Transatlantic Summit 2022 (November 16-18, 2022)

The Transatlantic Summit 2022 will take place November 16-18, 2022 at Stanford University, California! The Transatlantic Summit 2022 is where current and future leaders from industry, policy and academia come together to find answers on the most pressing issues at the intersection of digital technology and geopolitics.

Join high-profile leaders from industry, public servants and leading academics at the Transatlantic Summit to discuss the implications of technology on society! Participants of all nationalities are encouraged to join the conference to ask hard questions, shape ideas, and build connections. 

Inspiring speakers include:

Stefan Schnorr, German State Secretary in the Federal Ministry for Digital and Transport

Gerard de Graaf, Head of the EU office in San Francisco

Anna Makanju, Head of Public Policy at OpenAI

Richard Socher, former Chief Scientist at Salesforce and founder of

Andrew Grotto, Director of the Program on Geopolitics, Technology and Governance at

the Stanford Cyber Policy Center

Oliver Schramm, Consulate General of the Federal Republic of Germany in San Francisco

Get your free ticket here:


Participant get-together: Nov 16 | 6 PM – 8 PM

Stanford University, The Treehouse

No registration required

Conference day: Nov 17 | 9 AM – 6 PM

Stanford University, Vidalakis Dining Hall

Get your ticket here (Nov 17th)

Exclusive roundtable and innovation workshop: Nov 18 (by application) | 9 AM – 2 PM

Palo Alto (exact location will be sent to selected participants)

Apply to attend here (Nov 18th)


Transatlantic Antitrust and IPR Developments, Newsletter Issue 2/2022 (October 9, 2022)


Amedeo Rizzo, Christine Carter, Gabriel M. Lentner, Jan Czarnocki,

Marie-Andrée Weiss, Martina Acciaro,
Salome Kohler, Sebastian Pech

Editor-in-chief: Juha Vesala



European Union

The Digital Markets Act: EU’s Big Policy Promise for Big Tech

Intellectual Property

United States

“Royale with Cheese” – Copyright Issues Related to NFTs in Miramax v. Tarantino

What Would Lady Whistledown Say? Prince, Warhol and the Duke (of Hasting)

Other Developments

United States

Can the Current Draft of the American Data Privacy and Protection Act (ADPPA) Be a New Hope for U.S. Federal Data Privacy Law?

European Union

Inferred Sensitive Data in the ECJ OT v Vyriausiojl. Is Everything Sensitive Data?

Turning Point in intra-EU Investment Arbitration: Green Power and Other Developments

DAC 7 – The Exchange of Tax Information for Businesses with Digital Platforms in the European Union

Read More…

The Digital Markets Act: EU’s Big Policy Promise for Big Tech

By Christine Carter

The EU Digital Market Act (DMA) is the latest piece of the European Commission’s digital reform agenda to create a comprehensive and sophisticated regulatory regime for the Big Tech industry. The DMA was originally proposed in December 2020 and has recently passed a final vote with an overwhelming majority in the European Parliament on the 5th of July 2022 with 588 votes in favor and 11 against the act. The act is expected to be formally adopted by the European Council in October 2022. Following such, big tech companies who are subject to the jurisdiction of the act will have to notify the European Commission within a period of 2 months, starting from Spring 2023, as well as then act in compliance with the DMA’s new regulatory obligations by early 2024. In doing so, the DMA contributes to Europe’s digital reform agenda of “making Europe fit for the Digital Age” and will come into force alongside the EU Digital Services Act (DSA)[1].


The DMA is introduced to deal with the rapid proliferation of the digital economy over the last decade which has resulted from the vast growth of big tech companies.  The digital economy is specifically characterized by the technological control of the so-called “GAFA” sector (Google, Amazon, Facebook and Apple). In response to their increased market share in the EU, there has been a series of legislative challenges and investigations that have been litigated in front of both national and EU courts. One of the most seminal of these legal disputes arose in the investigation of the European Commission[2] against Google in what has become to be known as the Google Shopping case. Consequently, concerns have arisen that European Courts are particularly slow to deal with competition law issues arising from the digital market and lag behind the speed in which the digital economy is evolving. 

