Fleeing Ukrainians to Get More Help From United States

The United States has joined many European countries that are opening their doors and offering humanitarian assistance to fleeing Ukrainians.

Ireland, Great Britain and Canada have all started private sponsorship programs for Ukrainians. That assistance is not necessarily a one-way street. Easing the way for incoming Ukrainians may help those nations deal with their own labor shortages.

Ukraine is known for its skilled workforce, including tech engineers, and some companies in Europe are specifically targeting jobs for Ukrainians, offering everything from language training to child care to attract the refugees. Even temporary employment agencies are involved and new companies are being founded for the purpose of matching Ukrainians to jobs across Europe – jobs that run the gamut from highly skilled tech work, to healthcare aides, to retail and hospitality positions.

U.S. employers are generously offering humanitarian aid and donations to help Ukrainian refugees, but now those employers may be able to offer jobs to displaced Ukrainians seeking refuge. The Biden Administration will open various legal pathways that could include the refugee admissions program (which can lead to permanent residence through asylum, but is a long process), visas, and humanitarian parole (a temporary solution). The focus will be on Ukrainians with family in the United States or others considered to be particularly vulnerable. Approximately 1,000,000 people of Ukrainian descent currently live in the United States.

The administration originally believed that most Ukrainians did not want to flee to the United States because it was too far away from other family members who have remained in Ukraine. Secretary of State Antony Blinken had stated that the priority was to help European countries that are dealing with huge waves of migration instead. But advocates have been arguing that the administration could create special status for Ukrainians to allow them to enter the U.S. or stay with family members.

In early March, the Biden Administration established Temporary Protected Status (TPS) for Ukrainians who have been in the United States continuously since March 1, 2022, but that did not help those who are still abroad. Visitor visas are hard to come by because applicants for visitor visas need to be able to show that their stay will be temporary and that they have a home to return to in Ukraine, and such temporary nonimmigrant visas may not meet that criterion or be practical in most of these situations. Moreover, consulates abroad are already overwhelmed and understaffed due to COVID-19.

While small numbers of Ukrainians have made it to the United States by finding private or family sponsors, this new policy should at least open the doors to some Ukrainians and likely make it possible for U.S. companies to hire some of the incoming refugees. They will need and want employment, but they will also need support.

Jackson Lewis P.C. © 2022

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humorous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign-up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re-initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.”
(emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL) have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). The EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different sections of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users.
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

© 2022 Keller and Heckman LLP

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP addresses, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Europol: More Than Half of Counterfeits Originate in China

On March 7, 2022, the European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Intellectual Property Office (EUIPO) jointly released the Intellectual Property Crime Threat Assessment 2022. Per the Assessment, China (including Hong Kong) was the main source of counterfeits based on number of counterfeits and by value of the counterfeits seized at the EU external borders. Almost 76% of the fake goods detained were for trademark infringement; design infringement was the second most reported at 23% while copyright was third with 15%.

China and Turkey remain the main countries of origin for counterfeit clothing, shoes, bags, watches, and jewelry seized at the EU’s border. These goods are mostly ordered online and discovered as part of postal shipments or on passengers entering the EU.

Similarly, China is the country of origin for most of the seized counterfeit electrical/electronic and computer equipment, mobile phones and accessories. With respect to mobile phones, the Assessment states,

…the visual appearance of the counterfeit devices is very convincing, closely mimicking the external characteristics of the original phones. However, typically some features and software characteristics are missing and the International Mobile Equipment Identity (IMEI) is often fake.  The use of cheap and substandard electric components, which can be found in fake batteries, headphones or chargers, pose safety risks.

“China and Turkey were among the most frequently reported non-EU countries of origin for counterfeit food and drink seized at the EU’s external border.” Similarly, counterfeit perfumes and cosmetic products often originate from China and Turkey.

In addition to ready-to-use IPR-infringing goods, product components, such as aroma compounds, fixatives and solvents, are increasingly being seized. These components are used to create the final counterfeit products in the EU.

