The EU’s New Green Claims Directive – It’s Not Easy Being Green

Highlights

  • On March 22, 2023, the European Commission proposed the Green Claims Directive, which is intended to make green claims reliable, comparable and verifiable across the EU and protect consumers from greenwashing
  • Adding to the momentum generated by other EU green initiatives, this directive could be the catalyst that also spurs the U.S. to approve stronger regulatory enforcement mechanisms to crackdown on greenwashing
  • This proposed directive overlaps the FTC’s request for comments on its Green Guides, including whether the agency should initiate a rulemaking to establish enforceable requirements related to unfair and deceptive environmental claims. The deadline for comments has been extended to April 24, 2023

The European Commission (EC) proposed the Green Claims Directive (GCD) on March 22, 2023, to crack down on greenwashing and prevent businesses from misleading customers about the environmental characteristics of their products and services. This action was in response, at least in part, to a 2020 commission study that found more than 50 percent of green labels made environmental claims that were “vague, misleading or unfounded,” and 40 percent of these claims were “unsubstantiated.”

 

This definitive action by the European Union (EU) comes at a time when the U.S. is also considering options to curb greenwashing and could inspire the U.S. to implement stronger regulatory enforcement mechanisms, including promulgation of new enforceable rules by the Federal Trade Commission (FTC) defining and prohibiting unfair and deceptive environmental claims.

According to the EC, under this proposal, consumers “will have more clarity, stronger reassurance that when something is sold as green, it actually is green, and better quality information to choose environment-friendly products and services.”

Scope of the Green Claims Directive

The EC’s objectives in the proposed GCD are to:

  • Make green claims reliable, comparable and verifiable across the EU
  • Protect consumers from greenwashing
  • Contribute to creating a circular and green EU economy by enabling consumers to make informed purchasing decisions
  • Help establish a level playing field when it comes to environmental performance of products

The related proposal for a directive on empowering consumers for the green transition and annex, referenced in the proposed GCD, defines the green claims to be regulated as follows:

“any message or representation, which is not mandatory under Union law or national law, including text, pictorial, graphic or symbolic representation, in any form, including labels, brand names, company names or product names, in the context of a commercial communication, which states or implies that a product or trader has a positive or no impact on the environment or is less damaging to the environment than other products or traders, respectively, or has improved their impact over time.”

The GCD provides minimum requirements for valid, comparable and verifiable information about the environmental impacts of products that make green claims. The proposal sets clear criteria for companies to prove their environmental claims: “As part of the scientific analysis, companies will identify the environmental impacts that are actually relevant to their product, as well as identifying any possible trade-offs to give a full and accurate picture.” Businesses will be required to provide consumers information on the green claim, either with the product or online. The new rule will require verification by independent auditors before claims can be made and put on the market.

The GCD will also regulate environmental labels. The GCD is proposing to establish standard criteria for the more than 230 voluntary sustainability labels used across the EU, which are currently “subject to different levels of robustness, supervision and transparency.” The GCD will require environmental labels to be reliable, transparent, independently verified and regularly reviewed. Under the new proposal, adding an environmental label on products is still voluntary. The EU’s official EU Ecolabel is exempt from the new rules since it already adheres to a third-party verification standard.

Companies based outside the EU that make green claims or utilize environmental labels that target the consumers of the 27 member states also would be required to comply with the GCD. It will be up to member states to set up the substantiation process for products and labels’ green claims using independent and accredited auditors. The GCD has established the following process criteria:

  • Claims must be substantiated with scientific evidence that is widely recognised, identifying the relevant environmental impacts and any trade-offs between them
  • If products or organisations are compared with other products and organisations, these comparisons must be fair and based on equivalent information and data
  • Claims or labels that use aggregate scoring of the product’s overall environmental impact on, for example, biodiversity, climate, water consumption, soil, etc., shall not be permitted, unless set in EU rules
  • Environmental labelling schemes should be solid and reliable, and their proliferation must be controlled. EU level schemes should be encouraged, new public schemes, unless developed at EU level, will not be allowed, and new private schemes are only allowed if they can show higher environmental ambition than existing ones and get a pre-approval
  • Environmental labels must be transparent, verified by a third party, and regularly reviewed

Enforcement of the GCD will take place at the member state level, subject to the proviso in the GCD that “penalties must be ‘effective, proportionate and dissuasive.’” Penalties for violation range from fines to confiscation of revenues and temporary exclusion from public procurement processes and public funding. The directive requires that consumers should be able to bring an action as well.