Legislative Objective

Against this background, the European Commission introduced the DMA as a series of ex ante obligations that can react quickly and meaningfully to the legal challenges raised by the Big Tech industry. The DMA takes an unprecedented step in shifting from a largely self-regulated to a regulated model of law enforcement in the Big Tech industry.  Margrethe Vestager, Vice President of European Commission described the act as a “global movement” that will “inspire all over the planet[3]. The DMA implements the policy agenda in a series of regulatory obligations for large tech corporations and provides the European Commission with a new set of enforcement powers to take action where those obligations are not met by Big Tech. This regulatory approach seeks to address the current short comings of EU competition law in regulating the digital market and ensuring an equal-level playing field among large tech corporations.

Gatekeepers and Core Platforms Services

To fall within the act’s definition of a gatekeeper, a company must provide one or more of the core platform services defined in Article 2(2) of the DMA and meet a series of qualitative and quantitative criteria which are listed in Article 3(1).

  • A company must have a significant impact on the market: this is presumed where companies have an annual turnover of  € 7.5 billion within the European Economic Area (EEA) or a worldwide market valuation of € 75 billion and it provides the same core platform service in at least three Member States (Articles 3(1)(a) and 3(2)(a));
  • A company must operate one or more important gateways to customers: this is presumed where companies have at least 45 million monthly individual end-users or 100,000 business users located in the EU in the last financial year (Articles 3(1)(b) and 3(2)(b);
  • A company possesses an entrenched and durable position: this is presumed to be met if the meets the above two criteria) in each of the last 3 financial years (Articles 3(1)(c) and 3(2)(c))

Companies that do not meet the quantitative criteria may still be designated as gatekeepers on the basis of a qualitative assessment carried out by the European Commission pursuant to Article 4. Companies that fall within the definition of gatekeepers must comply with the obligations laid out in Articles 5 – 7 and 14 of the DMA. These obligations are roughly split into the following themes: obligations of data protection, device neutrality, transparency in online advertising, ranking neutrality, neutrality towards intermediaries and distributers, and enforcement obligations. The obligations are divided into two different levels of severity. The first type are black list obligations which are directly applicable to gatekeepers without further details. The others are grey list obligations that contain obligations that may be specified in further detail by the Commission following a dialogue with the gatekeeper.

Black List Obligations

These include; prohibiting gatekeepers from processing, combining, signing or cross-using personal data without users’ consent (Article 5(2)), prohibiting gatekeepers from preventing business users from offering products or services through other channels (Article 5(3)), prohibiting anti-steering provisions (Articles 5(4)-(5)), prohibiting restrictions on businesses from raising issues with authorities (Article 5(6)), prohibiting gatekeepers from requiring users to use gatekeepers’ identification or payment services in third party apps or web browsers (Article 5(7)), prohibiting gatekeepers from bundling subscriptions or registrations (Article 5(8)), requiring gatekeepers’ disclosure of advertisements, prices, revenue share information (Articles 5(9)-(10)).

Grey List Obligations

These include prohibiting gatekeepers’ use of users’ data that is not publicly available to compete with business users (Article 6(2)), requiring gatekeepers to allow app uninstallation, changing defaults and choice screens and, allow the installation of third party apps and app stores on their operating systems (Article 6((3)-(4)), prohibiting gatekeepers from deploying of discriminatory rankings against third party services and products (Article 6(5)), prohibiting restrictions on multi-homing (Article 6(6)), requiring interoperability of operating systems and virtual assistants (Article 6(7)), requiring the provision of access to performance measuring tools (Article 6(8)), requiring data portability (Article 6(10)), requiring search data sharing (Article 6(11), requiring fair access to app stores, search engines and social networking services (Article 6(12)), preventing restrictions on the termination of end-users’ use (Article 6(13)), requiring interoperability for messaging services (Article 7).

Notification of Mergers

The DMA also imposes a duty on gatekeepers to inform the European Commission about planned mergers with other platform services or digital entities under Article 14 of the act.  This provision will apply to gatekeepers regardless of whether they are subject to merger controls at either national or international law and is designed to keep the European Commission informed about their market share and aware of any potential killer acquisitions that would create barriers to the entry of the internal market. The DMA therefore allows the European Commission to deal with these issues preemptively without requiring the threshold of Article 22 of the EU Merger Regulation to be met. In so doing, the DMA considerably strengthens the merger control regime of the EU. 


