By Giuseppe Colangelo
On November 29, 2017, the European Commission released the much-awaited Communication on standard essential patents (SEPs) licensing [“Setting out the EU approach to Standard Essential Patents”, COM(2017) 712 final].
The Communication comes in the wake of the UK judgement Unwired Planet v. Huawei, recently delivered by Mr. Justice Birss and analyzed in our previous newsletter. As highlighted by the UK decision, after the judgment in Huawei/ZTE (Case C-170/13), in which the European Court of Justice identified the steps which SEPs owners and users must follow in negotiating a FRAND royalty, there are still several unresolved questions. Notably, the different approaches adopted by Germany and the UK have spurred the Communication to set out “key principles that foster a balanced, smooth and predictable framework for SEPs”.
The key principles reflect two stated objectives: incentivizing the development and inclusion of top technologies in standards by providing fair and adequate returns, and ensuring fair access to standardized technologies to promote wide dissemination.
First, the Commission takes the view that the quality and accessibility of information recorded in standard development organizations (SDOs) database should be improved. Therefore, the Commission calls on SDOs to ensure that their databases comply with basic quality standards, and to transform the current declaration system into a tool providing more up-to-date and precise information on SEPs. Moreover, the Commission stated that declared SEPs should be scrutinized to assess their essentiality for a standard, and will launch a pilot project for SEPs in selected technologies in which an appropriate scrutiny mechanism will be introduced.
Second, the Commission sets out certain general principles for FRAND licensing terms, stating that it is necessary and beneficial to establish a first set of key signposts on the FRAND concept, so as to provide for a more stable licensing environment, guide parties in their negotiations, and reduce costly litigation. In this regard, provided that the parties are best placed to arrive at a common understanding of what are fair licensing conditions and fair rates, the Commission states that:
- there is no one-size-fit-all solution on what FRAND is: what can be considered fair and reasonable can differ from sector to sector and over time;
- determining a FRAND value should require taking into account the present value add of the patented technology: that value should be irrespective of the market success of the product which is unrelated to the value of the patented technology;
- to avoid royalty stacking, parties must take into account whether the aggregate rate for the standard is reasonable;
- the nondiscrimination element of FRAND indicates that rightholders cannot discriminate between implementers that are ‘similarly situated’ (see Unwired Planet);
- for products with a global circulation, SEP licenses granted on a worldwide basis may contribute to a more efficient approach and therefore can be compatible with FRAND (see Unwired Planet).
A third part of the Communication is devoted to providing guidance in order to achieve a balanced and predictable enforcement environment. With regards to the availability of injunctive relief, the FRAND process requires both parties to negotiate in good faith, including responding in a timely manner. The willingness of the parties to submit to binding third-party FRAND determination – should the (counter-)offer be found not to be FRAND – is an indication of a FRAND behavior. Furthermore, in terms of the timeliness of the counter-offer, no general benchmark can be established, as case-specific elements play a role. Nonetheless, there is a probable trade-off between the time considered reasonable for responding to the offer and the detail and quality of the information provided in the SEP holder’s initial offer.
Even if injunctive relief can be sought against parties acting in bad faith (i.e. parties unwilling to take up a license on FRAND terms), courts are bound by Article 3(2) of the IPR Enforcement Directive, and notably the requirement to ensure that injunctive relief is effective, proportionate, and dissuasive.
Finally, the Commission states that patent assertion entities should be subject to the same rules as any other SEP holder.
  E.W.H.C. 711 (Pat).
By Martin Miernicki
On 29 November 2017, the ECJ gave its opinion in VCAST v. RTI (C-265/16). The court ruled on the compatibility of an online service (offered by VCAST) – which provides users with cloud storage space for free-to-air terrestrial programs of TV organizations – with Directive 2001/29/EC (the so-called Copyright Directive), and in particular with its article 5(2)(b) (the so-called private copying exception). Upon the selection of the user, the service autonomously picks up the television signal and records the indicated content in the “cloud”.
Background & questions referred
The case involved questions relating to the private copying exception as well as the concept of the communication to the public, contained in article 3 of the Copyright Directive. The ECJ has repeatedly given its opinion on both matters. Relevant case law includes Padawan v. SGAE (C-467/08), ACI Adam v. Stichting de Thuiskopie (C-435/12), and Copydan Båndkopi v. Nokia Danmark (C-463/12) (on the private copying exception), as well as ITV Broadcasting v. TVCatchup (C-607/11), Reha Training v. GEMA (C-117/15), and AKM v. Zürs.net (C-138/16) (on the communication to the public). In essence, the referring (Italian) court asked the ECJ whether an online cloud service as described above was compatible with the Copyright Directive.
The decision of the court
The ECJ reached the same result as proposed by Advocate General (AG) Szpunar in his opinion and held VCAST’s cloud service is incompatible with EU law. First of all, the court recalled its case law and stated that natural persons can benefit from the private copying exception also in situations where the copying services are provided by a third party (para 35). However, in the opinion of the court, the service at issue did not merely assist users in making lawful reproductions but also, by picking up the television signals, provided access to the protected content (para 38). For this reason, the services in question also qualified as a communication to the public within the meaning of article 3 of the Copyright Directive. Since this act required the consent of the rightholders, the provision of the services at issue infringed their exclusive rights and was hence not permissible under EU law.
What does the judgment mean?
The judgement gave the court the opportunity to reconfirm and clarify its opinion on two recurring issues of the more recent copyright case law: First, the lawfulness of the source of the reproduction which is made under the private copying exception; second, the concept of the communication to the public. With regard to the former, the ECJ held that the private copying exception cannot be invoked where the third party provides access to the protected content (para 37). In principle, this is in line with the prior case law of the court. With regard to the latter, the court referred to the principles established in ITV Broadcasting, holding that acts of communication to the public – different than the original transmission – carried out under specific technical conditions using different means of transmissions are subject to the right holder’s consent (para 48). In such circumstances, the new public criterion is irrelevant (para 50). Obviously, the principles established in AKM were, as indicated by the AG, not relevant for the court (para 52-56 of the AG’s opinion).