More worrisome, China and Turkey were the main origin of counterfeit pharmaceutical products.

Toys round out the top 10 counterfeits, with China also being the main point of origin.

The full Assessment is available here: IP_Crime_Threat_Assessment_2022_FullR_en.

© 2022 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

Law Firms Respond to Russia’s Invasion of Ukraine: How the Legal Industry & the Public Can Help

On February 21, 2022, Russian President Vladimir Putin ordered ground troops into the eastern Ukrainian provinces of Donetsk and Luhansk. Invading under the guise of establishing independence for the region on February 24, Russia started bombing key points of interest around the country, including the capital city of Kyiv. At the time of writing, the skirmishes remain ongoing, with Russia expanding its invasion force as the days go on.

The ramifications of Russia’s war are widespread. In Ukraine, infrastructural damage is considerable, and an estimated 2 million civilians are evacuating or have been driven from their homes. The death toll remains uncertain at this time, but the Ukrainian health ministry estimates that hundreds of citizens have been killed as a result of the violence. Globally, financial markets are in a state of rapid flux, seeing huge rises in inflation, a strained supply chain and plummeting stock prices.

Law firms in the United States and abroad have responded to the conflict by offering pro bono services in anticipation of resultant legal complications and organized means by which money can be donated to Ukrainian humanitarian efforts.

How Have Law Firms Responded to Russia’s Invasion of Ukraine?

In some instances, firms have also closed offices in Ukraine to protect workers, and severed ties with Russian businesses. Law firms that have closed offices in Ukraine include Dentons, CMS and Baker McKenzie, which have closed offices in Kyiv.

“Dentons has established a taskforce to monitor and manage the crisis situation, with a primary focus on protecting our people,” Tomasz Dąbrowski, CEO of Dentons Europe, told the National Law Review. “We are in regular contact with our team in Kyiv and are providing our colleagues and their families with any possible assistance, including transport, relocation and accommodation assistance in the neighboring countries. Furthermore, we have seen a wave of kindness and generosity from our people across Europe, who have volunteered to provide accommodation in their homes for Ukrainian colleagues. Furthermore, in addition to the financial support our Firm is providing to our Ukrainian colleagues, we have also received financial donations from around the world to help them resettle.”

Many law firms have announced they are closing offices in Russia, including Squire Patton Boggs, Latham & Watkins, Freshfields Bruckhaus Deringer, Akin Gump Strauss Hauer & Feld and Morgan Lewis & Bockius, among others. Norton Rose Fulbright announced March 7 that they are winding down their operations in Russia and will be closing their Moscow office as soon as they can, calling Russia’s invasion of Ukraine “increasingly brutal.”

“The wellbeing of our staff in the region is a priority. We thank our 50 colleagues in Moscow for their loyal service and will support them through this transition.”

Norton Rose Fulbright said they “stand unequivocally with the people of Ukraine,” and are taking steps to respond to the invasion.

“Some immediate actions are possible and we are taking them. We are not accepting any further instructions from businesses, entities or individuals connected with the current Russian regime, irrespective of whether they are sanctioned or not. In addition, we continue to review exiting from existing work for them where our professional obligations as lawyers allow. Where we cannot exit from current matters, we will donate the profits from that work to appropriate humanitarian and charitable causes,” the statement read. “We are working with our charitable partners in every region to raise funds to help the people of Ukraine, as well as providing pro bono support to those Ukrainians and others who are being forced to relocate.”

Law firms have also stepped forward to offer pro bono assistance to those affected by the Russian invasion of Ukraine.

Law Firms Offering Pro Bono Assistance to Ukraine

Akin Gump Partner and Pro Bono Practice leader Steven Schulman explained how the legal industry is collaborating and working to provide assistance:

“So what we often do in these crises, we will self organize, [and] say who’s a point person who knows what’s going on, and then we will share information so that again, we’re lightening the load on the legal aid organizations.”

