Archive | Legislation and policy-making RSS for this section

The European Commission’s FinTech Action Plan and Proposed Regulation on Crowdfunding

By Jonathan Cardenas

On 8 March 2018, the European Commission (“Commission”) introduced its FinTech Action Plan, a policy proposal designed to augment the international competitiveness of the European Single Market in the financial services sector.[1]  Together with the FinTech Action Plan, the Commission introduced a proposal for a regulation on European crowdfunding services providers (“Proposed Regulation on Crowdfunding”).[2]  Both of these proposals form part of a broader package of measures designed to deepen and complete the European Capital Markets Union by 2019.[3]  This article briefly summarizes both the FinTech Action Plan and the Proposed Regulation on Crowdfunding.

 

  1. FinTech Action Plan

With the goal of turning the European Union (“EU”) into a “global hub for FinTech,”[4] the FinTech Action Plan introduces measures that build upon several of the Commission’s prior initiatives, including the regulatory modernization objectives set forth by the Commission’s internal Task Force on Financial Technology,[5] the capital market integration objectives identified in the Commission’s Capital Markets Union Action Plan,[6] and the digital market integration objectives identified in the Commission’s Digital Single Market Strategy.[7]  Responding to calls from the European Parliament[8] and European Council[9] for a proportional, future-oriented regulatory framework that balances competition and innovation while preserving financial stability and investor protection, and also drawing upon the conclusions of the March–June 2017 Public Consultation on FinTech,[10] the FinTech Action Plan consists of a “targeted,”[11] three-pronged strategy, that sets out 19 steps[12] to enable the EU economy to cautiously embrace the digital transformation of the financial services sector.

  • “Enabling Innovative Business Models to Reach EU Scale”

The first prong of the FinTech Action Plan is focused on measures that will enable EU-based FinTech companies to access and scale across the entire Single Market.

Recognizing the need for regulatory harmonization, the Commission calls for uniformity in financial service provider licensing requirements across the EU to avoid conflicting national rules that hamper the development of a single European market in emerging financial services, such as crowdfunding (Step 1).  With crowdfunding specifically in mind, the Commission has proposed a regulation on European crowdfunding service providers (“ECSPs”), which, as discussed in further detail below, would create a pan-European passport regime for ECSPs that want to operate and scale across EU Member State borders.  In addition, the Commission invites the European Supervisory Authorities (“ESAs”) to outline differences in FinTech licensing requirements across the EU, particularly with regard to how Member State regulatory authorities apply EU proportionality and flexibility principles in the context of national financial services legislation (Step 2).  The Commission encourages the ESAs to present Member State financial regulators with recommendations as to how national rules can converge.  The Commission also encourages the ESAs to present the Commission with recommendations as to whether there is a need for EU-level financial services legislation in this context.  Moreover, the Commission will continue to monitor developments in the cryptocurrency asset and initial coin offering (“ICO”) space in conjunction with the ESAs, the European Central Bank, the Financial Stability Board and other international standard setters in order to determine whether EU-level regulatory measures are needed (Step 3).

Recognizing the importance of common standards for the development of an EU-wide FinTech market, the Commission is focused on developing standards that will enhance interoperability between FinTech market player systems.  The Commission plans to work with the European Committee for Standardization and the International Organization for Standardization to develop coordinated approaches on FinTech standards by Q4 2018, particularly in relation to blockchain technology (Step 4).  In addition, the Commission will support industry-led efforts to develop global standards for application programming interfaces by mid-2019 that are compliant with the EU Payment Services Directive and EU General Data Protection Regulation (Step 5).

In order to facilitate the emergence of FinTech companies across the EU, the Commission encourages the development of innovation hubs (institutional arrangements in which market players engage with regulators to share information on market developments and regulatory requirements)[13] and regulatory sandboxes (controlled spaces in which financial institutions and non-financial firms can test new FinTech concepts with the support of a government authority for a limited period of time),[14] collectively referred to by the Commission as “FinTech facilitators.”[15]  The Commission specifically encourages the ESAs to identify best practices for innovation hubs and regulatory sandboxes by Q4 2018 (Step 6).  The Commission invites the ESAs and Member States to take initiatives to facilitate innovation based on these best practices, and in particular, to promote the establishment of innovation hubs in all Member States (Step 7).  Based upon the work of the ESAs, the Commission will present a report with best practices for regulatory sandboxes by Q1 2019 (Step 8).

  • “Supporting the Uptake of Technological Innovation in the Financial Sector”

The second prong of the FinTech Action Plan is focused on measures that will facilitate the adoption of FinTech across the EU financial services industry.

The Commission begins the second prong by indicating that its policy approach to FinTech is guided by the principle of “technology neutrality,” an EU regulatory principle that requires national regulators to ensure that national regulation “neither imposes nor discriminates in favour of the use of a particular type of technology.”[16]  In this regard, the Commission plans to setup an expert group to assess, by Q2 2019, the extent to which the current EU regulatory framework for financial services is neutral toward artificial intelligence and distributed ledger technology, particularly in relation to jurisdictional questions surrounding blockchain-based applications, the validity and enforceability of smart contracts, and the legal status of ICOs (Step 9).

In addition to ensuring that EU financial regulation is fit for artificial intelligence and blockchain, the Commission also intends to remove obstacles that limit the use of cloud computing services across the EU financial services industry.  In this regard, the Commission invites the ESAs to produce, by Q1 2019, formal guidelines that clarify the expectations of financial supervisory authorities with respect to the outsourcing of data by financial institutions to cloud service providers (Step 10).  The Commission also invites cloud service providers, cloud services users and regulatory authorities to collaboratively develop self-regulatory codes of conduct that will eliminate data localization restrictions, and in turn, enable financial institutions to port their data and applications when switching between cloud services providers (Step 11).  In addition, the Commission will facilitate the development of standard contractual clauses for cloud outsourcing by financial institutions, particularly with regard to audit and reporting requirements (Step 12).

