The Court of Justice of the European Union (CJEU), July 21, 2016, C-226/15, Apple and Pear Australia Ltd/Star Fruits Diffusion
In this case, the Court of Justice of the European Union recalls the extent and limits of the powers and functions of the European Union Intellectual Property Office (EUIPO) and of the national courts seized as European trademark courts.
Background
In 2009, the Belgian company Carolus C filed an application with the EUIPO for registration of the word sign “English Pink” as a Community trademark. In 2010, Apple and Pear Australia Ltd and Star Fruits Diffusion, filed a notice of opposition with the EUIPO based on three earlier trademarks, including the word mark “Pink Lady”.
Meanwhile, Apple and Pear and Star Fruits Diffusion brought an action for infringement against Carolus C, before the Tribunal de commerce de Bruxelles (Commercial Court, Brussels), in its capacity as a Community trademark court.
The Belgian trademark court annulled the “English Pink” trademark, ordering Carolus C to refrain from using the mark in the EU.
In view of the fact that, the Tribunal de commerce de Bruxelles (Commercial Court, Brussels) gave its decision before the EUIPO had decided on the opposition ruling, the European Union Trademark Office could thus have taken into account the judgment of the Belgian trademark court of the EU.
The EUIPO nevertheless rejected the opposition on the grounds that the marks were not visually, conceptually or phonetically similar. The appellants therefore applied to the General Court of the European Union for annulment of the decision of the EUIPO.
The General Court of the EU granted the application for annulment on the ground that the EUIPO, although not bound by the decision of the Belgian Community trademark court, did not take into account the potential impact of this judgment on the outcome of the opposition proceedings.
The General Court of the EU however objected to the registration of the contested trademark on the grounds that it does not have jurisdiction to substitute itself to the assessment of the Board of Appeal.
The CJEU in turn rejected the appeal and recalled first of all that EUIPO is the EU body with exclusive jurisdiction to authorise or refuse the registration of an EU trademark.
The Court also held that EU trademark courts have jurisdiction to give judgment prohibiting the pursuance of infringement actions of a Community trademark extending throughout the territory of the European Union.
Consequently, any proceedings brought before the EUIPO will have a subject matter different to an infringement action before a national EU trademark court.
Since the proceedings involve different subject matters, the EUIPO is not bound by final judgments of national EU trademark courts.
On the other hand, EUIPO should assess the potential impact of any judgment given by an EU national trademark court on the outcome of proceedings brought before it.
The defense strategy and timeline should therefore be established carefully in order to defend a Community trademark right.
The “.BRAND” Tld is a new gTLD that is becoming increasingly appealing. Companies are interested in this concept in order to own an extension of their own brand. This practice is an excellent marketing opportunity to present products of the brand.
Some statistics on the “.brand”
596 TLDs among which 536 were delegated
184 TLDs with more than 5 currently active registrations
4312 domain names but only 437 active websites
54 .BRANDs appear in the Alexa Rankings, representing a 69% increase in one month.
The top 5 terms to the left of .BRAND:
Home
www
mail
careers
support
sources 2016
What about companies having their “.brand”?
The actual impact of the “.brand” has not yet been established. However, these extensions are widely used in the banking sector, where security and authenticity are primary concerns.
Companies by now should have knowledge of their new websites using a “.brand” – notably the home.TLD used as a main site. While many companies have not yet given up their traditional domain names (.com, .fr, .co.uk, etc.), they no longer hesitate to promote their “.brand” amongst their clients.
Large companies have already made the transition: CERN, The Weir Group or even BNPParibas almost exclusively use their “.brand”. Others, like Barclays, are currently making the transition over towards complete use of their new extension.
Should one acquire a “.brand”?
There are many advantages to a “.brand” – particularly in terms of reputation with internet users and clients.
As a Tld exclusive to companies, internet users will thus be able to trust them, to value their reliability and will be able to feel safe in accessing these sites. Internet users will know with whom they are dealing and will not be misled by a potential cybersquatter. The company maintains full control of its extension and it can therefore apply any desired policy to promote its brand image.
A “.brand” is an excellent opportunity for businesses to promote their brand image and enhance communication. Companies would also at any time be able to use reliable statistics to determine their marketing and communication policy.
Will you make the transition?
Following the completion of the first round of new gTLDs, ICANN has scheduled a second one for 2018, even though it seems more likely that will take place in 2020.
