The digital transition of small and medium-sized enterprises was the AFNIC’s 2020 target – a year marked by the health and economic crisis. This target was reflected in the 2020 Annual Report of the French association. The report was released in June 2021.
In fact, there was a growth of 7% of <.fr> registrations with a total reach of 3,670,372 registered names at the end of 2020. The reason of this growth were the AFNIC’s efforts to make the registration and use of <.fr> more accessible, safe and proximate.
Given the increasing need for digital transformation, small and medium-sized enterprises had little choice but to develop and exploit Internet activities. The AFNIC organized a massive promotion of a secure and advantageous online presence via its Réussir-en.fr device. Thanks to this initiative, digital transitions took place more efficiently and more often.
In addition, the AFNIC signed a partnership with the DGCCRF (Directorate General of Competition, Consumer and Repression of Fraud). The aim of their partnership was to transmit the list of corresponding domain names to the DGCCRF on a daily basis, in order to block sites that supported or facilitated deceptive marketing practices. The general idea was to create a climate of trust.
Finally, the AFNIC Foundation took measures, in the context of the worldwide health crisis, to support local initiatives. The foundation aimed to reduce the distance with the digital environment and to restore the social connection, in particular through: purchasing computers for schoolchildren, purchasing sound equipment for EHPAD residents or setting up dematerialized accompaniments in order to find jobs online.
The AFNIC succeeded to achieve its 2020 goal to ensure the digital transition of small and medium-sized enterprises through making <.fr> safer and more accessible, through massive promotion and through supporting local initiatives to reduce the distance with the digital environment and to restore the social connection.
Prepare and prevent, don’t repair and prevent…This saying also applies to trademarks, since fraudulent payment notices are becoming more and more common nowadays.
How is this happening?
Dishonest private companies, scammers, approach trademark applicants directly to ask them to pay certain service fees or other payments that are in fact neither necessary nor legally required.
It is therefore crucial to be vigilant.
Since trademark registration and management are already time-consuming and expensive enough, it goes without saying that paying scammers for their so-called trademark services is unnecessary. You should be extra vigilant when enquiries about trademark procedures do not come directly from your usual counsel.
However, fraud is not always easy to detect and the imagination of fraudsters is endless.
For instance, some fraudsters approach trademark owners directly by e-mail and demand payment of certain expenses, fees or additional charges to obtain trademarks’ registration when these expenses are purely fictitious. The payment notices are often for trademark monitoring services, additional registration services or services related to trademark renewal.
The problem is that trademark owners are very often approached by a so-called official agency, company or institution and sometimes even a so-called public authority or government. They use the same official templates, signatures and stamps as these types of entities and they provide the exact data of the trademark application or registration in question. After all, this kind of information is relatively easy to find online.
Another issue is the cross-border nature of these scams.
It may happen that trademark owners receive a notice from a Russian, Indian or Chinese company. While it is perfectly possible that payment notices from foreign countries are made in good faith, it is always beneficial to carefully check the accuracy and legitimacy of such notices.
Here are our advices.
Firstly, we invite you to check the stage of the proceedings in which your trademark is located. Isn’t it strange to pay fees for the registration or renewal of a trademark if the time limit has not even started or has already expired?
We encourage you to be vigilant. Do not hesitate to ask us questions when you receive documents that do not come from Dreyfus. Indeed, it is always wise to contact your legal adviser before making a payment. Dreyfus is specialised in these matters and is fully aware of the applicable time limits, procedural steps and expenses.
There are also official offices and agencies that can be contacted in the event of a suspicious or misleading trademark notice. For instance, the United States Patent and Trademark Office (USPTO) can be contacted. Although this office does not have the legal authority to prevent companies from engaging in these types of fraudulent practices, the USPTO does assist in the fight against fraudulent trademark notices. The USPTO issues reports and works with the Department of Justice and the Federal Trade Commission. Trademark owners can always file complaints with the Federal Trade Commission. This commission has the power to investigate and even prosecute if, for example, a particular company commits fraudulent business practices on a large scale. Dreyfus can assist you in filing such complaints and prevent you from being entrapped.