Recognizing that blockchain and distributed ledger technology will “likely lead to a major breakthrough that will transform the way information or assets are exchanged,”[17] the Commission plans to hold additional public consultations in Q2 2018 on the possible implementation of the European Financial Transparency Gateway, a pilot project that uses distributed ledger technology to record information about companies listed on EU securities markets (Step 13).  In addition, the Commission plans to continue to develop a comprehensive, cross-sector strategy toward blockchain and distributed ledger technology that enables the introduction of FinTech and RegTech applications across the EU (Step 14).  In conjunction with both the EU Blockchain Observatory and Forum, and the European Standardization Organizations, the Commission will continue to support interoperability and standardization efforts, and will continue to evaluate blockchain applications in the context of the Commission’s Next Generation Internet Initiative (Step 15).

Recognizing that regulatory uncertainty and fragmentation prevents the European financial services industry from taking up new technology, the Commission will also establish an EU FinTech Lab in Q2 2018 to enable EU and national regulators to engage in regulatory discussions and training sessions with select technology providers in a neutral, non-commercial space (Step 16).

  • “Enhancing Security and Integrity of the Financial Sector”

The third prong of the FinTech Action Plan is focused on financial services industry cybersecurity.

Recognizing the cross-border nature of cybersecurity threats and the need to make the EU financial services industry cyberattack resilient, the Commission will organize a public-private workshop in Q2 2018 to examine regulatory obstacles that limit cyber threat information sharing between financial market participants, and to identify potential solutions to these obstacles (Step 17).  The Commission also invites the ESAs to map, by Q1 2019, existing supervisory practices related to financial services sector cybersecurity, to consider issuing guidelines geared toward supervisory convergence in cybersecurity risk management, and if necessary, to provide the Commission with technical advice on the need for EU regulatory reform (Step 18).  The Commission also invites the ESAs to evaluate, by Q4 2018, the costs and benefits of developing an EU-coordinated cyber resilience testing framework for the entire EU financial sector (Step 19).

 

  1. Proposed Regulation on Crowdfunding

In line with the Commission’s Capital Markets Union objective of broadening access to finance for start-up companies,[18] the Proposed Regulation on Crowdfunding is aimed at facilitating crowdfunding activity across the Single Market.  The proposed regulation plans to enable investment-based and lending-based ECSPs to scale across Member State borders by creating a pan-European crowdfunding passport regime under which qualifying ECSPs can provide crowdfunding services across the EU without the need to obtain individual authorization from each Member State.  The proposed regulation also seeks to minimize investor risk exposure by setting forth organizational and operational requirements, which include, among others, prudent risk management and adequate information disclosure.

[1] COM (2018) 109/2 – FinTech Action plan: For a more competitive and innovative European financial sector. Available at: https://ec.europa.eu/info/sites/info/files/180308-action-plan-fintech_en.pdf.

[2] COM (2018) 113 – Proposal for a regulation on European Crowdfunding Service Providers (ECSP) for Business. Available at: https://ec.europa.eu/info/law/better-regulation/initiative/181605/attachment/090166e5b9160b13_en.

[3] COM (2018) 114 final – Completing the Capital Markets Union by 2019 – time to accelerate delivery. Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52018DC0114&from=EN.

[4] European Commission Press Release, “FinTech: Commission Takes Action For a More Competitive and Innovative Financial Market,” 8 March 2018. Available at: https://ec.europa.eu/info/sites/info/files/180308-action-plan-fintech_en.pdf.

[5] European Commission Banking and Finance Newsletter, Task Force on Financial Technology, 28 March 2017. Available at: http://ec.europa.eu/newsroom/fisma/item-detail.cfm?item_id=56443&utm_source=fisma_newsroom&utm_medium=Website&utm_campaign=fisma&utm_content=Task%20Force%20on%20Financial%20Technology&lang=en.  See also European Commission Announcement, Vice President’s speech at the conference #FINTECHEU “Is EU regulation fit for new financial technologies?,” 23 March 2017.  Available at: https://ec.europa.eu/commission/commissioners/2014-2019/dombrovskis/announcements/vice-presidents-speech-conference-fintecheu-eu-regulation-fit-new-financial-technologies_en.  See also European Commission Blog Post, “European Commission sets up an internal Task Force on Financial Technology,” 14 November 2016.  Available at: https://ec.europa.eu/digital-single-market/en/blog/european-commission-sets-internal-task-force-financial-technology.

[6] COM/2015/0468 final – Action Plan on Building a Capital Markets Union.  Available at : http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52015DC0468&from=EN.

[7] COM(2015) 192 final – A Digital Single Market Strategy for Europe, 6 May 2015.  Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52015DC0192&from=EN.  See also COM (2017) 228 final – Mid-Term review on the implementation of the Digital Single Market Strategy: A Connected Digital Single Market for All, 10 May 2017.  Available at: http://eur-lex.europa.eu/resource.html?uri=cellar:a4215207-362b-11e7-a08e-01aa75ed71a1.0001.02/DOC_1&format=PDF.

[8] European Parliament Committee on Economic and Monetary Affairs, Report on FinTech: the influence of technology on the future of the financial sector, Rapporteur: Cora van Nieuwenhuizen, 2016/2243(INI), 28 April 2017.  Available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2017-0176+0+DOC+PDF+V0//EN.

[9] EUCO 14/17, CO EUR 17, CONCL 5, European Council Meeting Conclusions, 19 October 2017. Available at:  http://www.consilium.europa.eu/media/21620/19-euco-final-conclusions-en.pdf.

[10] European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union, “Summary of contributions to the ‘Public Consultation on FinTech: a more competitive and innovative European financial sector,’” 2017.  Available at: https://ec.europa.eu/info/sites/info/files/2017-fintech-summary-of-responses_en.pdf.

[11] FinTech Action Plan.

[12] European Commission Press Release, “FinTech: Commission Takes Action For a More Competitive and Innovative Financial Market,” 8 March 2018. Available at: https://ec.europa.eu/info/sites/info/files/180308-action-plan-fintech_en.pdf.

[13] EBA/DP/2017/02 – Discussion Paper on the EBA’s approach to financial technology (FinTech), 4 August 2017. Available at: https://www.eba.europa.eu/documents/10180/1919160/EBA+Discussion+Paper+on+Fintech+%28EBA-DP-2017-02%29.pdf.

[14] Id.

[15] FinTech Action Plan, p. 8.

[16] Directive 2002/21 on a common regulatory framework for electronic communications networks and services (Framework Directive) [2002] OJ L108/33.  Available at: https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A32002L0021.

[17] FinTech Action Plan, p. 12.

[18] Capital Markets Union Action Plan.