The EC’s intent is for the GCD to work with the Directive on Empowering the Consumers for the Green Transition, which encourages sustainable consumption by providing understandable information about the environmental impact of products, and identifying the types of claims that are deemed unfair commercial practices. Together these new rules are intended to provide a clear regime for environmental claims and labels. According to the EC, the adoption of this proposed legislation will not only protect consumers and the environment but also give a competitive edge to companies committed to increasing their environmental sustainability.

Initial Public Reaction to the GCD and Next Steps

While some organizations, such as the International Chamber of Commerce, offered support, several interest groups quickly issued public critiques of the proposed GCD. The Sustainable Apparel Coalition asserted that: “The Directive does not mandate a standardized and clearly defined framework based on scientific foundations and fails to provide the legal certainty for companies and clarity to consumers.”

ECOS lamented that “After months of intense lobbying, what could have been legislation contributing to providing reliable environmental information to consumers was substantially watered down,” and added that “In order for claims to be robust and comparable, harmonised methodologies at the EU level will be crucial.” Carbon Market Watch was disappointed that “The draft directive fails to outlaw vague and disingenuous terms like ‘carbon neutrality’, which are a favoured marketing strategy for companies seeking to give their image a green makeover while continuing to pollute with impunity.”

The EC’s proposal will now go to the European Parliament and Council for consideration. This process usually takes about 18 months, during which there will be a public consultation process that will solicit comments, and amendments may be introduced. If the GCD is approved, each of the 27 member states will have 18 months after entry of the GCD to adopt national laws, and those laws will become effective six months after that. As a result, there is a reasonably good prospect that there will be variants in the final laws enacted.

Will the GCD Influence the U.S.’s Approach to Regulation of Greenwashing?

The timing and scope of the GCD is of no small interest in the U.S., where regulation of greenwashing has been ramping up as well. In May 2022, the Securities and Exchange Commission (SEC) issued the proposed Names Rule and ESG Disclosure Rule targeting greenwashing in the naming and purpose of claimed ESG funds. The SEC is expected to take final action on the Names Rule in April 2023.

Additionally, as part of a review process that occurs every 10 years, the FTC is receiving comments on its Green Guides for the Use of Environmental Claims, which also target greenwashing. However, the Green Guides are just that – guides that do not currently have the force of law that are used to help interpret what is “unfair and deceptive.”

It is particularly noteworthy that the FTC has asked the public to comment, for the first time, on whether the agency should initiate a rulemaking under the FTC Act to establish independently enforceable requirements related to unfair and deceptive environmental claims. If the FTC promulgates such a rule, it will have new enforcement authority to impose substantial penalties.

The deadline for comments on the Green Guides was recently extended to April 24, 2023. It is anticipated that there will be a substantial number of comments and it will take some time for the FTC to digest them. It will be interesting to watch the process unfold as the GCD moves toward finalization and the FTC decides whether to commence rulemaking in connection with its Green Guide updates. Once again there is a reasonable prospect that the European initiatives and momentum on green matters, including the GCD, could be a catalyst for the US to step up as well – in this case to implement stronger regulatory enforcement mechanisms to crackdown on greenwashing.

© 2023 BARNES & THORNBURG LLP

Mexico’s Minimum Wage Set to Increase on January 1, 2023

On December 1, 2022, Mexican President Andrés Manuel Lopez Obrador announced that, unanimously, the business and labor sectors, as well as the government, had agreed to increase the minimum wage by 20 percent for 2023, which will be applicable in the Free Zone of the Northern Border (Zona Libre de la Frontera Norte or ZLFN), as well as the wage applicable in the rest of the country. The increase will become official when it is published in the Official Gazette of the Federation (Diario Oficial de la Federación).

Before the increase was determined, the Mexican National Commission on Minimum Wages (Comisión Nacional de los Salarios Mínimos, or CONASAMI) applied an independent recovery amount (Monto Independiente de Recuperación or MIR) in accordance with the following:

  • MIR for the ZLFN: MXN $23.68
  • MIR for the rest of the country: MXN $15.72

On top of the MIR, the CONASAMI approved a 10 percent increase from the 2022 rate to the daily minimum wage applicable to the ZLFN and the rest of the country, resulting in MXN $312.41 (approximately USD $16.11) for the ZLFN and MXN $207.44 (approximately USD $10.69) for the rest of the country. The new rates would be effective as of January 1, 2023.

The MIR and the 10 percent increase—combined—would represent a 20 percent increase in the daily minimum wage rate which translates to more than MXN $30 per day.