Fraudulent trade mark notices are becoming increasingly common. It is important to be very vigilant, to check the applicable time limits, to contact your Trademark Attorney before making any payments. At Dreyfus, we work with trademark offices and official agencies, such as the USPTO, in case of trademark notices that are suspicious or appear to be misleading.
On November 22, 2016, at 4:05 p.m. sharp, the Vinci group is the victim of identity theft. Several media receive a false press release reporting a review of Vinci’s consolidated accounts for fiscal year 2015 and the first half of 2016 following alleged accounting embezzlement.
In 2019, the US news agency Bloomberg appealed a decision of the AMF’s sanctions commission. The hearing before the court of appeal will be held this Thursday. Bloomberg was sentenced to 5 million euros for relaying information from a false Vinci press release.
A fake press release from Bloomberg
The American news agency Bloomberg is accused of having disseminated, in 2016, false information about Vinci without having verified it.
On November 22, 2016, at 4:05 p.m. sharp, the Vinci group is the victim of identity theft. Several media receivea false press release reporting a review of Vinci’s consolidated accounts for fiscal year 2015 and the first half of 2016 following alleged accounting embezzlement.
The false statement also indicates that the chief financial officer was fired. Less than a minute later, between 4:06 p.m. and 4:07 p.m., Bloomberg picked up the information and disclosed it on his terminal.
This press release had even been signed with the name of the real person in charge of Vinci’s press relations, while referring to a false cell phone number.
In defense, the defendants point out before the commission that the tone, the absence of spelling errors, the careful layout, the exact references to certain directors of Vinci or to its auditors, the mention of the real spokesperson for Vinci as well as the plausibility of the foot of the press release, which contained a link to unsubscribe from the Vinci mailing list and alerted the recipient to the automated processing of data, mentioning the contact details of the real correspondent Cnil de Vinci , did not differentiate this press release from a real press release established by Vinci.
The domain name issue in the false press release
The only inaccuracies in the false press release: the domain name of the false Vinci site to which the press release referred and the false mobile phone number of the “media contact”.
The fraudulent press release was also received by AFP, which did not follow up after realizing that this document had been posted on a mirror website, very similar to the real site but with a separate address (vinci.group and not vinci.com).
How to protect your domain name?
Domain names represent an essential intangible asset for companies since they allow access to websites related to their activity. Now, protecting the domain names associated with the trademark or the business of the company has become almost as important to the company as the protection of its brands.
In addition, domain names are the preferred medium for cyber-attacks which calls for increased vigilance on the part of owners and Internet users.
Phishing, fake president fraud, identity theft, fake job offers, theft of personal or banking data, whaling… frauds are numerous and are constantly adapting to technological progress;
Fraud is facilitated by the very protective provisions of the GDPR, which prevent the direct identification of the domain name registrant; technical service providers tend to rely upon the provisions of the GDPR and the LCEN to justify their inaction and allow fraud to continue;
There is a great risk of damage to the company’s image and reputation. Such fraud also has a significant financial impact, given the risk of embezzlement and money laundering.
The AMF’s Guide to Periodic Disclosure for Listed Companies (dated June
To protect your domain name from cybersquatters or competitors, it is recommended to also register the domain name as a trademark in addition to the reservation of the domain name.
It is possible, before making a domain name reservation and trademark registration, to check its availability, to avoid conflicts between domain names, trademarks or corporate names.
Domain names are now an integral part of the international economic landscape. Like industrial property rights and traditional distinctive signs, they are instruments of competition and intangible assets of companies. It is of course essential to have it for anyone who wants to exist in a market.
But care must be taken not to come into conflict with one’s competitors by using, even in good faith, distinctive signs close to theirs. Conversely, it is also necessary to enforce its own distinctive signs by not allowing third parties to appropriate signs close to its own in order to offer the same or similar services.