The DMA gives the European Commission several enforcement powers in the event of a gatekeeper’s non-compliance with the aforementioned obligations. The European Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover from the previous financial year (or in the case of less serious infringements up to 1%) or additionally may impose a further fine of up to 20% of a gatekeeper’s worldwide turnover from the previous financial year in the event of a repeated violation under Article 30 of the DMA. The imposition of periodic penalty payments is also permitted under Article 31 of the DMA. In the event of systematic non-compliance, the European Commission may also open up an investigation against the gatekeeper. In addition to these sanctions granted to the European Commission, it is expected that individuals may also take private actions against gatekeepers in front of national courts under Article 39 and 42 of the DMA.

Taxonomy within the EU Legal Order

Recital 10 of the DMA explains that the act is without prejudice to Articles 101 and 102 of the TFEU and therefore will operate in parallel to the existing body of EU Competition law and relevant EU Merger Control laws. The hierarchy between the DMA and national member state laws will depend on whether the national law is a regulatory or a competition law. Where the national measure is a regulatory law, the DMA will have the effect of superseding such pursuant to Article 1(5) of the DMA. Where the national measure is a competition law, the DMA does not supersede such subject to the exception in Article 1(6) that applies to national laws that are applied to undertakings other than gatekeepers or amount to the imposition of further obligations on gatekeepers.


The DMA certainly brings a lot of legislative promise to the table, which has been met with a great deal of hope in the legal world. The act itself is extremely detailed and concise and leaves little room for ambiguity. The act also creates a hierarchy between Black and Grey list obligations to enable the European Commission to deal with the former in a manner that is rather strict and with the latter in a manner that is more conducive to further collaboration and cooperation in the resolution of these legal requirements. From this perspective, the DMA symbolizes a fair compromise between the need to protect digital rights and competition interests in a technological world, as well as the need to recognize the political, social and economic reality in which these rights operate, and the ability to strike economic and political compromise where necessary to reach consensus. This is achieved in a manner that is efficient and innovative, which will hopefully provide certainty and clarity on the regulatory status of many Big Tech companies in Europe and avoid elongated legal proceedings in front of national and supranational courts and tribunals in cases of dispute. However, what will remain left to be seen is how effective the act will be on emerging gatekeepers and companies that do not meet the Article 3 requirements. This will be subject to the intensity of the impact assessment review of the European Commission and it will be extremely interesting to see how the EU will go about in exercising its regulatory mandate to subject companies to the DMA.

[1] European Commission (2022), Shaping Europe’s Digital Future

[2] EU Commission, Press release of Nov 30, 2010, Antitrust: Commission probes allegations of antitrust violations by Google

[3] European Parliament, Press Release March 24, 2022, Deal on Digital Markets Act: EU rules to ensure fair competition and more choice for users

“Royale with Cheese” – Copyright Issues Related to NFTs in Miramax v. Tarantino

By Sebastian Pech

Recently, non-fungible tokens (NFTs) have received a lot of attention owing to some spectacular digital art sales. Thereupon, several artists have started selling their work in the form of NFTs, including the award-winning filmmaker Quentin Tarantino, who was later sued by the film production company Miramax. This contribution analyses the copyright issues surrounding NFTs that emerge from the lawsuit.

I. Details of the Lawsuit

In November 2021, Quentin Tarantino, in collaboration with Scrt Labs, announced that he would auction off seven different parts of the handwritten screenplay of the 1994 blockbuster Pulp Fiction in the form of NFTs.[1] The so called “Private NFTs” provide their owners with specific privacy features, especially “content viewable only by the owner of the NFT”.[2]

Shortly after the announcement of the Tarantino NFT Collection, Miramax sued Tarantino in the Central District of California for breach of contract, copyright infringement, trademark infringement, and unfair competition.[3]

In 1993, Tarantino hadgranted Miramax “all rights (including all copyrights and trademarks) in and to [Pulp Fiction] (and all elements thereof in all stages of development and production) now or hereafter known”.[4] However, Tarantino expressly reserved some rights, namely the “soundtrack album, music publishing, live performance, print publication (including without limitation screenplay publication, ‘making of’ books, comic books and novelization, in audio and electronic formats as well, as applicable), interactive media, theatrical and television sequel and remake rights, and television series and spinoff rights”.[5]