Advertisements

Facebook’s Data Sharing Practices under Unfair Competition Law

By Catalina Goanta

2018 has so far not been easy on the tech world. The first months of the year brought a lot of bad news: two accidents with self-driving cars (Tesla and Uber) and the first human casualty,[1] another Initial Coin Offering (ICO) scam costing investors $660 million,[2] and Donald Trump promising to go after Amazon.[3] But the scandal that made the most waves had to do with Facebook data being used by Cambridge Analytica.[4]

 

Data brokers and social media

In a nutshell, Cambridge Analytica was a UK-based company that claimed to use data to change audience behavior either in political or commercial contexts.[5] Without going too much into detail regarding the identity of the company, its ties, or political affiliations, one of the key points in the Cambridge Analytica whistleblowing conundrum is the fact that it shed light on Facebook data sharing practices which, unsurprisingly, have been around for a while. To create psychometric models which could influence voting behavior, Cambridge Analytica used the data of around 87 million users, obtained through Facebook’s Graph Application Programming Interface (API), a developer interface providing industrial-level access to personal information.[6]

The Facebook Graph API

The first version of the API (v1.0), which was launched in 2010 and was up until 2015, could be used to not only gather public information about a given pool of users, but also about their friends, in addition to granting access to private messages sent on the platform (see Table 1 below). The amount of information belonging to user friends that Facebook allowed third parties to tap into is astonishing. The extended profile properties permission facilitated the extraction of information about: activities, birthdays, check-ins, education history, events, games activity, groups, interests, likes, location, notes, online presence, photo and video tags, photos, questions, relationships and relationships details, religion and politics, status, subscriptions, website and work history. Extended permissions changed in 2014, with the second version of the Graph API (v2.0), which suffered many other changes since (see Table 2). However, one interesting thing that stands out when comparing versions 1.0 and 2.0 is that less information is gathered from targeted users than from their friends, even if v2.0 withdrew the extended profile properties (but not the extended permissions relating to reading private messages).

Table 1 – Facebook application permissions and availability to API v1 (x) and v2 (y)[7]

Cambridge Analytica obtained Facebook data with help from another company, Global Science Research, set up by Cambridge University-affiliated faculty Alexandr Kogan and Joseph Chancellor. Kogan had previously collaborated with Facebook for his work at the Cambridge Prosociality & Well-Being Lab. For his research, Kogan collected data from Facebook as a developer, using the Lab’s account registered on Facebook via his own personal account, and he was also in contact with Facebook employees who directly sent him anonymized aggregate datasets.[8]

Table 2 – The History of the Facebook Graph API

The Facebook employees who sent him the data were working for Facebook’s Protect and Care Team, but were themselves doing research on user experience as PhD students.[9] Kogan states that the data he gathered with the Global Science Research quiz is separate from the initial data he used in his research, and it was kept on different servers.[10] Kogan’s testimony before the UK Parliament’s Digital, Culture, Media and Sport Committee does clarify which streams of data were used by which actors, but none of the Members of Parliament attending the hearing asked any questions about the very process through which Kogan was able to tap into Facebook user data. He acknowledged that for harvesting information for the Strategic Communication Laboratories – Cambridge Analytica’s affiliated company – he used a market research recruitment strategy: for around $34 per person, he aimed at recruiting up to 20,000 individuals who would take an online survey.[11] The survey would be accessible through an access token, which required participants to login using their Facebook credentials.

Access Tokens

On the user end, Facebook Login is an access token which allows users to log in across platforms. The benefits of using access tokens are undeniable: having the possibility to operate multiple accounts using one login system allows for efficient account management. The dangers are equally clear. On the one hand, one login point (with one username and one password) for multiple accounts can be a security vulnerability. On the other hand, even if Facebook claims that the user is in control of the data shared with third parties, some apps using Facebook Login – for instance wifi access in café’s, or online voting for TV shows – do not allow users to change the information requested by the app, creating a ‘take it or leave it’ situation for users.

Figure 1 – Facebook Login interface

On the developer end, access tokens allow apps operating on Facebook to access the Graph API. The access tokens perform two functions:

  • They allow developer apps to access user information without asking for the user’s password; and
  • They allow Facebook to identify developer apps, users engaging with this app, and the type of data permitted by the user to be accessed by the app.[12]

Understanding how Facebook Login works is essential in clarifying what information users are exposed to right before agreeing to hand their Facebook data over to other parties.

 

Data sharing and consent

As Figure 1 shows, and as it can be seen when browsing through Facebook’s Terms of Service, consent seems to be at the core of Facebook’s interaction with its users. This being said, it is impossible to determine, on the basis of these terms, what Facebook really does with the information it collects. For instance, in the Statement of Rights and Responsibilities dating from 30 January 2015, there is an entire section on sharing content and information:

  1. You own all of the content and information you post on Facebook, and you can control how it is shared through your privacyand application settings. In addition: 
  1. For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. 
  2. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
  3. When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you.  We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information.  (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)
  4. When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture).
  5. We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use your feedback or suggestions without any obligation to compensate you for them (just as you have no obligation to offer them).

This section appears to establish Facebook as a user-centric platform that wants to give as much ownership to its customers. However, the section says nothing about the fact that app developers used to be able to tap not only into the information generated by users, but also that of their friends, to an even more extensive degree. There are many other clauses in the Facebook policies that could be relevant for this discussion, but let us dwell on this section.

Taking a step back, from a legal perspective, when a user gets an account with Facebook, a service contract is concluded. If users reside outside of the U.S. or Canada, clause 18.1 of the 2015 Statement of Rights and Responsibilities mentions the service contract to be an agreement between the user and Facebook Ireland Ltd. For U.S. and Canadian residents, the agreement is concluded with Facebook Inc.[13] Moreover, according to clause 15, the applicable law to the agreement is the law of the state of California.[14] This clause does not pose any issues for agreements with U.S. or Canadian users, but it does raise serious problems for users based in the European Union. In consumer contracts, European law curtails party autonomy in choosing applicable law, given that some consumer law provisions in European legislation are mandatory, and cannot be derogated from.[15] Taking the example of imposing the much lesser protections of U.S. law on European consumers, such clauses would not be valid under EU law. As a result, in 2017 the Italian Competition and Market Authority gave WhatsApp a €3 million fine on the ground that such contractual clauses are unfair.[16]

