Dreyfus

While doubts about the implementation of the GDPR arose even before its occurrence on May, 25^th 2018, first reactions concerning compliance are already emerging.

While companies, on one hand, looked forward to a soft entering into force of the European Authorities Regulation (chapter VI GDPR), consumers’ associations, on the other hand, were, quite unexpectedly, on alert. The associations have rapidly exploited the opportunities given by the articles of the GDPR concerning the right to regain control of their personal data. For instance, Article 77 states that: “every data subject shall have the right to lodge a complaint with a supervisory authority (…) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”. It relates to individuals as well as class actions.

Maximilian Schrems, an Austrian lawyer and activist for protection of personal data. Three days later, the French association “La quadrature du Net”, in the name of more than 12 000 plaintiffs, has taken similar actions against Amazon, Google, Facebook, LinkedIn and Apple. The Complaints were based on non-compliance with the terms imposed by the GDPR for acquisition of users consent in personal data collection. According to the plaintiffs, the consent for collection and use of personal data is not authorized. Indeed, they apply an “all-or-nothing” politic: a forced consent, without which users cannot use the services offered by the companies. Thus, large companies are taking advantage of their clients. These complaints could turn out to be costly for the firms since the fines for GDPR infringement can amount up to 4% of the companies’ global turnover.

The way in which these complaints will be treated and the way in which the fines will be applied remain uncertain. Different national authorities in charge of the protection of personal data will be asked to cooperate in order to arrive at a unique solution for all the companies concerned. The decisions will thus be crucial and are highly anticipated.

In France, although it might appear surprising for foreign observers, very specific requirements have to be met when the time comes to ask for the renewal of a French trademark before the French National Institute of Intellectual Property (NIIP). Thus, one of the most primordial requirements is the confirmation that the trademark owner who appears on the national trademarks Register is indeed the same entity as the one filing the French trademark renewal application. If such is not the case, the consequences can be dire.

The company C BECAUSE TV has suffered a bitter experience in that regard and, hadn’t it been for the judgement issued by the Court of Appeal of Paris on November 28, 2017, the economical aftereffects of failing to meet the aforementioned requirement could have been dramatic for this company. In this matter: the company C BECAUSE TV became the owner, following a deed of cession signed on February 22, 2016, of two French trademarks. One of these two trademarks is the trademark ‘CULTURE PUB’ whose protection was expiring on June 10, 2016.

On September 20, 2016, the company C BECAUSE TV filed a fast track application before the NIIP in order to have the deed of assignment appear on the trademark’s status on the French national trademarks Register. A few days later, on September 20, 2016 the company filed a renewal application for the trademark ‘CULTURE PUB’ within the six months’ time frame of the grace period, in its own name as the de facto new owner. Nonetheless, the fast track application filed on September 16, 2016 had not yet resulted in the modification of the status of entries in the National Trademarks Register. Hence, on the day of the filing of the renewal application for the trademark ‘CULTURE PUB’, the company C BECAUSE TV did not appear as the registered trademark owner on the French National Trademarks Register. Consequently, the Director General of the NIIP declared that the renewal application for the trademark ‘CULTURE PUB’ was inadmissible.

However, the NIIP having a tendency to lag behind a bit, this inadmissibility decision was not notified to the company C BECAUSE TV before February 13, 2017. Therefore, the company found itself to be in a very problematic situation since it was unable to submit effectively any observation in reply to the inadmissibility decision insofar as the grace period was expired by then. It is in this context that the decision of the Court of Appeal of Paris issued on November 28, 2017 occurs.

The Court stated in its decision that the inadmissibility of a renewal application could not be pronounced in a case where the applicant had not been able to submit any observation in reply. Accordingly, and taking into consideration the seriousness of the economic consequences that might have arisen from the non-renewal of the trademark ‘CULTURE PUB’, the Court cancelled the NIIP inadmissibility decision.