In this light, providers of online services will have to assess whether they merely enable natural persons to obtain private copies or whether they also provide access to protected content. As illustrated by the court’s decision, this requires a delineation of the different exclusive rights involved. In this context, it is noticeable that the answer given to the national court appears to be broader than might be expected from the grounds of the judgement. The ECJ stated that cloud services as described above conflict with the Copyright Directive where the provider “actively [involves] itself in the recording, without the right holder’s consent”. Apparently, one way to be “actively involved” in the recording is to communicate the work to the public, thereby providing access to the copyrighted content. However, other ways are also conceivable. For instance, it is unlikely that the private copying exception applies to cases where the service provider takes the initiative to make reproductions, or defines its object and modalities (para 25 of the AG’s opinion). It will be up to the court to shed further light on such questions in future cases.
European Commission Presents Comprehensive Soft Law Measures to Ensure that Intellectual Property Rights are Well Protected, Including Issuing Guidance on the Enforcement Directive
By Kletia Noti
On November 29, 2017, the European Commission (“Commission”) adopted a comprehensive package of measures aimed at further improving the application and enforcement of intellectual property rights (IPRs) within the EU Member States, in the EU and internationally (hereinafter, “IPRs enforcement package”). The measures encompass several soft law instruments in the form of Communications, accompanied by staff working documents and reports.
The IPRs enforcement package is the last in a series of efforts undertaken by the Commission over the last few years to enhance enforcement of IPRs and ensure that these rights are well-protected in the online environment. In its July 2014 communication, the Commission laid down an Action Plan proposing ten specific actions marking a shift in its policy approach towards new enforcement tools to fight IPR infringements. Instead of focusing on penalizing users for IPRs infringements, the Commission announced that it would seek to foster better enforcement of IPRs through the “follow the money” approach, aimed at depriving commercial-scale infringers of their revenue flows. The Commission also expressed the view that non-legislative measures (including cooperation between stakeholders) should be encouraged. In its Digital Single Market and the Single Market communications, the Commission announced its commitment towards improving IPR enforcement in light of the digital developments. In the May 2017 Mid-Term Review on the implementation of the Digital Single Market Strategy, the Commission indicated that it was finalizing its evaluation of the current legal framework for the enforcement of all IPRs, including copyright. Against this background, the IPRs enforcement package constitutes a culmination of the Commission’s efforts on this front.
The IPR package: an overview
Communication COM (2017) 707 describes the different measures adopted as part of the broader package and provides the framework for the Commission’s proposed actions on IPRs enforcement. First, it sets out measures aimed at further improving the judicial enforcement of IPRs in the EU. These measures encompass guidance on the application of the Enforcement Directive (contained in a separate Communication, also adopted as part of the package); awareness raising and improving cooperation with national judges (whose specialization in IPR-related matters is encouraged); increasing transparency of EU Member States’ judgments on IPRs enforcement, as well as fostering the development of alternative dispute resolution mechanisms to solve IPR disputes. Second, the Communication prescribes actions to support industry-led initiatives to fight IP infringements, including self-regulatory initiatives (such as voluntary agreements between rights-holders and intermediaries) and steps to better protect supply chains against counterfeiting. A Staff Working Document on self-regulation measures to fight the sale of counterfeited products accompanies the Communication. In addition, the Commission announces that a new MoU aimed at withholding advertising on IP infringing websites is being developed by stakeholders. At the same time, it encourages stakeholders to further cooperate through voluntary agreements. It also encourages the industry to further promote due diligence in supply chains, explore the potential of new technologies (e.g. blockchain) and encourage the further inclusion of IP protection in accreditation processes. Third, the Communication also lays down initiatives to strengthen the administrative authorities’ capacity to enforce IPRs. Fourth, in this Communication the Commission announces its support for measures to strengthen efforts to fight IP infringements at a global scale, including through the promotion of best practices and stepping up co-operation with third countries.
In addition to the above measures, in its IPRs enforcement package, the Commission also issued its long-awaited guidance on the EU approach to Standard Essential Patents (SEPs).
The Commission’s Guidance on the Enforcement Directive
The Commission’s Guidance on the Enforcement Directive (hereinafter, “Guidance”) follows its public consultation launched in 2015, as well as its evaluation of the Enforcement Directive carried out in 2016 in the context of its steps to further improve the application and enforcement of IPRs, as announced in the Single Market Strategy and Digital Single Market Strategy communications. While the evaluation found the Enforcement Directive to be fit for purpose, the consulted stakeholders asked for more clarity as to how its provisions should be applied.
First, the purpose and scope of the Guidance will be briefly highlighted. Subsequently, the article will zoom into the Commission’s clarifications on injunctions which national courts can adopt on the basis of Articles 9 and 11 of the Enforcement Directive.
A piece of EU legislation of minimum harmonization, adopted more than a decade ago, the Enforcement Directive has led to diverging interpretations of its provisions across the EU Member States, many of which prompted national courts to refer questions to the Court of Justice in preliminary rulings. The Commission considers this to be due to several reasons, not the least of which the different procedural frameworks across Member States. Such divergence may reduce legal predictability for the stakeholders involved. Against this background, the Guidance aims at clarifying certain aspects of the Enforcement Directive, so as to ensure a more consistent and effective interpretation and application of its provisions by competent judicial authorities and other parties involved in the enforcement of IPRs.
The Commission acknowledges that, in all cases where the Enforcement Directive provisions interpreted and applied and where various conflicting fundamental rights protected in the EU’s legal order are at stake, a fair balance must be struck between these rights, in light of the principle of proportionality. Its clarifications encompass several aspects of the Directive, including its scope, the rules on evidence, damages, reimbursement of legal costs, the right for rights-holders to obtain information on the infringers enshrined under Article 8, and the right to provisional and precautionary measures and injunctions under Section 4 of the Directive. Additionally, it seeks to clarify what “fair and equitable” measures and remedies means, as laid down under Article 3(1) of the Directive.
In particular, the Enforcement Directive requires EU Member States to make certain measures available to rights-holders, including the ability to apply for an (interlocutory or permanent) injunction to prevent an imminent infringement, or to prohibit the continuation of the alleged infringement (see Article 9(1)(a) for interlocutory injunctions and Article 11 for permanent injunctions), subject to the requirements set out under Article 3.