Another law firm offering assistance to Ukraine is Covington & Burling, which the country hired to help pursue its claim against Russia at the International Court of Justice (ICJ). Specifically, Ukraine asked the court to order Russia to halt its invasion. Covington filed a claim on behalf of Ukraine to the ICJ.

Nongovernmental organizations (NGOs) are providing emergency aid in Ukraine, as well as in neighboring countries, such as Poland, Hungary, Slovakia and Romania, to help people displaced by the war as they come across the border, Mr. Dąbrowski said. These organizations are providing food, water, hygiene supplies and other necessities, and urgent psychological counseling. Specific NGOs on the ground in Ukraine include Mercy Corps, Fight for Right, Project HOPE, Hungarian Helsinki Committee, and Fundacja Ocalenie, among others.

However, NGOs need cash donations in order to keep providing aid. Mr. Dąbrowski detailed what pro bono work Dentons is doing, and how the firm is supporting NGOs:

“Our Positive Impact team is in touch with numerous NGOs and lawyers from our firm to identify opportunities for pro bono legal advice, mainly in the countries which share a border with Ukraine. We are already working with NGOs in Poland and Hungary which are helping Ukrainian refugees displaced by the war. We are assisting with issues related to employment law, contracts, establishment of charitable foundations, etc… We are also in discussions with an international relief agency which is looking to set up operations within Ukraine.”

While men between the ages of 18 and 60 are currently prohibited from leaving Ukraine, as of March 10, 2022, the conflict has created one of the largest refugee crises within the last few decades.

“We have activated our registered charitable foundation to collect donations from our people around the world to support Ukrainian families – and particularly children – displaced by the war, including some of our own people from Kyiv. So far, our colleagues from around the world have donated or pledged close to €300,000,” Mr. Dąbrowski said. “We have already distributed €60,000 of that to eight NGOs in Poland, Hungary and Romania, which are providing emergency aid, food and water, hygiene supplies, transportation, medical and psychological care, shelter and schooling to Ukrainian civilians fleeing from the war.”

Concerns with immigration and refugee asylum are the next expected complication. In the short term, the Department of Homeland Security is prioritizing Temporary Protected Status (TPS) designations for those already in the U.S.

For the public, there are a number of actions to take to support Ukrainians. However, those wishing to help should make sure to do their research before making any donations in order to ensure the funds end up in the right hands.

How Can Members of the Public Help Ukraine?

Possible scam organizations and outreach programs are common during international crises, so it’s important to know the signs of fraudulent charities. Some best practices for providing support include:

  • Giving directly to an organization rather than through shared donation links on social media

  • Being wary of crowdfunding efforts

  • Doing a background check on an organization and its donation claims using Charity Watch, Give.org, and Charity Navigator.

Some examples of charitable organizations focused on Ukraine relief include:

Informational resources for those affected are provided below:

Conclusion

Law firms and the public alike have stepped up to offer assistance and financial help to those most affected by the Russian invasion. Law firms cutting ties with Russian businesses and closing offices in Russia shows that the legal industry is standing behind Ukraine as the conflict continues to escalate.

In upcoming coverage, the National Law Review will be writing about how law firms are helping clients handle Russian sanctions, as well as the immigration implications of refugees displaced by the war in Ukraine.

*The quotes and input of interviewees reflect the latest information on the Russian invasion of Ukraine as of March 7, 2022. Readers can find the latest legal news from around the world on The National Law Review’s Global Law page.*

Copyright ©2022 National Law Forum, LLC

Apple, Inc. Probed by European Commission for Possible Antitrust Violations

In late June, the European Commission (EC) opened several formal cases investigating Apple’s mobile payment technology (Apple Pay) and various third-party and user agreements to determine whether the tech giant’s practices and policies infringe on competition rights and abuse market power. Specifically, the Commission will investigate the company’s terms and conditions integrating the payment feature into merchant applications and websites, and the imposition of its proprietary in-app purchase system and accompanying restrictions. The latter prevents third-party developers from informing their users of cheaper alternative purchases available outside the app. The investigations follow complaints made by Spotify, a music streaming service competitor, and an e-book/audiobook distributor competitor, according to the EC’s press release.