This case highlights the great importance of the status of entries in the National Trademarks Register when one applies for a French trademark renewal. The extreme severity attached to the status of entries is only counterbalanced in the case at hand by the protection of the rights of the defence, in particular the right for the applicant to be able to effectively submit observations in reply.

Contributor: Nathalie Dreyfus, Trademarks Attorney

The European community’s greatest achievement in terms of intellectual property is surely the regional territoriality of Union rights as emerging from regulations no. 2017/1001 of the European Parliament and Council of 14 June 2017 on the EU trade mark. Extending a territoriality that was originally national to a European Union level, these regulations testify to the gradual but increasingly manifest construction of a fully-fledged “European” intellectual property right. Until then, Union rights holders could, through the unitary effect, claim protection of ownership extended to the twenty-eight Member States. However, Britain’s notification on 29 March 2017, announcing the United Kingdom’s intention to leave the European Union struck a blow to this standard building. For in spite of the potential subsistence of certain European achievements through the local laws transposing the directives, which will continue to apply, the main effect of this withdrawal will be to put an end to the direct application of European regulations inside the United Kingdom. We would add that the continuance of the achievements absorbed by British legislation must be relativised as, henceforward framed and defended on a national scale, they will be more exposed to potential amendments in the name of local interests. It should be specified that European patents shall not be directly affected by the United Kingdom’s withdrawal insofar as the European Patent Convention is not part of the legal order of the European Union.

The European Commission, in a notice published on 1^st December 2017  confirmed that EU trade marks and Community designs registered in accordance with Union law will simply no longer have effect in the United Kingdom as from 30 March 2019, in compliance with article 50(3) of the Treaty on European Union. In the light of this it is regrettable, mainly for questions of legal security, that there is no withdrawal agreement that would permit an organised and efficient transition. The situation changed on Monday 19 March 2018. The European Union and the UK effectively reached a much-awaited agreement on the terms of the transition. Without actually substantially altering the legal consequences of the withdrawal, it provides for the postponement of the effective date till 1^st January 2021. Such a postponement is welcome as it will allow owners of Union rights to anticipate more serenely the restriction of the field of protection pertaining to their rights. In respect of these transitional provisions, article 50 envisaged a “Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community”, published on 19 March 2018 by the British government, a legal mechanism enabling the automatic transformation of Union titles, effective before 31 December 2020, into domestic British rights considered equivalent. Such a system turns out to be opportune as, benefiting rights holders, it will compensate for the restriction of the “origin” unitary field of protection. The implementation of such a mechanism remains, however, still uncertain to date.

Concerning the right of priority, article 55 of the withdrawal agreement allows for the possibility of registering a British design trade mark equivalent to a Union right if the application was submitted in the nine months following the end of the transition period, which means up until 30 September 2021. Also, under the terms of article 52, industrial property rights acquired within the scope of the Madrid and The Hague systems designating the European Union before the end of the transition period, shall retain their protection within the United Kingdom.

In conclusion, it is necessary to keep in mind that Union trade marks and designs being registered beyond 31 December 2020 shall only cover the twenty-seven Member States, therefore excluding the United Kingdom. Also, given the uncertainty surrounding the implementation of the automatic mechanism for the transformation of Union rights into equivalent British rights, owners of Union trade marks or community designs are strongly recommended to anticipate by registering in parallel with EUIPO, with the UK intellectual property office (UKIPO), thereby nonetheless running the risk of having two property rights covering the United Kingdom in 2021.

In tandem with ever stricter legislation, new technologies are increasingly requesting our personal data, often of a sensitive nature.

Facial recognition

Facial recognition is an innovation today widely used by major groups in the tech industry, such as Samsung or Huawei. Apple, however, undeniably remains the company having achieved the greatest impact when it released its new iPhone X in November 2017 by presenting its face ID technology, which allows one to unlock their mobile phone effortlessly. To do so, this innovation is based on extremely precise measurements of the user’s face dimensions. This biometric data then makes it possible to detect the user’s face in any circumstance, whatever its position.