While the interpretation of these provisions under EU law has led to a rich body of case law of the Court of Justice of the European Union (CJEU), uncertainties as to the scope of injunctions issued by national judges remain. In order to provide guidance to national courts and parties involved in IPRs disputes, the Commission tackles the following aspects:
- Liability and injunctions. The Commission clarifies that, under EU law, liability for an alleged infringement and the possibility for the competent judicial authorities to issue injunctions are two separate questions. According to the Commission, the possibility to issue an injunction on the basis of Article 9(1)(a) and Article 11 of the Enforcement Directive does not depend on the intermediaries’ liability for the alleged infringement. Therefore, the competent judicial authorities cannot compel plaintiffs to prove that the intermediary is liable (even indirectly) as a condition for an injunction to be granted.
To this end, the Commission references the CJEU’s case law, both applicable to the online and offline world. In the landmark L’Oréal v eBay judgment, which among others concerned the interpretation of Article 11 of the Enforcement Directive, the CJEU (in Grand Chambers) held inter alia that “the third sentence of Article 11 of Directive 2004/48, according to which the Member States must ensure ‘that rights-holders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right …’ (…) involves determining whether that provision requires the Member States to ensure that the operator of an online marketplace may, regardless of any liability of its own in relation to the facts at issue, be ordered to take, in addition to measures aimed at bringing to an end infringements of intellectual property rights brought about by users of its services, measures aimed at preventing further infringements of that kind”. In addition, the Commission also references the more recent Tommy Hilfiger judgment. This latter judgment interestingly did not concern online intermediaries, but rather the imposition of an injunction on Delta Center, a physical marketplace, which the CJEU considered as caught by the scope of Article 11 of the Enforcement Directive.
- Notion of “intermediary” caught by the scope of Articles 9(1)(a) and 11 of the Enforcement Directive. Both these provisions refer to “any intermediary whose services are used by a third party to infringe intellectual property rights”. However, the Commission recalls that the notion of “intermediary” is not further clarified in the Enforcement Directive. Against this background, the Commission draws attention to the CJEU’s UPC Telekabel and Tommy Hilfiger judgments: importantly, the Commission notes that in Tommy Hilfiger the CJEU clarified the notion of “intermediary” in the sense of UPC Telekabel. In UPC Telekabel the CJEU considered that the notion of “intermediary” whose services are used by a third party to infringe copyrights under Directive 2001/29 also encompasses those internet service providers which do not have a specific relationship with the person infringing the copyright and the related rights. In Tommy Hilfiger the CJEU declared that an intermediary in the sense of the Enforcement Directive need not have a specific relationship, such as a contractual link, with the IPR infringing party. The Commission also reiterates that “the application of Articles 9(1)(a) and 11 of the Enforcement Directive spans across different sectors and includes both online and offline services.” Importantly, the Commission considers that the case law of the CJEU acknowledging that several categories, such as internet service providers (“ISPs”), social networking platforms, online marketplaces and physical marketplaces should be seen as “intermediaries” for the purposes of the Enforcement Directive is merely illustrative but not exhaustive. Therefore, the notion of “intermediary” is flexible and capable of being interpreted on a case by case basis.
In addition, the Commission considers that when the intermediary is so distant from the (alleged) infringement he cannot reasonably be expected to contribute to the enforcement of IPRs and its involvement in such enforcement would be “disproportionate” and “unnecessarily burdensome”. However, the Commission does not further clarify what an involvement “so distant or immaterial to the alleged infringement.” is. What does this mean concretely and—where is the line drawn between “distant” and “close involvement”? Does this mean that the rights-holders can ask intermediaries “close to the infringement” to bear the burden of ensuring the effective enforcement of IPRs and under which criteria? This is likely to lead to additional preliminary references before the CJEU, since it is likely judges in various EU Member States may interpret this notion differently.
- Scope of injunctions. In the context of the balancing of rights and interests which underpins how the scope of injunctions can be interpreted, the Commission reiterates the importance of the principle of proportionality, one of the primary law principles of the European Union. It also recalls the respect for Art. 3 of the Enforcement Directive, as well as fundamental rights by national courts. When it comes to proportionality, the Commission considers that judges ought not to issue injunctions which require measures that go beyond what is appropriate and necessary in light of the facts and circumstances of the case at hand to prevent an imminent infringement or to prohibit the continuation of an infringement. Recalling the limitations to the scope of injunctions that the CJEU gave in UPC Telekabel, the Commission frames them in the following fashion: “the CJEU also clarified that the competent judicial authorities may decide not to explicitly describe the specific measures which the provider must take to achieve the result sought. However, the CJEU also made it clear that in such cases a number of conditions are to be respected, notably that the measures do not go beyond what is reasonable, respect the principle of legal certainty, compliance with the fundamental rights of the parties concerned including the internet users’ freedom of information, strict targeting of the measures and a possibility for the competent judicial authorities to verify that these conditions have been complied with, notably through a possibility for the internet users concerned to assert their rights once those measures are known”.
Importantly, the Commission considers that the measures ordered via an injunction need not lead to a complete cessation of the IPR infringements, as long as they make the infringing acts difficult or seriously discourage them. However, the intermediary should not be required to bear “unbearable sacrifices”.
Against the above background, two observations are necessary: first, the Commission clarified that the limitations to the scope of injunctions that the CJEU laid down in UPC Telekabel, a case concerning copyright, apply also to other IPRs. Second, the Commission reiterates that injunctions should respect Article 15 of the E-Commerce Directive, laying out a ban on general monitoring and any such broad injunction violating such provision, according to the Commission, would concomitantly infringe Article 3 of the Directive. However, the Commission recalls that the E-Commerce Directive at Recital 47 allows for specific monitoring obligations and Recital 48 adds that this Directive does not affect the possibility for Member States to require the service providers concerned to apply reasonable duties of care in order to detect and prevent certain types of illegal activities. In the light of this, according to the Commission “where appropriate and within the limits of the abovementioned provisions, certain due diligence obligations may be imposed e.g. on providers of online hosting services with a view to preventing the upload of IPR infringing content identified by rights-holders and in cooperation with them”.
Can an injunction ordering the prevention of future infringements be a possible example of “due diligence” obligations? What is the scope of these obligations in the light of the limitations that the Commission recalls? Recent doctrine interprets the Tommy Hilfiger ruling as confined to allowing only the extent of specific injunctions to prevent future infringements to measures which contribute to avoiding new infringements of the same nature by the same market trader.
At the same time, while as an example of such obligations, the Commission refers to Article 13 of the Commission’s proposed Copyright Directive, some authors, in response to questions asked by various EU Member States in the context of the Commission’s proposal, consider that the current drafting of this proposed article itself may raise concerns in terms of compliance with EU law.