How to mitigate the risks regarding domain names ?
– Proceed to an audit of the corporate trademark and the company’s flagship trademarks among domain names, in order to map the risks;
– Set up a 7/7 watch of the corporate trademark among domain names, and a 7/7 or at least weekly watch on the company’s trademarks dedicated to goods or services;
– Set up watches on social networks such as Facebook, Instagram, Twitter and LinkedIn;
– Proceed with the preventive registration of domain names in risky extensions (such as .COM, .CO, .CM, .GROUP);
– Take preventive action(s) against potentially dangerous domain names;
– Define procedures and set up a crisis management unit to quickly react to infringements in case of emergency;
– Draft or update the company’s domain name policy (registration procedures, compliance with legal obligations, best practices) to be shared internally and with the company’s service providers and suppliers.
Cyber threats are more numerous and more complex and it has also become increasingly difficult to take action against registrants of disputed domains. More than ever, monitoring is required with the implementation of risk mapping and a defense strategy.
Dreyfus advise you in setting up the appropriate strategy to limit the risks related to domain names and to integrate industrial property assets in your compliance plans.
A right or legitimate interest in a domain name may be demonstrated by its use in the context of a bona fide offer of goods or services. This assessment requires to take into account how the domain name has been used, but also the space-time framework: When was the domain name registered? By whom? In which country?
Founded in 2003, Ba & sh is a French company operating in the field of design, manufacturing and distribution of women’s ready-to-wear clothing and fashion accessories.
Having detected the registration of the domain names <bashshitever.com> registered in 2014 and <bashclothing.co> in 2020, Ba & sh filed a complaint with the WIPO Arbitration and Mediation Center in order to obtain the transfer of these domain names.
While the construction of the <bashshitever.com> domain name is somewhat intriguing, the fact that the <bashclothing.co> name contains the term “clothing” may have led Ba & sh to consider that its rights were being infringed.
In any event, since the domain names include the sign “BASH” except for the ampersand, the panellist acknowledges a likelihood of confusion.
Nevertheless, the panellist deems that Respondent has chosen these domain names independently of Complainant’s trademark and has used them in the context of a bona fide offer of its goods on the corresponding websites.
Indeed, Respondent is from Malaysia, where the company was founded in 2015, while Ba & sh has provided no evidence of actual use of its BA & SH mark in that territory. Khor Xin Yu, Respondent, explains that he co-founded “BASH CLOTHING” in 2013 when he was 18 years old and that the mark was also used in Singapore in 2017. Initially, the sign used was “Bash Shit Ever”, later changed in 2020 to “Bash Clothing” as part of a branding update.
Similarly, Respondent provided an explanation and documentation justifying the selection of the sign BASH because of the meaning of the dictionary term “bash”. Finally, Respondent used a logo that differs from that of Complainant.
Complainant has not shown that Respondent registered and used the disputed domain names in bad faith.
Indeed, when the first disputed domain name <bashshitever.com> was acquired by Respondent, Complainant had been operating in France and worldwide for about 11 years and had owned an international trademark for about 7 years, designating Malaysia. However, Complainant has not presented any evidence of actual use of its BA & SH trademark in Malaysia at the time of registration of the first disputed domain name.
In addition, a Google search for “bash” shows several results unrelated to Complainant or its trademark. Respondent has also provided a plausible explanation as to why he chose the term “bash”, an English dictionary term related to the idea of a party insofar as its initial target was female students.
Finally, although the parties operate in the same market segment (i.e. ready-to-wear and accessories), Respondent’s use of the disputed domain names does not show an intention to compete with Complainant and its trademark, given the different logos/layouts, the significantly lower prices at which the Respondent’s clothing is offered for sale, and the absence of any information on Respondent’s website that would lead users to believe that the website is operated by Complainant or any of its affiliated entities.
The complaint is, therefore, dismissed.