To prepare for the above, companies need to perform an impact assessment: an analysis of the market, of the company’s activities and its competitors’ position in order to enable a brand to identify its needs.
Becoming a manager and a registrar of an extension requires preparation and particular technical skills and expertise. One must for example pay ICANN fees, manage the registry database and offer various services such as a 24/7 maintenance service.
If a business plans to have its brand name extension, all departments must be involved: marketing, communications, production, legal, technological, risk, etc. An internal strategy should be devised to efficiently determine the advantages and disadvantages and to carry out a study on the company’s return on investment. Finally, the technical conditions and compliance with ICANN standards are minor compared to this internal strategy. Businesses should consider integrating the “.brand” in their communication strategy.
Choosing not to have a “.brand” is already a strategy. One should therefore take a stand and ensure they are fully prepared before engaging in the .brand process.
Please feel free to contact Dreyfus for more information.
Brunei thus becomes the 6th member country, out of a total of 11 South-East Asian countries (ASEAN), to join the Madrid System.
Broad geographic coverage
Since January 6, 2017, the effective date of entry into force of the Madrid Protocol in Brunei, national trademark owners will be able to protect their trademarks in the 114 territories of the 98 members of the Madrid System.
In addition, foreign trademark owners can expand the protection of their trademark to the Southeast Asian market and more specifically to that of Brunei.
A convenient and cost-effective system
The main advantage of the Madrid System, is the simplification of the filing and management procedures of international trademark registration.
Following a simple application for trademark registration, or a trademark registration with a national or regional intellectual property office, one can apply for a single international registration with the same office, which will then arrange for submission of the application to the WIPO.
Filing an international application is therefore equivalent to filing multiple national applications, thus effectively saving time and money.
International registration as most national registrations is valid for 10 years.
Future accession of Thailand
Thailand should be the next ASEAN member state to become party to the Madrid System.
Only Indonesia, Malaysia and Burma as well as East Timor will then be left to obtain their accession to the Madrid Protocol so that all ASEAN countries become part of the international trademark system.
France : opposition procedure before the French Trademark Office and local communities
Since the decree no. 2015-671 dated June 15, 2015, an alert procedure has been made fully available for local communities and public establishments for cooperation between local authorities (EPCI), pertaining to registration trademark applications containing their designation.
This service, which is free on behalf of the NIIP’s public service mission, allows them to receive alerts when a trademark application contains their name and it also allows them to file an opposition within a 2 month deadline following trademark publication. The procedure has been implemented by new Code of Intellectual Property Articles D712-29 and D712-30. They provide that an Alert be issued by the NIIP « within five work days following the trademark’s filing date if the trademark contains the name of the local community or the country concerned ».
A valuable legislative policy change for french trademark law
Before the modification, legislation did not grant protection to local communities and EPCI’s against abusive use of their names, and the criteria that allowed to qualify for likelihood of confusion were difficult to fulfill. The NIIP’s means were, as a consequence, very limited as to defence of local communities’ rights.
The LAGUIOLE case of 2012 before the Paris Court of Appeals (Cour d’appel) illustrated the issue, because the judges reacted to only one of the plaintiff’s claims based on provisions of Code of Intellectual Property Article L714-5 for failure to meet the requirement for genuine use of the trademark during 5 years.
In this case, a Val-de-Marne restaurateur registered 27 trademarks containing the name « LAGUIOLE » seemingly looking to take advantage of the small town of Laguiole’s reputation, which is worldwide for the quality knives that are made there. French NIIP Director said that the trademark « enjoys no notoriety within restaurant and food industry businesses. Used as a brand to identify these different services, the word « Laguiole » will conjure up (…) the common name for that particular type of knife, not the Proper name designating a town in the Aveyron region ».
Protection made easier in pursuance of the NIIP’s public service mission
The decree currently in force allows for local communities to defend ownership rights to their own name without having to hope for a favorable decision based on incidental facts that are foreign to the actual legal issue, as was the case with LAGUIOLE in 2012. That decision has been the subject of judicial review before the French supreme Court (Cour de Cassation) in October 2016, and is currently still waiting for a referral date before the Paris Court of Appeals in 2018.
This change in the legislation is a positive one. With the NIIP alert system in place, local communities are now equipped to prohibit trademark registration if said registration is inimical to their interests. It is through enforcement of new Code of Intellectual Property Article L711-4 h) and decree no. 2015-671 dated June 15, 2015 that the trademark PARIS BY PARIS could not be registered, none of the proposed products being made in France.