In a statement, EC Executive Vice President Margrethe Vestager said that the Commission needs to allay fears that Apple’s “gatekeeper role” in the distribution of apps and content to users does not distort market competition. The impetus, she said, was to ensure that “Apple’s measures do not deny consumers the benefits of new payment technologies, including better choice, quality, innovation and competitive prices.”

Apple is one of the latest tech targets to experience regulatory scrutiny. Facebook, Amazon, and Google are facing antitrust inquiries by EU member states, the European Commission, and the United States’ Department of Justice and Federal Trade Commission.


© MoginRubin LLP

ARTICLE BY the Competition Policy and Advocacy practice at MoginRubin.
For more on mobile payment portals, see the National Law Review Financial Institutions & Banking law section.

The Rise Of Digital Services Taxes

Governments are coming after online businesses. Multinational clients that provide online advertising services, sell consumer data, or run online intermediary platforms should prepare themselves for the imminent arrival of digital services taxes (DSTs) on revenues from digital activities.

IN DEPTH


Having failed to reach an EU-wide unanimous consensus on an earlier EU Commission proposal for a DST Directive, certain EU countries, including Austria, the Czech Republic, France, Italy, Spain and the United Kingdom, decided to go it alone and introduce DSTs unilaterally into their own national tax systems. These decisions were driven primarily by a perception that larger multinationals, many of which have highly digitalised operations, are not paying their “fair share” of taxes globally. In addition, a growing consensus has emerged in recent months that “market jurisdictions” should have the right to tax, because those markets—namely, the countries where the users and consumers are based—ultimately create value for online businesses.

The Organisation for Economic Co-operation and Development (OECD) takes a neutral view on the use of DSTs by its members, in that it neither recommends nor discourages them. Member countries that do decide to adopt a DST should

  • Comply with international obligations
  • Ensure the DST is temporary and narrowly targeted
  • Minimise over-taxation, cost, complexity, and compliance burdens
  • Ensure the DST has a minimal adverse impact on small businesses.

The French DST is already in force. The Italian DST is in draft form, with the government intending for it to enter into force in January 2020, while other DST regimes, including that of the United Kingdom, are expected to come into force some time during 2020. None of these national rules seem to have complied with the OECD guidelines, and there are several practical challenges for businesses that are common across all three regimes.

Identifying Taxable Revenues and Services 

In France, each company belonging to a group that derives gross revenues from digital services exceeding €750 million on a worldwide basis, and €25 million in France, is subject to French DST at a rate of 3 per cent. French DST is assessed at the company level only, based on gross revenues derived from digital services deemed to be provided in France during the previous calendar year. This is calculated as the gross revenues derived from taxable digital services, multiplied by the proportion of French users over the total number of users of the taxable digital services.

As it currently stands, the Italian DST would apply to Italian resident and non-resident companies that, at the individual or group level, earned during a calendar year a total amount of worldwide revenues of over €750 million, and an amount of revenues derived from digital services provided in Italy of over €5.5 million.

Only groups with annual worldwide revenues above £500 million and UK revenues above £25 million would be affected by the UK DST, with the first £25 million of UK revenues being exempt. The UK DST would be calculated on a group-wide basis and apportioned pro rata to each group member. Groups with low operating margins may opt for a “safe harbour” alternative DST calculation, based on the group’s operating margin.

Identifying Taxable Services

The taxable services that fall within the scope of the French, Italian, and UK DSTs are broadly similar and include

  • The provision of a social media platform
  • Search engines
  • Any online marketplace
  • Online advertising business, including those that use or sell individual users’ data

It is noteworthy that digital platforms for the provision of payment services, communication services, crowdfunding services, or digital content, as well as self-operated digital platforms for the direct sale of goods and services, are specifically beyond the scope of the French and UK DST.