Apart from problems with contractual fairness, additional concerns arise with respect to unfair competition. Set between competition law and private law, unfair competition is a field of law that takes into account both bilateral transactions, as well as the broader effect they can have on a market. The rationale behind unfair competition is that deceitful/unfair trading practices which give businesses advantages they might otherwise not enjoy should be limited by law.[17] As far as terminology goes, in Europe, Directive 2005/29/EC, the main instrument regulating unfair competition, uses the terms ‘unfair commercial practices’, whereas in the United States, the Federal Trade Commission refers to ‘unfair or deceptive commercial practices’.[18] The basic differences between the approaches taken in the two federal/supranational legal systems can be consulted in Figure 2 below:

Figure 2 – U.S. & EU unfair competition law (van Eijk, Hoofnagle & Kannekens, 2017)[19]

 

Facebook’s potentially unfair/deceptive commercial practices

In what follows, I will briefly refer to the 3 comparative criteria identified by van Eijk et al.[20]

The fact that a business must do something (representation, omission, practice, etc.) which deceives or is likely to deceive or mislead the consumer is a shared criterion in both legal systems. There are two main problems with Facebook’s 2015 terms of service to this end. First, Facebook does not specify how exactly the company shares user data and with whom. Second, this version of the terms makes no reference whatsoever to the sharing of friends’ data, as could be done through the extended permissions. These omissions, as well as the very limited amount of information offered to consumers, through which they are supposed to understand Facebook’s links to other companies as far as their own data is concerned, are misleading.

The second criterion, that of the reasonable/average consumer, is not so straight forward: the information literacy of Facebook users fluctuates, as it depends on demographic preferences. With the emergence of new social media platforms such as Snapchat and Musical.ly, Facebook might not be the socializing service of choice for younger generations. However, official statistics are based on data that includes a lot of noise. It seems that fake accounts make up around 3% of the total number of Facebook accounts, and duplicate accounts make up around 10% of the same total.[21] This poses serious questions regarding the European standard of the average consumer, because there is no way to currently estimate how exactly this 13% proportion would change the features of the entire pool of users. There are many reasons why fake accounts exist, but let me mention two of them. First, the minimum age for joining Facebook is 13; however, the enforcement of this policy is not easy, and a lot of minors can join the social media platform by simply lying about their age. Second, fake online profiles allow for the creation of dissociate lives: individuals may display very different behavior under the veil of anonymity, and an example in this respect is online bullying.

Figure 3 – Distribution of Facebook users worldwide as of April 2018, by age and gender (Statista, 2018)

These aspects can make it difficult for a judge to determine the profile of the reasonable/average consumer as far as social media is concerned: would the benchmark include fake and duplicate accounts? Would the reasonable/average consumer standard have to be based on the real or the legal audience? What level of information literacy would this benchmark use? These aspects remain unclear.

The third criterion is even more complex, as it deals with the likelihood of consumers taking a different decision, had they had more symmetrical information. Two main points can be made here. On the one hand, applying this criterion leads to a scenario where we would have to assume that Facebook would better disclose information to consumers. This would normally take the form of specific clauses in the general terms and conditions. For consumers to be aware of this information, they would have to read these terms with orthodoxy, and make rational decisions, both of which are known not to be the case: consumers simply do not have time and do not care about general terms and conditions, and make impulsive decisions. If that is the case for the majority of the online consumer population, it is also the case for the reasonable/average consumer. On the other hand, perhaps consumers might feel more affected if they knew beforehand the particularities of data sharing practices as they occurred in the Cambridge Analytica situation: that Facebook was not properly informing them about allowing companies to broker their data to manipulate political campaigns. This, however, is not something Facebook would inform its users about directly, as Cambridge Analytica is not the only company using Facebook data, and such notifications (if even desirable from a customer communication perspective), would not be feasible, or would lead to information overload and consumer fatigue. If this too translates into a reality where consumers do not really care about such information, the third leg of the test seems not to be fulfilled. In any case, this too is a criterion which will very likely raise many more questions that it aims to address.

In sum, two out of the three criteria would be tough to fulfill. Assuming, however, that they would indeed be fulfilled, and even though there are considerable differences in the enforcement of the prohibition against unfair/deceptive commercial practices, the FTC, as well as European national authorities can take a case against Facebook to court to order injunctions, in addition to other administrative or civil acts. A full analysis of European and Dutch law in this respect will soon be available in a publication authored together with Stephan Mulders.

 

Harmonization and its discontents

The Italian Competition and Market Authority (the same entity that fined WhatsApp) launched an investigation into Facebook on April 6, on the ground that its data sharing practices are misleading and aggressive.[22] The Authority will have to go through the same test as applied above, and in addition, will very likely also consult the black-listed practices annexed to the Directive. Should this public institution from a Member State find that these practices are unfair, and should the relevant courts agree with this assessment, a door for a European Union-wide discussion on this matter will be opened. Directive 2005/29/EC is a so-called maximum harmonization instrument, meaning that the European legislator aims for it to level the playing field on unfair competition across all Member States. If Italy’s example is to be followed, and more consumer authorities restrict Facebook practices, this could mark the most effective performance of a harmonizing instrument in consumer protection. If the opposite happens, and Italy ends up being the only Member State outlawing such practices, this could be a worrying sign of how little impact maximum harmonization has in practice.

 

New issues, same laws

Nonetheless, in spite of the difficulties in enforcing unfair competition, this discussion prompts one main take-away: data-related practices do fall under the protections offered by regulation on unfair/deceptive commercial practices.[23] This type of regulation already exists in the U.S. just as much as it exists in the EU, and is able to handle new legal issues arising out of the use of disruptive technologies. The only areas where current legal practices are in need of an upgrade deal with interpretation and proof: given the complexity of social media platforms and the many ways in which they are used, perhaps judges and academics should also make use of data science to better understand the behavior of these audiences, as long as this behavior is central for legal assessments.

[1] Will Knight, ‘A Self-driving Uber Has Killed a Pedestrian in Arizona’, MIT Technology Review, The Download, March 19, 2018; Alan Ohnsman, Fatal Tesla Crash Exposes Gap In Automaker’s Use Of Car Data, Forbes, April 16, 2018.

[2] John Biggs, ‘Exit Scammers Run Off with $660 Million in ICO Earnings’, TechCrunch, April 13, 2018.