Finally, Secretary of Labor Luisa Maria Alcalde stated that the above increases would directly benefit 6.4 million workers in Mexico.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Hackers Caused a Traffic Jam in Moscow

Hackers caused a massive traffic jam in Moscow by exploiting the ride-sharing app Yandex Taxi and using it to summon dozens of taxis to a single location. While Yandex has not confirmed the attacker’s identity, the hacktivist group Anonymous claimed responsibility on Twitter. The group has been actively taking aim at Russian targets in response to the Russian Federation’s ongoing invasion of Ukraine.

Yandex claims that it has implemented new algorithms to detect this type of attack in the future and will compensate the affected drivers.

This traffic jam is a new application of an old hacktivist tactic: flood the system to make it unusable. Other techniques in this vein include blackouts (which target fax machines) and distributed denial of service (which targets websites and networks). No word yet on whether this new rideshare jam exploit will merit a snappy title.

Blair Robinson contributed to this article. 

For more Global Law news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Supreme People’s Court Upholds China’s First Patent Linkage Ruling – Decision Released

On August 28, 2022, 知识产权那点事 published the first patent linkage decision from the Supreme People’s Court (SPC). The SPC upheld the Beijing IP Court ruling that Wenzhou Haihe Pharmaceutical Co., Ltd.’s application for marketing authorization for a generic form of “Aidecalcidol Soft Capsule” did not fall within scope of protection of the relevant patent. China’s patent linkage system prevents marketing authorization for a generic prior to the expiration of the patent term on the branded equivalent unless the Beijing IP Court or the China National Intellectual Property Administration (CNIPA) rules that the generic does not fall within the scope of the relevant patent rights or is invalid.

On November 10, 2021, the Beijing IP Court announced that the plaintiff of the case, Chugai Pharmaceutical Co., Ltd., a subsidiary of Roche, claimed that it was the patentee as well as the holder of the marketing license for the patented drug “Aidecalcidol Soft Capsule”, and the patent involved in the drug was CN 2005800098777.6 entitled “ED-71 preparation.” The plaintiff discovered that the defendant Wenzhou Haihe Pharmaceutical Co., Ltd. had applied to the National Medical Products Administration (NMPA) for a generic drug marketing license application named “Aidecalcidol Soft Capsule”. The public information on the Chinese listed drug patent information registration platform showed that the defendant had made a 4.2 category statement regarding the generic drug (the generic drugs do not fall into the scope of protection of the related patents). Therefore, the plaintiff filed a drug patent linkage lawsuit with the Beijing Intellectual Property Court in accordance with the provisions of Article 76 of the Amended Patent Law, requesting the court to confirm that the generic drug “Aidecalcidol Soft Capsule” that the defendant applied for registration fell into the scope the rights of Patent No. 2005800098777.6 enjoyed by the plaintiff.

 

The Beijing IP Court held:

The technical solution used by the generic drug involved is neither the same nor equivalent to the technical solution of claim 1 of the involved patent, so the technical solution does not fall within the protection scope of claim 1 of the involved patent. Since claims 2-6 are dependent claims of claim 1, if the technical solution of the generic drug involved does not fall within the protection scope of claim 1, it also does not fall within the protection scope of claims 2-6. Accordingly, the plaintiff’s claim that the involved generic drug falls within the protection scope of claims 1-6 of the involved patent cannot be established, and the court will not support it.

In the decision, the Supreme People’s Court stated there were two key points:

1. In the process of drug marketing review and approval, disputes arising from the patent rights related to the drug to be registered between the drug marketing license applicant and the relevant patentee or interested parties are only one type of the related patent rights between the two parties – often referred to as drug patent link disputes. For chemical generic drugs, the drug regulatory department of the State Council conducts drug marketing review and approval based on the application materials of the generic drug applicant, and decides whether to suspend the approval of the relevant drugs according to the effective judgment made by the people’s court [or the China National Intellectual Property Administration] on such disputes within the prescribed time limit. Therefore, when judging whether the technical solution of a generic drug falls within the scope of patent protection, in principle, it should be compared and judged on the basis of the application materials of the generic drug applicant. If the technical solution actually implemented by the generic drug applicant is inconsistent with the declared technical solution, it shall bear legal responsibility in accordance with the relevant laws and regulations on drug supervision and administration; if the patentee or interested party believes that the technical solution actually implemented by the generic drug applicant constitutes infringement, a separate lawsuit for patent infringement may also be filed. Therefore, whether the technical solution actually implemented by a generic drug applicant is the same as the application materials is generally not within the scope of examination to confirm that the dispute falls within the scope of patent protection.