Miramax argues that selling parts of the screenplay in the form of NFTs violates its right to create derivate works set forth in § 106(2) Copyright Act.[6] Tarantino, on the other hand, claims that he did not grant Miramax any rights to the screenplay[7] and even if this should be the case, he was acting within his reserved rights, especially the right to print publication.[8]

In January 2022, the first NFT based on a scene where the movie’s protagonists Jules and Vincent are talking about life in Europe and in particular the French term for a “quarter pounder with cheese” (“royale with cheese”) was sold for $1.1 Million.[9]

Only a few days later, the sale of the other six scenes was indefinitely postponed due to “extreme market volatility”.[10] This gave rise to speculations ranging from fear of the pending litigation and insufficient demand from buyers to technical problems.[11]

In September 2022, the lawsuit ended by a surprising settlement between Miramax and Tarantino,[12] shortly after the parties had informed the court that previous negotiations had failed.[13]

II. NFTs in a Nutshell

Tokens are digital representations of assets on the blockchain. A blockchain is a highly tamper-resistant and transparent database. The term “token” is often used as a synonym for cryptocurrency, but a token can represent any form of economic value, such as commodities, real estate, company shares, or copyright protected works. Tokens can be bought and sold using blockchain-based “smart contracts,” which are computer programs that execute transactions and enforce contractual terms automatically.

Fungible and non-fungible tokens are distinct from each other. Fungible tokens are interchangeable with other tokens. Cryptocurrencies, such as Bitcoin, are examples of fungible tokens. Every unit of Bitcoin is equivalent to another and has the same value. By contrast, a non-fungible token (NFT) is unique and thus not replaceable by other tokens.

Due to this feature, NFTs are used to represent unique assets on the blockchain, especially (digital) art or, in the present case, parts of a screenplay. Associating assets with an NFT allows authors, collectors, and owners to document and verify the provenance of the asset in question. In summary, an NFT can be best described as a forgery-proof certificate that confirms the ownership of a specific asset and/or the rights with respect to the said asset.

III. Analysis of the Copyright Issues Related to NFTs

Creating (or “minting”) an NFT for a copyright protected work does not, in most cases, lead to a reproduction of the work in the sense of § 106(1) Copyright Act. A reproduction requires a copy of the work which is defined under § 101 Copyright Act as a “material object[…] in which a work is fixed by any method now known or later developed, and from which the work can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device”.[14] Since storing information on a blockchain is very expensive, in most cases no copy of the work itself, but only its digital representation is saved on the blockchain, comprising data identifying the underlying work, specifically a hyperlink pointing to a file stored somewhere on the web.

In the case of the Tarantino NFT Collection, it is not entirely clear whether the digital version of the screenplay is saved on the blockchain or “off-chain”. The definition of a “Secret NFT” in the terms and conditions for the sale as “a Non-Fungible Token minted on the Secret blockchain network containing a digital file of a Publication”[15] indicates that it is indeed stored on the blockchain. However, Scrt Labs’ description of a “Secret NFT” on its website only mentions metadata and links to files, not works themselves stored on the blockchain.[16] Due to the high costs associated with saving high-resolution scans on the blockchain, storage “off-chain” is far more likely.

The right to prepare derivative works based upon the copyrighted work (§ 106(2) Copyright Act) is not infringed either. A derivative work has to “contain[…] a substantial amount of material” from the preexisting work,[17] as it is the case with “translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which a work may be recast, transformed, or adapted”.[18] Metadata which contains information about a work, such as a hyperlink, cannot be considered a substantive part of that work.

Furthermore, the distribution right set forth in § 106(3) Copyright Act is also not violated, because the sale of the NFT does not affect the work as such, but only its representation on the blockchain. In Perfect 10 v. Amazon, the Ninth Circuit held that posting a hyperlink to a work on the Internet is not distribution of the work because the person who provides the link just enables others to access the work but does not “own” the work by hosting it on his server.[19]

Therefore, in the Copyright Act, there is no exclusive right of the copyright owner to create an NFT. This is a reasonable result since an NFT serves as a certificate of ownership of the underlying asset. No one would suggest that creating an equivalent certificate for traditional art, such as an oil painting or a marble sculpture, could constitute a copyright infringement.

As a result, for minting an NFT, it is irrelevant whether Tarantino assigned the rights to the screenplay to Miramax or whether an NFT creation for the screenplay is covered by Tarantino’s reserved rights, for example the right to publication.