[3] Joe Harpaz, ‘What Trump’s Attack On Amazon Really Means For Internet Retailers’, Forbes, April 16, 2018.

[4] Carole Cadwalladr and Emma Graham-Harrison, ‘Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach’, The Guardian, March 17, 2018.

[5] The Cambridge Analytica website reads: ‘Data drives all we do. Cambridge Analytica uses data to change audience behavior. Visit our political or commercial divisions to see how we can help you.’, last visited on April 27, 2018. It is noteworthy that the company started insolvency procedures on 2 May, in an attempt to rebrand itself as Emerdata, see see Shona Ghosh and Jake Kanter, ‘The Cambridge Analytica power players set up a mysterious new data firm — and they could use it for a ‘Blackwater-style’ rebrand’, Business Insider, May 3, 2018.

[6] For a more in-depth description of the Graph API, as well as its Instagram equivalent, see Jonathan Albright, The Graph API: Key Points in the Facebook and Cambridge Analytica Debacle, Medium, March 21, 2018.

[7] Iraklis Symeonidis, Pagona Tsormpatzoudi & Bart Preneel, ‘Collateral Damage of Facebook Apps: An Enhanced Privacy Scoring Model’, IACR Cryptology ePrint Archive, 2015, p. 5.

[8] UK Parliament Digital, Culture, Media and Sport Committee, ‘Dr Aleksandr Kogan questioned by Committee’, April 24, 2018; see also the research output based on the 57 billion friendships dataset: Maurice H. Yearwood, Amy Cuddy, Nishtha Lamba, Wu Youyoua, Ilmo van der Lowe, Paul K. Piff, Charles Gronind, Pete Fleming, Emiliana Simon-Thomas, Dacher Keltner, Aleksandr Spectre, ‘On Wealth and the Diversity of Friendships: High Social Class People around the World Have Fewer International Friends’, 87 Personality and Individual Differences 224-229 (2015).

[9] UK Parliament Digital, Culture, Media and Sport Committee hearing, supra note 8.

[10] Ibid.

[11] This number mentioned by Kogan in his witness testimony conflicts with media reports which indicate a much higher participation rate in the study, see Julia Carrie Wong and Paul Lewis, ‘Facebook Gave Data about 57bn Friendships to Academic’, The Guardian, March 22, 2018.

[12] For an overview of Facebook Login, see Facebook Login for Apps – Overview, last visited on April 27, 2018.

[13] Clause 18.1 (2015) reads: If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc.  Otherwise, this Statement is an agreement between you and Facebook Ireland Limited.

[14] Clause 15.1 (2015) reads: The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.

[15] Giesela Ruhl, ‘Consumer Protection in Choice of Law’, 44(3) Cornell International Law Journal 569-601 (2011), p. 590.

[16] Italian Competition and Market Authority, ‘WhatsApp fined for 3 million euro for having forced its users to share their personal data with Facebook’, Press Release, May 12, 2018.

[17] Rogier de Vrey, Towards a European Unfair Competition Law: A Clash Between Legal Families : a Comparative Study of English, German and Dutch Law in Light of Existing European and International Legal Instruments (Brill, 2006), p. 3.

[18] Nico van Eijk, Chris Jay Hoofnagle & Emilie Kannekens, ‘Unfair Commercial Practices: A Complementary Approach to Privacy Protection’, 3 European Data Protection Law Review 1-12 (2017), p. 2.

[19] Ibid., p. 11.

[20] The tests in Figure 2 have been simplified by in order to compare their essential features; however, upon a closer look, these tests include other details as well, such as the requirement of a practice being against ‘professional diligence’ (Art. 4(1) UCPD).

[21] Patrick Kulp, ‘Facebook Quietly Admits to as Many as 270 Million Fake or Clone Accounts’, Mashable, November 3, 2017.

[22] Italian Competition and Market Authority, ‘Misleading information for collection and use of data, investigation launched against Facebook’, Press Release, April 6, 2018.

[23] This discussion is of course much broader, and it starts from the question of whether a data-based service falls within the material scope of, for instance, Directive 2005/29/EC. According to Art. 2(c) corroborated with Art. 3(1) of this Directive, it does. See also Case C‑357/16, UAB ‘Gelvora’ v Valstybinė vartotojų teisių apsaugos tarnyba, ECLI:EU:C:2017:573, para. 32.

 

 

The Move Towards Explainable Artificial Intelligence and its Potential Impact on Judicial Reasoning

By Irene Ng (Huang Ying)

In 2017, the Defense Advanced Research Projects Agency (“DARPA”) launched a five year research program on the topic of explainable artificial intelligence.[1] Explainable artificial intelligence, or also known as XAI, refers to an artificial intelligence system whereby its decisions or output are explainable and understood by humans.

The growth of XAI in the field of artificial intelligence research is noteworthy considering the current state of AI research, whereby decisions made by machines are opaque in its reasoning and, in several cases, not understood by their human developers. This is also known as the “black box” of artificial intelligence; when input is being fed into the “black box”, an output based on machine learning techniques is produced, although there is no explanation behind why the output is as it is.[2] This problem is not undocumented – there have been several cases when machine learning algorithms have made certain decisions, but developers are puzzled at how such decisions were reached.[3]

The parallel interest in the use of artificial intelligence in judicial decision-making renders it interesting to consider how XAI will influence the development of an AI judge or arbitrator. Research in the use of AI for judicial decision-making is not novel. It was reported in 2016 that a team of computer scientists from UCL managed to develop an algorithm that “has reached the same verdicts as judges at the European court of human rights in almost four in five cases involving torture, degrading treatment and privacy”.[4] Much however remains to be said about the legal reasoning of such an AI-verdict.

The lack of an explainable legal reasoning is, unsurprisingly, a thorny issue towards pressing for automated decision-making by machines. This sentiment has been echoed by several authors who have written in the field of AI judges or AI arbitrators.[5] The opacity in the conclusion of an AI-verdict is alarming for lawyers, especially where legal systems are predicated on the legal reasoning of judges, arbitrators or adjudicators. In certain fields of law, such as criminal law and sentencing, the lack of transparency in the reasoning by an AI-judge in reaching a sentencing verdict can pose further moral and ethical dilemmas.