The issues that arise are also broadly similar. There are likely to be conflicts regarding dual-purpose platforms, i.e., those that include both taxable and exempt digital services. The fact that the lists are not exhaustive and that the DSTs will apply to all revenues received in connection with a relevant DST activity means that affected businesses will need to analyse the nature of the revenue streams and the activities from which they are generated, and each case will turn on its own facts.  This will entail a substantial administrative burden for affected businesses, as well as a lack of certainty over potential DST filing obligations.

Identifying Users 

Both France and Italy consider the location of users to be based on the location of the electronic device when the user accesses the digital services. The United Kingdom intends to determine that someone is a UK user if it is reasonable to assume that they are normally located or established in the United Kingdom.

France and Italy will use IP addresses, wi-fi connections, GPS data, etc., plus reference to that user’s personal data and place of residence; while the UK plans to extrapolate user location from data such as delivery addresses, payment details, IP addresses, contractual evidence, or the address of properties for rent or location of goods for sale.

There are many problems with these approaches. At the most basic level, different data sources can provide conflicting evidence of a user’s location, and IP addresses can be easily manipulated. Businesses will, therefore, need to come to a reasonable, evidence-based conclusion on the likelihood of that user’s location, further adding to their administrative burden and increasing the scope for error. The use of personal data and place of residence is also likely to trigger data protection issues under the EU General Data Protection Regulation.

Potential Double Taxation and Reimbursements

There is a risk of double taxation if another jurisdiction imposes a DST on the same revenues, for example as a result of inconsistencies between one set of national rules and those of another jurisdiction regarding user location or taxing rights. DST is, however, generally deductible for corporate income tax purposes.

France’s President Macron stated at the 2019 G7 that any excess of French DST over the new international DST being brokered by the OECD would be refunded. He did not, unfortunately, give much detail as to how and under what limitations this refund will take place.

The Italian draft DST provisions do not include any specific rule on this aspect and, although they seem to propose a sunset clause according to which the Italian DST is automatically repealed when the new OECD-agreed corporate income tax enters into force, there does not appear to be scope for a retroactive reimbursement of the difference (if any) between the Italian DST and such future corporate income tax.

The draft UK DST rules disregard 50 per cent of UK revenues from cross-border transactions between a buyer and a seller through an online marketplace where the non-UK party is in another DST jurisdiction. But this does not fully resolve the issue of potential double taxation if the other jurisdiction imposes a DST on the same revenues, for example due to inconsistencies between the UK national rules and those of the other DST jurisdiction regarding user location and/or taxing rights.

The UK DST will also not be creditable against either corporation tax, income tax under the Offshore Receipts in respect of Intangible Property regime, or diverted profits tax; although it should generally be deductible for corporation tax purposes as a trading expense. Unlike France or Italy, neither the draft legislation nor HMRC guidance mentions the possibility of a retroactive reimbursement of the UK DST once the OECD’s long-term solution for a revised corporate income tax has been agreed and implemented by member countries.

The US Response

The US administration takes a hostile view of DST proposals generally, as evidenced by a recent investigation into whether the French DST discriminates against US businesses. This could lead to retaliatory US tariffs being imposed on imports from France and punitive US tax charges on French companies doing business in the United States.

Other DSTs, including those of the United Kingdom and Italy, can probably expect similar responses from the United States. UK Prime Minister Boris Johnson has indicated his support in principle for a UK DST or a similarly targeted tax. He has also indicated that the structure of this tax would be on the table in any trade negotiations with the United States, and the future of the current draft Finance Bill hinges on the result of the UK general election in December, so there is currently very little certainty as to whether UK DST will take effect at all.