 Commission Press Release, Intellectual property: Protecting Europe’s know-how and innovation leadership, November 29, 2017.
 Communication “A balanced IP enforcement system responding to today’s societal challenges”, COM (2017) 707, accompanied by Staff Working Document SWD (2017) 430 “Overview of the functioning of the Memorandum of Understanding (MoU) on the sale of counterfeit goods via the internet.”, Communication “Guidance on certain aspects of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights”, COM (2017) 708 (hereinafter “Guidance on the Enforcement Directive”), accompanied by Staff Working Document Report on the Evaluation of Directive on the enforcement of intellectual property rights, SWD (2017) 431, COM(2017) 712 final, Communication “Setting out the EU approach to standard essential patents”.
Commission Communication, COM/2014/0392 final, “Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan”. Also see, for its strategy on improving the fight against IPR infringements in third countries, Commission Communication, “Trade, growth and intellectual property – Strategy for the protection and enforcement of intellectual property rights in third countries”, COM(2014) 389 final, 1 July 2014.
Commission Communication, “A Digital Single Market Strategy for Europe”, COM/2015/0192, May 6, 2015.
Commission Communication, “Upgrading the Single Market: more opportunities for people and businesses”, COM/2015/0550, October 28, 2015.
 Between 2015 and 2016, the Commission ran a public consultation to assess the functioning of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights (“Enforcement Directive”).
 Commission Communication, COM(2017) 228 final, May 10, 2017.
The Commission also adopted initiatives aimed at updating the legal framework applicable to copyright in order to adapt the existing rules to the Internet technological developments: see Communication “Promoting a fair, efficient and competitive European copyright-based economy in the Digital Single Market”, COM(2016)592, September 14, 2016 and Proposal for a Directive of the European Parliament and of the Council on Copyright in the Digital Single Market of September 14, 2016 (“proposed Copyright Directive”).
 See supra, fn. 2.
See Guidance on the Enforcement Directive, supra, fn. 2.
 Staff Working Document SWD (2017) 430 “Overview of the functioning of the Memorandum of Understanding (MoU) on the sale of counterfeit goods via the internet.” On the basis of a set of key performance indicators (KPIs), the Staff Working Document provides an empirical overview on how the MoU, first adopted in 2011 and subsequently updated in 2016, functioned between June 21, 2016 and June 21, 2017. Such indicators show that the MoU is proving effective and has already significantly contributed to curbing online counterfeiting.
 See supra, fn. 2.
 See, Enforcement Directive Guidance, Section III, page 11.
 Under Article 3(1) of the Enforcement Directive, the measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights covered by this Directive (…) shall be fair and equitable and shall not be unnecessarily complicated or costly, or entail unreasonable time-limits or unwarranted delays.
 See supra, fn. 14. Under Article 3(2), “those measures, procedures and remedies shall also be effective, proportionate and dissuasive and shall be applied in such a manner as to avoid the creation of barriers to legitimate trade and to provide for safeguards against their abuse.”
 For a thorough overview, see M.Husovec, Injunctions Against Intermediaries in the European Union, Accountable but not Liable, Cambridge University Press, 2017.
 See Judgment of the CJEU (Grand Chamber) of 12 July 2011, C-324/09, L’Oréal SA and Others v eBay International AG and Others, para. 127. In this judgment, the court considered that measures to prevent further infringements can be applied under Article 11 of the Directive.
 Id. The Commission also recalls cases C-70/10, Scarlet Extended, para. 31; C-360/10, SABAM, para. 29.
 Case C-494/15, Tommy Hilfiger, para. 22. In this case, the Court of Justice recalled para. 127 of the L’Oréal v eBay judgment, reiterating it, and said that the matter was thus “settled case law”. Arguing that the limitations to the scope of the injunction set out by the CJEU in Tommy Hilfiger bind national judges also in granting injunctions to intermediaries in the online world, see M.Husovec, Injunctions Against Intermediaries in the European Union, Accountable but not Liable, Cambridge University Press, 2017, pages 120-121.
 C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, EU:C:2014:192.
 Tommy Hilfiger, supra, para. 23: according to the Court, “for an economic operator to fall within the classification of ‘intermediary’ within the meaning of those provisions, it must be established that it provides a service capable of being used by one or more other persons in order to infringe one or more intellectual property rights, but it is not necessary that it maintain a specific relationship with that or those persons”.
Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society (hereinafter, “Copyright Directive” or “InfoSoc Directive”).
 The Commission recalls Recital 59 of the Copyright Directive, which states that without prejudice to any other sanctions and remedies available, rights-holders should have the possibility of applying for an injunction against an intermediary who carries a third party’s infringement of a protected work or other subject-matter in a network. Such possibility is concretely foreseen under Article 8(3) of the Directive.
 Accordingly, on the one hand, the involvement of such economic operators, which did not themselves engage in any infringing activity, in the process of IPR enforcement under the Enforcement Directive can be required to ensure that rights-holders are in a position to effectively enforce their rights. On the other hand, there may in a given case be no justification for such involvement where the services provided are so distant or immaterial to the (alleged) infringement that the economic operator in question cannot reasonably be expected to significantly contribute to such effective enforcement, meaning that its involvement would be disproportionate and unnecessarily burdensome.
 In the context of measures tackling infringements of IPRs, the principle of proportionality has been codified under Art. 3(2) of the Enforcement Directive.
 In that case at stake was a blocking injunction against UPC Telekabel, an internet service provider, taken on the basis of Article 8(3) of the InfoSoc Directive.
C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, EU:C:2014:192, paras. 52-57.
 C-314/12, UPC Telekabel, para. 52-57.
 Section IV(3) of the Enforcement Directive Guidance.
 C-484/14, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, EU:C:2016:689, para. 93-95; C-314/12 UPC Telekabel, para. 56 and paras. 58-62.
 C-314/12, UPC Telekabel, para. 53.
 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178, 17.7.2000, p. 1-16.
 The Commission recalls that in the abovementioned Scarlet and Sabam judgments the Court of Justice considered the measures at stake (broad injunctions ordered by a national judge) to be incompatible both with Article 15 of the E-Commerce Directive and Article 3(2) of the Enforcement Directive, when read with in conjunction with the requirement to respect fundamental rights.