Ba & sh should have investigated Respondent’s motives before initiating a UDRP proceeding, including whether its trademark was known in Respondent’s country when the first domain name was registered. It should also have determined for how long Respondent had been using the “Bash” sign for fashion activities. An investigation could have revealed these elements. Respondent explains that he first marketed the Bash clothing on social networks. And, depending on the answers to these two questions, write a proper letter to the defendant
Wednesday March 31, 2021 was the very last limit set by the National Commission for Informatics and Freedoms (Cnil), for French advertisers to comply with European rules relating to cookies.
From Thursday, April 1, 2021, the banner on websites is required to enable much more explicitlyInternet users to “refuse” these computer tracers much more explicitly.
This is one of the measures voted in 2016 by the European Union in the General Data Protection Regulation (GDPR)and entered into force in May 2018 in all 28 (now 27) member states.
When they browse the web or use mobile applications, Internet users are increasingly followed by various actors (service editors, advertising agencies, social networks, etc.) who analyze their browsing, their movements and their consultation or consumption habits, in particular in order to provide them with targeted advertising or personalized services.
This tracing is carried out by means of various technical tools, “tracers“, of which cookies are a part.
Cookies are small pieces of text inserted into your browser while you are browsing the web.
There are various types of cookies and have multiple uses: they can be used to remember your customer ID with a merchant site, the current content of your shopping cart, the language of the web page, an identifier allowing to track your navigation for statistical or advertising purposes, etc.
They are a source of concern for many users, while others are not even aware of their existence apart from the mandatory pop-ups on all websites that ask you to “Accept cookies“.
In France, the National Commission for Informatics and Liberties (CNIL) carries out numerouschecks and issues sanctions for non-compliance with the GDPR and French legislation.
Your website is required under the EU’s General Data Protection Regulation (GDPR) to allow European users to control the activation of cookies and trackers that collect their personal data.
This is the essential point of consent to the use of cookies according to the GDPR – and the future of our digital infrastructures.
The CNIL reminds that the consent requirement provided for by these provisions refers to the definition and the conditions provided for inArticles 4 and 7 of the GDPR.
It must therefore be free, specific, enlightened, unambiguous and the user must be able to withdraw it, at any time, with the same simplicity with which he has granted it.
In order to remind and clarify the law applicable to the deposit and reading of tracers in the user’s terminal, the CNIL adopted guidelines on September 17, 2020, supplemented by a recommendationaimed in particular at proposing examples of modalities consent collection practices.
Consent must be manifested by a positive action of the user, informed beforehand, in particular, of the consequences of his or her choice and having the means to accept, refuse and withdraw his or her consent. Appropriate systems must therefore be put in placeto collect consent in practical ways that allow Internet users to benefit from easy-to-use solutions.
Acceptance of general conditions of use cannot be a valid method of obtaining consent.
The CNIL will therefore now carry out checks to assess compliance with the rules relating to tracers, in application of article 82 of the Data Protection Act and articles 4 and 7 of the RGPD on consent, as summarized in its guidelines.
Through this action, the CNIL intends to meet the expectations of Internet users who are increasingly sensitive to Internet tracking issues, as evidenced by the constant complaints it receives on this subject.
If breaches are noted following checks or complaints, the CNIL may use all the means made available to it in its repressive chain and issue, if necessary, formal notices or public sanctions.
The evolution of the applicable rules, clarified by the guidelines and the recommendation of the CNIL, marks a turning point and progress for Internet users, who will now be able to exercise better control over online tracers.
Dreyfus can assist you in the management of your trademarks portfolios in all countries of the world. Do not hesitate to contact us.
With the rise of the digital age, setting up a reliable and effective compliance strategy as well as mobilizing the skills of professionals have become key factors in the company’s performance, particularly in the field of intellectual property.
From the outset, it seems important to remember that compliance includes all the processes intended to ensure that a company, its managers and its employees comply with the legal and ethical standards applicable to them.
Likewise, the challenges and risks of intellectual property have increased in the virtual world. Domain names as well as social networks are likely to be the targets of multiple attacks.