A growing number of local communities and townships have put the Alert system to good use by filing oppositions before the NIIP when the trademark registry application is inimical to « the name, image or repute of a local authority » per Code of Intellectual Property Article L. 711-4 h). Local communities are now better equipped to control brand name recognition and can avoid name hijacking by entities trying to piggyback their reputation with misleading representation and deceptive practices.
The extent of protection still unclear
The question that still remains to be answered concerns the full extent of the abovementionned protection and interpretation of Article 711-4 h) by the French NIIP.
In the PARIS BY PARIS case, the French NIIP ruled that « Code of Intellectual Property Article 711-4 h) does not prevent all third parties from registering a sign that identifies a local community as a trademark, but reserves such prohibition for cases where trademarking would be detrimental to public interests ».
It is a very engaging start, and a welcome change !
It is important for a business, irrespective of its size, to protect its creations, investments and business. Proper management of your trademark portfolio or patents and protection of your rights contribute to the healthy development of a company and its business.
For several years, the world of industrial property experienced the phenomenon of “patent trolls” or Non Practicing Entity (legal entity without any activity, ndlr) the objective of which is to constitute a patent portfolio and then to oppose them to potential infringement and by proposing them to enter into licensing contracts under the threat of infringement claims and actions for injunctions. These patent trolls do not engage in production activities and are not competitors of their victims. Their sole purpose is the financial valuation of their shares by licensing them against hefty fees. For example, Apple has been involved in numerous lawsuits against VirnetX which is a troll known in the United States to derive its revenues solely from lawsuits against major companies like Apple, Microsoft, Cisco or Siemens. Thus, on September 30, 2016, Apple was sentenced by the Federal Court of Texas to pay more than $ 302 million to VirnetX for using its patented Internet security technology without permission. Apple had already been ordered in 2013 to pay $ 368 million damages to VirnetX for infringing its patents by creating FaceTime and using its own VPN in iOS.
From patent trolling to trademark trolling
While patent trolls persists, the issue has evolved towards the “trademark troll” (or “marque troll” in French). Based on the same system, persons or companies register trademarks without the intention of using them for trade or production of goods or services, but as a means of pressure against companies whose trademarks have been “stolen” by these trademark trolls.
All companies, including big companies with notorious brands, but more specifically SMEs and start-ups, are targeted by this practice.
In the United States, 47/72 Inc. filed a large number of trademark applications with the US Patent and Trademark Office (USTPO), which seemed to evoke well-known brands or well-known phrases or words widely used on the Internet. On April 27, 2016, 47/72 Inc. filed the “OH SNAP! CHAT.” in class 35. There is obviously a reference to the trademark “SNAPCHAT.” filed by the company of the same name and corresponding to the recently popular social network. The registration application of the mark “OH SNAP! CHAT.” is still under examination as the examiner found a likelihood of confusion with the sign “SNAPCHAT” filed on May 4, 2015 by Snap Inc. (formerly Snapchat) in classes 35 and 42. 47/72 Inc. has filed many other signs such as “PERISCOPE”, “99 PROBLEMS”, “HATERS GONNA HATE”, etc.
The trademark trolls
Trademark trolls traditionally play with notorious trademarks by filing them in countries where the trademark has not yet been registered. The trademark will then be registered for goods and services quite similar to those developed by the business. Therefore, when the business would be set up in the same country by filing its trademark application, it will be confronted with the original applicant who will claim money in exchange for assignment of the trademark under the threat of an infringement claim before the courts of law.
However, this practice can also affect smaller businesses that may wish to expand to other countries in the near future.
Similarly, a trademark troll may register a trademark in its country, whereas the original trademark is still under examination in the country of origin and the trademark holder has not filed it in any other country. The trademark troll will then prevent the trademark and the products from accessing its country’s economy, unless the holder pays for a license.
In such circumstances, original trademark owners are advised to identify, the countries and classes in which it will be fundamental to file the trademark as soon as possible, and to do so before launching the product or service under the brand.
Special attention should be given to “first to file” countries, in which anyone can file a trademark, regardless of whether it is known worldwide and already filed in several countries, or of whether the applicant has any actual intention of using the trademark.
The example of China
China is particularly targeted by the practice of trademark trolling and there are several examples to illustrate this.