For now, the best course of action for affected businesses is to assume that all DSTs will take effect as planned and prepare accordingly, notwithstanding any current legislative or political uncertainty.


© 2019 McDermott Will & Emery

More on digital taxation on the National Law Review Tax law page.

FCA Publishes “Brexit Special” Market Watch

On October 7, the Financial Conduct Authority (FCA) published a “Brexit Special” of its monthly Market Watch newsletter, in which it summarized some recent developments and publications in connection with the regulated sector’s preparedness for the forthcoming departure of the UK from the EU on November 1.

In the newsletter, the FCA noted that Andrew Bailey, FCA CEO, gave a speech in September at Bloomberg London on the Brexit “state of play”. Mr. Bailey outlined recent developments and the outstanding issues, such as the desire for an equivalence agreement for the Share Trading Obligation (STO). (For more information, please see the June 14 edition of Corporate & Financial Weekly Digest).

The FCA explained that transaction reporting rules under the Markets in Financial Instruments Regulation (MiFIR) will not be subject to the temporary transitional power. (For more information, please see the September 27 edition of Corporate & Financial Weekly Digest). Therefore, firms, trading venues and approved reporting mechanisms will need to take “reasonable steps to comply with the changes to their regulatory obligations”. Firms who cannot comply on the day that the UK leaves the EU will need to back-report missing, incomplete or inaccurate transaction reports as soon as possible thereafter.

The FCA provided an updated statement on the operation of the Markets in Financial Instruments Directive (MiFID) transparency regime following Brexit. The FCA published a statement on this topic in March 2019 (please see the March 8 edition of Corporate & Financial Weekly Digest), and the main purpose of this update was to change dates to reflect the extension of the departure date from March to October 2019.

The FCA’s MiFID transparency regime update also reflects a statement made on October 7 from the European Securities and Markets Authority (ESMA). In addition to other updates, ESMA described how reference data submitted by UK trading venues and systematic internalisers will be phased out of EU calculations. ESMA will “freeze” the quarterly calculations until Q1 2020, during which time the EU will re-determine the relevant competent authority (RCA) for all financial instruments that remain available for trading in the EU, for which the FCA is currently the RCA.

Finally, the FCA announced that industry testing for the FCA Financial Instruments Transparency Systems (FITRS) would start on October 10 and noted that it continues to update the Brexit material available on its website.



©2019 Katten Muchin Rosenman LLP

Can We Really Forget?

I expected this post would turn out differently.

I had intended to commend the European Court of Justice for placing sensible limits on the extraterritorial enforcement of the EU’s Right to be Forgotten. They did, albeit in a limited way,[1] and it was a good decision. There.  I did it. In 154 words.

Now for the remaining 1400 or so words.

But reading the decision pushes me back into frustration at the entire Right to be Forgotten regime and its illogical and destructive basis. The fact that a court recognizes the clear fact that the EU cannot (generally) force foreign companies to violate the laws of their own countries in internet sites that are intended for use within those countries (and NOT the EU), does not come close to offsetting the logical, practical and societal problems with the way the EU perceives and enforces the Right to be Forgotten.

As a lawyer, with all decisions grounded in the U.S. Constitution, I am comfortable with the First Amendment’s protection of Freedom of Speech – that nearly any truthful utterance or publication is inviolate, and that the foundation of our political and social system depends on open exposure of facts to sunlight. Intentionally shoving those true facts into the dark is wrong in our system and openness will be protected by U.S. courts.

Believe it or not, the European Union also has such a concept at the core of its foundation too. Article 10 of the European Convention on Human Rights states that:

“Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

So we have the same values, right? In both jurisdictions the right to impart information can be exercised without interference by public authority.  Not so fast.  The EU contains a litany of restrictions on this right, including a limitation of your right to free speech by the policy to protect the reputation of others.