The key challenges of compliance with regards to intellectual property risks (I) raise questions both about the practical consequences of compliance in all aspects of intellectual propertythe role of the “compliance officer” in this framework (II) and the role of the “compliance officer” in this framework (III).
The challenges of intellectual property compliance
The environment as well as legal decisions revolve around the long-term development of the company and justify the establishment of real legal engineering within companies whose intellectual property is decisive. This is the key challenge of compliance, which is both a framework for thinking and a method of solving problems, involving a large number of tools and components oriented by company strategy.
Legal, regulatory and fiscal constraints are increasingly stringent and make companies bear increased responsibility in case of negligence, or even simple inaction. In particular, the regulatory framework sets out increased requirements regarding the protection of consumers and personal data.
In the field of intellectual property, domain names are key assets to contemplate when analyzing the risks and drafting compliance plans. While they are a major asset, essential to the very functioning of the business (for example, for e-mail servers, they are also risk vectors: phishing, fraud, identity theft, forged e-mail …
Online fraud can lead to loss of turnover, endangerment of consumers, and if so, risks of civil or criminal liabilities of directors for non-compliance with enforceable laws and regulations. impact the stock market price, thus causing loss of customers.
It is therefore very important to put in place the appropriate strategies to anticipate dangers, react effectively in the event of a breach and ultimately protect the company.
The practical consequences of compliance in all aspects of intellectual and digital property
Beyond its legal meaning of compliance with the requirements of laws, regulations, Codes or even directives, compliance aims to protect the company and intellectual property professionals against any non-compliance with internal and external standards and its values. Intellectual property frauds are growing and becoming increasingly complex in the digital era, which requires taking action to mitigate risks for the company business, including in terms of compliance. Its objective is to avoid adverse consequences for the company and its managers, both financial and civil or criminal liability, or damage to image and reputation. It is ultimately part of a desire for lasting growth in all aspects of intellectual property, both in France and internationally.
To cope with these new standards, companies must put in place a governance policy capable of minimizing their exposure to risk vis-à-vis their customers, their shareholders, but also regulatory authorities.
To begin with, it is essential to identify the risks through the relevant audits.
Then, it is important to assess those risks and map them. The risk management policy shall be defined accordingly.
In particular, a policy for the management of Intellectual Property related risks calls for a virtually systematic surveillance system of trademarks among domain names.
The role of the “compliance officer”
The compliance officer must protect the company from any risk of non-compliance, and therefore ensure that the organization adopts good conduct in business practice, respects the rules of ethics and finally, complies with the various laws, regulations, or even European directives. It must therefore undertake a proactive approach, organize and implement the means necessary to comply with the regulations.
Likewise, it is important to anticipate risks: once they have been defined and supervised, the mission of the compliance officer being to protect the group and its reputation, he will have to analyze the rules and standards according to the context, the activity, and the business sector.
According to a study“Who are compliance professionals?”published on March 27, 2019 and carried out by the firm Fed Legal, 92% of compliance officers have a legal background. They are operational professionals who have a strategic vision as well as a multiplicity of soft skills, in particular an ability to persuade and an interest for teaching. In addition, 60% of compliance officers belong to legal services in which there are many recruitments, both in large and small companies.
When a company is questioned, the consequences are at the same time financial, commercial and human: the company reputation will suffer greatly. The compliance officer thus takes care of protecting his company from the financial, legal and reputational risks that it incurs in the event that it does not comply with laws, regulations, conventions, or quite simply a certain code of ethics or professional conduct.
Dreyfus can assist you in the management of your trademarks portfolios in all countries of the world. Please feel free to contact us.
As of May 24, 2021, the Madrid Systemwill officially welcome its 108th member: the Islamic Republic of Pakistan.
On February 24, 2021, Pakistan deposited its instrument of accession to the Madrid System with the Director General of the World Intellectual Property Office (WIPO). The arrival of this new member brings the number of countries covered by the Madrid System to 124, and highlights the importance of this international system for the filing and registration of Trademarks.