 The Commission considers that, in certain specific circumstances, dynamic injunctions, which are forward looking and allow for a targeting of URLs when the infringement reoccurs (namely, in the presence of a whac-a-mole effect) can be an effective way to ensure enforcement of IPRs without the plaintiff having to reapply for a separate injunction,.
 Namely, Article 15 of the E-Commerce Directive, Article 3of the Enforcement Directive, the case law of the CJEU and fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union.
 Husovec, supra, note 14, page 106. Arguing that: “providing policy plug-ins by means of injunctions isn’t a good way forward”, see again Husovec, id, page 18.
 See Max Planck Institute for Competition and Innovation contribution in response to the questions raised by the authorities of Belgium, the Czech Republic, Finland, Hungary, Ireland and the Netherlands to the Council Legal Service regarding Article 13 and Recital 38 of the Proposal for a Directive on Copyright in the Digital Single Market, available at: http://www.ip.mpg.de/fileadmin/ipmpg/content/stellungnahmen/Answers_Article_13_2017_Hilty_Moscon-rev-18_9.pdf. The proposed Copyright Directive is expected to be considered by the JURI committee of the European Parliament in the next few months.
By Paul Opitz
The Third Chamber of the General Court of the European Union (EGC) ruled on 5 December 2017 that the Chinese smartphone maker Xiaomi, Inc., may not register the EU word mark MI PAD for its tablet computers, since it is likely to be confused with Apple’s iPad. (Xiaomi, Inc., v. European Union Intellectual Property Office, Case T-893/16)
In April 2014, Xiaomi, Inc., (Xiaomi) filed an application for registration of an EU trade mark with the European Union Intellectual Property Office (EUIPO) to register the word sign MI PAD. Registration was sought for Classes 9 and 38 of the Nice Agreement concerning the International Classification of Goods and Services, which correspond to the descriptions of inter alia portable and handheld electronic devices and telecommunication access services.
In August 2014, Apple Inc., (Apple) filed a notice of opposition to registration of the mark in respect of all the goods and services in the applied classes. The opposition was based on Apple´s earlier EU word mark IPAD, which was filed in January 2010 and registered in April 2013, covering goods and services in the same classes. The relative grounds relied on in the opposition were those of identity with, or similarity to an earlier trademark, currently set out in Article 8 (1) (b) of Regulation 2017/1001. This opposition was upheld by the Opposition Division in December 2015, which rejected Xiaomi´s application.
Thereafter, Xiaomi filed an appeal with EUIPO against the Opposition Division´s decision, which was again dismissed in September 2016 on the grounds that the marks MI PAD and IPAD were highly visually and phonetically similar and could lead to a confusion of the relevant public. This decision by the EUIPO was now contested by Xiaomi.
Decision of the General Court
First, the Court established some background on the scope of decisions concerning the relative ground of similarity. According to settled case law, the risk that the public may believe that goods come from the same undertaking or economically-linked undertakings constitutes a likelihood of confusion. Also, this likelihood must be assessed globally and taking into account all factors relevant to the case (Laboratorios RTB v OHIM – Giorgio Beverly Hills, Case T-162/01). For the application of Article 8 (1) (b) of Regulation 2017/1001, a likelihood of confusion presupposes both that the marks are identical or similar and that the goods which they cover are identical or similar (Commercy v OHIM – easyGroup IP Licensing, Case T-316/07).
The relevant public
The Court referred to the decision of the Board of Appeal and emphasized that the goods in question are aimed at both the general public and professional consumers with specific knowledge. Regarding the relevant public´s level of attention, the Court elaborates that although the purchase price of some goods covered by the mark are relatively high, most electronics aimed at the general public are, nowadays, relatively inexpensive and have short lifespans. Therefore, they do not require any particular technical knowledge and leave the level of attention between average and high. Secondly, the Court upheld the Board of Appeal’s finding that the relevant territory is the European Union as a whole.
Comparison of the signs
At first, the Court notes that a global assessment of the likelihood of confusion must be based on the overall impression of the signs, including the visual, phonetic, and conceptual similarity. In the case at issue, the comparison of the marks must be carried out by considering each mark as a whole, since there are no dominant elements. The Court holds that the marks are visually highly similar, since the earlier trade mark IPAD is entirely reproduced in the mark MI PAD. Moreover, they coincide as to the letter sequence “ipad” and differ only as to the presence of the letter “m” at the beginning. Phonetically, the marks are also highly similar, referring to the pronunciation of their common syllable “pad” and of the vowel “I”. The latter will be likely be pronounced as the first person singular possessive pronoun “my” in English and thereby similar to the “I” in Apple’s iPad. The Court clarifies that even minor differences in pronunciation due to the letter “m” are not capable to offset the overall similarities. Conceptually, the English-speaking part of the EU understands the common element “pad” as a tablet or tablet computer, which makes it only weakly distinctive and sufficient for a finding of similarity (Xentral v OHIM – Pages jaunes, Case T-134/06).
The likelihood of confusion
For determining the likelihood of confusion, the interdependences between the similarity of the marks and that of the goods covered must be examined. The court states that the visual and phonetic differences resulting from the presence of the additional letter “m” are not able to rule out a likelihood of confusion as a result of the overall similarities. Neither are the conceptual differences resulting from the prefixes “mi” and “I” sufficient to remove this likelihood created by the common element “pad”. Taking into account that the goods in question are identical, the conceptual similarities overweigh the discrepancies.
In conclusion, the Court could not exclude the possibility that the public might believe that both tablets come from the same undertaking or economically-linked undertakings. Hence, the Court rejected and dismissed the applicant’s plea in law.
European Patent Office Adopts Study on Patents and Publishes First Edition of the Unitary Patent Guide
By Kletia Noti
On November 14, 2017, the European Patent Office (“EPO”) published a study titled “Patents, trade and foreign direct investment in the European Union” (hereinafter, “Study”). Inter alia, the Study assesses “the impact of the European patent system on the circulation of technologies through trade and foreign direct investment in the EU single market. The Study opines that the current patent system in Europe could bring increased benefits if further harmonization were accomplished. Under the current patent system, fragmentation post-grant gives rise to limitations which may hinder cross-border trade and investment in IP- and technology-intensive industries. According to the Study, the Unitary Patent will remove many of these limitations.