Furthermore, as AI judges are trained by datasets, who ensures that such datasets are not inherently biased so as to ensure that the AI-verdict will not be biased against specific classes of people as well? The output generated by a machine learning algorithm is highly dependent on the data that is fed to train the system. This has led to reports highlighting “caution against misleading performance measures for AI-assisted legal techniques”.[6]

In light of the opacity in legal reasoning provided by AI judges or AI arbitrators, how would XAI change or impact the field of AI judicial decision-making? Applying XAI in the field of judicial decision-making, an XAI judge or arbitrator would produce an AI verdict and produce a reasoning for such a decision. Whether such reasoning is legal or factual, or even logical, is not important at this fundamental level – what is crucial is that a reasoning has been provided, and such reasoning can be understood and subsequently challenged by lawyers, if disagreed upon. Such an XAI judge would at least function better in legal systems whereby appeal of the verdict is based on challenges to the reasoning of the judge or arbitrator.

This should also be seen in light of the EU’s upcoming General Data Protection Regulation (“GDPR”), whereby a “data subject shall have the right not to be subject to a decision based solely on automated processing”[7] and it appears uncertain at this point whether a data subject has the right to ask for an explanation about an algorithm that made the decision.[8] For developers that are unable to explain the reasoning behind their algorithm’s decisions, this may prove to be a potential landmine considering the tough penalties for flouting the GDPR.[9] This may thus be an implicit call to move towards XAI, especially for developers building AI judicial decision-making software that uses personal data of EU citizens.

As the legal industry still grapples with the introduction of AI in its daily operations, such as the use of the ROSS Intelligence system,[10] the development of other fields of AI such as XAI should not go unnoticed. While the use of an AI judge or AI arbitrator is not commonplace at the present moment, if one considers how XAI may be a better alternative for the legal industry as compared to traditional AI or machine learning methods, development of AI judges or arbitrators using XAI methods rather than traditional AI methods might be more ethically and morally acceptable.

Yet, legal reasoning is difficult to replicate in an XAI – the same set of facts can lead to several different views. Would XAI replicate these multi-faceted views, and explain them? But before we even start to ponder about such matters, perhaps we should first start getting the machine to give an explainable output that we can at least agree and disagree about.

[1] David Gunning, Explainable Artificial Intelligence (XAI), https://www.darpa.mil/program/explainable-artificial-intelligence.

[2] BlackBox, AI, https://www.sentient.ai/blog/understanding-black-box-artificial-intelligence/

[3] Will Knight, The Dark Secret at the Heart of AI, April 11, 2017, https://www.technologyreview.com/s/604087/the-dark-secret-at-the-heart-of-ai/.

[4] Chris Johnston and agencies, Artificial intelligence ‘judge’ developed by UCL computer scientists, October 24, 2016, online: https://www.theguardian.com/technology/2016/oct/24/artificial-intelligence-judge-university-college-london-computer-scientists.

[5] See José Maria de la Jara & Others, Machine Arbitrator: Are We Ready?, May 4, 2016, online: http://arbitrationblog.kluwerarbitration.com/2017/05/04/machine-arbitrator-are-we-ready/.

[6] AI Now 2017 Report, online: https://assets.ctfassets.net/8wprhhvnpfc0/1A9c3ZTCZa2KEYM64Wsc2a/8636557c5fb14f2b74b2be64c3ce0c78/_AI_Now_Institute_2017_Report_.pdf.

[7] Article 22, General Data Protection Regulation.

[8] https://medium.com/trustableai/gdpr-and-its-impacts-on-machine-learning-applications-d5b5b0c3a815

[9] Penalties of GDPR can range from 10m eur or 2% of the worldwide annual revenue on the lower scale and 20m or 4% of the worldwide revenue on the upper scale. See Article 83, General Data Protection Regulation.

[10] ROSS Intelligence, online: https://rossintelligence.com/.

The Commission Launches the EU Blockchain Observatory and Forum

By Nikolaos Theodorakis

The European Commission (“Commission”) recently launched the EU Blockchain Observatory and Forum (“Observatory”) with the support of the European Parliament. The Observatory aims to highlight relevant developments and facilitate collaboration between the EU and involved stakeholders.

 

What is the blockchain technology? What are its benefits?

Blockchain is a distributed ledger technology. In essence, it is a database that keeps a final and definitive record of transactions that no one can penetrate or alter. As a result, Blockchain technology increases trust, traceability and security.

Distributed Ledger Technology (“DLT”), which is the backbone of blockchain technology, was introduced about a decade ago, aiming to develop new financial applications and facilitate decentralized data storage and management. The decentralization of the Internet has been an idea discussed for several decades since it allows for user freedom and democracy in the web. The implementation effort in practice involves avoiding one centralized location, and the need for intermediaries to perform transactions. Blockchain information is shared, verifiable, public, and accessible.

The abovementioned traits can increase accountability. Blockchain has the potential to lead this technological breakthrough. The enhanced trust that it creates can be used for legal services (e.g. smart contracts), financial services, transportation services (e.g. bill of lading disputes), energy, or healthcare issues.

Naturally, the European Commission wishes to further investigate blockchain’s potential, consolidate expertise, and address the challenges created by new blockchain paradigms. To achieve this, it created the Observatory within the Financial Technology pillar, and plans to further help develop the single market, Banking Union, the Capital Markets Union and retail financial services.

As an example of blockchain’s game-changing potential, 10% of global GDP could be stored, via digital assets, through this technology in less than 10 years.[1] This means that governments can take advantage of blockchain to issue IDs that cannot be replicated, or monitor taxation reporting in a unique and transparent way. Insurance companies can utilize automatic execution of contracts, financial bodies can secure money and financial asset transfers, and the intellectual property sector can distribute IP rights pertinent to music, videos or other protected content.

 

Next Steps

Even if only a fraction of the above benefits materializes, blockchain can significantly change the way digital services are communicated. The European Commission needs to assess, in the form of a feasibility study, whether this technology is fully compliant, particularly with EU law (more on this below). Despite recognizing blockchain as a key emerging trend, it is equally important to manage it in a compliant way.

In essence, the Commission wants to build on existing initiatives launched by the EU members that relate to offering blockchain-based solutions. The broader role of the Observatory is to help Europe fully grasp and exploit the opportunities that this technology offers and allow the continent to remain on the forefront of technological developments. The blockchain will enable cross border cooperation and regulator to discuss and develop new ideas to learn, engage and contribute in an open way.

