By Nicole Daniel
The proceedings between Apple and Qualcomm began in January 2017 in the U.S. District Court in San Diego when Apple filed suit against Qualcomm over its allegedly abusive licensing practices with its wireless patents. Qualcomm then filed unfair competition law counterclaims. This case is being overseen by U.S. District Judge Gonzalo Curiel.
Apple then sued Qualcomm for similar violations in the UK, China, Japan, and Taiwan.
In July 2017 Qualcomm filed patent claims against Apple also in the U.S. District Court in San Diego. This case is being overseen by U.S. District Judge Dana M. Sabraw. At the same time Qualcomm filed a complaint with the U.S. International Trade Commission accusing the Apple iPhone of infringing five Qualcomm patents.
District Court Case I
In November 2017, Judge Curiel issued a split decision in the first patent and antitrust case between Apple and Qualcomm.
Apple has been seeking a declarative judgment that it had not infringed the nine Qualcomm patents at issue and asked the court to decide on a fair and reasonable licensing rate. Judge Curiel denied those claims, holding instead that no detailed infringement analysis as to the Additional Patents-in-Suit had been conducted.
Judge Curiel further held that Qualcomm had not adequately pleaded claims against Apple based on California’s Unfair Competition Law. These allegations stemmed from Apple’s decision to use both Qualcomm and Intel chips in its iPhone. Before, Apple exclusively used Qualcomm’s chips in earlier versions of the iPhone.
In a hearing in October 2017 the lawyers for Qualcomm claimed that Apple executives threatened to end their business relationship if Qualcomm publicly claimed that its own chipsets were superior to Intel’s. In his order judge Curiel held that Qualcomm had not adequately pleaded the specific facts indicating its own reliance on an alleged omission or misrepresentation by Apple. Accordingly, Qualcomm lacked standing under Unfair Competition Law.
District Court Case II
In the district court patent case, Apple filed counterclaims arguing that Qualcomm infringed patents relating to enabling extended battery life in a smartphone or other mobiles devises by supplying power only when needed. This technology serves to maximize battery life.
Apple further argued that it created the smartphone as its own product category in 2007 when it introduced the iPhone. Qualcomm merely developed basic telephone technology which is now dated.
Qualcomm, on the other hand, argued that the success of the iPhone is due to its technology as Qualcomm has developed high-speed wireless connectivity over decades.
The discussion of who essentially invented the smartphone is of importance since under U.S. President Trump the term “innovator” has become very significant. On 10 November 2017 Makan Delrahim, the new chief of the Department of Justice’s antitrust division, made a policy speech and stated that the government aims to rebalance the scales in antitrust enforcement away from implementers who incorporate the inventions of others into their own products. There will be more emphasis on the innovators’ rights so as to protect their patent-holder rights in cases concerning patents essential to technology standards.
Further Cases filed and the Case at the US International Trade Commission
In November 2017, Qualcomm filed three new district court patent cases against Apple as well as one new complaint for the case pending before the U.S. International Trade Commission. In sum, Qualcomm accuses Apple of infringing 16 non-standard essential patents for technology implemented outside the wireless modern chip.
Despite this litigation, Qualcomm has so far remained a key supplier of chips to Apple.
By Marie-Andrée Weiss
A 5-page copyright infringement complaint filed last April in the Southern District of New York (SDNY) is being closely watched by copyright practitioners, as it may lead the court to rule on whether a Twitter post incorporating a copyrighted photograph, without permission of the author, is copyright infringement. The case is Goldman v. Breitbart News Network LLC et al., 1:17-cv-03144.
In the summer of 2016, Justin Goldman took a picture of the Boston Patriots quarterback, Tom Brady, walking in the streets in the Hamptons, in New York, with members of the basketball team the Boston Celtics. The picture was of interest as it could be implied from it that Tom Brady was helping the Celtics to acquire star player Kevin Durant.
The picture was published by several Twitter users on the microblogging site, and these tweets were then embedded in the body of articles about Tom Brady’s trip to the Hamptons published by Defendants including Yahoo!, Time, the New England Sports Network, Breitbart and others.
Justin Goldman registered his work with the Copyright Office and filed a copyright infringement suit against the platforms which had reproduced his photograph. Defendants moved to dismiss, claiming that the use was not infringing because it was merely embedding, and also because it was fair use. Judge Katherine B. Forrest denied the motion to dismiss on August 17, 2017, because whether embedding a tweet is equivalent to in-line linking could not be determined at this stage of the procedure.