Both practical and fun, this technology nevertheless raises questions about the compatibility of such data processing by Apple with that of current and future legislation and especially the General Data Protection Regulation that will come into effect on 25 May 2018. As the latter tends to be increasingly stricter with respect to companies collecting personal data, it is interesting to analyse whether collecting such biometric data cannot be challenged by the regulation.

Processing of sensitive data

Unlike the previously applicable Personal Data Directive, the General Data Protection Regulation specifies that biometric data falls within the scope of “sensitive data” (Article 9 of the Regulation). Recital No. 51 of the General Data Protection Regulation defines biometric data as data “processed through a specific technical means allowing the unique identification or authentication of a natural person”. Although this definition remains relatively vague, it is a safe bet that the courts will include facial recognition in such a category of personal data. Such a qualification is of great importance, insofar as the General Data Protection Regulation in principle prohibits such a collection, unless this collection fulfils the conditions set out in Article 9-2. It is indeed tolerated if “the data subject has given explicit consent to the processing of those data (…) for one or more specified purposes”. By being careful to rigorously fulfil such conditions, Apple could indeed carry out such data processing, provided that, as authorised under Article 9-3 of the said Regulation, the Member State in which the processing is carried out does not provide for more restrictive provisions.

The company must also endeavour to meet the requirements of Article 35 of the said Regulation. In fact, with regard to the data collected with the use of new technologies that would represent a high risk for the rights and freedoms of individuals, the General Data Protection Regulation requires companies to carry out a detailed analysis concerning the data collected. Through its collection of biometric data via its iPhone X, Apple is in fact faced with such an obligation. The analysis shall include a systematic description of the processing operations envisaged, an assessment of the necessity and proportionality of the processing operations with respect to the purposes, and an assessment of the risks to the rights and freedoms of the persons concerned.

Regarding the potential risks, Apple had already communicated on the degree of increased security that it provided for this type of data: in fact, the company does not keep the user’s biometric data on an external server to the extent that such data is encrypted and locked in the smartphone’s processor via the Secure Enclave (ultra-secure cloud storage). However, such a degree of security had been called into question by a controversy that erupted a few months ago. The American Civil Liberties Union (ACLU), the equivalent of the French data protection authority (CNIL) in the United States, warned that Apple is sharing this biometric data with third-party application developers. Sharing data that concerns facial recognition would allow developers to add new features to their applications. Even though Apple forbade them to use the data for advertisement or marketing purposes, security experts had raised the fact that there was still a risk of fraudulent use of the data by the developers, diverting them from their intended use.

Face ID, consistent with the General Data Protection Regulation?

Apple will have to take the challenges of the General Data Protection Regulation seriously by simultaneously ensuring users give their explicit and informed consent to the processing of their data, guaranteeing a high level of data security and a use strictly proportionate to the purpose for collecting the images. The company’s innovation through its face ID is in fact a typical example of the growing use of increasingly sensitive data through new technologies. This is indeed what the European Union understood during its reflections on the General Data Protection Regulation. Even if, at this stage, simple assumptions about the alignment of high-tech companies with this legislation can be made, it will be necessary to pay close attention to the interpretatio of the courts regarding the processing of this type of data.

The company’s innovation through its face ID is in fact a typical example of the growing use of increasingly sensitive data through new technologies. This is indeed what the European Union understood during its reflections on the General Data Protection Regulation. Even if, at this stage, simple assumptions about the alignment of high-tech companies with this legislation can be made, it will be necessary to pay close attention to the interpretation of the courts regarding the processing of this type of data.

Intrinsically linked to cyberspace, cryptocurrencies have burst into our economy in recent years even though there is still a lack of legislation on them.