Thus, the French winemaker Castel Frères SAS experienced this when the company Li Dao Zhi registered the sign “Ka Si Te”, the Chinese translation of “Castel”. However, Castel, which began selling its products in 1998 in China, did not apply to register the “Zhang Yu Ka Si Te” sign until 2002. Having learned that Li Dao Zhi is the holder of the KA SI TE trademark since 2000, Castel Frères SAS filed a request to cancel the trademark registration based on non-use in 2005. However, prior to this request, the Chinese company had begun to make use of its trademark. It therefore sued Castel Frères SAS for infringement. The French company was then ordered by the Chinese courts to stop any sale of its products and to pay $ 5 million to Li Dao Zhi. The French company was forced to obtain a license from the Chinese company to continue using its trademark and to sell its products in the country.
On May 1st, 2014, China adopted a new trademark law with clearer guidelines on the recognition and protection of notorious trademarks in China in order to fight against trademark trolls. Trolls often turn out to be agents mandated by licensees to file trademarks and abuse the “first to file” system. The law must then provide for good faith and confidentiality requirements for agents and prohibit them from registering a trademark outside their mandates or if they are aware of the existence of a similar trademark. However, this law remains insufficient since the trolls are not always agents but members of the public who are not related to the trademark owner.
The Castel Frères SAS case is now being handled by the Chinese Supreme Court, which suspended the fine and is now re-examining the dispute.
Moreover, in another well-publicized case dating from 2012 involving US-based Apple Inc. and the iPad in China, Apple finally paid $ 60 million to the Chinese company, Proview Technology in order to be able to use the trademark for its goods in China.
Trademarks trolls are a current issue and can affect all trademarks owners, whether they are big companies, SMEs or starts-up. Everyone must be cautious about their intellectual property rights and the countries in which their good(s) or service(s) will be traded. Indeed, trademark troll phenomenon can extend to domain names, which may be directly affected by the use of a trademark, and thus to the image of the brand on the Internet for Internet users.
In a decision of the Paris Cour d’appel dated November 8, 2016 (Pole 5, ch. 1, Mr X. / Team Reager AB and Stone Age Limited), the judges reversed an expert’s decision at the WIPO Arbitration and Mediation Center dated July 29, 2013 who ordered the transfer of a domain name to a community trademark owner prior to the registration of the disputed name.
Transfer of the domain name ordered by the WIPO
The Swedish company Team Reager AB, created on September 9, 2010 and specialized in design of products and services related to mobile phones, had launched through Moobitalk UK Limited its sister company, a hands-free device called “Moobitalk”. On February 10, 2011, it registered the community word mark Moobitalk, designating particularly telecommunication services, and assigned its rights on the trademark to Stone Age Limited on April 14, 2014.
Mr. X., managing director of companies operating in the Middle East, particularly in Yemen where he was born and is resident, had for several years operated communication services based on the “moobi” suffix (phonetic transcription of “mobi” meaning “mobile phone” in Arabic), and especially “chat” type services called MoobiChat and Moobitalk, in different countries of the Near East and the Middle East. On April 17, 2011, he registered the domain name <moobitalk.com>.
Team Reager had filed a UDRP complaint with the WIPO against Mr. X, and the Expert had ordered the transfer of the domain name <moobitalk.com> on July 29, 2013 on the grounds that Team Reager was the owner of the community trademark Moobitalk prior to the disputed name.
An ownership claim to the name
However, on August 27, 2013, 8 days following notification of the decision, Mr. X brought Team Reager before the TGI of Paris to settle whether he was the legitimate owner of the domain name <moobitalk.com> and to obtain its restitution. However, the TGI rejected the arguments put forward by Mr. X. It upheld the acts of infringement committed against the community trademark Moobitalk and ordered the transfer of the domain name ‘moobitalk.com’ as compensation.
However, Mr. X appealed against that decision in order to reclaim ownership of the disputed domain name. Indeed, the Cour d’Appel held that there was no trademark infringement insofar as the <moobitalk.com> site was not targeting an audience in the European Union but only in the Near and Middle East. Neither the use of the generic extension “.com” nor the use of the English language on the website demonstrated <moobitalk.com>’s owner’s will to target the European public.
The court therefore reversed the TGI judgment and dismissed the claims of Team Reager and Stone Age with respect to infringement of the community trademark Moobitalk and the violation of TeamReager’s rights over that trademark, and ordered restitution of the domain <moobitalk.com> to Mr. X., its owner.