2. The court of second instance held that both the donation [to the public] rule and the estoppel rule can constitute a restriction on the application of the principle of equivalence, both of which aim to achieve a reasonable balance between equitably protecting the interests of the patentee and safeguarding the interests of the public. If the conditions for limiting the application of the principle of equivalence are met, there is usually no need to judge whether the two features constitute similar means, functions, and effects, and whether those skilled in the art can conceptualize them without creative work. In this case, since Haihe Company claimed the application of the estoppel rule by virtue of the amendment of the claims by Chugai Pharmaceutical Co., Ltd., and claimed the application of the donation rule by the patent text as the result of the amendment, the court of second instance first rendered a judgment on whether the rules on estoppel should be applied on the basis of the amendment of the claims by the patentee.

The case numbers are:

北京知识产权法院(2021)京73民初1438号民事判决书

最高人民法院(2022)最高法知民终905号民事判决书

The full text of the decision courtesy of 知识产权那点事 is available here (Chinese only).

© 2022 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

War and Peace at Rospatent: Protecting Trademarks in Russia

Yes, we shall live, Uncle Vanya. Could Anton Chekhov ever have imagined that his literary work would be used to sell hamburgers? In March, a controversial application for an “Uncle Vanya” mark in connection with “snack bars, cafes, cafeterias, restaurants, bar services, canteens, cooking and home delivery services,” incorporated the red-and-yellow golden arches logo of McDonald’s. It was just one in a series of recent applications in Russia that have caused serious pearl-clutching among intellectual property lawyers.

Since Russia invaded Ukraine on February 24, the country has faced numerous financial, trade and travel sanctions. It’s also been snubbed by major intellectual property partners. In a February 28 letter, a group of whistleblowers and staff representatives at the World Intellectual Property Organization (WIPO) called for the entity’s public condemnation of Russia’s invasion of Ukraine and the rapid closure of its Russia Office. The European Patent Office severed ties with Russia on March 1, and shortly thereafter the United States Patent and Trademark Office (USPTO) confirmed that it had “terminated engagement” with officials from Russia’s agency in charge of intellectual property, the Federal Service for Intellectual Property (Rospatent), and with the Eurasian Patent Organization.

In response, Russia has adopted an aggressive posture in the intellectual property realm where it once sought to peacefully engage with the world, an effort that began well before the collapse of the Union of Soviet Socialist Republics. When the USSR joined the Paris Convention in 1965, it eagerly sought to develop Soviet intellectual property. Yet in March, Russia issued Decree No. 299, which effectively nullifies the enforcement value of Russian patents owned by entities and individuals in “unfriendly” countries including the United States, European Union member states, the United Kingdom, Ukraine, Japan, South Korea, Australia and New Zealand.

Russian Prime Minister Mikhail Mishustin also greenlighted the importation of branded products without the brands’ permission, creating gray market headaches. As Boris Edidin, deputy chairman of the Commission for Legal Support of the Digital Economy of the Moscow Branch of the Russian Bar Association, clarified in a recent legal commentary published by Moscow-based RBC Group: “entrepreneurs have the opportunity to import goods of well-known brands, regardless of the presence or absence of an official representative on the Russian market.”

Russia, like the EU, had traditionally adopted a tougher stance than the United States on parallel imports. Now, however, “both by ‘anti-crisis’ measures and by cloak-and-dagger methods” Russia is sure to do all it can to keep its planes flying and its factories running, said Peter B. Maggs, research professor of law at the University of Illinois at Urbana-Champaign and noted expert on Russian and Soviet law and intellectual property.’

The increase in parallel imports makes trademark prosecution and maintenance more important than ever in Russia, but it’s not the only cause for concern. In March, as political tensions reached a crescendo, a Russian court declined to enforce the trademark rights for Peppa Pig, the famous British cartoon character, due to “unfriendly actions of the United States of America and affiliated foreign countries.” (See case No. A28- 11930/2021 in the Arbitration Court of the Kirov Region; an appeals court later overturned this holding, in a win for the porcine star.) RBC Group reported in March that it had tracked more than 50 trademark applications by Russian entrepreneurs and businesses for the marks of famous foreign brands, many in the fashion and tech sector. While most trademark applications were explicit copies of existing brands, in other cases applicants were content to imitate well-known trademarks and trade dress.

For example, a Russian entrepreneur from a design studio called Luxorta applied to register an IDEA brand that mimics the style and yellow-and-blue color schemes of famous Swedish brand IKEA. He told RBC that his business had suffered after IKEA suspended its Russian operations, and that he aspired to develop his own line of furniture and work with IKEA’s former suppliers. Other applicants RBC interviewed indicated they hoped to sell the marks back to foreign companies once those companies return.