The cryptocurrency revolution

Cryptocurrencies are alternative currencies, as they do not have legal tender in any country, are not regulated by any bank and function as a peer-to-peer payment system. Revolutionizing our way of thinking about money, the emergence of these currencies has also shown the public’s growing desire to emancipate themselves from a sometimes excessively regulated financial world. Many cryptocurrencies have been developed, but most work in a similar way and derive from the first full implementation: Bitcoin. Created in 2008 by an individual who goes by the pseudonym Satoshi Nakamoto, Bitcoin represents the archetype of cryptocurrency, so to speak. Its value having experienced an exponential increase by the end of 2017, reaching nearly $20,000 and having subsequently experienced strong fluctuations, is only symptomatic of the craze and fascination that cryptocurrency has aroused. It remains true, however, that the law is struggling to adapt to what is arguably one of the biggest revolutions in recent years.

Bitcoin, a currency?

Not falling under any of the pre-existing legal categories, Bitcoin cannot be recognised as legal tender, or even an electronic currency. It is often substituted for the status of “financial index” or even simply a “valuable intangible asset” that can be the subject of a transaction.  In fact, a currency is conventionally considered as a particular asset issued by the State and whose value is guaranteed by the latter. From the perspective of the law of obligations, a currency is further characterized by its universal discharging effect: the debtor is in fact discharged of his debt once he has turned over to his creditor the amount of money due. The discharging effect is considered to be universal to the extent that the creditor does not need to agree to release the debtor of his debt. This discharging effect is deemed to be automatic, given the power that the law attaches to the currency. However, Bitcoin does not have universal discharging effect insofar as a debtor who would like to pay in Bitcoin must first obtain the agreement of the creditor. Thus, a creditor who refuses such a payment would not be exposed to the sanctions under Article R. 642-3 of the French Penal Code which prohibits the refusal to accept euro banknotes and coins having legal tender.

Bitcoin does no longer fulfils the requirements of an electronic currency. Indeed, Article L.315-1 of the French Monetary and Financial Code, which transposes Article 2.2 of Directive 2009/110/EC, defines electronic money as a monetary value which is stored in an electronic form, representing a receivable from the issuer and which is issued against the remittance of funds for payment transactions. Since Bitcoin is not issued against a remittance of funds, it cannot be classified under this definition.

The Court of Justice of the European Union has nevertheless considered that as Bitcoin “is a means of contractual payment, it cannot, on the one hand, be regarded as a current account, or as a deposit of funds, a payment or a transfer. On the other hand, unlike receivables, claims, cheques and other commercial paper (…), it constitutes a means of direct settlement between the operators who accept it”. In this respect, it had determined that Bitcoin could benefit from the VAT exemptions provided for financial transactions, without giving a more specific definition of the status of cryptocurrencies.

Taxation of Bitcoin

The darkness around the legal status of Bitcoin does not mean that it is exempt from any regulation. The TRAFCIN unit, an agency of the French Ministry of Economy and Finance, in charge of the fight against money laundering and the financing of terrorism, published a report in 2014 on the taxation of Bitcoins. This report specifies that the capital gains on Bitcoins are thus subject to income tax in France as of 11 July 2014, under the category of non-commercial profits if the gains are occasional, or that of industrial and commercial profits if it is a normal activity. This tax is, however, only valid for Bitcoin sales, and does not apply when the cryptocurrency is simply stored in a virtual wallet. Bitcoins are also subject to inheritance and gift tax. As a result, Bitcoins that would be given could be re-qualified as a disguised donation and give rise to the gift tax which could reach up to 60% for non-relatives.

This bit of information given by the TRAFCIN unit, as well as that given by the CJEU provide some clarification of the contours of the legal status of cryptocurrencies, even though they remain unclear. It is therefore important to remain attentive to the understanding of both French and European case law and future legislation on the characterisation of such currencies.

This bit of information given by the TRAFCIN unit, as well as that given by the CJEU provide some clarification of the contours of the legal status of cryptocurrencies, even though they remain unclear. It is therefore important to remain attentive to the understanding of both French and European case law and future legislation on the characterisation of such currencies.