Can we appeal a UDRP decision?
The decision recalls the rules for an appeal of a UDRP decision. This action is possible provided that it is brought within ten days following the notification, in order to avoid cancellation or transfer of the name. Thereafter, the competent court is either where the registered office is located or where the domicile of the domain name owner is located. In the context of proceedings relating to the domain name <moobitalk.com>, the independence of French judges from the WIPO must be emphasized, since the Paris Cour d’appel reversed the judgment of the WIPO experts and ordered restitution of the disputed name.
The Court of Justice of the European Union (CJEU), June 22, 2016, C-207-15P, Nissan/EUIPO
Nissan is the owner of a figurative Community trademark “CVTC” for which registration was sought in classes 7, 9 and 12. Nissan requested the renewal of the trademark, due in April of 2011, in respect of goods and services in classes 7 and 12 only.
The European Union Intellectual Property Office (EUIPO) refused Nissan’s request. The decision to refuse Nissan’s request for renewal of the “CVTC” trademark in class 9 was confirmed by both the First Board of Appeal of the EUIPO and the EUIPO General Court.
Nissan then appealed to the CJEU seeking annulment of the judgment of the General Court of the EU, which rejected the application for partial renewal of the mark in class 9.
The CJEU acknowledges the possibility to request successively for partial renewal of a trademark in different classes, not only before, but also during the grace period.
Therefore, the only prerequisite for successive requests for partial renewal of a Community trade mark to be accepted, is compliance with the grace period, together with payment of the surcharge.
By way of this decision, the CJEU establishes that the new Article 47 of the EUTMR, provides that the request for renewal should be submitted within a period of six months prior to the expiry of registration. In other words, 10 years following the date of application for registration.
An order of the European Court of Justice (ECJ) dated September 8, 2016 highlights the need for business trademark owners to register all relevant changes with the Trademark Register.
Changing one’s corporate name requires compliance with various formalities, such as amending the statutes or even advertising in a Journal of legal notices. When the business is a trademark owner, recording the change into the Trademarks Register is another formality requirement.
This recommendation is the result of an order of the ECJ dated September 8, 2016 where a company’s opposition to a trademark filing was dismissed on the grounds that its change of name did not allow it to oppose its trademarks to third parties insofar as it had not been entered into the Trademarks Register. This ECJ decision is contrary to the existing French legal framework with respect to trademarks.
ThecurrentFrench regulations
In accordance with Article L714-7 of the Intellectual Property Code, a trademark holder is required to make a recordal with the INPI only for some changes.
This article is at the root of the distinction made in practice between “compulsory” entries for changes in ownership of the trademark (transfer, merger…), and “optional” entries affecting the trademark owner (new legal form, new registered office, new corporate name).
Such an important distinction allowed businesses to prioritise the formalities to be carried out. As soon as a company was confronted with a “compulsory” entry, this change had to be entered with the INPI. If not, ownership was not enforceable against third parties. However, in the case of “optional” entry, the absence of entry in the INPI Trademarks Register did not impact the existing rights.
This policy is being questioned by the ECJ’s recent decision, which seems to require a balance between the business information with the Trade and Companies Register and trademark information with various Trademark Offices.
A policy weakened by the ECJ
While the ECJ has recently reduced its requirements for registration with the Trademarks Register of licences for trademarks or designs, this is not the case with respect to registration of changes concerning the trademark owner.
On September 8, 2016, the ECJ dismissed Real Express SRL’s opposition to the filing of a European Union trademark by MIP Metro Group Intellectual Property GmbH & Co KG. The Court then confirmed the position adopted by previous European institutions, namely the EUIPO and the General Court of the European Union, and considered that the applicant did not justify having rights over the registration of Romanian trademarks on which the opposition was based.
This debate arose as a result of a change of name from Real Express SRL to SC Unibrand SRL at the time of filing. The application for entry with the Romanian Office (OSIM) only took place a few days before the opposition. The various European bodies will judge this application for late registration insufficient and consider that Real Express SRL does not establish the existence of rights to earlier trademarks which was the reason for the opposition.
Late submission after filing of the opposition of a simple fax sent by OSIM confirming the request for registration of change of name and confirming the ownership of the trademarks since June 2011 will be considered insufficient. The ECJ therefore requires that the applicant’s situation be legitimate on the date of the application, otherwise his objection may be rejected.
This solution should be applied not only to changes in corporate name but also to changes in the registered office and changes in legal form.