In a nutshell, the Observatory aims to:

  • map key existing initiatives in Europe and beyond;
  • monitor developments, analyze trends and address emerging issues;
  • become a knowledge hub on blockchain;
  • promote European actors and reinforce European engagement with multiple stakeholders;
  • represent a major communication opportunity for Europe to set out its vision and ambition on the international scene;
  • inspire common actions based on specific use-cases of European interest.

 

Smooth sailing?

Despite the multiple benefits of blockchain, and its use for cryptocurrencies and multiple other options, this technology comes with a number of drawbacks. For instance, blockchain is in direct conflict with an upcoming EU privacy legislation (the General Data Protection Regulation), which has strict privacy requirements (including privacy by design and by default, encryption, enhanced subject rights etc.). Blockchain makes it more difficult to attribute liability, due to its decentralized nature, and practically impossible to comply with certain privacy rights, like the right to be forgotten (since the blocks cannot be erased, once generated). This direct conflict with EU regulatory standards may cause some bumps in the future development of this technology.

Further, other concerns pertinent to the use of blockchain relate to broader skepticism about security – and whether this technology can remain immune to attacks in the long-run, lack of regulation that leads to unsafe exchange environments particularly regarding cryptocurrencies, and funding of illicit activities and circumvention of international sanctions.

[1] World Economic Forum Surbey on Technological Tipping Points

European Commission Communication on Standard Essential Patents

By Giuseppe Colangelo

On November 29, 2017, the European  Commission released the much-awaited Communication on standard essential patents (SEPs) licensing [“Setting out the EU approach to Standard Essential Patents”, COM(2017) 712 final].

The Communication comes in the wake of the UK judgement Unwired Planet v. Huawei,[1] recently delivered by Mr. Justice Birss and analyzed in our previous newsletter. As highlighted by the UK decision, after the judgment in Huawei/ZTE (Case C-170/13), in which the European Court of Justice identified the steps which SEPs owners and users must follow in negotiating a FRAND royalty, there are still several unresolved questions. Notably, the different approaches adopted by Germany and the UK have spurred the Communication to set out “key principles that foster a balanced, smooth and predictable framework for SEPs”.

The key principles reflect two stated objectives: incentivizing the development and inclusion of top technologies in standards by providing fair and adequate returns, and ensuring fair access to standardized technologies to promote wide dissemination.

First, the Commission takes the view that the quality and accessibility of information recorded in standard development organizations (SDOs) database should be improved. Therefore, the Commission calls on SDOs to ensure that their databases comply with basic quality standards, and to transform the current declaration system into a tool providing more up-to-date and precise information on SEPs. Moreover, the Commission stated that declared SEPs should be scrutinized to assess their essentiality for a standard, and will launch a pilot project for SEPs in selected technologies in which an appropriate scrutiny mechanism will be introduced.

Second, the Commission sets out certain general principles for FRAND licensing terms, stating that it is necessary and beneficial to establish a first set of key signposts on the FRAND concept, so as to provide for a more stable licensing environment, guide parties in their negotiations, and reduce costly litigation. In this regard, provided that the parties are best placed to arrive at a common understanding of what are fair licensing conditions and fair rates, the Commission states that:

  1. there is no one-size-fit-all solution on what FRAND is: what can be considered fair and reasonable can differ from sector to sector and over time;
  2. determining a FRAND value should require taking into account the present value add of the patented technology: that value should be irrespective of the market success of the product which is unrelated to the value of the patented technology;
  3. to avoid royalty stacking, parties must take into account whether the aggregate rate for the standard is reasonable;
  4. the nondiscrimination element of FRAND indicates that rightholders cannot discriminate between implementers that are ‘similarly situated’ (see Unwired Planet);
  5. for products with a global circulation, SEP licenses granted on a worldwide basis may contribute to a more efficient approach and therefore can be compatible with FRAND (see Unwired Planet).

A third part of the Communication is devoted to providing guidance in order to achieve a balanced and predictable enforcement environment. With regards to the availability of injunctive relief, the FRAND process requires both parties to negotiate in good faith, including responding in a timely manner. The willingness of the parties to submit to binding third-party FRAND determination – should the (counter-)offer be found not to be FRAND – is an indication of a FRAND behavior. Furthermore, in terms of the timeliness of the counter-offer, no general benchmark can be established, as case-specific elements play a role. Nonetheless, there is a probable trade-off between the time considered reasonable for responding to the offer and the detail and quality of the information provided in the SEP holder’s initial offer.

Even if injunctive relief can be sought against parties acting in bad faith (i.e. parties unwilling to take up a license on FRAND terms), courts are bound by Article 3(2) of the IPR Enforcement Directive, and notably the requirement to ensure that injunctive relief is effective, proportionate, and dissuasive.

Finally, the Commission states that patent assertion entities should be subject to the same rules as any other SEP holder.

[1] [2017] E.W.H.C. 711 (Pat).

European Commission Presents Comprehensive Soft Law Measures to Ensure that Intellectual Property Rights are Well Protected, Including Issuing Guidance on the Enforcement Directive

By Kletia Noti

Introduction

On November 29, 2017, the European Commission (“Commission”) adopted a comprehensive package of measures aimed at further improving the application and enforcement of intellectual property rights (IPRs) within the EU Member States, in the EU and internationally (hereinafter, “IPRs enforcement package”)[1]. The measures encompass several soft law instruments in the form of Communications, accompanied by staff working documents and reports[2].

The IPRs enforcement package is the last in a series of efforts undertaken by the Commission over the last few years to enhance enforcement of IPRs and ensure that these rights are well-protected in the online environment. In its July 2014 communication[3], the Commission laid down an Action Plan proposing ten specific actions marking a shift in its policy approach towards new enforcement tools to fight IPR infringements. Instead of focusing on penalizing users for IPRs infringements, the Commission announced that it would seek to foster better enforcement of IPRs through the “follow the money” approach, aimed at depriving commercial-scale infringers of their revenue flows. The Commission also expressed the view that non-legislative measures (including cooperation between stakeholders) should be encouraged. In its Digital Single Market[4] and the Single Market[5] communications, the Commission announced its commitment towards improving IPR enforcement in light of the digital developments[6]. In the May 2017 Mid-Term Review on the implementation of the Digital Single Market Strategy[7], the Commission indicated that it was finalizing its evaluation of the current legal framework for the enforcement of all IPRs, including copyright[8]. Against this background, the IPRs enforcement package constitutes a culmination of the Commission’s efforts on this front.