The Study follows the EPO publication, on 18 August 2017, of the first edition of the Unitary Patent Guide (hereinafter, “Guide”). The Guide aims to provide companies, inventors and their representatives with an outline of the procedure involved in obtaining a Unitary Patent from the EPO, once the EPO has granted a European patent on the basis of the provisions laid down in the European Patent Convention (“EPC”). In particular, the Guide addresses the mechanisms to obtain and renew a Unitary Patent, the information which will be rendered available about the already granted Unitary Patents, who can act before the EPO with regard to a Unitary Patent and how to record changes of ownership and licenses.
In addition to the classic routes to obtain a patent in the EU (i.e. the national route; the European patent), a Unitary Patent can be sought as a result of the Unitary Patent reform. The Unitary Patent will make it possible to get patent protection in up to 26 EU Member States by submitting a single request to the EPO, making the procedure simpler and more cost effective for applicants. More specifically, the Unitary Patent is a “European patent with unitary effect”, which means a European patent granted by the European Patent Office under the rules and procedures of the European Patent Convention (EPC).
At the pre-grant phase, the procedure will follow the same steps as those for European patents granted by the EPO under the rules of the EPC. If the criteria set out under the EPC are met, the EPO grants a European patent. Once the European patent is granted, the patent proprietor will be able to request unitary effect, thereby obtaining a Unitary Patent which provides uniform patent protection in up to 26 EU Member States. Namely, what distinguishes the European patent from the Unitary Patent is that, after the grant, the proprietor may ask the EPO for unitary effect to be attributed for the territory of the participating EU Member States in which the Agreement on a Unified Patent Court (hereinafter, “UPCA”) , an international treaty, has taken effect at the date of registration.
Against the above background, the Unitary Patent will thus cover the territories of those participating EU Member States in which the UPCA has taken effect at the date of registration of unitary effect by the EPO. The EPO clarifies that, as it is likely that the ratification will occur successively, there will be different generations of Unitary Patents with different territorial coverage. This means that, although 26 EU Member States are currently participating in the Unitary Patent scheme, Unitary Patents registered at the outset will not cover all 26 of their territories, because some of them have not yet ratified the UPCA.
On November 20, 2017, the President of the Council of the EU published a summary of the situation in the 25 Member States which have signed the Unified Patent Court Agreement (UPCA) concerning both their ratification of the UPCA and their consent to be bound by its Protocol on Provisional Application (PPA).
While France has already ratified the UPCA and has expressed consent to be bound by the PPA, the UK and Germany have not done so yet.
In particular, what the impact of Brexit on the Unitary Patent project would be is still unclear. On December 4, 2017, the UK House of Commons formally approved the draft Unified Patent Court (Immunities and Privileges) Order 2017. The House of Lords Grand Committee also met on December 6, 2017 to consider this draft Order. The approval of such an Order by the House of Lords and its subsequent approval (along with the corresponding Scottish Order) by the Privy Council are the final steps in the UK’s ratification process that need to be completed before the UK can formally ratify the UPC Agreement.
Earlier in 2017, a constitutional complaint was lodged with the Federal Constitutional Court in Germany. The complaint is currently pending and, if upheld, is expected to likely cause delay to the German ratification of the UPCA and Germany consenting to be bound by the PPA.
 Whether the United Kingdom continues to participate in the Unitary Patent and the Unified Patent Court after its withdrawal from the EU will be a political decision for the EU, its remaining Member States and the United Kingdom and may be addressed as part of the exit negotiations. See Guide, Section 15.
 In February 2013, 25 EU Member States, i.e. all EU Member States except Spain, Poland and Croatia, signed the Agreement on a Unified Patent Court (UPCA), Date of entry into force unknown (pending notification) or not yet in force, OJ C 175, 20.6.2013, p. 1–40. The UPCA is the third component of the Unitary Patent package. The Unified Patent Court (UPC) is a common court for all the Member States party to the UPCA and therefore, it is part of their judicial system. It has exclusive competence in respect of Unitary Patents as well as in respect of classic European patents validated in one or several of those states. See: https://www.epo.org/law-practice/legal-texts/html/upg/e/uppg_a_v_3.html. In September 2015, Italy joined the Unitary Patent and became the 26th member of the enhanced cooperation on Unitary Patent protection.
 The EU regulations establishing the Unitary Patent system (No 1257/2012 and No 1260/2012) entered into force on 20 January 2013, but they will only apply as from the date of entry into force of the UPCA, namely on the first day of the fourth month following the deposit of the 13th instrument of ratification or accession (provided those of the three Member States in which the highest number of European patents had effect in the year preceding the signature of the Agreement, i.e. France, Germany and the United Kingdom, are included). See EPO, When will the Unitary Patent start: https://www.epo.org/law-practice/unitary/unitary-patent/start.html
See, for a list of the (so far) 14 Member States which have already ratified the UPCA: http://www.consilium.europa.eu/en/documents-publications/treaties-agreements/agreement/?id=2013001# (last accessed 17 December 2017)
 Note from Presidency to the Council, Unitary Patent and Unified Patent Court – Information on the State of Play, 20 November 2017.
 On December 22, 2017, a note was sent to the UK Government by the UK Law Society which had been contributed to and signed by other IP stakeholder organisations, asking the Government to provide legal certainty regarding the UPC post-Brexit.
See, for an overview: https://publications.parliament.uk/pa/cm201719/cmvote/171204v01.html
 M.Richardson, The Lords Consider the UPC: Where is it?, 12 December 2017, available at: https://ipcopy.wordpress.com/2017/12/12/the-lords-consider-the-upc-where-is-it/
Juve, UPC: Düsseldorfer Rechtsanwalt Stjerna legte Verfassungsbeschwerde ein, September 6, 2009: https://www.juve.de/nachrichten/verfahren/2017/09/upc-duesseldorfer-rechtsanwalt-stjerna-legte-verfassungsbeschwerde-ein
 For the PPA to come into effect, 13 signatory states – which have signed the UPCA (and which must include France, UK and Germany) and have ratified the UPCA or informed the depositary that they have received parliamentary approval to ratify the UPCA – must have signed and ratified, accepted or approved the Protocol or declared themselves bound by Article 1 of the Protocol. Therefore, Germany’s consent to the PPA is needed before the provisional application phase can start.