On April 1, Rospatent published a press statement clarifying that “in case an identical or similar trademark has already been registered in the Russian Federation, it would be the ground for refusal in such registration.” More recently, the head of Rospatent, Yury Zubov, has responded with frustration to news coverage of trademark woes in Russia, noting that intellectual property legislation is unchanged and the “Uncle Vanya” hamburger mark had been withdrawn.

Prof. Maggs agreed that those trying to register or use close copies of foreign marks in Russia will likely fail. He cited a June 2 decision by the Court of Intellectual Property Rights to uphold lower court findings that the mark “FANT” for a carbonated orange soft drink violated unfair competition laws, because it was confusingly similar to the “FANTA” brand owned and licensed to third parties by Coca-Cola HBC Limited Liability Company. Russia’s consumer protection agency had originally brought the case.

The Court reasoned that “confusion in relation to two products can lead not only to a reduction in sales of the FANTA drink and a redistribution of consumer demand, but can also harm the business reputation of a third party, since the consumer, having been misled by the confusion between the two products, in the end receives a different product with different quality, taste and other characteristics.”

In addition, Prof. Maggs said, “the Putin Regime is and will be promoting Russian products as ‘just as good’ as foreign products. An example, obviously approved at high levels is the adoption of a totally different trademark for the sold McDonald’s chain,” he said, referring to the June 12 reopening of former McDonald’s restaurants in Moscow under the name “Vkusno & tochka” (“Tasty and that’s it”).

Brands should be wary of inadvertently jeopardizing their Russian marks by suspending local operations; a trademark may be cancelled in Russia after three years of uninterrupted non-use. While Article 1486 of the Russian Civil Code states that “evidence presented by the rightholder of the fact that the trademark was not used due to circumstances beyond his control [emphasis added] may be taken into account,” brands claiming infringement still risk being ineligible for damages or injunctive relief, because technically they are not losing sales while pausing business in Russia.

Moreover, if a company has suspended sales in Russia to show solidarity with Ukraine but seeks to stop sales in Russia by others, it may be accused of violating the good faith requirement of Article 10 of the Russian Civil Code, which states that exercising “rights for the purpose of limiting competition and also abuse of a dominant position in a market are not allowed.”

Russia remains a party to numerous intellectual property treaties, including the Paris Convention, the Agreement on TradeRelated Aspects of Intellectual Property Rights and the Hague Agreement. But as the Peppa Pig case illustrates, court decisions on intellectual property are not immune to political heat.

The question looming on the horizon is whether, if the current crisis escalates, the Russian government would outright cancel trademarks from hostile countries. It would not be the first time a state denied intellectual property rights during political conflicts. In the aftermath of the First World War, for example, the US government advocated for the “expropriation” of property, including intellectual property, of German nationals, perceived as responsible for the militarism of their government1. And in the 1930s, the German patent office removed Jewish patent-holders from its roster as part of its notorious “Aryanization” process. However, because Russia is not officially at war with the countries it has deemed “unfriendly,” these precedents are not directly on point.

Brands that have suspended business operations in Russia should monitor their trademark portfolios closely for infringement and consider how they can prove use of each mark during a prolonged absence from the Russian market. In other words: keep your eyes on Uncle Vanya.


FOOTNOTES

Caglioti DL. Property Rights in Time of War: Sequestration and Liquidation of Enemy Aliens’ Assets in Western Europe during the First World War. Journal of Modern European History. 2014;12(4):523-545. doi:10.17104/1611-8944_2014_4_523.

©2022 Katten Muchin Rosenman LLP

Uyghur Forced Labor Prevention Act Is Coming… Are You Ready? CBP Issues Hints at the Wave of Enforcement To Come

US Customs and Border Protection (CBP) has issued some guidance relating to its enforcement of the Uyghur Forced Labor Prevention Act (UFLPA) prior to June 21, 2022, the effective date of the rebuttable presumption.

What to Know

  • US Customs and Border Protection (CBP) has issued some guidance relating to its enforcement of the Uyghur Forced Labor Prevention Act (UFLPA) prior to June 21, 2022, the effective date of the rebuttable presumption.
  • The new guidance imposes tighter timelines and a higher burden of evidence on importers to rebut the presumption that merchandise was produced with forced labor. If CBP does not make a decision within specific timeframes, goods will automatically be deemed excluded.
  • CBP is expected to issue additional technical guidance at the end of May or early June. The Department of Homeland Security (DHS) is also expected to issue guidance closer to June 21, 2022.
  • CBP is scheduled to host informational webinars detailing their UFLPA guidance in the coming weeks.