Defendants, minus Breitbart, then filed a motion for partial summary judgment on 5 October 2017. Plaintiff moved to oppose it on 6 November 2017.
The Exclusive Right to Display a Work
Section 106(5) of the Copyright Act gives the copyright owner the exclusive right “to display the copyrighted work publicly.” Section 101 of the Copyright Act defines displaying a work as “to show a copy of it, either directly or by means of a film, slide, television image, or any other device or process or, in the case of a motion picture or other audiovisual work, to show individual images nonsequentially.” Plaintiff argues that “embedding” is one of the processes mentioned in Section 106(5).
Is Embedding a Tweet Just Like In-Line Linking?
Defendants claimed that incorporating an image in a tweet is not different from ‘in-line linking,’ which the Ninth Circuit found to be non-infringing in Perfect 10, Inc., v. Amazon.com, Inc.. In this case, the issue was whether the thumbnail versions of copyrighted images featured by Google on its image search result pages were infringing.
The Ninth Circuit had defined “in-line linking” in Perfect 10 as the “process by which the webpage directs a user’s browser to incorporate content from different computers into a single window”. In this case, Google had provided HTML instructions directing a user’s browser to access a third-party website, but did not store the images on its servers. This was found not to be infringing, as Google did not store the images as it not have a have a copy of the protected photographs, and thus did not display then, since to “display” a work under Section 101 of the Copyright Act requires to show a copy of it. This reasoning is known as the “Server Test”.
Plaintiff distinguished the facts in our case from Perfect 10, claiming that his photograph was shown in full size, that it was not “framed” and that it was featured prominently on Defendant’s websites. He argued that the thumbnails in Perfect 10 were low-resolution pictures which users had to click in order to access the full photos, whereas an embedded tweet allows the user to see the full high-resolution image without further maneuvers.
Defendants argued instead that, similarly to the Perfect 10 facts, tweets were embedded using code which directed user’s browsers to retrieve the Tom Brady picture from Twitter’s servers, and the picture was indeed framed, with a light gray box. They had, as publishers, merely provided an in-line link to the picture already published by the Twitter users, and this was not direct copyright infringement. They argued that the embedded tweets were not stored on, hosted by or transmitted from servers owned or controlled by them.
Meanwhile, in the European Union…
Defendants argued that an embedded tweet functions as a hyperlink, since clicking on it brings the user to the Twitter site. This case is somewhat similar to the European Court of Justice (ECJ) GS Media (see here for our comment) and Swensson cases. In Swensson, the ECJ had found that posting a hyperlink to protected works which had been made freely available to the public is not a communication to the public within the meaning of article 3(1) of the InfoSoc Directive, which gives authors the exclusive right of public communication of their works. Recital 23 of the Directive specifies that this right covers “any… transmission or retransmission of a work to the public by wire or wireless means, including broadcasting.” The ECJ reasoned that providing a hyperlink is not a communication to a new public and is thus not infringing.
In GS Media, the ECJ found that posting hyperlinks to protected works, which had been made available to the public, but without the consent of the right holder, is not a communication to the public within the meaning of article 3(1) of the InfoSoc Directive either. However, if the links were posted by a person who knew or could have reasonably known that the works had been illegally published online, or if they were posted for profit, then posting these hyperlinks are a new communication to the public and thus infringing.
Could ECJ case law on hyperlinks inspire U.S. courts to revisit Perfect 10?
By Nicole Daniel
In October and November 2017 significant developments occurred in the two Apple-Samsung patent cases.
The first concerns litigation between Apple and Samsung that started in 2011 and went to trial in 2012. In October 2017, a retrial was ordered.
A second case between Apple and Samsung was filed in 2012 and went to trial in 2014. In November 2017, the Supreme Court declined to hear Samsung’s appeal—thereby effectively ending the case.
Judge Lucy Koh, a District Judge in the Northern District of California, oversaw both cases.
The first Apple and Samsung case
In an order issued on 22 October 2017, Judge Koh ordered a new trial. This will be the second retrial. A damages retrial took place in November 2013.
This order for retrial comes more than five years after a federal jury ordered Samsung to pay $1.05 billion to Apple for patent infringement regarding the design and software of the iPhone. This sum was reduced to $929.8 million in the damages retrial. In the new trial, the jury will have to reconsider approximately $399 million in damages for design patents. Accordingly, the new trial has the potential to reduce the original damages by nearly 40%.