According to article L.713-3 of the French Intellectual Property Code, in order to allow that a sign imitates an earlier trademark, a similarity must exist between the signs in question and the products or services must be identical or similar. This must also lead to a risk of confusion for an averagely attentive consumer. The danger of confusion between signs is assessed globally on the basis of all relevant factors in the case in question. With regard to the visual, phonetic and conceptual similarity of the trademarks in question, this global assessment must be based on the overall impression created by the signs, notably taking their distinctive and dominant elements into account.

The visual or conceptual similarity between the trademarks in question has traditionally been assessed by comparing the signs as patented, independent from the use made thereof. In a decision dated 8 February 2018, the Court of Appeal of Douai took into consideration not just the visual and phonetic similarities but also the specific meaning of the signs in order to assess the absence of any danger of confusion between the two trademarks in question (Douai Court of Appeals, 1^st Chamber, Section 2, 8 February 2018, no. 17/04715). In this case, the company Décathlon had lodged an objection to the registration of the verbal trademark “Résathlon” on 27 November 2016 on the basis of its earlier EU trademark “Décathlon” dated 28 April 2004. These two trademarks were in fact used to refer to identical services such as advertising, sporting activities and software design. The objection having been rejected by the Director General of the French patent office (INPI), Décathlon then filed an appeal with the Court of Appeal in Douai. This decision has been confirmed by the order issued by the Court.

In fact, the Court considers that “the term “Décathlon” is a proper noun that designates a men’s athletics event consisting of ten different competitions and, therefore, a sporting activity in the literal sense, the term “Résathlon” has been made up. It has been created by using the term “resa” in reference to the notion of reservation, and the suffix “-athlon” in reference to sporting activities. In doing so, it acquires a meaning that is different from that of the brand Décathlon”. Similar interpretations have been applied in numerous decisions. For example, it has been accepted that there is no danger of confusion between the earlier trademark “Cultura” and the trademark “Culturapy”, the Court having considered that the disputed sign constituted an “arbitrary neologism evoking the notion of joy or therapy through culture” (Court of Appeal of Bordeaux, 1^st Chamber, 18 January 2016, no. 15/00352). Similar, in the Cicaderma v. Cicareva ruling, the Court concluded that there was no danger of confusion due to the major conceptual differences separating the trademarks: the earlier trademark referred directly to skin creams aimed at reducing the visibility of scarring, while the disputed trademark was a work of the imagination (Court of Appeal of Lyon, 1^st Chamber, 25 July 2013, no. 13/01142). Finally, in the Angulus v. Angel’us ruling, given that the earlier trademark was a Latin word meaning angle while the disputed trademark consisted of an association between the words Angel (“ange” in French) and the abbreviation for the United States (US), the Court considered that there was no danger of confusion between the two trademarks in question because of the absence of any conceptual similarity, despite the obvious visual and phonetic resemblance (Court of Appeal of Aix-en-Provence, 2^nd Chamber, 25 June 2015, no. 14/14876).

Therefore, in accordance with established case law precedent, it should be noted that the danger of confusion between two signs with strong visual and phonetic similarities must be set aside if these have different meanings.

The very essence of copyright is to confer on the author of an original work an exclusive, intangible property right enforceable against all. Pursuant to this exclusive right, no infringement of the work, of any nature whatsoever, can be carried out without the prior consent of the author. The right to the respect of the integrity of the work enshrined in article L.121-1 of the Intellectual Property Code imposes that a work that expresses the personality of the author cannot in theory be subject to a material alteration without the express agreement of the author. Through a judgment on 20 December 2017, the Supreme Court of Appeal has just established a limit to this exclusive right of the author: an alteration of a work of architecture that does not infringe the rights of the author can be carried out without their consent. An original architectural work can be protected in respect of copyright as any other literary or artistic work would be. However, and contrary to a purely aesthetic work, a work of architecture has a functional purpose which results from the fact that a building, in addition to being original, may constitute a place of residence, work or access to culture. In the case at hand, the architectural work intended to house the collections of the “Musée d’Arles antique” had been produced by an architect on behalf of a département, which, without the consent of the architect, proceeded to carry out extension works to the building in order to exhibit a Gallo-Roman trading ship.