Conversely, making scans of the screenplay and storing them on a server is a reproduction in the sense of § 106(1) Copyright Act. In addition, selling these scans to the public constitutes distribution in the sense of § 106(3) Copyright Act. In dealing with these actions, it is indeed relevant whether Tarantino kept the rights to the screenplay, or at least the publication rights. However, this has nothing to do with NFTs; rather, it is a question of interpreting the contract between Miramax and Tarantino.

IV. Conclusion

From a legal perspective, the lawsuit’s crux revolves around the question of how the contract between Tarantino and Miramax is to be interpreted, and not the fact that the screenplay was sold in the form of an NFT. However, since the lawsuit ended in a settlement, it will be unknow whether the court would nevertheless have made any comments on the copyright issues with respect to NFTs discussed here.

[1] Quentin Tarantino Revealed as Iconic Artist Behind First-Ever Secret NFTs, Showcasing Never-Before-Seen Work Revealed Only to NFT Owner, Globe Newswire (Nov. 2, 2021),

[2] Id.

[3] Miramax, LLC v. Tarantino, 2:21-cv-08979-FMO-JC (C.D. Cal. 2021).

[4] Complaint at 24, Miramax, LLC v. Tarantino, 2:21-cv-08979-FMO-JC (C.D. Cal. 2021).

[5] Id.

[6] Id. at 17.

[7] Notice of Motion and Motion for Judgement on the Pleadings at 14, Miramax, LLC v. Tarantino, 2:21-cv-08979-FMO-JC (C.D. Cal. 2021).

[8] Id. at 17.

[9] SCRT Labs Announces Triumphant Sale of First Never-Before-Seen-Or-Heard Tarantino NFT for $1.1 Million, Business Wire (Jan. 24, 2022),

[10] @LegendaoNFT, Twitter (Jan. 28, 2022, 9:59 PM),

[11] Eduardo Próspero, What Happened To Tarantino ’s “Pulp Fiction” NFT Collection? The Strange Finale, NewsBTC, (last visited Sept. 9, 2022).

[12] Notice of Settlement at 1, Miramax, LLC v. Tarantino, 2:21-cv-08979-FMO-JC (C.D. Cal. 2021).

[13] Edvard Pettersson, Tarantino, Miramax settle lawsuit over ‘Pulp Fiction’ screenplay NFTs, Courthouse News Service (Sept. 8, 2022),

[14] 17 USC § 101.

[15] Secret NFT Purchase and License Agreement, Tarantino NFTs, (last visited Sept. 14, 2022).

[16] See Secret NFTs, Secret Network, (last visited Sept. 14, 2022).

[17] Twin Peaks Prods. v. Publ’ns Int’l, Ltd., 996 F.2d 1366, 1373 (2d Cir. 1993).

[18] 17 USC § 101.

[19] See Perfect 10, Inc. v. Amazon.Com, Inc., 508 F.3d 1146, 1162 (9thCir. 2007).

What Would Lady Whistledown Say? Prince, Warhol and the Duke (of Hasting)

By Marie-Andrée Weiss

Fair use is a statutory exception to copyright infringement. The Copyright Act, 17 U.S.C. § 107, identifies four factors which may be considered by the courts when determining whether an unauthorized use of a work protected by copyright was fair: (1) the purpose and character of the use; (2) the nature of the copyrighted work; (3) the substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect on the potential market for or value of the copyrighted work.

The first factor, the purpose and character of the use, has been interpreted in 1994 by the Supreme Court of the United States (SCOTUS), in Campbell v. Acuff-Rose Music, Inc., as requiring that the use is transformative, meaning that the new work “adds something new, with a further purpose or different character, altering the first with new expression, meaning, or message” (Campbell, at 579).

SCOTUS revisited its fair use doctrine last year, holding in Google v. Oracle that Google’s copying of the Java SE AP was a fair use of that material as a matter of law, finding Google’s use to be “transformative” as it sought “to expand the use and usefulness of Android-based smartphones […] offer[ing] programmers a highly creative and innovative tool for a smartphone environment” and being as such a use “consistent with that creative “progress” that is the basic constitutional objective of copyright itself”, citing Feist Publications, Inc. v. Rural Telephone Service Co., at 349-350:

“The primary objective of copyright is not to reward the labor of authors, but `[t]o promote the Progress of Science and useful Arts'”. 