The decision for the new trial was triggered by a December 2016 Supreme Court decision in this case which held that an “article of manufacture” need not just be the whole product, but could also refer to the specific patented elements of the final product. The damages however, were set considering the infringement of the product as a whole and not of certain parts only.
Judge Koh also set out a four-factor test for the jury to use to determine what the “article of manufacture” in the present case is:
- What is the “scope of design claimed in the plaintiff’s patent”
- What is the “relative prominence of the design within the product as a whole”
- Whether the patented design elements are “conceptually distinct” from the whole phone
- Whether the patented components could be sold separately from the whole iPhone itself
By setting out this test Judge Koh rejected the tests proposed by Apple and Samsung respectively. Judge Koh determined that Samsung’s proposed test was too restrictive whereas Apple’s proposed test was too broad. Judge Koh adopted the test as argued by the Solicitor General in Supreme Court in 2016.
This second retrial will be significant for the development of design patent law as the definition of “article of manufacture” will be central and this is only the second time a federal judge will weigh in on this definition since the 2016 Supreme Court decision.
The second retrial will start on 14 May 2018 and Judge Koh has said that she will adopt an aggressive schedule leading up to the retrial.
Judge Koh further granted Samsung’s request for time for limited new evidence discovery since the law is currently being developed and it would be more prejudicial for Samsung if it was denied discovery.
She also imposed strict time limits on Apple’s and Samsung’s demands and even though the parties proposed a six-day trial she decided that five days would have to suffice. Judge Koh further rejected Samsung’s request to vacate the partial judgment for $548 million she entered in 2015.
The second Apple and Samsung case
On 6 November 2017 the Supreme Court decided not to hear Samsung’s appeal against a $120 million decision in favor of Apple. The Court of Appeal for the Federal Circuit had preserved the original verdict by the jury.
The Supreme Court followed the US Solicitor General’s recommendation to deny the petition for certiorari.
Only some smaller items are left before the case is fully resolved; these regard ongoing royalties to be paid by Samsung and will be decided on by the trial court in San Jose, California.
The original decision for the $119.6 million verdict in favor of Apple was handed down in May 2014 by a federal jury. The Court of Appeal for the Federal Circuit in early 2016 overturned the jury’s verdict. However, then the Court of Appeal for the Federal Circuit met en banc and reversed the three-judge panel. The en banc panel affirmed the lower court decision in an 8-3 decision that denied Samsung’s request for a judgment as a matter of law. Samsung had argued that the three Apple patents that the jury found infringed by Samsung were either not infringed or invalid. This was a rather controversial decision.
Samsung then asked the Supreme Court to decide whether the Court of Appeal for the Federal Circuit had erred in interpreting the four-factor test set out by the Supreme Court in the 2006 decision in eBay v. MercExchange, which states the conditions for when a court may issue an injunction against an infringer of a patent. Samsung argued that there had to be proof that the patented features directly drove demand for the product in question. The Solicitor General argued that no such proof was necessary.
Samsung also argued that the decision Court of Appeal for the Federal Circuit harmed competition and innovation, and that it conflicted with other Supreme Court precedent on patent law. Furthermore, the obviousness of patent claims was treated by the Court of Appeal for the Federal Circuit entirely as a factual rather than a legal question.
Finally, according to Samsung, the Court of Appeal for the Federal Circuit erred in stating that it only needed to consider one out of the three elements of a patent claim.
By Gabriel M. Lentner
As reported by IAReporter, the pharmaceutical company Pfizer served a notice of dispute under the US-Ecuador Bilateral Investment Treaty involving a patent dispute between Pfizer and Argentine generics producer Acromax.
Pfizer holds a patent, obtained in 1999 from the Institute of Intellectual Property of Ecuador, for “the preparation of sildenafil”. Sildenafil is a medication treating erectile dysfunction (better known under the brand name Viagra).
The dispute arises out of several court rulings involving the Argentine-owned pharmaceutical laboratory Acromax, which produced and marketed sildenafil, against which Pfizer pursued claims in defense of its intellectual property rights. Several court rulings dealt with this issue. In the latest ruling, the Ecuadorian Constitutional Court heard an appeal and issued a ruling upholding Acromax’s rights to seek damages against Pfizer.