What’s New: Tighter Timelines  

While US importers were eagerly anticipating the issuance of technical guidance regarding implementation of the UFLPA from CBP last week, which is now expected this week, CBP did post a new guidance document summarizing the UFLPA and forced labor Withhold Release Orders (WRO) enforcement mechanisms. Specifically, CBP’s authority to detain merchandise under the UFLPA will be pursuant to 19 CFR § 151.16, which provides for a much different timeline for the detention of merchandise than the WRO process. Under this process, if Customs does not make a timely decision regarding admissibility, goods are automatically excluded.

UFLPA Timeline Enforcement under 19 CFR § 151.16

Number of Days

Actions

5 Days from Presentation for Examination

CBP must decide whether to release or detail merchandise

  • If the merchandise is not released, it is detained
5 Days after Decision to Release or Detain

CBP will issue a notice to importer advising them of:

  • The initiation of detention
  • Date merchandise examined
  • Reason for detention
  • Anticipated length of detention
  • Nature of tests and inquiries to be conducted
  • Information to accelerate disposition
  Upon written request, CBP must provide importer with testing procedures, methodologies used, and testing results
Within 30 Days of Examination

CBP will make a final determination as to the admissibility of merchandise

  • If CBP does not make a determination within the 30-day period, the merchandise will be deemed excluded
  • This means any submission to rebut the presumption should be made before this 30 day period
Within 180 Days of CBP Determination/Exclusion Importers may protest CBP’s final determination
Within 30 Days After Protest Submitted The protest is deemed denied if CBP does not grant or deny the protest within 30 days
Within 180 Days after the Date the Protest is Denied

The importer may commence a court action contesting the denied protest (28 U.S.C. § 1581(a))

  • In a court action, CBP must establish by a preponderance of the evidence that an admissibility decision has been reached for good cause
  • Customs can decide to grant the protest after the deemed denial but before a court case is filed

This is a much shorter timeline than the WRO process. Importantly, a company contesting CBP’s detention of merchandise pursuant to the UFLPA would be required to submit documentation to rebut the presumption within the 30-day period that CBP is assessing admissibility, whereas the WRO process permits 90 days. Like the WRO process, the importer may also file a protest 180 days after CBP makes its final determination regarding the exclusion.

CBP Listening Session: A Higher Burden of Evidence 

On Tuesday, May 24, 2022, CBP provided information regarding the publication of guidance and enforcement of the UFLPA:

  • CBP Publication of Guidance. CBP’s guidance regarding its enforcement of the rebuttable presumption and the UFLPA is scheduled to be published the week of May 30.
  • DHS Publication of Guidance. DHS guidance will be published on or about June 21, 2022, which will include information relating to supply chain due diligence, importer guidance, and the entity lists.
  • Clear and Convincing Evidence Required to Rebut the Presumption that Merchandise was Produced with Forced Labor. It was confirmed that the UFLPA will have a much higher burden of evidence required to rebut the presumption that merchandise was produced with forced labor than that of a WRO. Any exception to the rebuttable presumption must be reported to Congress, and thus the level of evidence that will be required to overcome the rebuttable presumption is very high. As a practical matter, it appears that very few detained entries will be released. Importers are advised to start conducting due diligence on supply chains in order to ensure that they will be able to obtain documentation should merchandise be detained once the rebuttable presumption goes into effect. Importantly, products that are subject to an existing WRO from Xinjiang will now be enforced under the UFLPA process instead of the WRO process.
  • Evidence Required if Merchandise is Detained. The forthcoming guidance will set forth information regarding how an importer may meet the exception to the rebuttable presumption and to demonstrate that merchandise was not produced with forced labor, by meeting the following three criteria:
    • Demonstrate compliance with the Forced Labor Enforcement Task Force/DHS strategy;
    • Demonstrate compliance with CBP’s guidance and any inquiries that CBP raises; and
    • Provide clear and convincing evidence that the supply chain in question is free of forced labor.
  • Binding Rulings. Importers may apply for a binding ruling to confirm or request an exception to the rebuttable presumption under the UFLPA. Although CBP is still finalizing the process for importers to apply for a binding ruling, importers would be required to prove by clear and convincing evidence that merchandise is not produced with forced labor. If the ruling is granted, it applies to future shipments for the specific supply chain in question.
  • Known Importer Letters and Detention Notices. Going forward, CBP will not issue Known Importer letters, and CBP will notify importers that merchandise is subject to the UFLPA through the issuance of detention notices.
  • Detention of Merchandise. If goods are detained by CBP because they are suspected of having a nexus to Xinjiang Uyghur Autonomous Region (XUAR) of the People’s Republic of China (PRC), importers may either provide clear and convincing evidence that merchandise was not produced with forced labor or export the products. If detained products that fall under the UFLPA are comingled with other products that are not subject to the UFLPA, importers may request the segregation of the merchandise that is not subject to the UFLPA.
  • Chain of CBP Review for Importer Submissions Relating to Detained Merchandise. Chain of CBP review for the request of an exception to the rebuttable presumption has not been finalized yet. However, importers will be required to submit evidence that rebuts the presumption that merchandise was produced with forced labor to the applicable CBP Port Director. For the moment, the CBP Commissioner is the final individual who can ultimately make an exception to the rebuttable presumption, but CBP is deciding if it will delegate this responsibility to any additional persons.