Indeed, Article I, Section 8, Clause 8, of the United States Constitution grants Congress the power “To promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Now SCOTUS has an opportunity to rule further on what use is transformative and thus, as an upcoming case is likely to influence fair use case law in the upcoming years.

Fair use and Prince: the Andy Warhol case

The Southern District Court of New York (SDNY) found in 2019 that the Prince Series created by Andy Warhol from a photograph of musical artist Prince, taken in 1981 by professional photographer Lynn Goldsmith, was transformative.

Goldsmith’s agency had licensed the photograph to Vanity Fair magazine in 1984 to be used as an artist reference to create an illustration. This artist was Andy Warhol, who created not only the illustration commissioned for the magazine, but also fifteen additional works, the sixteen works series now known as the Prince Series.

Goldsmith was not aware of the Prince Series, only learning about it after Prince’s death in 2016, when Vanity Fair published on the cover of its tribute issue to Prince a work from the Prince Series different from the one originally commissioned by Vanity Fair. The work had been licensed to Vanity Fair by the Andy Warhol Foundation for the Visual Arts (AWF), which owns the copyright in the Prince Series.

AWF sued Goldsmith for a declaratory judgment of non-infringement. The Southern District Court of New York granted summary judgment to AWF, finding that the Prince Series was transformative, noting that that photograph taken by Goldsmith portrayed Prince as “not a comfortable person” and a “vulnerable human being,” while Warhol’s Prince Series portrayed him as an “iconic, larger-than-life figure.”

The United States Court of Appeals for the Second Circuit, held, however, that the use was not transformative. AWF successfully petitioned to have the case heard by SCOTUS, which will hear next month the Andy Warhol Foundation for the Visual Arts, Inc., v. Lynn Goldsmith case, answering petitioner’s question:

Is a work of art “transformative” when it conveys a different meaning or message from its source material, a view taken by the U.S. Court of Appeals for the Ninth Circuit, or should a court be forbidden to consider the meaning of the derivative work where it “recognizably deriv[es] from” its source material, as held by the Second Circuit Court of Appeals?

Fair use and the Duke (of Hastings): the Unofficial Bridgerton Musical case

AWF noted in its petition that it is the legality of the Prince Series which is the issue of the case. Fair use is the somewhat elusive concept allowing thousands of new works to be created each year, including many works created by “fans”.

Abigail Barlow and Emily Bear (“Barlow & Bear”) are fans of the Netflix series Bridgerton. They are also Grammy® award winners for their work, the Unofficial Bridgerton Musical. The work, first developed in real time on the social media platform TikTok on the premise “but what if Bridgerton was a musical?” found viral fame online, leading to a full album which won the 2021 Grammy® for Best Musical Theater Album.

Barlow & Bear performed their work on July, 28 2022 at the Kennedy Center in Washington D.C. in front of a sold-our audience. This concert appeared to have been the proverbial last drop for Netflix, which filed a copyright infringement suit against the two musicians two days later, in the United States District Court for the District of Washington. Barlow & Bear were set to play at the Royal Albert Hall in London on September 20, 2022, but the show has been cancelled.

Netflix does not view these endeavors as fan fiction but argues that the Unofficial Bridgerton Musical “stretches “fan fiction” well past its breaking point. It is blatant infringement of intellectual property rights.” Netflix alleges that some of the lyrics copy “verbatim” the dialogue of the show, for instance, in the opening number “Tis the Season,” which allegedly copies the opening scene of the first episode of the series, using the character, the setting (Grosvenor Square, London, in 1813), “while also incorporating substantial dialogue verbatim. For instance, both works include the following dialogue regarding the setting and plot, spoken by Lady Whistledown: “Grosvenor Square, 1813. Dearest reader, the time has come to place our bets for the upcoming social season. Consider the household of the Baron Featherington.”

Netflix further argues that Netflix has exclusive right to authorize derivative works based on the series. While the Bridgerton actors are dressed in costumes fit for characters living in 1813 London, the show features contemporary music played by classical musicians, such as Ariana Grande’s thank u, next, played by the Vitamin String Quartet. Netflix may have plans to create its own Bridgerton musical, and the quality of the Unofficial Bridgerton Musical may well have a significant effect on the potential market or value of an official Bridgeton musical, the fourth fair use factor. 