What Pfizer is allegedly asking is an intervention similar to an international investment tribunal’s issuing of interim measures, such as in the case of Chevron v Ecuador II, which required Ecuador to stop domestic proceedings against the company in the cases related to the dispute.
Should the dispute be brought before an arbitral tribunal, it will be another interesting case dealing with IP-related issues in international investment law.
By Martin Miernicki
On 29 November 2017, the ECJ gave its opinion in VCAST v. RTI (C-265/16). The court ruled on the compatibility of an online service (offered by VCAST) – which provides users with cloud storage space for free-to-air terrestrial programs of TV organizations – with Directive 2001/29/EC (the so-called Copyright Directive), and in particular with its article 5(2)(b) (the so-called private copying exception). Upon the selection of the user, the service autonomously picks up the television signal and records the indicated content in the “cloud”.
Background & questions referred
The case involved questions relating to the private copying exception as well as the concept of the communication to the public, contained in article 3 of the Copyright Directive. The ECJ has repeatedly given its opinion on both matters. Relevant case law includes Padawan v. SGAE (C-467/08), ACI Adam v. Stichting de Thuiskopie (C-435/12), and Copydan Båndkopi v. Nokia Danmark (C-463/12) (on the private copying exception), as well as ITV Broadcasting v. TVCatchup (C-607/11), Reha Training v. GEMA (C-117/15), and AKM v. Zürs.net (C-138/16) (on the communication to the public). In essence, the referring (Italian) court asked the ECJ whether an online cloud service as described above was compatible with the Copyright Directive.
The decision of the court
The ECJ reached the same result as proposed by Advocate General (AG) Szpunar in his opinion and held VCAST’s cloud service is incompatible with EU law. First of all, the court recalled its case law and stated that natural persons can benefit from the private copying exception also in situations where the copying services are provided by a third party (para 35). However, in the opinion of the court, the service at issue did not merely assist users in making lawful reproductions but also, by picking up the television signals, provided access to the protected content (para 38). For this reason, the services in question also qualified as a communication to the public within the meaning of article 3 of the Copyright Directive. Since this act required the consent of the rightholders, the provision of the services at issue infringed their exclusive rights and was hence not permissible under EU law.
What does the judgment mean?
The judgement gave the court the opportunity to reconfirm and clarify its opinion on two recurring issues of the more recent copyright case law: First, the lawfulness of the source of the reproduction which is made under the private copying exception; second, the concept of the communication to the public. With regard to the former, the ECJ held that the private copying exception cannot be invoked where the third party provides access to the protected content (para 37). In principle, this is in line with the prior case law of the court. With regard to the latter, the court referred to the principles established in ITV Broadcasting, holding that acts of communication to the public – different than the original transmission – carried out under specific technical conditions using different means of transmissions are subject to the right holder’s consent (para 48). In such circumstances, the new public criterion is irrelevant (para 50). Obviously, the principles established in AKM were, as indicated by the AG, not relevant for the court (para 52-56 of the AG’s opinion).
In this light, providers of online services will have to assess whether they merely enable natural persons to obtain private copies or whether they also provide access to protected content. As illustrated by the court’s decision, this requires a delineation of the different exclusive rights involved. In this context, it is noticeable that the answer given to the national court appears to be broader than might be expected from the grounds of the judgement. The ECJ stated that cloud services as described above conflict with the Copyright Directive where the provider “actively [involves] itself in the recording, without the right holder’s consent”. Apparently, one way to be “actively involved” in the recording is to communicate the work to the public, thereby providing access to the copyrighted content. However, other ways are also conceivable. For instance, it is unlikely that the private copying exception applies to cases where the service provider takes the initiative to make reproductions, or defines its object and modalities (para 25 of the AG’s opinion). It will be up to the court to shed further light on such questions in future cases.
By Paul Opitz
The Third Chamber of the General Court of the European Union (EGC) ruled on 5 December 2017 that the Chinese smartphone maker Xiaomi, Inc., may not register the EU word mark MI PAD for its tablet computers, since it is likely to be confused with Apple’s iPad. (Xiaomi, Inc., v. European Union Intellectual Property Office, Case T-893/16)
In April 2014, Xiaomi, Inc., (Xiaomi) filed an application for registration of an EU trade mark with the European Union Intellectual Property Office (EUIPO) to register the word sign MI PAD. Registration was sought for Classes 9 and 38 of the Nice Agreement concerning the International Classification of Goods and Services, which correspond to the descriptions of inter alia portable and handheld electronic devices and telecommunication access services.