Challenges and uncertainties
This ruling will have major implications for trademark owners. As soon as the details about the trademark owner become outdated, protecting a trademark right becomes risky.
It is obvious that a simple application with the Trademarks Register is insufficient, as registration of the entry must be effective. Depending on the country, this registration may take some time. There are, of course, fast-track procedures.
This decision encourages the anticipation and securing of trademark rights by entering all changes that may affect a trademark.
Following the French Digital Republic Law of October 7, 2016, Dreyfus presents a trilogy of articles on three essential features of the law.
The Digital Republic Law is centered around its’ title II called “Protection of rights in the society”. Within this Title II is the Second Chapter, entirely dedicated to “Protection of personal privacy online”, including “Protection of personal data”.
These new rules entail profound changes that the French legislator wished to anticipate in order to guide and the stakeholders and ensure compliance when processing personal data.
Power given to the data subjects
Both the Digital Republic Law and the GDPR focus on the person whose personal data will be processed (hereinafter called the “data subject”).
Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person”. However, an identifiable person refers to “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”. Therefore, data is personal when it allows the identification of a natural person. This data does not have to identify the data subject directly, as it shall be sufficient to identify them with data roll-up.
A self-determination right is thus conferred on the data subject.
Control of Post-mortem data
The Digital Republic Law also incorporates the right for data subjects to control their post-mortem data by amending the Act of January 6, 1798, and Article 40-1, with the aim to empower them to exercise their right over their personal data. The law thus creates a system of directives on storage, deletion and communication of the data subject’s personal data.
These directives may be amended or revoked at any time by the data subject. The directives define the manner in which the person intends to exercise his various rights following his or her death.
There are two types of directives:
General directives: they concern all personal data relating to the data subject. They may be registered with a trusted third party certified by the National Commission on Informatics and Liberty (CNIL). The CNIL will be responsible for managing a single registry where the references to the general directives and the registered and trusted third party will be recorded.
Specific directives: they concern the processing of personal data mentioned in these directives. They shall be registered with the relevant data controllers and shall be subject to specific consent of the data subject. Thus, the mere approval of the general terms and conditions of use (GTC) does not allow the definition of these specific directives.
The directives may designate a person who, upon the death of the data holder concerned, will be responsible for executing directives and requesting their implementation from the data controllers. In the absence of the designated person and unless otherwise instructed, the heirs of the deceased shall take note of the instructions and request their execution.
Providers of a public online communication service are responsible for informing users about what is done with their personal data upon their death and must allow them to choose whether or not to communicate their data to a third party they designate. Additional information on this issue should be included in the GTC specifically, but also in the data protection policy.
The rights granted to a person to decide what should be done with their post mortem data cannot be limited. Thus, a clause in the GTCs regarding the processing of personal data limiting these prerogatives is considered null and void.
Strengthening information available to users
Article 32 of the French Data Protection Law already required certain informations to be communicated to data subjects by whose data is being processed. Thus, the data collection forms had to mention the identity of the data controller, the purpose of the data processing, the mandatory or optional character of the data, the recipients of the data, and so on. The Digital Republic Law includes an eighth point on the storage period in terms of the categories of data processed or, if not possible, the criteria used to determine this duration.
Thus, any data collection form, data protection policy and any general terms and conditions of use shall henceforth indicate the data storage period.
Henceforth, when a data controller fails to comply with his obligations, the CNIL’s chair shall be entitled to issue a formal notice to put an end to any identified infringement within a time limit set by him. In case of extreme emergency, this delay may be reduced to twenty-four hours. Previously, the timeframe was five days. If infringement does not cease, the CNIL Restricted Committee may then issue, following an adversarial hearing (procédure contradictoire), a warning, a penalty (except where the processing is made by the State), an injunction to cease the processing or a withdrawal of the authorisation issued pursuant to Article 25 of the Law of January 6, 1978.
Monetary penalties are a novelty because prior to the French Digital Republic Law, monetary penalties were set only in cases of violation of a formal notice. This penalty may not exceed three million euros.
– up to EUR 10,000,000 or, in the case of a company, up to 2% of the total annual worldwide turnover for the previous financial year, whichever is the greater;
– or up to EUR 20 000 000 or, in the case of a company, up to 4% of the total annual worldwide turnover for the previous financial year, whichever is the greater.
Since the European regulation is of direct application, these amounts should be applied by the CNIL as of May 25, 2018.