This case reflects the tension created by copyright between the need to “reward the labor of authors” as an incentive to create more works, which in turn benefits the public while “promot[ing] the Progress of Science and useful Arts” and the need for an exception to copyright, allowing some derivative works to be fair, even if using original works without permission, which also benefit the public and “promotes the Progress of Science and useful Arts”

There is no doubt that Barlow & Bear’s music is creative, delights many members of the public, and that the two musicians have likely a long and successful career ahead of them (their latest creation is Mexican Pizza The Musical, created for Taco Bell and featuring… Dolly Parton.)

The Unofficial Bridgerton Musical is hardly the only “TikTok musical” and is not even the only TikTok musical to have gained fame outside of the social media platform. Ratatouille the Musical is a work created collaboratively with multiple TikTok users during the first phase of the pandemic, which was then presented online as a way to raise money for The Actor Fund, at the time where the closure of theaters prevented actors to make a living. The musical is a derivative work of the Walt Disney Ratatouille movie, but no legal threat was made against it.

The defendants in Unofficial Bridgerton Musical have not filed an answer. If the parties do not settle, the ultimate outcome of the case is likely to be influenced by the 2023 SCOTUS decision in the Andy Warhol Foundation for the Visual Arts, Inc., v. Lynn Goldsmith case and a possible new “transformative use as fair use” test.

Will Prince help the Duke?

Can the Current Draft of the American Data Privacy and Protection Act (ADPPA) Be a New Hope for U.S. Federal Data Privacy Law?

By Salome Kohler

1. Some key provisions

In the U.S., there are once again attempts to improve privacy protection through a federal privacy act. Since it is still a draft, it is nevertheless worth mentioning the direction in which the main provisions of the act[1] are heading. The bill addresses concepts as the issue of data minimization, privacy by design, the right to consent and object, transparency, third-party collecting entities, the protection of sensitive data and vulnerable persons as children.[2] Privacy advocates say that the draft is still not strict enough to provide real privacy protection.[3] However, the bill provides substantial improvements to privacy as it intentions to reduce data collection by businesses to necessary issues and thus places a strong focus on data minimization, which is familiar from the approach of the European General Data Protection Regulation (GDPR).[4] The bill would also, among others, ban targeting ads to children and targeting based on sensitive data such as health data.[5]

2. Possible disadvantages

Critics fear, however, that a major goal of this comprehensive privacy bill is to limit future attempts to strengthen privacy protections by putting forward a federal law that would override state privacy laws (‘preemption’).[6] Unfortunately, such a provision is also included in the current draft, which could stop progressive states in their tracks toward strong privacy laws – much better would be a federal standard that allows for stronger state laws.[7]

A federal privacy law that sets U.S. privacy regulation at a rather low standard would also increase legal differences with the internationally significant European General Data Protection Regulation (GDPR), making it more difficult to do business internationally.

3. Expected advantages

However, while a reduction in the strength of state laws is regrettable for consumers, it is welcomed by businesses, which could benefit from the legal certainty and simplification of the current legal situation and thus reduce the barriers to doing business caused by a multiplicity of privacy protection laws.[8]

Moreover, this would be a convenient solution for states that do not intend to enact privacy legislation but still want to benefit from a certain standard of privacy protection.

In addition, a comprehensive federal privacy law will ensure that the United States can play a leading role in setting the legal regime for privacy around the world.[9]

  • Conclusion

The appropriate level of privacy protection is still a point of contention, but the technological characteristics of data as such require a strong and protective federal law; a global legal approach would be even better.[10] A new federal law should be flexible and provide a good standard of protection for future and potentially broader threats to the right to privacy.

[1] American Data Privacy and Protection Act (H.R. 8152),

[2] Id.

[3] H. Tsukayama, A. Schwartz, I. McKinney,

L. Tien, Americans Deserve More Than The Current American Data Privacy Protection Act, EFF (Jul 24, 2022),

[4] G. Edelman, Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill, Wired (Jul. 21, 2022),

[5] Id.

[6] Id.

[7] Id.

[8] L. Porter, B. E. Justice, Federal Privacy Legislation – Is it finally happening?, The Nat. L. Rev. (Jul. 26, 2022),

[9] Id.

[10] European Commission, Proposal for a Regulation of the European Parliament and of the Council Laying down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending certain Union Legislative Acts, COM(2021) 206 final, 6, 18 (2021).