CJEU’s General Advocate Bot: Administrators of Facebook Fan Pages May Be Held Responsible for the Data Processing Carried out by Facebook
By Katharina Erler
The opinion of Advocate General Bot delivered on 24 October 2017 and issued in relation to case C-210/16 of the Court of Justice of the European Union (CJEU) suggests that administrators of fan pages on the Facebook social network may as controllers under Article 2(d) of the EU Data Protection Directive (95/46/EC) be held responsible for the data processing carried out by Facebook and for the cookies which Facebook installed for that purpose. In particular, the administrator should be regarded as being, along with Facebook Inc. and Facebook Ireland itself, a controller of the personal data that is carried out for the purpose of compiling viewing statistics for that fan page. Furthermore, Advocate General Bot rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The related case is Unabhängiges Landeszentrum für Datenschutz v. Wirtschaftsakademie, C-210/16.
Facebook fan pages are user accounts that may be set up by individuals as well as businesses. Administrators may use their fan page to present themselves or their businesses for commercial purposes. Facebook also offers the administrators the opportunity to obtain viewing statistics containing information on the characteristics and habits of the visitors of their fan page. These statistics are compiled by Facebook, which collects data of the visitors via cookies, and then personalized by the fan page administrator using selection criteria. This may help administrators to better craft the communications on their fan pages. To compile these statistics Facebook stores at least one cookie containing a unique ID number, active for two years, on the hard disk of every fan page visitor.
A German company “Wirtschaftsakademie Schleswig-Holstein GmbH”, which provides education and training services via a fan page hosted on the website of the social network Facebook was ordered on November 3, 2011 by a German regional data-protection authority “Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein” to deactivate its fan page. This decision was based on the fact that neither the “Wirtschaftsakademie” as administrator nor Facebook had informed visitors of the fan page that Facebook was collecting and processing their personal data.
After it challenged this order and the data-protection authority again dismissed that objection, the “Wirtschaftsakademie” brought an action before a regional German Administrative Court. It ruled on October 9, 2013, that the administrator of a fan page is not a “controller” within the meaning of the German data protection act and therefore cannot be addressee of an order to deactivate the fan page under § 38(5) of the German data protection act (“BDSG”). The Higher Administrative Court, however, dismissed an appeal of the data-protection authority holding that the prohibition of the data processing was unlawful. According to its ruling this was, because prohibition of data processing under this provision is only possible if it is the only way to end the infringement. Facebook was in that position to end the processing of data, and therefore the “Wirtschaftsakademie” was not a “controller” of data processing under § 38(5) of the German data protection act.
In the appeal proceedings, the German Federal Administrative Court, however, confirmed that ruling by considering that the administrator of a fan page is not a data controller within the meaning of neither § 38(5) of the German data protection act not the Article 2(d) of EU-Directive 95/46/EC. Hence, the Court referred several questions to the CJEU, which – questions (1) and (2) – as a core issue concern the question, whether a body, which is non-controller under Article 2(d) of EU-Directive 95/46/EC may be also the addressee of orders of the supervisory bodies.
It is worth mentioning that in order to rule on the lawfulness of the order in question, the referring courts also asked – in its questions (3) and (4) – about the distribution of powers among the supervisory bodies in cases where a parent company has several establishments throughout the EU. Finally – questions (5) and (6) concern questions regarding the necessary network to coordinate and align the decisions of the supervisory bodies in order to avoid different legal appraisal.
Article 2(d) of EU Data Protection Directive 95/46/EC provides that a ‘controller’ is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
Article 17(2) of the EU Data Protection Directive 95/46/EC states that the Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
Article 24 of the EU Data Protection Directive 95/46/EC states that the Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
Article 28(3) of EU Data Protection Directive 95/46/EC stipulates that each authority shall in particular be endowed with: investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties; effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions; and the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed through the courts.
Advocate Bot’s assessment of the questions referred to the CJEU
First, Advocate Bot emphasizes that the referred questions do not touch upon the material matter whether the processing of personal data in the case at hand is contrary to the rules of EU-Directive 95/46/EC.
Under the assumption that the administrator of a fan page is not a controller under Article 2(d) of EU-Directive 95/46/EC, the German Federal Administrative Court especially stresses the question whether Article 2(d) may be interpreted as definitively and exhaustively defining the liability for data protection violations or whether scope remains for responsibility for a body with is no controller within the meaning of this article. This leads to the central question, which is pointed out by General Advocate Bot, whether supervisory bodies are permitted by Article 17(2), 24 and Article 28(3) of Directive 95/46/EC to exercise their powers of interventions against such non-controller.
Advocate General Bot, however, considers the underlying premise to be incorrect and clearly emphasizes that, in his opinion, the administrator of a Facebook fan page must be regarded as jointly responsible for the phase of data processing which consists in the collecting by Facebook of personal data. By referring to CJEU’s Google Spain judgment C-131/12 of 13 May 2014, Advocate General Bot, as a starting point, stresses the importance and fundamental role of the controller under the EU Data Protection Directive and its responsibility to ensure the effectiveness of Directive 95/46/EC and its full protection of data subjects. Therefore, and in view of the history of CJEU’s case law, the concept of the “controller” must be given a broad definition. As the “controller” is the person that decides why and how personal data will be processed, this concept leads to responsibility where there is actually influence.
According to Bot, it is, as the designer of the data processing in question, Facebook Inc. alongside Facebook Ireland, which principally decides on the purposes of this data processing as it, especially, developed the economic model containing on one hand the publication of personalized advertisement and on the other hand the compilation of statistics for fan page administrators. Additionally, because Facebook Ireland has been designated by Facebook Inc. as being responsible for the processing of personal data within the European Union and because some or all of the personal data of Facebook’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, Facebook Inc. alongside Facebook Ireland are responsible for data processing.
But at this point Bot additionally emphasized that Article 2(d) of Directive 95/46/EC expressly provides the possibility of shared responsibility and that it is also necessary to add to the responsibility of Facebook Inc. alongside Facebook Ireland the responsibility of the fan page administrator. Although Bot recognized that a fan page administrator is first and foremost user of Facebook, he stresses that this does not preclude those administrators from being responsible for the phase of data processing. In his view determination of the “controller” under Article 2(d) means any influence in law or in fact over the purposes and means of data processing, and not carrying out of the data processing itself.