In August 2014, Apple Inc., (Apple) filed a notice of opposition to registration of the mark in respect of all the goods and services in the applied classes. The opposition was based on Apple´s earlier EU word mark IPAD, which was filed in January 2010 and registered in April 2013, covering goods and services in the same classes. The relative grounds relied on in the opposition were those of identity with, or similarity to an earlier trademark, currently set out in Article 8 (1) (b) of Regulation 2017/1001. This opposition was upheld by the Opposition Division in December 2015, which rejected Xiaomi´s application.
Thereafter, Xiaomi filed an appeal with EUIPO against the Opposition Division´s decision, which was again dismissed in September 2016 on the grounds that the marks MI PAD and IPAD were highly visually and phonetically similar and could lead to a confusion of the relevant public. This decision by the EUIPO was now contested by Xiaomi.
Decision of the General Court
First, the Court established some background on the scope of decisions concerning the relative ground of similarity. According to settled case law, the risk that the public may believe that goods come from the same undertaking or economically-linked undertakings constitutes a likelihood of confusion. Also, this likelihood must be assessed globally and taking into account all factors relevant to the case (Laboratorios RTB v OHIM – Giorgio Beverly Hills, Case T-162/01). For the application of Article 8 (1) (b) of Regulation 2017/1001, a likelihood of confusion presupposes both that the marks are identical or similar and that the goods which they cover are identical or similar (Commercy v OHIM – easyGroup IP Licensing, Case T-316/07).
The relevant public
The Court referred to the decision of the Board of Appeal and emphasized that the goods in question are aimed at both the general public and professional consumers with specific knowledge. Regarding the relevant public´s level of attention, the Court elaborates that although the purchase price of some goods covered by the mark are relatively high, most electronics aimed at the general public are, nowadays, relatively inexpensive and have short lifespans. Therefore, they do not require any particular technical knowledge and leave the level of attention between average and high. Secondly, the Court upheld the Board of Appeal’s finding that the relevant territory is the European Union as a whole.
Comparison of the signs
At first, the Court notes that a global assessment of the likelihood of confusion must be based on the overall impression of the signs, including the visual, phonetic, and conceptual similarity. In the case at issue, the comparison of the marks must be carried out by considering each mark as a whole, since there are no dominant elements. The Court holds that the marks are visually highly similar, since the earlier trade mark IPAD is entirely reproduced in the mark MI PAD. Moreover, they coincide as to the letter sequence “ipad” and differ only as to the presence of the letter “m” at the beginning. Phonetically, the marks are also highly similar, referring to the pronunciation of their common syllable “pad” and of the vowel “I”. The latter will be likely be pronounced as the first person singular possessive pronoun “my” in English and thereby similar to the “I” in Apple’s iPad. The Court clarifies that even minor differences in pronunciation due to the letter “m” are not capable to offset the overall similarities. Conceptually, the English-speaking part of the EU understands the common element “pad” as a tablet or tablet computer, which makes it only weakly distinctive and sufficient for a finding of similarity (Xentral v OHIM – Pages jaunes, Case T-134/06).
The likelihood of confusion
For determining the likelihood of confusion, the interdependences between the similarity of the marks and that of the goods covered must be examined. The court states that the visual and phonetic differences resulting from the presence of the additional letter “m” are not able to rule out a likelihood of confusion as a result of the overall similarities. Neither are the conceptual differences resulting from the prefixes “mi” and “I” sufficient to remove this likelihood created by the common element “pad”. Taking into account that the goods in question are identical, the conceptual similarities overweigh the discrepancies.
In conclusion, the Court could not exclude the possibility that the public might believe that both tablets come from the same undertaking or economically-linked undertakings. Hence, the Court rejected and dismissed the applicant’s plea in law.
CJEU’s General Advocate Bot: Administrators of Facebook Fan Pages May Be Held Responsible for the Data Processing Carried out by Facebook
By Katharina Erler
The opinion of Advocate General Bot delivered on 24 October 2017 and issued in relation to case C-210/16 of the Court of Justice of the European Union (CJEU) suggests that administrators of fan pages on the Facebook social network may as controllers under Article 2(d) of the EU Data Protection Directive (95/46/EC) be held responsible for the data processing carried out by Facebook and for the cookies which Facebook installed for that purpose. In particular, the administrator should be regarded as being, along with Facebook Inc. and Facebook Ireland itself, a controller of the personal data that is carried out for the purpose of compiling viewing statistics for that fan page. Furthermore, Advocate General Bot rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The related case is Unabhängiges Landeszentrum für Datenschutz v. Wirtschaftsakademie, C-210/16.