Inferred Sensitive Data in the ECJ OT v Vyriausiojl. Is Everything Sensitive Data?

By Jan Czarnocki

On the 1st of August 2022, the European Court of Justice (ECJ) ruled on the interpretation of Articles 6.1 subparagraph e and 9.1 regarding processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and processing of special or sensitive categories of data.

The Regional Administrative Court in Vilnius, Lithuania asked the ECJ whether, among others, in view of Article 9(1) GDPR, which protects sensitive data, the Lithuanian law on reconciliation of interests obliges public officials to disclose their sensitive data publicly, can be reconciled with Art. 7 and Art 8 of the Charter of the Fundamental Rights of the EU. Thus, the question is whether in view of the GDPR, it is lawful to require public officials to disclose sensitive data on the publicly accessible website, including data based on which sensitive data can be inferred, such as the name and surname of the spouses and history of financial transactions. The answer to the question necessitated clarification of what should be considered sensitive data.

Narrow v broad interpretation of sensitive data

According to Art. 9 GDPR, sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The ECJ stated that the obligation from the law on reconciliation constitutes a serious infringement on the right to privacy and data protection since mandatory disclosure of sensitive data is not proportional to the goal of fighting corruption. In the context of sensitive data disclosure, public interest in fighting corruption does not override the right to privacy and data protection, as well as a prohibition to process sensitive data from Art. 9 GDPR.

There would be perhaps nothing special in this case for data protection law doctrine if not for the reasoning provided by the ECJ, giving a broad interpretation of what is sensitive data. So far, there has been a lot of ambiguity regarding the precise scope of the Art. 9. It was unclear whether the provision should be interpreted narrowly, encompassing only data that directly reveals information classified as sensitive, or whether it matters what can be inferred based on subject data.

According to the ECJ, the goal of the GDPR is to give a high level of privacy and data protection. Therefore, there is a need to understand the notion of sensitive data as also encompassing what can be inferred from the data disclosed, not only data at their “face value”.

The ECJ argues that in view of the law on reconciliation of interests, if the public official is obliged to publicly disclose e.g., name and surname of his or her spouse, or financial transactions, from such data, further information can be inferred, including sensitive information.

It is the first time the ECJ explicitly endorsed a broad interpretation of sensitive data, finally clarifying years-long ambiguity regarding the precise scope of the Art. 9. There is no doubt now that narrow interpretation is not endorsed and that sensitive data is not only data immediately and directly disclosing traits enumerated in the Art. 9.

A challenge for tech giants

Although the case is not concerned with automated data processing, the ruling may have serious global consequences for personal data processing. Given the increasing capacities of AI systems to collect and infer knowledge, it is becoming more and more difficult to delineate between merely personal and sensitive data. Until now, data controllers and processors, such as Google or Facebook, could have argued that they do not process sensitive data since sensitive information is not disclosed immediately.

But from now on, it may turn out that most of the data processed by the tech giants are sensitive since, given their software’s computing and analytics capacity, sensitive knowledge about individuals can be inferred. Thus, if after the ECJ ruling the data protection authorities and courts will adopt the Luxembourg court’s line of reasoning—a likely outcome given that the ECJ is the highest instance interpreting the European Union law—then it means that for the processors and controllers with sophisticated enough analytical tools majority of personal data processed is sensitive data. That, in turn, would mean that the processing of such data is prohibited unless explicit consent is obtained.

This is a challenge because it is hard to obtain explicitly, informed, and valid consent for specified purposes in an online environment without an accusation of creating boilerplate contracts which people cannot understand. But on the other hand, the black box nature of AI systems also poses a legal risk since organizations may not even know whether their software can infer sensitive data, and what sensitive data, and based on what data. As a result, organizations will have to start to be much more self-conscious regarding their technical and organizational capacity to infer sensitive knowledge about people and how to manage this risk.

The more general conclusion from the ruling is that with it, and with more and more court and data protection authorities’ decisions, the scope of ambiguity regarding the GDPR interpretation narrows. Therefore, for proper compliance with the data protection law, it will be increasingly harder to apply creative arguments and paperwork by lawyers to justify the processing without actually complying with the substance of the law. It means a much narrower permitted scope of personal data processing and perhaps even a need to reinvent business models based on revenues from personal data processing, such as those based on targeted ads.