The Madrid System provides a practical and cost-effective solution for the registration and management of trademarks worldwide. More than 1.5 million international trademarks have been registered since its creation in 1891. While the system has been in place for more than 125 years, three quarters of its member countries have joined it in the last three decades. After the recent accessions of Canada, Samoa, Thailand, and the Sultanate of Brunei, it is now up to Pakistan to join the protocol.
Pakistan’s adhesion to the Madrid Protocol enables the harmonization of Pakistani trademark law at the international level. With the filing of a single international Trademark application, Pakistani applicants now have the possibility to apply for protection in 124 countries. Likewise, Pakistan can be designated by applications from any state party to the Madrid system and international Trademark owners can easily extend their protection in the Pakistani market.
The international trademark system is a major asset for the registration of your trademarks abroad at a lower cost.
Dreyfus can assist you in the management of your trademarks portfolios in all countries of the world. Please feel free to contact us.
(WIPO Arbitration and Mediation Center Natixis Intertitres v. Super Privacy Service LTD c/o Dynadot / Fredrik Lindgrent Case No. D2020-1383)
Being the owner of a trademark that is identical to the disputed domain name is a real advantage in the UDRP procedure. Nevertheless, it is necessary to prove that the respondent was aware of said trademark rights, which is quite complicated when the trademark at issue hasn’t been widely advertised.
Natixis Intertitres, the subsidiary of Natixis, a French internationally known corporate company, holds the registered trademark “INTERTITRES”. This subsidiary filed a complaint before the WIPO Arbitration and Mediation Center in order to obtain the transfer of the disputed domain name <intretitres.fr> registered by a third party without authorization.
During the procedure, the identity of the registrant was disclosed, revealing a Swedish owner.
The Complainant sustained that the domain name was registered in reference to its trademark without any relation to the generic definition of the term “intertitres” especially considering that, in the French language, as in the French dictionary, the term is generally used in the singular form.
Moreover, the complainant finds the configuration of mail servers on a domain name that doesn’t refer to any website “suspicious”. Natixis Intertitres sustained that the Respondent’s intention was to take undue advantage of the Complainant and its trademark’s reputation.
The Respondent didn’t submit a formal response to the complaint but stated that he had reserved the domain name in order to create a site related to literature.
The expert in charge of this dispute acknowledges the likelihood of confusion between the trademark and the subsequent domain name, as well as the lack of proof of legitimate interest by the Respondent, who didn’t really explain the choice of this domain name.
However, the expert is not convinced by the Complainant’s arguments as regards the bad faith criterion. In this respect, he highlights two important points.
Firstly, there is no evidence that the Swedish-based registrant was aware of the trademark “INTERTITRES”. Natixis is certainly internationally known as a company, but this is not the case for its “INTERTITRES” trademark, which designates lunch vouchers mainly available in France. These vouchers are rather known under the names of “CHEQUE DE TABLE” or “APETIZ”. Therefore, it is unlikely that the Respondent was aware of this trademark.
Secondly, “INTERTITRES” is mainly a generic term. The fact that dictionary definitions are given in the singular form does not mean that the term does not exist in its plural form.
The complaint is therefore rejected.
In view of the above, it is essential for right holders to be aware of the scope of protection that their trademark can enjoy. Is the trademark sufficiently well known in the registrant’s country so that it is reasonable to assume that they had it in mind when they reserved the name? This question must be carefully considered, especially when the trademark has also an everyday language meaning and the disputed domain name is not used for an activity similar to the one for which the prior trademark is used. In this regard, the expert rightly pointed out that using a domain name primarily for having a letterbox is not prohibited (referring to the presence of e-mail servers on the disputed domain name).
Dreyfus can assist you in the management of your trademarks portfolios in all countries of the world and in their enforcement. Do not hesitate to contact us.
Un litige opposant une société de distribution à YouTube
A dispute between a distribution company and YouTube
Constantin Film, a German film distribution company, noticed that some of the films it distributed were uploaded on YouTube without its consent. Therefore, the company turned to YouTube to obtain the e-mail and IP addresses of the users who had put this content online.