This seems like a complete evisceration of a right to open communication if a court can force obfuscation of facts just to protect someone’s reputation.  Does this person deserve a bad reputation? Has he or she committed a crime, failed to pay his or her debts, harmed animals or children, stalked an ex-lover, or violated an oath of office, marriage, priesthood or citizenship? It doesn’t much matter in the EU. The right of that person to hide his/her bad or dangerous behavior outweighs both the allegedly fundamental right to freedom to impart true information AND the public’s right to protect itself from someone who has proven himself/herself to be a risk to the community.

So how does this tension play out over the internet? In the EU, it is law that Google and other search engines must remove links to true facts about any wrongdoer who feels his/her reputation may be tarnished by the discovery of the truth about that person’s behavior. Get into a bar fight? Don’t worry, the EU will put the entire force of law behind your request to wipe that off your record. Stiff your painting contractors for tens of thousands of Euros despite their good performance? Don’t worry, the EU will make sure nobody can find out. Get fired, removed from office or defrocked for dishonesty? Don’t worry, the EU has your back.

And that undercutting of speech rights has now been codified in Article 17 of Regulation 2016/679, the Right to be Forgotten.

And how does this new decision affect the rule? In the past couple weeks, the Grand Chamber of the EU Court of Justice issued an opinion limiting the extraterritorial reach of the Right to be Forgotten. (Google vs CNIL, Case C‑507/17) The decision confirms that search engines must remove links to certain embarrassing instances of true reporting, but must only do so on the versions of the search engine that are intentionally servicing the EU, and not necessarily in versions of the search engines for non-EU jurisdictions.

The problems with appointing Google to be an extrajudicial magistrate enforcing vague EU-granted rights under a highly ambiguous set of standards and then fining them when you don’t like a decision you forced them to make, deserve a separate post.

Why did we even need this decision? Because the French data privacy protection agency, known as CNIL, fined Google for not removing presumably true data from non-EU search results concerning, as Reuters described, “a satirical photomontage of a female politician, an article referring to someone as a public relations officer of the Church of Scientology, the placing under investigation of a male politician and the conviction of someone for sexual assaults against minors.” So, to be clear, while the official French agency believes it should enforce a right for people to obscure that they have been convicted of sexual assault against children from the whole world, the Grand Chamber of the European Court of Justice believes that the people convicted of child sexual assault should be protected in their right to obscure these facts only from people in Europe. This is progress.

Of course, in the U.S., politicians and other public figures under investigation or subject to satire, or people convicted of sexual assault against children, do not have a right to protect their reputations by forcing Google to remove links to public records or stories in news outlets. We believe both that society is better when facts are allowed to be reported and disseminated and that society is protected by reporting on formal allegations against public figures or criminal convictions of private ones.

I am glad that the EU Court of Justice is willing to restrict rules to remain within its jurisdiction where they openly conflict with the basic laws of other jurisdictions. The Court sensibly held,

“The idea of worldwide de-referencing may seem appealing on the ground that it is radical, clear, simple and effective. Nonetheless, I do not find that solution convincing, because it takes into account only one side of the coin, namely the protection of a private person’s data.[2] . . . [T]he operator of a search engine is not required, when granting a request for de-referencing, to operate that de-referencing on all the domain names of its search engine in such a way that the links at issue no longer appear, regardless of the place from which the search on the basis of the requester’s name is carried out.”

Any other decision would be wildly overreaching. Believe me, every country in the EU would be howling in protest if the US decided that its views of personal privacy must be enforced in Europe by European companies due to operations aimed only to affect Europe. It should work both ways. So this was a well-reasoned limitation.

But I just cannot bring myself to be complimentary of a regime that I find so repugnant – where nearly any bad action can be swept under the rug in the name of protecting a person’s reputation.

As I have written in books and articles in the past, government protection of personal privacy is crucial for the clean and correct operation of a democracy.  However, privacy is also the obvious refuge of scoundrels – people prefer to keep the bad things they do private. Who wouldn’t? But one can go overboard protecting this right, and it feels like the EU has institutionalized its leap overboard.