Facebook fan pages are user accounts that may be set up by individuals as well as businesses. Administrators may use their fan page to present themselves or their businesses for commercial purposes. Facebook also offers the administrators the opportunity to obtain viewing statistics containing information on the characteristics and habits of the visitors of their fan page. These statistics are compiled by Facebook, which collects data of the visitors via cookies, and then personalized by the fan page administrator using selection criteria. This may help administrators to better craft the communications on their fan pages. To compile these statistics Facebook stores at least one cookie containing a unique ID number, active for two years, on the hard disk of every fan page visitor.
A German company “Wirtschaftsakademie Schleswig-Holstein GmbH”, which provides education and training services via a fan page hosted on the website of the social network Facebook was ordered on November 3, 2011 by a German regional data-protection authority “Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein” to deactivate its fan page. This decision was based on the fact that neither the “Wirtschaftsakademie” as administrator nor Facebook had informed visitors of the fan page that Facebook was collecting and processing their personal data.
After it challenged this order and the data-protection authority again dismissed that objection, the “Wirtschaftsakademie” brought an action before a regional German Administrative Court. It ruled on October 9, 2013, that the administrator of a fan page is not a “controller” within the meaning of the German data protection act and therefore cannot be addressee of an order to deactivate the fan page under § 38(5) of the German data protection act (“BDSG”). The Higher Administrative Court, however, dismissed an appeal of the data-protection authority holding that the prohibition of the data processing was unlawful. According to its ruling this was, because prohibition of data processing under this provision is only possible if it is the only way to end the infringement. Facebook was in that position to end the processing of data, and therefore the “Wirtschaftsakademie” was not a “controller” of data processing under § 38(5) of the German data protection act.
In the appeal proceedings, the German Federal Administrative Court, however, confirmed that ruling by considering that the administrator of a fan page is not a data controller within the meaning of neither § 38(5) of the German data protection act not the Article 2(d) of EU-Directive 95/46/EC. Hence, the Court referred several questions to the CJEU, which – questions (1) and (2) – as a core issue concern the question, whether a body, which is non-controller under Article 2(d) of EU-Directive 95/46/EC may be also the addressee of orders of the supervisory bodies.
It is worth mentioning that in order to rule on the lawfulness of the order in question, the referring courts also asked – in its questions (3) and (4) – about the distribution of powers among the supervisory bodies in cases where a parent company has several establishments throughout the EU. Finally – questions (5) and (6) concern questions regarding the necessary network to coordinate and align the decisions of the supervisory bodies in order to avoid different legal appraisal.
Article 2(d) of EU Data Protection Directive 95/46/EC provides that a ‘controller’ is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
Article 17(2) of the EU Data Protection Directive 95/46/EC states that the Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
Article 24 of the EU Data Protection Directive 95/46/EC states that the Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
Article 28(3) of EU Data Protection Directive 95/46/EC stipulates that each authority shall in particular be endowed with: investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties; effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions; and the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed through the courts.
Advocate Bot’s assessment of the questions referred to the CJEU
First, Advocate Bot emphasizes that the referred questions do not touch upon the material matter whether the processing of personal data in the case at hand is contrary to the rules of EU-Directive 95/46/EC.
Under the assumption that the administrator of a fan page is not a controller under Article 2(d) of EU-Directive 95/46/EC, the German Federal Administrative Court especially stresses the question whether Article 2(d) may be interpreted as definitively and exhaustively defining the liability for data protection violations or whether scope remains for responsibility for a body with is no controller within the meaning of this article. This leads to the central question, which is pointed out by General Advocate Bot, whether supervisory bodies are permitted by Article 17(2), 24 and Article 28(3) of Directive 95/46/EC to exercise their powers of interventions against such non-controller.
Advocate General Bot, however, considers the underlying premise to be incorrect and clearly emphasizes that, in his opinion, the administrator of a Facebook fan page must be regarded as jointly responsible for the phase of data processing which consists in the collecting by Facebook of personal data. By referring to CJEU’s Google Spain judgment C-131/12 of 13 May 2014, Advocate General Bot, as a starting point, stresses the importance and fundamental role of the controller under the EU Data Protection Directive and its responsibility to ensure the effectiveness of Directive 95/46/EC and its full protection of data subjects. Therefore, and in view of the history of CJEU’s case law, the concept of the “controller” must be given a broad definition. As the “controller” is the person that decides why and how personal data will be processed, this concept leads to responsibility where there is actually influence.
According to Bot, it is, as the designer of the data processing in question, Facebook Inc. alongside Facebook Ireland, which principally decides on the purposes of this data processing as it, especially, developed the economic model containing on one hand the publication of personalized advertisement and on the other hand the compilation of statistics for fan page administrators. Additionally, because Facebook Ireland has been designated by Facebook Inc. as being responsible for the processing of personal data within the European Union and because some or all of the personal data of Facebook’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, Facebook Inc. alongside Facebook Ireland are responsible for data processing.
But at this point Bot additionally emphasized that Article 2(d) of Directive 95/46/EC expressly provides the possibility of shared responsibility and that it is also necessary to add to the responsibility of Facebook Inc. alongside Facebook Ireland the responsibility of the fan page administrator. Although Bot recognized that a fan page administrator is first and foremost user of Facebook, he stresses that this does not preclude those administrators from being responsible for the phase of data processing. In his view determination of the “controller” under Article 2(d) means any influence in law or in fact over the purposes and means of data processing, and not carrying out of the data processing itself.
Advocate General Bot argued that (1) fan page administrators by only having recourse to Facebook for the publication of its information subscribe the principle that visitor’s data will be processed. That data processing would (2) also not occur without the prior decision of the administrator to operate a fan page in the Facebook social network. And (3) by, on the one hand, enabling Facebook to better target the advertisement and, on the other hand, acquiring better insight into the profiles of its visitors the administrator at least participates in the determination of the purposes of data processing. These objectives are according to Advocate General Bot closely related which would support the joint responsibility.
Moreover (4) the administrator has as a decisive influence the power to bring that data processing to an end by closing the page down. Finally, Bot argued that (5) the administrator by defining criteria for the compilation of statistics and using filters is able to influence the specific way in which that data processing tool is used. This classification as a “controller” would also neither be contradicted by imbalances in the relationship of strength nor by any interpretation that is based solely on the terms and conditions of the contract concluded by the fan page administrator and Facebook. With reference to CJEU’s case Google Spain, Bot pointed out that it is not necessary to have complete control over data processing. This result and broad interpretation of “controller” would also serve the purpose of effective data protection and prevents the possibility to evade responsibility by agreeing to terms and conditions of a service provider for the purposes of hosting information on their website.
Furthermore, Advocate General Bot established a parallel with CJEU’s decision Fashion ID, C-40/17, where the manager of a website embeds in its website the Facebook Like Button, which, when activated, transmits personal data to Facebook. As to the question of Fashion ID “controlled” this data processing, Bot holds that there is no fundamental difference between those two cases. Finally, the Advocate General clarified that joint responsibility does not imply equal responsibility. The various parties may be involved in the processing of data to different degrees.
It seems surprising that Advocate General Bot simply rejected the premise of the German Federal Administrative Court, instead bringing to the foreground the question on the interpretation of the “controller” under Article 2(d)—even changing the focus of the referred questions. Furthermore, this broad interpretation and the expansion of the fundamental concept of the “controller” might suggest that, if followed by the CJEU, in the future anyone who has any influence on the data processing, especially by just using a service which is associated with data processing, might be held responsible for infringement of data protection law.
With regard to the question of jurisdiction it is worth mentioning that Advocate General Bot especially emphasized that the processing of data in the case at hand consisted of the collection of personal data by means of cookies installed on the computer of visitors to fanpages and specifically intends to enable Facebook to better target its advertisements. Therefore, in line with CJEU’s decision Google Spain and due to effective and immediate application of national rules on data protection and Advocate General Bot holds that this data processing must regarded as taking place in the context of the activities in which Facebook Germany engages in Germany. The fact that the EU head office of the Facebook Inc. is situated in Ireland does not, according to Bot, therefore, prevent the German data protection authority in any way from taking measures against the “Wirtschaftsakademie”. This, however, may be interpreted differently under the upcoming EU’s General Data Protection Regulation (2016/679), which replaces the existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on 25 May 2018.