As YouTube and Google (Google owns YouTube) refused to share such data, the case went to German courts.
Article 8 of the European Union Directive on the enforcement of intellectual property rights provides for the possibility for right holders to request information from infringers and/or persons who have provided services to them, here YouTube, about “the origin and distribution networks of goods or services which infringe an intellectual property right”, including the “names and addresses” of the persons involved.
The German Federal Court has questioned whether e-mail and IP addresses should be considered “addresses” within the meaning of the Directive. The German Court decided to stay the proceedings and referred to the European Court of Justice for a preliminary ruling on whether such information falls within the meaning of the term “address” in the Directive 2004/48.
2. A definition of “address” that does not include IP and e-mail addresses
The answer of the CJEU is clear: EU law does not assimilate IP addresses and e-mail addresses with addresses.
The notion of address in the above-mentioned article must be understood in the sense of a postal address.
In its press release No.88/20 of July 9, 2020, the Court states that: “as regards the usual meaning of the term ‘address’, it refers only to the postal address, that is to say, the place of a given person’s permanent address or habitual residence” when used without any further clarification.
Nevertheless, the CJEU indicates that Member States may grant holders of intellectual property rights a more extensive right to information.
In the above-mentioned press release, the Court specifically mentions, regarding Article 8 of the 2004/48 directive, that “the aim of that provision is to reconcile compliance with various rights, inter alia the right of holders to information and the right of users to protection of personal data”.
This decision limits the range of action of right holders, for whom it is increasingly difficult to identify persons infringing on their assets. In addition to this issue of IP addresses and e-mails that do not fall within the scope of what is understood by “address”, The Data Protection Regulation, known as the GDPR, of April 27, 2016, has also complexifed the defence of rights on the Internet, as privacy has been increased and information on the holders of domain names redacted.
Like many digital players, Fashion ID inserted a Facebook “Like” button on its website. This plug-in automatically collects and transmits to Facebook the personal data of the website users, whether or not they click on the button, and whether or not they have a Facebook account. This process takes place without any control by the website operator. Arguing that users’ rights are being infringed, a consumer association brought an action before the German court in order to stop this infringement. On 20 January 2017, the competent trial court referred several questions for a preliminary ruling to the Court of Justice of the European Union (CJEU). The main question is whether the integration of this “Like” button is sufficient to make Fashion ID a ‘data controller’ (jointly with Facebook), for the purpose of Directive 95/46/EC of 24 October 1995, which has now been replaced by the General Data Protection Regulation of 27 April 2016 (GDPR).
Although the Court must rule on the notion of joint liability and the consequences of such liability in the light of Directive 95/46/EC, which has now been replaced by the GDPR. Both texts define the data controller in the same way. As a result, the scope of the CJEU decision will most likely go beyond the present case. Aware of the stakes involved in this future decision, Advocate General Michel Bobek, in his Opinion of 19 December 2018, expressed his support for joint liability between Fashion ID and Facebook.
In the past, the CJEU has already recognised the administrator of a Facebook page as a data controller who had freely chosen to host the page on Facebook and therefore could set up the statistical processing carried out by the social network (CJEU, “Wirtschaftsakademie”, 5 June 2018, C-210/16). The Court also said that this liability might be retained even if no direct processing is carried out by the page administrator (CJEU, 10 July 2018, “Jehovan”, C-25/17). The CJEU has therefore adopted a broad understanding of the notion of joint liability.
In his Opinion, Advocate General Bobek has invited the Court to reduce the scope of joint liability in order to better identify the liability of each involved. He considers that extending the notion of data controller to any third party allowing the processing in any way would actually dilute the liability, making the protection of individuals less effective. For this reason, he proposes to link the definition of data controller with the purpose of the processing operation, which must be unique in its means and purpose.