Such measures may also be taken by the Restricted Committee, without prior formal notice and following an adversarial hearing (procédure contradictoire), where the identified infringement cannot be brought into conformity in the context of a formal notice.
Where there has been a violation of rights and freedoms of the data subject following execution of the processed data, the Restricted Committee may also, when the matter is brought before it by the chairman of the CNIL andin the context of emergency proceedings defined by a decree of the Conseil d’Etat and following an adversarial hearing (procédure contradictoire):
– decide to suspend processing, for a maximum period of three months,
– issue a warning,
– decide to lock certain processed personal data, for a maximum period of three months,
– or, for certain processing, inform the Prime Minister so that he may take action toward putting an end to the infringement identified.
In the event of a serious and immediate violation of human rights and freedom of the data subject, the CNIL chair may request a court of law to order, by way of summary proceedings, any measure necessary to safeguard these rights and freedoms.
the intentional or negligent nature of the breach,
measures taken by the data controller to mitigate the damage suffered by the data subjects,
the level of cooperation with the CNIL in order to remedy the breach and to mitigate its possible negative effects,
categories of personal data,
and finally the way in which the breach was communicated to the Committee.
The Restricted Committee may make public the sanctions issued. It may also order sanctioned parties to inform the data subjects of this sanction individually, at their expense.
The Restricted Committee may also order the publication of sanctions in newspapers and other media, at the sanctioned person’s expense.
Certain developments and clarifications on this law will be specified in the decrees. To be continued…
Please see our two other articles on the Digital Republic Law:
Part 1: French Digital Republic Law – online platforms
Part 2: French Digital Republic Law – data recovery
Further to the French Digital Republic Law on October 7, 2016, Dreyfus presents a trilogy of articles on three major aspects of law.
As soon as the online consultation on the Digital Republic Law came into force in September 2015, the right to data portability was at the heart of debates. The participants displayed a keen interest and votes in favour of article were positive (out of 796 votes, 704 were in favour of the article).
The Act therefore inserted a new subsection 4 in Section 3 of Chapter IV of Book II of the French Consumers Code entitled “Data Recovery and Portability”. According to the new article L. 224-42-1 of the French Consumer Code, “The consumer has at all times a right of recovery of all his data.”
A right to data recovery in accordance with European Union law
So as not to be in conflict with its future provisions, the drafting and coming into force of the Digital Republic Law followed the new European Regulation on the protection of personal data
The new Article L. 224-4-2 provides that the recovery of personal data introduced by the Law for a digital Republic is in conformity with the provisions of Article 20 of the Regulation of April 27, 2016.
However, there is a difference between the Digital Republic Law and the Regulation: while the latter speaks of data portability, the Digital Republic Law only mentions data recovery, regardless of what the title of the new subdivision 4 implies.
Difference between data portability and data recovery
As the name suggests, recovery allows for the retrieval of one’s data from an online provider of communication services to the public, in an open and easily reusable way. Thus, the data possessed by this provider shall not be lost when unsubscribing from its services.
Portability, however, not only makes it possible to retrieve data from the provider but also to transfer data to another. This can be initiated by the owner of the files himself, or if technically feasible, directly between the operators. Its scope is therefore larger than mere data retrieval.
The difference between data portability in the Regulation and data recovery in the Act is that the former covers only personal data and not “all files uploaded by the consumer”, contrary to the Digital Republic Law. The aim is therefore to target data processors in the Regulation and to target online providers of communication services to the public through the Law..
The choice between portability and recovery therefore becomes clearer: personal data is sensitive data and it is normal for a person to make use of this information. “All the files uploaded by the consumer” however, makes the question to be asked a little more complex. It is understandable that the legislator did not wish to impose portability on the providers: this would have required considerable technical efforts and very high costs in terms of compliance. Nothing however, prevents the user from subsequently transmitting files to another provider, even if technically possible.
What data is involved in the recovery according to the Digital Republic Law?
The legislator sought to go further than personal data under the Regulation. The aim of these provisions is indeed to facilitate the access of new providers, in particular young innovative startups, to markets very often closed or at the very least dominated by oligopolies. The choice was made to lower the barriers to changes of service providers and to promote competition among different digital service providers. Thus, the choice was made to include, for example, online bank statements, order history on an electronic sales site or the content of music preferences progressively posted on an online streaming site.