The functional purpose of the work of architecture means the right to the respect of architecture must be reconciled with the right of the owner of the work. The method applied by the judges is that of the control of proportionality: a limit to the fundamental right (the right of the author) must be accepted but in a way that is justified and proportionate. The Supreme Court of Appeal here validated the reasoning of the 7 January 2016 ruling by the Court of Appeal of Aix-en-Provence which rejected the architect’s claims. To preserve the balance between the prerogatives of author and owner of the work of architecture, the alterations must not exceed what is strictly necessary for the adaptation of the work to new needs and must not be disproportionate with respect to the purpose. In the case at hand, the discovery of the boat and its cargo, dating back to ancient Roman times, declared a “national treasure”, and the necessity of showing both in the museum in question, characterise the existence of a new need which, to be satisfied, required the building of an extension, because the unity attached to the museum excluded the construction of a separate building. The extension produced altered the original construction but made use of the original colours, the white walls and blue facades, and it was not established that it spoilt the overall harmony of the work.

The right to the respect of the work is subject to a variable geometry application depending on the purpose of said work. In terms of a work of architecture, the architect cannot impose absolute intangibility of the premises they produce and must accept infringements of their rights when these are justified and proportionate.

While most companies have understood the challenge of the General Data Protection Regulation (GDPR) that will come into effect on 25 May 2018, the implementation of its provisions remains difficult to grasp. With just two months to go before the regulation enters into force, it is imperative for companies to make their staff aware of the objectives of the regulation and, especially, how to put them into practice.

1.Risk mapping

To implement its compliance plan, the company must start by identifying the processing of personal data, and all computer and manual flows, to determine where each data process comes from, by whom is it carried out, and finally, its purpose. This data mapping will ultimately define the challenges and risks specific to the company. In this context, the CNIL (French data protection authority) offers examples of record sheets to guide work teams on the actions to be taken.

2. A roadmap sent to its work team

Once the mapping is established, the team must prioritize its actions by drafting a roadmap including:

– a method ensuring management of the risks previously identified by the work team,

– raising awareness of the operational staff within the company,

– establishment of a new governance,

– creation of a procedure for data processing management, to ensure the company’s continuous conformity.

3. Informing the individual when collecting personal data from external sources

Although it is possible to process data collected from external sources such as public databases, social networks, lists of prospects, the provisions of the Regulation must be respected. However, under Article 47 of the GDPR, the company will have to assert a legitimate interest in the collection of such data. This legitimate interest can be asserted when:

• the data processing takes place in the context of a customer relationship,
• the processing is carried out for marketing purposes,
• the processing prevents fraud or ensures the security of the computer systems network.

4. The choice of the individual in relation to the collection of his personal data

In order to be able to process the personal data, the company must allow the individual to provide his express consent as stipulated under Article 7 of the GDPR. In practice, the pre-checked boxes will be excluded in favour of a provision exclusively devoted to the individual’s consent for each piece of personal data collected. This makes it possible to limit the over-collection of data; for example, collecting the individual’s exact date of birth will no longer be allowed if the year of birth is sufficient to satisfy the purpose of the processing, just as the individual’s exact place of residence if the country is sufficient. Faced with these requirements, the company will have to adapt and store only the data strictly necessary. Moreover, if the individual wishes to modify or even delete his personal data, this operation must be easy to perform, which means making the system for collecting personal data flexible.

