Bad Faith Games – Hasbro Rolls and Loses

For EU and UK trademarks, there is a five-year grace period following the issuance of a registration, during which the trademark owner must use the mark in connection with the goods and/or services covered by the registration before it can be challenged (and potentially ultimately revoked) for non-use with such goods and/or services. Some trademark owners have tried to take advantage of this by re-filing their previously registered trademarks for exactly the same goods and/or services just before the five-year grace period ends as a means of extending this grace period. This is commonly referred to as “evergreening.”

In Hasbro v EUIPO [1], the General Court has upheld the EUIPO Board of Appeal’s decision that repeat filing of trademarks can result in bad faith applications. While it is true that evergreening doesn’t always mean bad faith, where it can be demonstrated that an applicant’s intention for filing a trademark application is to dodge showing genuine use of a mark more than five years old, then bad faith may be established.

Bad faith?

In legal terms, “bad faith” goes back in time and considers a trademark owner’s intention at the time it applied for the trademark. If the intention was to weaken the interests of third parties or obtain a trademark registration for reasons that are unrelated to the trademark itself, then this might result in bad faith. In Hasbro, the question of whether the board game conglomerate acted in bad faith hinged on whether Hasbro’s repeat filings of the MONOPOLY trademark, to avoid showing genuine use of the mark, amounted to bad faith.

Hasbro v EUIPO

When Hasbro filed its MONOPOLY trademark yet again, specifying goods and services near-identical to its earlier filing, the General Court said the application was made in bad faith, as Hasbro’s intention was to prolong the five-year grace period allowed for establishing use.

Although the case was initially rejected by the Cancellation Division of the EUIPO, the EUIPO Board of Appeal partially invalidated Hasbro’s EU Registration for the MONOPOLY mark. A key factor of the General Court’s decision supporting the EUIPO Board of Appeal’s verdict was Hasbro’s admission that its motivation for re-filing was to avoid potential costs that would be incurred to show genuine use of the MONOPOLY trademark.

Impact

The Hasbro case is setting precedent in both the European and UK courts. Although the Hasbro case came along post-Brexit, it is still considered “good law” in the English courts.

In a recent dispute between the two supermarket chains Tesco and Lidl [2], Tesco argued that Lidl’s wordless version of its logo should be invalidated, as the mark had never been used and Lidl was periodically re-filing it to avoid having to prove genuine use. Tesco’s counterclaim was struck out in the High Court as Tesco had not made a clear-cut case for bad faith. However, the Court of Appeal allowed Tesco’s appeal and maintained that it was possible bad faith had occurred. This forced Lidl to explain its intentions when filing the mark, which is consistent with the Hasbro case. Tesco’s bad faith allegation will now be assessed at the substantive trial later this year. This will be watched closely by brand owners and practitioners hoping for further guidance on evergreening and specifically where re-filings amount to bad faith.

In Sky v SkyKick [3], the Court of Appeal said that a trademark applicant can have both good and bad reasons for applying to register trademarks. However, trademark filings that are submitted underhandedly, particularly where dishonesty is the main objective of filing the application in the first place, should be invalidated.

Bad faith beware!

The Hasbro v EUIPO decision has resulted in brand owners and trademark lawyers taking greater care when re-filing trademarks. It is important to highlight, though, that re-filing a trademark is allowed. It is only when it can be established that an applicant’s intention at the point of re-filing the mark was to skirt use requirements that bad faith can be found.

Brands looking to file new, or re-file existing, trademarks should ensure they have a clear trademark strategy. Also consider retaining and recording: (1) evidence of genuine use of your marks; and (2) your reasons for re-filing any existing trademarks.


[1] 21/04/2021, Case T‑663/19, ECLI:EU:T:2021:211 (Hasbro, Inc. v European Union Intellectual Property Office)

[2] Lidl Great Britain Limited v Tesco Stores Limited [2022] EWHC 1434 (Ch)

[3] Sky Limited (formerly Sky Plc), Sky International AG, Sky UK Limited v SkyKick, UK Ltd, SkyKick, Inc [2021] EWCA Civ 1121, 2021 WL 03131604

Article By Sarah Simpson and Tegan Miller-McCormack of Katten.

©2023 Katten Muchin Rosenman LLP

EU Foreign Subsidies Regulation Enters Into Force In 2023

On December 23, 2022, Regulation (EU) 2022/2560 of December 14, 2022 on foreign subsidies distorting the internal market (FSR) was published in the Official Journal of the European Union. The FSR introduces a new regulatory hurdle for M&A transactions in the European Union (EU), in addition to merger control and foreign direct investment screening. The FSR’s impact cannot be overstated: it introduces two mandatory pre-closing filing regimes and gives the European Commission (Commission) wide-reaching ex officio investigative and intervention powers. Soon, the Commission will also launch a public consultation on a draft implementing regulation that should further detail and clarify a number of concepts and requirements of the FSR.

The bulk of the FSR will apply as of July 12, 2023. Importantly, the notification requirements for M&A transactions and public procurement procedures will apply as of October 12, 2023.

We highlight the key principles of the FSR below and provide guidance to start preparing for the application of the FSR. We refer to our On The Subject article ‘EU Foreign Subsidies Regulation to Impact EU and Cross-Border M&A Antitrust Review Starting in 2023’ of August 2, 2022 for a more detailed discussion of the then draft FSR. We also refer to our December 8, 2022 webinar on the FSR. Given the importance of the FSR, we will continue to report any future developments.

IN DEPTH

FSR in a Nutshell

The FSR tackles ‘foreign subsidies’ granted by non-EU governments to companies active in the EU and which ‘distort the internal market’.

  • First, a ‘foreign subsidy’ will be considered to exist where a direct or indirect financial contribution from a non-EU country, or from an entity whose actions can be attributed to a non-EU country (public or private entities), confers a benefit on an undertaking engaging in an economic activity in the EU internal market, and where that benefit is not generally available under normal market conditions but is, instead, limited, in law or in fact, to assisting one or more undertakings or industries. A ‘financial contribution’ covers a broad spectrum and encompasses, among others, positive benefits such as the transfer of funds or liabilities, the foregoing of revenue otherwise due (e.g., tax breaks), the grant of exclusive rights below market conditions, and the provision or purchase of goods or services.

  • Second, a ‘distortion in the internal market’ will be considered to exist in case of a foreign subsidy which is liable to improve the competitive position of an undertaking and which actually or potentially negatively affects competition in the EU internal market. The Regulation provides some guidance on when a foreign subsidy typically would not be a cause for concern:
    – A subsidy that does not exceed EUR 200,000 per third country over any consecutive period of three years is considered de minimis and therefore not distortive;
    – A foreign subsidy that does not exceed EUR 4 million per undertaking over any consecutive period of three years is unlikely to cause distortions; and
    – A foreign subsidy aimed at making good/recovering from the damage caused by natural disasters or exceptional occurrences may be considered not to be distortive.

The FSR looks at ‘undertakings’, as is the case for merger control. Therefore, the Commission will not look merely at the legal entity concerned, but at the entire corporate group to which the entity belongs in order to calculate the total amount of foreign financial contributions granted to the undertaking. Even companies headquartered in the EU that have entities outside of the EU that have received foreign financial contributions are covered by the FSR.

The FSR introduces three tools for the Commission: (i) a notification requirement for certain M&A transactions, (ii) a notification requirement for certain public procurement procedures (PPP) and (iii) investigations on a case-by-case basis.

Notification Requirement for Certain M&A Transactions

M&A transactions (or “concentrations”) involving a buyer and/or a target that have received a foreign financial contribution shall be notifiable if they meet the following cumulative conditions:

  • At least one of the merging undertakings, the acquired undertaking (target, not buyer) or the joint venture is established in the EU and has an EU turnover of at least EUR 500 million, AND

  • The combined aggregate financial contributions provided to the undertakings concerned in the three financial years (combined) prior to notification amount to more than EUR 50 million.

M&A transactions that meet these criteria will need to be notified and approved by the Commission prior to implementation. During its review, the Commission will determine whether the foreign financial contributions received constitute foreign subsidies in the sense of the FSR and whether these foreign subsidies actually or potentially distort or negatively affect competition in the EU internal market. The Commission likely will consider certain indicators including the amount and nature of the foreign subsidy, the purpose and conditions attached to the foreign subsidy as well as its use in the EU internal market. For example, in a case of an acquisition, if a foreign subsidy covers a substantial part of the purchase price of the target, the Commission may consider it likely to be distortive.

Notification Requirement for Certain Public Procurement Procedures

A notifiable foreign financial contribution in the context of PPP shall be deemed to arise where the following cumulative conditions are met:

  • The estimated value of the public procurement or framework agreement net of VAT amounts to at least EUR 250 million, AND

  • The economic operator was granted aggregate foreign financial contributions in the three financial years prior to notification of at least EUR 4 million from a non-EU country.

Where the procurement is divided into lots, the value of the lot or the aggregate value of all lots for which the undertaking bids must, in addition to the two criteria set out above, also amount to at least EUR 125 million.

Through this procedure, the Commission will ensure that companies that have received non-EU country subsidies do not submit unduly advantageous bids in public procurement procedures.

During the Commission’s review, all procedural steps may continue except for the award of the contract.

Even if the thresholds are not met, the Regulation requires undertakings to provide to the contracting authority in a declaration attached to the tender a list of all foreign financial contributions received in the last three financial years and to confirm that these are not notifiable, which the contracting authority will subsequently send to the Commission.

Investigations on a Case-by-case Basis

The Commission may on its own initiative investigate potentially distortive foreign subsidies (e.g. following a complaint). These investigations are not limited to M&A transactions or PPP. However, on the basis of this power, the Commission may investigate M&A transactions and awarded contracts under PPP which do not fall within the scope of the notification requirements set out above.

If the Commission carries out an ex officio review, its analysis will be structured in two phases: a preliminary examination and an in-depth investigation. Although these phases have no time limits, the Commission will endeavor to take a decision within 18 months of the start of the in-depth investigation.

HOW TO PREPARE FOR THE APPLICATION OF THE FSR

Application of the FSR – Timetable

As mentioned above, the FSR will apply as of July 12, 2023. The FSR shall apply to foreign subsidies granted in the five years prior to July 12, 2023 where such foreign subsidies create effects at present, i.e., they distort the internal market after July 12, 2023. By way of derogation, the FSR shall apply to foreign financial contributions granted in the three years prior to July 12, 2023 where such foreign financial contributions were granted to an undertaking notifying a concentration or notifying a PPP pursuant to the FSR.

The FSR shall not apply to concentrations for which the agreement was signed before July 12, 2023. The FSR shall also not apply to public procurement contracts that have been awarded or procedures initiated before July 12, 2023.

In general, the FSR shall apply from July 12, 2023 while the notification obligations for M&A transactions and PPP shall only apply from October 12, 2023. However, it is advisable to start preparing immediately for the application of the FSR, given the substantial scope of the regulation.

Actions to Take Now

Businesses which conduct activities in the EU should put in place a system to monitor and quantify foreign financial contributions received since at least July 2020 – to cover the three-year review – and, preferably, since July 2018. In particular, attention should be paid to positive benefits and to reliefs from certain costs normally borne by the company. External counsel can assist in determining whether these foreign financial contributions constitute a ‘foreign subsidy’.

As soon as a company decides to engage in an M&A transaction or PPP in the EU, the company should map all relevant foreign financial contributions for the relevant time period to check whether the relevant notification thresholds are met. Subsequently, companies must carefully consider whether any such financial contribution constitutes a foreign subsidy and, if so, whether such foreign subsidy may have a distortive effect. It is also advisable to determine whether there are any positive effects relating to the subsidy that could be invoked. Companies should ensure that the preparation above is ably assisted by external counsel.

In particular with regard to M&A transactions, companies should carry out an FSR analysis in addition to merger control and foreign direct investment reviews. Even at the due diligence stage, it would already be advisable to check whether the target has received any foreign financial contributions. If the transaction might eventually trigger a notification to the Commission, the M&A agreement should provide for Commission approval in the closing conditions. When acting as a bidder for a target that meets the EU turnover threshold, your bid will be viewed much more favourably when accompanied by clear assurances that no FSR filing is required or, alternatively, that a filing may be required but that the foreign subsidies received are not distortive of competition.

© 2023 McDermott Will & Emery

New UK IDTA and Addendum Come Into Force

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contractual Clauses (“New EU SCCs”) are now in force (as of 21 March 2022), providing much-needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and Addendum replace the old EU Standard Contractual Clauses (“Old EU SCCs”) for use as a UK GDPR-compliant transfer tool for restricted transfers from the UK, which also enables UK data exporters to comply with the European Court of Justice’s ‘Schrems II’ judgement.

For new UK data transfer arrangements, or where UK organisations are in the process of reviewing their existing arrangements, use of the new IDTA or Addendum would be the best option to future-proof against the need to replace them in two years’ time.

Where the data flows involve transfers of personal data from both the UK and the EU, the use of the Addendum alongside the New EU SCCs will enable organisations to implement a more harmonised solution.



Article By Francesca Fellowes of Squire Patton Boggs (US) LLP. Hannah-Mei Grisley also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLP

Fleeing Ukrainians to Get More Help From United States

The United States has joined many European countries that are opening their doors and offering humanitarian assistance to fleeing Ukrainians.

Ireland, Great Britain and Canada have all started private sponsorship programs for Ukrainians. That assistance is not necessarily a one-way street. Easing the way for incoming Ukrainians may help those nations deal with their own labor shortages.

Ukraine is known for its skilled workforce, including tech engineers, and some companies in Europe are specifically targeting jobs at Ukrainians, offering everything from language training to child care to attract the refugees. Even temporary employment agencies are involved, and new companies are being founded for the purpose of matching Ukrainians to jobs across Europe – jobs that run the gamut from highly skilled tech work, to healthcare aides, to retail and hospitality positions.

U.S. employers are generously offering humanitarian aid and donations to help Ukrainian refugees, but now those employers may be able to offer jobs to displaced Ukrainians seeking refuge. The Biden Administration will open various legal pathways that could include the refugee admissions program (which can lead to permanent residence through asylum, but is a long process), visas, and humanitarian parole (a temporary solution). The focus will be on Ukrainians with family in the United States or others considered to be particularly vulnerable. Approximately 1,000,000 people of Ukrainian descent currently live in the United States.

The administration originally believed that most Ukrainians did not want to flee to the United States because it was too far away from other family members who have remained in Ukraine. Secretary of State Antony Blinken had stated that the priority was instead to help European countries that are dealing with huge waves of migration. But advocates have been arguing that the administration could create a special status for Ukrainians to allow them to enter the U.S. or stay with family members.

In early March, the Biden Administration established Temporary Protected Status (TPS) for Ukrainians who have been in the United States continuously since March 1, 2022, but that did not help those who are still abroad. Visitor visas are hard to come by because applicants for visitor visas need to be able to show that their stay will be temporary and that they have a home to return to in Ukraine, and such temporary nonimmigrant visas may not meet that criterion or be practical in most of these situations. Moreover, consulates abroad are already overwhelmed and understaffed due to COVID-19.

While small numbers of Ukrainians have made it to the United States by finding private or family sponsors, this new policy should at least open the doors to some Ukrainians and likely make it possible for U.S. companies to hire some of the incoming refugees. They will need and want employment, but they will also need support.

Jackson Lewis P.C. © 2022

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humorous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term ‘cookies.’” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign-up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re-initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.”
(emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits their requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional factors inevitably require separate processing (e.g., a phone number, or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL) have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p. 17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie banner (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). The EDPB’s stance in this respect confirms a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how their data will actually be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to the information or experience at hand (e.g., links redirecting to the relevant parts of the privacy policy, or, in a data breach communication to users, a link allowing users to reset their password).
    • Data protection directory: For easy navigation through the different sections of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, use the same wording and definitions for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users.
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

© 2022 Keller and Heckman LLP

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP addresses, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Europol: More Than Half of Counterfeits Originate in China

On March 7, 2022, the European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Intellectual Property Office (EUIPO) jointly released the Intellectual Property Crime Threat Assessment 2022. Per the Assessment, China (including Hong Kong) was the main source of counterfeits based on number of counterfeits and by value of the counterfeits seized at the EU external borders. Almost 76% of the fake goods detained were for trademark infringement; design infringement was the second most reported at 23% while copyright was third with 15%.

