction history.

A Look Ahead

Data marketplaces are not a new idea. But the inclusion of data from Bitcoin and other virtual currency transactions would spark an interest from many people and institutions. And, as expressly mentioned in the patent description, law enforcement, in particular, would find Bitcoin user identification very helpful.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

On 1 May 2018, the “Information Security Technology – Personal Information Security Specification” (PI-Specification) by China’s National Information Security Standardization Technical Committee (NISSTC) will come into effect. The PI-Specification, inter alia, provides guidance on the collection, storage, use, transfer and disclosure of personal information. While the PI Specification is voluntary and not legally binding, it is likely that Chinese regulators will take into account breaches of the PI Specification when enforcing cybersecurity obligations.

The requirements for the collection, use, and storage of personal information are briefly outlined below.

Collection, Use and Storage of Personal Information

The requirements for the collection, use, and storage of personal information under the PI-Specification are very similar to those adopted in other jurisdictions. For example, the PI Specification requires the personal data controller to notify personal data subjects of the type of personal information being collected and the rules of collection, and to obtain the personal data subject’s consent prior to collecting the personal information. The collection of sensitive personal information can only be made with explicit consent. Sensitive personal information, such as information, relating to a person’s reputation or physical and mental health, is subject to increased protection under the PI Specification.

When storing personal information, personal data controllers are required to perform de-identification of all personal information immediately after collection and to store the de-identified information separately from information that can be used to re-identify the information. Storing sensitive personal information requires additional security measures such as encryption.

Moreover, data controllers are required to provide data subjects access to their personal information and provide a way for the personal data subjects to correct or complete their personal information.

Other Requirements

The PI-Specification also sets out guidance on expected data breach incident responses and enterprise standards for safeguarding and processing of data. Among other things, data controllers are required to devise and publish a privacy policy.

For further information, click here to read the full legal update in our “Asia IP & TMT: Quarterly Review” of Q1 2018.

This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Read Full Article

Read for later

Articles marked as Favorite are saved for later viewing.
close
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview