The regulatory requirements of the GDPR should therefore be observed not only by clients, but also by legal advisers in their dealings with and on behalf of clients. While the changes in data privacy law that have been introduced are properly described as “an evolution in data protection, not a revolution,”4 the most significant change and the reason why most businesses are paying close attention to compliance is the greatly extended powers of regulatory bodies to issue fines as part of their enforcement powers. The maximum fine that can be imposed is the greater of €20 million (approximately US$22 million) or 4 percent of worldwide turnover of a corporate group.
This article examines some issues that may be of particular interest or concern to intellectual property practitioners in a variety of different contexts, and provides some practical tips to assist in complying with the GDPR.
Personal Data Required for Intellectual Property Applications and Registrations
Under the GDPR, intellectual property attorneys will need valid legal grounds to collect, keep, and communicate personal data5 about individuals and to share those data with anyone else. This includes patent, trademark, and design offices; overseas attorneys; corporate or institutional clients; opponents; or any other third-party service providers.
One key question for intellectual property practitioners will be whether they are acting as joint or sole data controllers, or as data processors of personal data. The distinction between them is easy to state but hard to apply. A controller is responsible for determining the purposes and means of processing personal data, while a processor does not decide the purposes of processing (although it may decide the means) but rather undertakes the processing on behalf of a controller. A straightforward illustration is the situation where a business outsources its payroll to an IT services company. The business will be the controller of the personal data of its employees. It alone will determine that it needs to process that data for the purpose of paying their salaries. The IT company acts as processor, using its software to ensure that payments are made on time, in the correct amounts, to the right people strictly as instructed by the controller. It acts entirely on those instructions and does not make any independent decisions about the purposes for which the personal data is used.
In the intellectual property context, an attorney will often need to collect the personal data of inventors for the purposes of an application and will also need to communicate those data to a patent office. Who is the data controller? Is it the attorney’s client, the attorney, or the individual? The answer may be different in different circumstances. If the inventors are current employees of the client, a patent attorney could be acting as a data processor on the instructions of the client, who in this case is probably the data controller. But if the attorney needs to use those data for another purpose, which the client has not previously disclosed to the inventor, then that may make the attorney a sole or joint controller rather than a processor. This matters, because controllers have more extensive obligations than processors to data subjects.
Whether an attorney is acting as a data controller or a data processor will also likely determine what contractual arrangements should be put in place to regulate the sharing of personal data, particularly in relation to transfers to foreign attorneys acting in other jurisdictions, for example as part of prosecuting and managing a client’s international portfolio of rights.
The next issue to consider will then be the legal bases for processing of any personal data in furtherance of the client’s instructions. The legal bases are set out in GDPR Article 6, and briefly summarized in the checklist below. Several grounds might apply in any given situation.
If disclosure of an individual inventor’s personal data to a patent office is necessary for the application to proceed—for example, in the United Kingdom, Patents Act 1977 section 13(2) obliges the patentee to file the inventor’s personal details—there could be a justification under GDPR Article 6(1)(c): processing is necessary to comply with a legal obligation to which the controller is subject. However, it could be argued that the filing of a patent application is itself a voluntary act by the patentee, so any legal obligation ground should not be engaged in circumstances where the inventor objects to the filing.
A further possible justification may be under GDPR Article 6(1)(e): that the disclosure of the inventor’s personal data is necessary for the purposes of the legitimate interests of the data controller (the patentee), provided that those interests are not overridden by those of the data subject. Again, an objection could be raised, but it is difficult to see why the inventor’s interests should prevail when there is a public interest in the accuracy of this data being maintained on the Patent Register.
If this is a cause for concern to clients, the inventor could be approached to give express consent to his or her details being provided, under GDPR Article 6(1)(a). On the one hand, refusing consent to being named in a patent application seems as though it would not be in the inventor’s interest. However, the risk is that the inventor is then entitled to refuse or subsequently withdraw consent.
Consent is generally less than satisfactory for data controllers because the data subject can refuse and must be reminded that he or she has the right to withdraw it at any time. For this reason, where another legal basis for processing applies, and consent is therefore not “required,” it may be preferable to rely on the alternative basis instead. However, in certain circumstances the withdrawal of consent would not necessarily have to be complied with, where legal or regulatory reasons exist as to why the data controller is obliged to process the personal data, such as the importance of the accuracy of the public record of patent registrations.
Similar considerations to those discussed above could also apply wherever assignments or licences of intellectual property rights are recorded on the relevant intellectual property registers, to the extent that personal data will need to be processed.
The GDPR has the potential to introduce further issues when it comes to enforcement of intellectual property rights. One of the biggest challenges in enforcement can be identifying the infringer in the first place, particularly where infringing products are being sold online. If individuals are involved whose personal data need to be disclosed, the GDPR will potentially make this more difficult still.
It is often necessary to ask third parties, such as Internet service providers or domain name registrars, for information to help identify infringers. However, wherever this involves the disclosure of personal data (which can include e-mail and even IP addresses), such processing must now be justified to the third party by the rights owner and potentially also by the third party to the data subject! Obtaining disclosure is likely to be a slower and more expensive process, possibly requiring a court order to protect the discloser from an allegation of breach of data privacy rights.
Pursuant to the Intellectual Property Rights Enforcement Directive, European member states must ensure that national courts can order infringers or third parties involved in producing or selling infringing items to disclose information.6 However, it is currently unclear how this will be interpreted in light of the GDPR.
The Internet Corporation for Assigned Names and Numbers (ICANN) requires a network of directories and databases of domain name registrants to be maintained in the form of the WHOIS system. Until recently, a lot of personal data was freely searchable on WHOIS. However, having the personal data of individual registrants publicly searchable online creates a tension with the data protection principles under the GDPR. In the run-up to the implementation of the GDPR in May 2018, there was heated debate by users and maintainers of the WHOIS system over the question of how to strike the right balance. On the one hand, individual domain name registrants have a legitimate expectation of privacy, but on the other hand intellectual property rights owners should be able to obtain information about ownership of domains to support infringement claims, and others may also have legitimate reasons for wanting to discover the details of the registrants of domain name addresses.
In the United Kingdom and elsewhere, the main domain registrars have reacted by choosing to restrict public access to individual domain name owners’ details without the owner’s express consent. Instead, anyone seeking that information will now need to demonstrate a “legitimate interest” in accessing that individual’s personal data before the registrar can determine whether it is appropriate to comply.7
Suggestions from the Anti-Counterfeiting Group (ACG)8 on how to show a legitimate interest include taking time to explain, as part of any request to the registrar, why the site is deceptive, “highlighting the deception and harm” before setting out the legal basis for the request. Then, emphasize the legitimate interest in protecting the public, whether from fakes, fraudsters, or in enforcing intellectual property rights, and spell out why these outweigh the registrant’s individual rights under the GDPR. Finally, the ACG recommends restricting any requests to the minimum of personal data actually required, including justification as to why each bit of data is needed so as to be seen still to comply with the GDPR principle of data minimization.
Direct Dealings with Data Subjects
The GDPR also empowers data subjects directly with greater control over the personal data that businesses hold on them; for example, the right of access under Article 15 entitles individual data subjects to obtain on request a copy of all the personal data a data controller has collected about them.
In the United Kingdom, there has been recent media coverage regarding a data subject access request (DSAR) made to Tinder by a journalist writing for the Guardian, which returned a staggering 800 pages of data she had herself provided in the course of subscribing to and using the matchmaking service. However, what her DSAR did not reveal was the detail of how Tinder was using all that information to personalize her user experience and identify potential matches. When she requested this information, Tinder’s response was reportedly that its “matching tools are a core part of our technology and intellectual property, and we are ultimately unable to share information about these proprietary tools.”9
The validity and effectiveness of this response has yet to be tested in the courts, but it neatly illustrates the difficulty of separating “personal data” from related data that a business would wish to withhold in order to protect its intellectual property and/or confidential know-how. GDPR Article 15 provides that the right of access “shall not adversely affect the rights or freedoms of others,” while Recital 73 also states that the right can be restricted to protect trade secrets or intellectual property.
Similar concerns arise in connection with the right to portability under Article 20, a right principally intended to assist data subjects seeking to switch their data between suppliers of goods or services to avoid having to provide a large volume of the same data twice. Data subjects are entitled to receive their personal data in a structured, commonly used, and machine-readable format on request. However, as above for DSARs, it is conceivable that the compilation and organization of data presented in that format could attract copyright protection or form part of the business’s confidential know-how, which it would clearly not want disclosed to competitors. In fact, the scope of this right is limited by GDPR Article 20 to personal data which that data subject has himself or herself provided to the data controller. It does not therefore include the controller’s (possibly more valuable) inferred and derived data or any know-how or intellectual property that the controller has used to process the raw data supplied by the data subject, but it may be difficult in practice to separate the two.
As can be seen from the above discussion, the GDPR impacts the day-to-day practice of intellectual property attorneys in Europe and beyond, wherever that practice involves the processing of the personal data of EU individuals. At this early stage it is very difficult to give clear compliance advice. Regulatory authorities and the courts are likely to set legal precedents and establish codes of practice to give more detailed guidance. However, in order to mitigate any penalties for breach or noncompliance, the best practice is to keep clear records showing that data privacy issues are being considered before or as they arise, and that decisions are taken following an analysis of the situation and giving due weight to the privacy rights of data subjects.
Finally, for those who think (or hope) that the GDPR is likely to be the last word on data privacy, the European Data Protection Board has signaled that a new e-Privacy Regulation is on the way,10 and the clear indications are that there is more to come.