Upcoming CBP Informational Webinars

CBP will be holding three webinar sessions, all covering the same material, to discuss and review its guidance relating to the UFLPA. The dates of the webinars and the registration links are listed below.

© 2022 ArentFox Schiff LLP

Trade Mark Infringement – Muslim Dating App Meets its Match [.com]

A recent Intellectual Property Enterprise Court Decision (IPEC) on 20 April 2022 has decided that ‘Muzmatch’, an online matchmaking service to the Muslim Community has infringed Match.com’s registered trade marks.

The decision by Nicholas Caddick Q.C was that Muzmatch’s use of signs and its name amounted to trade mark infringement and/or passing off of Match.com’s trade marks. This case follows successful oppositions by Match.com to Muzmatch’s registration of its marks in 2018, and unsuccessful attempts by Match.com to purchase Muzmatch between 2017 and 2019.

Match.com is one of the largest and most recognisable dating platforms in the UK. It first registered a word mark ‘MATCH.COM’ in 1996 and also owns other dating-related brands including Tinder and Hinge with other marks including the word mark ‘TINDER’. Match.com used a 2012 TNS report to illustrate its goodwill and reputation and 70% of people surveyed would be able to recall Match.com if prompted, 44% unprompted and 31% of people would name Match.com as the first dating brand off the ‘top of their head.’

Muzmatch is a comparatively niche but growing dating platform, which aims to provide a halal (i.e. in compliance with Islamic law) way for single Muslim men and women to meet a partner. Muzmatch is comparatively much smaller and was founded in 2011 by Mr Shahzad Younas and now has had around 666,069 sign-ups in the UK alone.

The Court considered that the marks ‘Muzmatch’ and ‘MATCH.COM’ and each company’s graphical marks, had a high degree of similarity in the services provided. The marks were also similar in nature orally and conceptually and the addition of the prefix ‘Muz’ did not distinguish the two marks, nor could the lack of the suffix ‘.com’ or stylistic fonts/devices.

The key issue of the case relates to the idea of the term ‘Match’ which is used by both marks to describe the nature of the business: match[ing]. Muzmatch argued that as both marks share this descriptive common element, so it is difficult to conclude that there is a likelihood of confusion between the two marks as the term just describes what each business does.

 The Court found that finding that there is a likelihood of confusion for a common descriptive element is not impossible, as the descriptive element can be used distinctively. The average consumer would conclude that the portion ‘Match’ is the badge of origin for Match.com due to its reputation as a brand and the very substantial degree of distinctiveness in the dating industry. An average consumer would have seen the word ‘Match’ as the dominant element in the Match.com trade marks and Match.com is often referred to as just ‘Match’ in advertisements.

Aside from its marks, Muzmatch utilised a Search Engine Optimisation strategy from January 2012 whereby it utilised a list of around 5000 keywords which would take a user to a landing page on the its website. In the list of the keywords used, Muzmatch used the words ‘muslim-tinder’, ‘tinder’ and ‘halal-tinder’ which were accepted by Muzmatch during the litigation to have infringed Match’s trade marks of the Tinder brand including the word mark ‘TINDER’. Muzmatch’s SEO use was also found to cause confusion based on some of its keywords including ‘UK Muslim Match’, which again uses the term Match distinctively, therefore a consumer may confuse a link to ‘UK Muslim Match’ with ‘Match.com’.

Therefore, the Court found that there was likely to be confusion between Muzmatch and Match.com because of the distinctive nature of the term ‘Match’ in the world of dating platforms.  An average consumer would conclude that Muzmatch was connected in a material way with the Match.com marks, as if it was targeted at Muslim users as a sub-brand, so this confusion would be trade mark infringement under S10(2) of the Trade Marks Act 1994.