The Act therefore provides that recovery must be a free-of-chargeservice for all providers of online communication services to the public. It therefore covers
“all the files uploaded by the consumer”;
“all the data resulting from the use of the user account of the consumer and viewable online by him, other than those that were subject to significant enhancements by the provider”;
And “other data related to the consumer’s user account that meets the following requirements: a) these data enables the change of service provider or allows access to other services; b) data identification takes into account the economic importance of services involved, the intense competition between providers, the usefulness to the consumer, the frequency and the financial issues in the use of those services.”
The data involved in the recovery is therefore significant and the criteria provided by the law allows for a wide scope of retrievable data. It includes files uploaded by the consumer, data available online on the consumer’s user-account, other data associated with the account as well as that of economic importance, useful for the consumer, that bear financial issues, etc.
However, there is one significant exception: data “thatwere subject to significant enhancements by the provider” are not in the scope of the recovery. This involves making a distinction between raw data and significantly enriched data. The latter are those that concern services offered by the platform; data transmitted by the consumer that have been modified, enhanced using algorithms created by the service provider. The contribution of this algorithm cannot therefore be retrieved by the consumer while recovering the data.
Furthermore, it is only information visible to the public and not that of the “back office” that is concerned.
What are the new obligations on online communication service providers?
They must set up this data recovery feature and offer it free of charge.
The service provider must take all necessary measures, in terms of interface programming and transmission of the information necessary for the change of provider. The consumer must be able to retrieve all of his/her data or files through a single request made to the provider.
The data must be recovered using an open standard, easily reusable and exploitable by an automated processing system. However, when this is impossible, the provider must clearly and transparently inform the consumer. Otherwise, where appropriate, the provider informs the consumer of the alternative methods of such data recovery and specifies the technical characteristics of the recovery file format, in particular its open and interoperable character.
A decree is expected to specify the list of the types of enrichments deemed to be insignificant that can not give rise to a recovery refusal to the consumer. In case of a dispute, the burden of proving the alleged insignificant enrichment will be that of the professional.
To this extent, the new Article L. 224-42-4 of the French Consumer Code specifies that these provisions do not apply to providers of an online public communication service with a number of user accounts subject to an active connectionion during the last six months less than a threshold number defined by decree.
What do these new provisions bring about?
The ability to retrieve data from an online communication service was highly anticipated by Internet users. For some, this is even the corollary of the recognition of the right to the free disposal of personal data.
The challenge here was to balance the needs of consumers with business economic needs. The aim was not to disadvantage young innovative companies struggling to find a place among the giants within the markets concerned .
Time will tell us whether this objective is achieved and the impact of these provisions. We will have to wait until May 25, 2018 to notice the first visible effects, when the European Regulation and these provisions on data portability and recovery will come into force.
Our site uses cookies to offer you the best service and to produce statistics, and measure the website's audience. You can change your preferences at any time by clicking on the "Customise my choices" section.
When browsing the Website, Internet users leave digital traces. This information is collected by a connection indicator called "cookie".
Dreyfus uses cookies for statistical analysis purposes to offer you the best experience on its Website.
In compliance with the applicable regulations and with your prior consent, Dreyfus may collect information relating to your terminal or the networks from which you access the Website.
The cookies associated with our Website are intended to store only information relating to your navigation on the Website. This information can be directly read or modified during your subsequent visits and searches on the Website.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Dreyfus is concerned about protecting your privacy and the Personal Data ("Data"; "Personal Data") it collects and processes for you.
Hence, Dreyfus complies every day with the European Union legislation regarding Data protection and particularly the European General Data Protection Regulation Number 2016/679 of 27 April 2016 (GDPR).
This Privacy Policy is aimed at informing you clearly and comprehensively about how Dreyfus, as Data Controller, collects and uses your Personal Data. In addition, the purpose of this Policy is to inform you about the means at your disposal to control this use and exercise your rights related to the said processing, collection and use of your Personal Data.
This Privacy Policy describes how Dreyfus collects and processes your Personal Data. The collection happens when you visit our Website, when you exchange with Dreyfus by e-mail or post, when exercising our Intellectual Property Attorney and representative roles, when we interact with our clients and fellow practitioners, or on any other occasion when you provide your Personal Data to Dreyfus, in particular when you register for our professional events.
The Court of Justice of the European Union (CJEU), July 21, 2016, C-226/15, Apple and Pear Australia Ltd/Star Fruits Diffusion