Advocate General Bot argued that (1) fan page administrators by only having recourse to Facebook for the publication of its information subscribe the principle that visitor’s data will be processed. That data processing would (2) also not occur without the prior decision of the administrator to operate a fan page in the Facebook social network. And (3) by, on the one hand, enabling Facebook to better target the advertisement and, on the other hand, acquiring better insight into the profiles of its visitors the administrator at least participates in the determination of the purposes of data processing. These objectives are according to Advocate General Bot closely related which would support the joint responsibility.
Moreover (4) the administrator has as a decisive influence the power to bring that data processing to an end by closing the page down. Finally, Bot argued that (5) the administrator by defining criteria for the compilation of statistics and using filters is able to influence the specific way in which that data processing tool is used. This classification as a “controller” would also neither be contradicted by imbalances in the relationship of strength nor by any interpretation that is based solely on the terms and conditions of the contract concluded by the fan page administrator and Facebook. With reference to CJEU’s case Google Spain, Bot pointed out that it is not necessary to have complete control over data processing. This result and broad interpretation of “controller” would also serve the purpose of effective data protection and prevents the possibility to evade responsibility by agreeing to terms and conditions of a service provider for the purposes of hosting information on their website.
Furthermore, Advocate General Bot established a parallel with CJEU’s decision Fashion ID, C-40/17, where the manager of a website embeds in its website the Facebook Like Button, which, when activated, transmits personal data to Facebook. As to the question of Fashion ID “controlled” this data processing, Bot holds that there is no fundamental difference between those two cases. Finally, the Advocate General clarified that joint responsibility does not imply equal responsibility. The various parties may be involved in the processing of data to different degrees.
It seems surprising that Advocate General Bot simply rejected the premise of the German Federal Administrative Court, instead bringing to the foreground the question on the interpretation of the “controller” under Article 2(d)—even changing the focus of the referred questions. Furthermore, this broad interpretation and the expansion of the fundamental concept of the “controller” might suggest that, if followed by the CJEU, in the future anyone who has any influence on the data processing, especially by just using a service which is associated with data processing, might be held responsible for infringement of data protection law.
With regard to the question of jurisdiction it is worth mentioning that Advocate General Bot especially emphasized that the processing of data in the case at hand consisted of the collection of personal data by means of cookies installed on the computer of visitors to fanpages and specifically intends to enable Facebook to better target its advertisements. Therefore, in line with CJEU’s decision Google Spain and due to effective and immediate application of national rules on data protection and Advocate General Bot holds that this data processing must regarded as taking place in the context of the activities in which Facebook Germany engages in Germany. The fact that the EU head office of the Facebook Inc. is situated in Ireland does not, according to Bot, therefore, prevent the German data protection authority in any way from taking measures against the “Wirtschaftsakademie”. This, however, may be interpreted differently under the upcoming EU’s General Data Protection Regulation (2016/679), which replaces the existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on 25 May 2018.
By Maria E. Sturm
On 12 July 2016, the European Commission issued its implementing decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (Decision 2016/1250). It became necessary after the ECJ declared the safe harbor policy of the EU Commission concerning the USA invalid in Maximilian Schrems v Data Protection Commission (C – 362/14). The new privacy shield contained several alterations to its predecessor, as well as the commitment to an annual review to asses, if an adequate level of data protection is still ensured. The first annual report has been published on 18 October 2017. It is based on meetings between the EU Commission and all relevant U.S. authorities, as well as on input from several stakeholders (companies, NGOs, data protection authorities of the Member States, etc.).
The review covered all aspects of the privacy shield. Those are formally, its implementation, administration, supervision and enforcement and with regard to its content the commercial aspects, as well as aspects of governmental access to personal data. So far, 2400 companies have been certified under the new privacy shield. This means first, that it is used actively and second, that the review commission had sufficient data to examine, if it works and where there are possibilities for improvement and refinement.
The U.S. authorities have introduced complaint-handling and enforcement mechanisms, as well as procedures to protect individual right, including the Ombudsperson mechanism. Furthermore, the relevant safeguards concerning access to personal data by public authorities, namely Presidential Policy Directive 28 (PPD-28), are still in force. Therefore, the report states, that in general, the United States provide an adequate level of protection as required by the European Court of Justice. However, the Commission still made some recommendations for further improvement:
- Companies should not be able to publicly refer to their Privacy Shield certification before the certification is finalized by the Department of Commerce (DoC): some companies referred to their certification after their application, but before the process had been finalized. This discrepancy can lead to wrong public information and can undermine the shield’s credibility.
- The DoC should search proactively and regularly for false claims: this refers to companies who initiated, but never completed the certification process, as well as to companies who never applied for a certification but still publicly suggest they comply with the requirements.
- The DoC should monitor compliance with the Privacy Shield Principles continuously: this could be done e.g. via compliance review questionnaires and/or annual compliance reports (either self-assessment or outside compliance review). The results could be used as starting point for follow up action, in case particular deficiencies are detected.
- DoC and Data Protection Authorities (DPA) should further strengthen awareness rising: in particular, EU citizens should receive information about their rights and how to lodge complaints.
- DoC, DPAs and Federal Trade Commission (FTC) should improve their cooperation: more intensive cooperation between all involved authorities on both sides of the Atlantic can help to implement and enforce the Shield.
- Protections of PPD-28 should be enshrined in the Foreign Intelligence Surveillance Act: this could ensure stability and continuity with regard to the protections of non-US persons.
- Privacy Shield Ombudsperson should be appointed as soon as possible: although the Ombudsperson mechanism already works, the Ombudsperson itself still has not been appointed. This should be done as soon as possible to complete this tool.
- Privacy and Civil Liberties Oversight Board (PCLOB) members should be appointed swiftly: here the same argument applies as in point 7. The board itself already started its work, but is not completely manned and therefore not as efficient as it could be.
- Reports should be released timely and publicly: the U.S. administration should release publicly the PCLOB’s report on the implementation of PPD-28, due to its relevance. In addition, the U.S. authorities should provide the Commission with comprehensive reports on recent relevant developments.
Furthermore, on behalf of the Commission, a study on automated decision-making will take place to collect further information and assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.
After just one year, on could not expect everything to work perfectly, but the report gives an optimistic evaluation. Thus, with some further refinement, it seems, that the United States and the EU have found a helpful and viable tool that balances the companies’ and the government’s need for data with the individuals’ right to protect their data from unauthorized access.