The Court also considered that Muzmatch had taken unfair advantage of Match.com’s trade marks and had therefore infringed those marks under S10(3) of the Trade Marks Act 1994. This was due to the reputation of Match.com’s trade marks and because a consumer would believe that Muzmatch was a sub-brand of Match.com.

The Court rejected Muzmatch’s defence of honest concurrent use and found that Match.com would also have an alternative claim in the tort of passing off.

Key Points:

  • The Court found that a common descriptive element can acquire distinctiveness in an area, solely because of a company’s reputation and influence in that market.
  • The use of Search Engine Optimisation strategies can also constitute a trade mark infringement.
  • The lack of the suffix ‘.com’ in a mark is not sufficient to distinguish use from a household brand such as Match.com, so care should be taken with brands such as ‘Match.com’, ‘Booking.com’[1]

Source:

[1] Match Group, LLC, Meetic SAS, Match.Com International Limited v Muzmatch Limited, Shahzad Younas [2022] EWHC 941 (IPEC)


[1] Note- Blog Post of July 6 2020 Relating to Booking.com- https://www.iptechblog.com/2020/07/us-supreme-court-opens-doors-to-generic-com-trademarks/

New UK IDTA and Addendum Come Into Force

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of the 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and Addendum replace the old EU Standard Contractual Clauses  (“Old EU SCCs”) for use as a UK GDPR-compliant transfer tool for restricted transfers from the UK, which also enables UK data exporters to comply with the European Court of Justice’s ‘Schrems II’ judgement.

For new UK data transfer arrangements or where UK organisations are in the process of reviewing their existing arrangements, use of the new ITDA or Addendum would be the best option to seek to future proof against the need to replace them in 2 years’ time.

Where the data flows involve transfers of personal data from both the UK and the EU, the use of the Addendum alongside the New EU SCCs, will enable organisations to implement a more harmonised solution.

To view copies of the documents please follow the links below:

To read our previous blog post on this topic, click here.


Article By Francesca Fellowes of Squire Patton Boggs (US) LLP. Hannah-Mei Grisley also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLP

Fleeing Ukrainians to Get More Help From United States

The United States has joined many European countries that are opening their doors and offering humanitarian assistance to fleeing Ukrainians.

Ireland, Great Britain and Canada have all started private sponsorship programs for Ukrainians. That assistance is not necessarily a one-way street. Easing the way for incoming Ukrainians may help those nations deal with their own labor shortages.

Ukraine is known for its skilled workforce, including tech engineers, and some companies in Europe are specifically targeting jobs for Ukrainians, offering everything from language training to child care to attract the refugees. Even temporary employment agencies are involved and new companies are being founded for the purpose of matching Ukrainians to jobs across Europe – jobs that run the gamut from highly skilled tech work, to healthcare aids, to retail and hospitality positions.

U.S. employers are generously offering humanitarian aid and donations to help Ukrainian refugees, but now those employers may be able to offer jobs to displaced Ukrainians seeking refuge. The Biden Administration will open various legal pathways that could include the refugee admissions program (which can lead to permanent residence through asylum, but is a long process), visas, and humanitarian parole (a temporary solution). The focus will be on Ukrainians with family in the United States or others considered to be particularly vulnerable. Approximately 1,000,000 people of Ukrainian descent currently live in the United States.

The administration originally believed that most Ukrainians did not want to flee to the United States because it was too far away from other family members who have remained in Ukraine. Secretary of State Antony Blinken had stated that the priority was to help European countries who are the dealing with huge waves for migration instead. But advocates have been arguing that the administration could create special status for Ukrainians to allow them to enter the U.S. or stay with family members.

In early March, the Biden Administration established Temporary Protected Status (TPS) for Ukrainians who have been in the United States continuously since March 1, 2022, but that did not help those who are still abroad. Visitor visas are hard to come by because applicants for visitor visas need to be able to show that their stay will be temporary and that they have a home to return to in Ukraine, and such temporary nonimmigrant visas may not meet that criterion or be practical in most of these situations. Moreover, consulates abroad are already overwhelmed and understaffed due to COVID-19.

While small numbers of Ukrainians have made it to the United States by finding private or family sponsors, this new policy should at least open the doors to some Ukrainians and likely make it possible for U.S. companies to hire some of the incoming refugees. They will need and want employment, but they will also need support.

Jackson Lewis P.C. © 2022

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” 
(emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

© 2022 Keller and Heckman LLP