5. Ensuring compliance by subcontractors

Although the regulation is aimed at the direct holders of personal data, said regulation also applies to subcontractors and sales persons when they have access to such data. Indeed, the latter are required to certify their compliance with the GDPR. To do this, it is recommended that, if companies subcontract the data collected, they include standard data protection clauses attesting to their compliance with the GDPR.

6. What are the working tools of employees covered by the GDPR?

By definition, the GDPR applies when

• the processing is carried out by “automated means”,
• the data “is part of a filing system or is intended to form part of a filing system” although the processing is not carried out by automated means in the strict sense of the word.

With regard to the first case, the work teams only convert documents into digital format. The situations referred to in the second case are those of systems for classifying “any structured set of personal data that is accessible according to specific criteria”. In practice, all unorganised paper documents, such as loose documents on a printer or documents on a desk, are not subject to the GDPR. On the other hand, whenever these paper documents are organised by staff so as to be accessible according to defined criteria, the GDPR will apply. For example, files submitted in a file indexed by name, expense reports sorted by function and sorted internally, or files from the department of human resources, will be subject to the GDPR. In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.

In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.

The adoption of the “European data protection package” on 27 April 2016 launched a movement within the Member States to reform national legislation on personal data. The implementation of the General Data Protection Regulation 2016/679 (http://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016R0679&from=FR) (“GDPR”) particularly marks significant progress in this area. It is from the perspective of the application of this regulation that the French government made public on December 13, 2017 the “bill on the protection of personal data” adapting the Data Protection Act to the GDPR ( http://www.legifrance.gouv.fr/affichLoiPreparation.do?idDocument=JORFDOLE000036195293&type=general&typeLoi=proj&legislature=15)

This draft law highlights the desire, contained in the European regulation, to increase the influence of the national supervisory authorities responsible for personal data. To this end, numerous changes relating to the powers and organization of the CNIL (http://www.cnil.fr/) are planned.  We note the strengthening of its role, especially through the extension of its powers in soft law and sanctions. Some changes also concern its investigative powers and cooperation with other EU supervisory authorities. In this sense, it is noted that the CNIL will henceforth be able to attach to its conclusions a reference for a preliminary ruling to the Court of Justice of the European Union for an assessment of the validity of the European Commission’s adequacy decision and of all the acts taken by the European Commission authorizing or approving the appropriate assurances in the context of data transfers. In addition, its scope of action has been broadened through its ability to ask the State Council 🙁http://www.google.fr/searchq=conseil+d%27%C3%A9tat&rlz=1C1CHBD_frFR778FR778&oq=conseil+d%27&aqs=chrome.0.69i59j0j69i57j0l3.1759j1j4&sourceid=chrome&ie=UTF-8) to order the suspension or termination of the data transfer concerned, if applicable under penalty.

In addition, the draft law establishes a specific procedure for the processing of health data. While this category of processing includes medical research and evaluation of care, it excludes, when they fall under the provisions on sensitive data, processes “necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services“. Also, in accordance with the GDPR, the bill establishes a fundamental prohibition on the processing of so-called “sensitive” data, genetic and biometric data for the purpose of uniquely identifying a natural person. However, it goes further than Article 9.2 of the GDPR by providing for the possibility for the administration and employers to use biometric data for access control purposes to workplaces, devices and applications. In addition, the bill limits the use of data relating to criminal convictions, offences or related security measures to only certain categories of persons. An exception is, however, provided where such data are used for the purpose of taking legal action as a victim, defendant or on their behalf and enforcing the judgment given. Finally, it has been provided, in procedural matters, that the persons concerned may be represented individually by any organization or association authorized to take group actions in the context of complaints or actions against the CNIL.