This approach requires splitting the processing into as many subprocesses as there are purposes to get to the part in which the website operator exercises effective control. This approach would limit the website operator’s liability to the processing phase for which he is actually responsible and would not include subsequent processing operations beyond his control. In this instance, Facebook and Fashion ID pursue a commercial and advertising purpose. Therefore, Facebook should be solely liable for processing operations carried out after the data collection, while Fashion ID’s liability would be limited to the collection and transmission of such data. However, this solution proposed by the Advocate General has several disadvantages.
Thus, reducing the notion of purpose to the functions of the processing, (i.e. the technical operations of collection), conceals the advertising purpose. However, users should be able to anticipate this. The processing cannot be examined as a whole and an analysis of its compliance with regard to the consequences for the persons concerned is not possible. In the end, adopting this narrow approach would exempt website operators from requiring the disclosure of information from their operating partners that would effectively inform users, because the different data controllers involved would not be required to know the processing operations carried out by their partners.
Indeed, a data controller could try to evade responsibility by arguing his actions did not cause damage and try to put blame on all others who have beeen held to be joint data controllers. Such presumption of solidarity could be considered if the provisions of Article 26 GDPR (requiring joint controllers to transparently determine responsibilities) are not met.
Moreover, the Advocate General does not address the question of cascading responsibilities. Indeed, in the case of multiple data controllers, a new division of the processing operation would have to be carried out under this solution. For example, if Facebook provides data to a partner, the company will have limited liability and it would be up to its partner to enforce the GDPR.
An extensive interpretation of joint liability in cascade would force operators to identify the relevant mechanisms for ensuring respect for the rights of individuals.
The choice of an extensive or restricted interpretation of joint liability now rests with the CJEU. Its decision is therefore highly anticipated since it will have a direct impact on website publishers and the protection of private individuals’ personal data.
Dreyfus assists its clients worldwide in their strategies to protect and defend their rights on the Internet. Do not hesitate to contact us!
Our site uses cookies to offer you the best service and to produce statistics, and measure the website's audience. You can change your preferences at any time by clicking on the "Customise my choices" section.
When browsing the Website, Internet users leave digital traces. This information is collected by a connection indicator called "cookie".
Dreyfus uses cookies for statistical analysis purposes to offer you the best experience on its Website.
In compliance with the applicable regulations and with your prior consent, Dreyfus may collect information relating to your terminal or the networks from which you access the Website.
The cookies associated with our Website are intended to store only information relating to your navigation on the Website. This information can be directly read or modified during your subsequent visits and searches on the Website.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Dreyfus is concerned about protecting your privacy and the Personal Data ("Data"; "Personal Data") it collects and processes for you.
Hence, Dreyfus complies every day with the European Union legislation regarding Data protection and particularly the European General Data Protection Regulation Number 2016/679 of 27 April 2016 (GDPR).
This Privacy Policy is aimed at informing you clearly and comprehensively about how Dreyfus, as Data Controller, collects and uses your Personal Data. In addition, the purpose of this Policy is to inform you about the means at your disposal to control this use and exercise your rights related to the said processing, collection and use of your Personal Data.
This Privacy Policy describes how Dreyfus collects and processes your Personal Data. The collection happens when you visit our Website, when you exchange with Dreyfus by e-mail or post, when exercising our Intellectual Property Attorney and representative roles, when we interact with our clients and fellow practitioners, or on any other occasion when you provide your Personal Data to Dreyfus, in particular when you register for our professional events.
Written by Dreyfus22/02/2022 
The digital transition of small and medium-sized enterprises was the AFNIC’s 2020 target – a year marked by the health and economic crisis. This target was reflected in the 2020 Annual Report of the French association. The report was released in June 2021.
Like many digital players, Fashion ID inserted a Facebook “Like” button on its website. This plug-in automatically collects and transmits to Facebook the personal data of the website users, whether or not they click on the button, and whether or not they have a Facebook account. This process takes place without any control by the website operator. Arguing that users’ rights are being infringed, a consumer association brought an action before the German court in order to stop this infringement. On 20 January 2017, the