I would rather err on the side of sunshine, giving up some privacy in the service of revealing the truth, than err on the side of darkness, allowing bad deeds to be obscured so that those who commit them can maintain their reputations.  Clearly, the EU doesn’t agree with me.


[1] The Court, in this case, wrote, “The issues at stake therefore do not require that the provisions of Directive 95/46 be applied outside the territory of the European Union. That does not mean, however, that EU law can never require a search engine such as Google to take action at worldwide level. I do not exclude the possibility that there may be situations in which the interest of the European Union requires the application of the provisions of Directive 95/46 beyond the territory of the European Union; but in a situation such as that of the present case, there is no reason to apply the provisions of Directive 95/46 in such a way.”

[2] EU Court of Justice case C-136/17, which states, “While the data subject’s rights [to privacy] override, as a general rule, the freedom of information of internet users, that balance may, however, depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information. . . .”

 


Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on the EU’s GDPR enforcement, see the National Law Review Communications, Media & Internet law page.

Trade Mark Re-filing And Bad Faith – Go Directly To Jail. Do Not Pass Go, Do Not Collect $200

Hasbro Inc. (Hasbro), owner of the well-loved board game Monopoly, suffered a defeat on 22 July 2019, before the EUIPO Board of Appeal in relation to the MONOPOLY trade mark. The EU registration for the MONOPOLY trade mark was partially invalidated as it was found that Hasbro had acted in bad faith when filing the application as part of a ‘trade mark re-filing’ programme.

Background

Hasbro applied to register the trade mark MONOPOLY for goods and services in Classes 9, 16, 28 and 41 of the Nice Classification. The application was published on 9 August 2010 and the mark was registered on 25 March 2011. Kreativini Dogadaji d.o.o (KD) filed an application for invalidation of the trademark in 2015, arguing that it had been registered in bad faith on the basis that the mark was a repeat filing of three identical earlier trade mark registrations for MONOPOLY.

Acting in bad faith

The EUTM Regulation states that a trade mark shall be declared invalid where the applicant acted in bad faith at the time of filing the application for the trade mark. However, EU trade mark law does not provide a definitive clarification of bad faith and ‘bad faith’ is not defined in the EUTM Directive or Regulation. The most notable case from the CJEU dealing with bad faith is the Lindt Goldhase-case (C-529/07) which sets out three areas of consideration:

  1. the applicant knows that a third party is using, in at least one member state, an identical/similar sign for an identical/similar product or service for which the registration is sought

  2. the applicant’s intention of preventing that third party from using the sign, and

  3. the degree of legal protection enjoyed by the third party’s sign and by the sign for which registration is sought.

Nonetheless, these factors are only examples and are not exhaustive; ‘bad faith’ cannot be restricted to a limited set of circumstances.

Findings of Board of Appeal

The Board of Appeal found that Hasbro had a dishonest intention at the time of filing the contested EUTM on the basis that Hasbro had previously filed and successfully registered MONOPOLY as an EUTM on three previous occasions. This dishonest intention was found because Hasbro had repeated filings in effect to circumvent the legal risk of removal due to non-use after five years. Although Hasbro claimed it had been adding more goods and services with each subsequent re-filing, the Board of Appeal did not deem it an acceptable excuse. The Board therefore invalidated the MONOPOLY mark for all goods and services identical or similar to those covered by the earlier trade marks.

The Key Takeaways

Hasbro did try to argue that their re-filing tactic was common practice in maintaining ownership of a trade mark, which it is, but the decision highlights that a tactic’s popularity does not equate to acceptability or legality. Brand owners should carefully consider the risk of invalidation or opposition on the basis of bad faith when filing future trade mark applications for existing brands.


Copyright 2019 K & L Gates
ARTICLE BY Niall J. Lavery and Simon Casinader of K&L Gates.
For more trade mark cases, see the Intellectual Property law page on the National Law Review.