Although the bill is in line with the GDPR, there are some discrepancies between the two texts. Indeed, while the GDPR abolishes prior formalities with the supervisory authorities, subject to a few exceptions, the bill keeps them with the CNIL for health data in certain areas. In addition, it also maintains a high level of authorization for processing on behalf of the State, including the use of biometric or genetic data for identification and identity control purposes. Processing requiring the use of the social security number (NIR) will also be authorized within the framework of a decree in the State Council, taken after a reasoned opinion and published by the CNIL which will determine the categories of data controllers and the purposes of these processing operations. The use of NIRs will also be authorized for derogatory purposes for national statistics, electronic relations with the French administration and scientific research. Therefore, the bill is more inflexible in this regard.

It is regrettable that the draft law does not specify the appointment of a Data Protection Officer (“DPO”) or the age of consent required of minors, aspects for which the Member States had a certain amount of leeway.

In conclusion, in the light of these discrepancies, it is certain that, even after the adoption of the law, certain amendments are still necessary to make the French law all the more compatible with the GDPR. However, the impact of these divergences will have to be measured insofar as the European regulation remains directly applicable.

Faced with cumbersome administrative procedures and numerous incoming letters, companies are facing a very worrying kind of fraud. This takes the form of fraudulent invoices from companies pretending to be official bodies domiciled abroad in order to collect payments for trademark services.

Fraudulent invoices

While rationally, companies are cautious about their accounts and the payment of their invoices, fantom organizations claim payments, alleging to have served as intermediaries for a trademark registration. This practice is ultimately simplistic for these crooks because when a national or European trademark is registered, the trademark will be published in an official gazette such as the BOPI. The criminals then only have to obtain the contact details of the applicants from this publication, , photocopy the announcement and then send them an invoice that they will pay thinking that it is for the costs related to their trademark applications.

The culprits

Many players active in fraud have now been identified, which can help avoid falling into the trap of such fraudulent schemes. The culprits are notably known as Globus Edition SL, Global Edition, Edition the Marks or Trademark Publisher with which the trademark offices, in particular INPI, have no links. Moreover, the services offered by the latter have no official character and are therefore devoid of any legal effect.

A case law favorable to companies

Faced with these fraudulent practices, a case law has gradually emerged in favor of companies. Already in the year 2000, French judges sentenced two Austrian crooks attacked by the INPI. In 2017, the Svea Court of Appeal in Sweden, following a judgment by the Uppsala District Court, sentenced twenty people. This conviction follows the issuing of false invoices between 2011 and 2014 by what appeared to be the European Union Intellectual Property Office (EUIPO) to hundreds of addressees in various States following their applications for registration of a Community trademark with EUIPO. Following the receipt of these invoices, the financial services of the victim companies did not notice the fraud and paid the amount considering them official invoices.

Looking at the facts, the judges considered that “these letters were designed to mislead the recipients by making them pay for something of no value”, explaining their convictions for fraud offenses. However, companies must be extremely vigilant to the risk that such crooks will not be convicted in court for lack of clear evidence that payers were indeed being misled. Indeed, some fraudsters were able to avoid heavy convictions since, in certain cases, the proof that the companies were, in fact, misled was not reported.

The recommendations

Faced with this phenomenon, the EUIPO provides a tool to identify fraudsters via its “false invoices” page. In addition, it is strongly recommended that employees be informed and that proper internal approval procedures are in place before any payments are made. Indeed, these frauds are facilitated since internally, the services making the payments are not those who know the brand.

Fraud awareness is essential, because beyond trademarks, patents and domain names are also victims of these scams. As a precaution, companies should be aware that, for example, only the INPI intervenes in patent matters. Therefore, an invoice from any other entity must raise suspicions. Confronted with these suspicions, WIPO, EUIPO and all national offices and councils are at the disposal of companies in order to advise them on the best way to avoid fraudulent maneuvers. Faced with countless attempts of fraud affecting companies, these companies must be very vigilant about their intellectual property rights and all related elements such as their invoicing. Dreyfus & Associés is dedicated to providing you with all the requisite advice on trademarks and to protect you from any related damage, and is the ideal partner to accompany you in implementing your security strategy.