China and Turkey remain the main countries of origins for counterfeit clothing, shoes, bags, watches, and jewelry seized at the EU’s border. These goods are mostly ordered online and discovered as part of postal shipments or on passengers entering the EU.

Similarly, China is the country of origin for most of the seized counterfeit electrical/electronic and computer equipment, mobile phones and accessories. With respect to mobile phones, the Assessment states,

…the visual appearance of the counterfeit devices is very convincing, closely mimicking the external characteristics of the original phones. However, typically some features and software characteristics are missing and the International Mobile Equipment Identity (IMEI) is often fake. The use of cheap and substandard electric components, which can be found in fake batteries, headphones or chargers, poses safety risks.

“China and Turkey were among the most frequently reported non-EU countries of origin for counterfeit food and drink seized at the EU’s external border.” Similarly, counterfeit perfumes and cosmetic products often originate from China and Turkey.

In addition to ready-to-use IPR-infringing goods, product components, such as aroma compounds, fixatives and solvents, are increasingly being seized. These components are used to create the final counterfeit products in the EU.

More worryingly, China and Turkey were the main origin of counterfeit pharmaceutical products.

Toys round out the top 10 counterfeits, with China also being the main point of origin.

The full Assessment is available here: IP_Crime_Threat_Assessment_2022_FullR_en.

© 2022 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January the Austrian data protection authority decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

UK Withdrawal Agreement Becomes Law

On January 23, the European Union (Withdrawal Agreement) Bill became an Act of Parliament and is now legally binding in the UK. The purpose of this legislation is to give binding force to the withdrawal agreement that was made between the UK and the EU on October 19, 2019.

The next step will be for the withdrawal agreement to be ratified by the European Parliament, which is scheduled for January 29. If this vote is passed, the UK will leave the EU on January 31, 2020. The UK will then enter an ‘implementation period,’ during which all EU laws will continue to apply in the UK, while the UK and the EU negotiate their future relationship. This implementation period is scheduled to end on December 31.


©2020 Katten Muchin Rosenman LLP


FCA Publishes “Brexit Special” Market Watch

On October 7, the Financial Conduct Authority (FCA) published a “Brexit Special” of its monthly Market Watch newsletter, in which it summarized some recent developments and publications in connection with the regulated sector’s preparedness for the forthcoming departure of the UK from the EU on November 1.

In the newsletter, the FCA noted that Andrew Bailey, FCA CEO, gave a speech in September at Bloomberg London on the Brexit “state of play”. Mr. Bailey outlined recent developments and the outstanding issues, such as the desire for an equivalence agreement for the Share Trading Obligation (STO). (For more information, please see the June 14 edition of Corporate & Financial Weekly Digest).

The FCA explained that transaction reporting rules under the Markets in Financial Instruments Regulation (MiFIR) will not be subject to the temporary transitional power. (For more information, please see the September 27 edition of Corporate & Financial Weekly Digest). Therefore, firms, trading venues and approved reporting mechanisms will need to take “reasonable steps to comply with the changes to their regulatory obligations”. Firms who cannot comply on the day that the UK leaves the EU will need to back-report missing, incomplete or inaccurate transaction reports as soon as possible thereafter.

The FCA provided an updated statement on the operation of the Markets in Financial Instruments Directive (MiFID) transparency regime following Brexit. The FCA published a statement on this topic in March 2019 (please see the March 8 edition of Corporate & Financial Weekly Digest), and the main purpose of this update was to change dates to reflect the extension of the departure date from March to October 2019.

The FCA’s MiFID transparency regime update also reflects a statement made on October 7 from the European Securities and Markets Authority (ESMA). In addition to other updates, ESMA described how reference data submitted by UK trading venues and systematic internalisers will be phased out of EU calculations. ESMA will “freeze” the quarterly calculations until Q1 2020, during which time the EU will re-determine the relevant competent authority (RCA) for all financial instruments that remain available for trading in the EU, for which the FCA is currently the RCA.

Finally, the FCA announced that industry testing for the FCA Financial Instruments Transparency Systems (FITRS) would start on October 10 and noted that it continues to update the Brexit material available on its website.

The Market Watch newsletter is available here.

Andrew Bailey’s speech is available here.

The FCA’s updated statement is available here.

ESMA’s statement is available here.


©2019 Katten Muchin Rosenman LLP