 

The IPR package: an overview

Communication COM (2017) 707[9] describes the different measures adopted as part of the broader package and provides the framework for the Commission’s proposed actions on IPRs enforcement. First, it sets out measures aimed at further improving the judicial enforcement of IPRs in the EU. These measures encompass guidance on the application of the Enforcement Directive (contained in a separate Communication, also adopted as part of the package[10]); awareness raising and improving cooperation with national judges (whose specialization in IPR-related matters is encouraged); increasing transparency of EU Member States’ judgments on IPRs enforcement, as well as fostering the development of alternative dispute resolution mechanisms to solve IPR disputes. Second, the Communication prescribes actions to support industry-led initiatives to fight IP infringements, including self-regulatory initiatives (such as voluntary agreements between rights-holders and intermediaries) and steps to better protect supply chains against counterfeiting. A Staff Working Document on self-regulation measures to fight the sale of counterfeited products accompanies the Communication[11]. In addition, the Commission announces that a new MoU aimed at withholding advertising on IP infringing websites is being developed by stakeholders. At the same time, it encourages stakeholders to further cooperate through voluntary agreements. It also encourages the industry to further promote due diligence in supply chains, explore the potential of new technologies (e.g. blockchain) and encourage the further inclusion of IP protection in accreditation processes. Third, the Communication also lays down initiatives to strengthen the administrative authorities’ capacity to enforce IPRs. Fourth, in this Communication the Commission announces its support for measures to strengthen efforts to fight IP infringements at a global scale, including through the promotion of best practices and stepping up co-operation with third countries.

In addition to the above measures, in its IPRs enforcement package, the Commission also issued its long-awaited guidance on the EU approach to Standard Essential Patents (SEPs)[12].

 

The Commission’s Guidance on the Enforcement Directive

The Commission’s Guidance on the Enforcement Directive (hereinafter, “Guidance”) follows its public consultation launched in 2015, as well as its evaluation of the Enforcement Directive carried out in 2016 in the context of its steps to further improve the application and enforcement of IPRs, as announced in the Single Market Strategy and Digital Single Market Strategy communications.   While the evaluation found the Enforcement Directive to be fit for purpose, the consulted stakeholders asked for more clarity as to how its provisions should be applied.

First, the purpose and scope of the Guidance will be briefly highlighted. Subsequently, the article will zoom into the Commission’s clarifications on injunctions which national courts can adopt on the basis of Articles 9 and 11 of the Enforcement Directive.

A piece of EU legislation of minimum harmonization, adopted more than a decade ago, the Enforcement Directive has led to diverging interpretations of its provisions across the EU Member States, many of which prompted national courts to refer questions to the Court of Justice in preliminary rulings. The Commission considers this to be due to several reasons, not the least of which the different procedural frameworks across Member States. Such divergence may reduce legal predictability for the stakeholders involved. Against this background, the Guidance aims at clarifying certain aspects of the Enforcement Directive, so as to ensure a more consistent and effective interpretation and application of its provisions by competent judicial authorities and other parties involved in the enforcement of IPRs.

The Commission acknowledges that, in all cases where the Enforcement Directive provisions interpreted and applied and where various conflicting fundamental rights protected in the EU’s legal order are at stake, a fair balance must be struck between these rights, in light of the principle of proportionality[13]. Its clarifications encompass several aspects of the Directive, including its scope, the rules on evidence, damages, reimbursement of legal costs, the right for rights-holders to obtain information on the infringers enshrined under Article 8, and the right to provisional and precautionary measures and injunctions under Section 4 of the Directive. Additionally, it seeks to clarify what “fair and equitable” measures and remedies means, as laid down under Article 3(1) of the Directive[14].

In particular, the Enforcement Directive requires EU Member States to make certain measures available to rights-holders, including the ability to apply for an (interlocutory or permanent) injunction to prevent an imminent infringement, or to prohibit the continuation of the alleged infringement (see Article 9(1)(a) for interlocutory injunctions and Article 11 for permanent injunctions), subject to the requirements set out under Article 3[15].

While the interpretation of these provisions under EU law has led to a rich body of case law of the Court of Justice of the European Union (CJEU), uncertainties as to the scope of injunctions issued by national judges remain[16]. In order to provide guidance to national courts and parties involved in IPRs disputes, the Commission tackles the following aspects:

  • Liability and injunctions. The Commission clarifies that, under EU law, liability for an alleged infringement and the possibility for the competent judicial authorities to issue injunctions are two separate questions. According to the Commission, the possibility to issue an injunction on the basis of Article 9(1)(a) and Article 11 of the Enforcement Directive does not depend on the intermediaries’ liability for the alleged infringement. Therefore, the competent judicial authorities cannot compel plaintiffs to prove that the intermediary is liable (even indirectly) as a condition for an injunction to be granted.

To this end, the Commission references the CJEU’s case law, both applicable to the online and offline world. In the landmark L’Oréal v eBay judgment[17], which among others concerned the interpretation of Article 11 of the Enforcement Directive, the CJEU (in Grand Chambers) held inter alia that “the third sentence of Article 11 of Directive 2004/48, according to which the Member States must ensure ‘that rights-holders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe an intellectual property right …’ (…) involves determining whether that provision requires the Member States to ensure that the operator of an online marketplace may, regardless of any liability of its own in relation to the facts at issue, be ordered to take, in addition to measures aimed at bringing to an end infringements of intellectual property rights brought about by users of its services, measures aimed at preventing further infringements of that kind”[18]. In addition, the Commission also references the more recent Tommy Hilfiger judgment[19]. This latter judgment interestingly did not concern online intermediaries, but rather the imposition of an injunction on Delta Center, a physical marketplace, which the CJEU considered as caught by the scope of Article 11 of the Enforcement Directive.

  • Notion of “intermediary” caught by the scope of Articles 9(1)(a) and 11 of the Enforcement Directive. Both these provisions refer to “any intermediary whose services are used by a third party to infringe intellectual property rights”. However, the Commission recalls that the notion of “intermediary” is not further clarified in the Enforcement Directive. Against this background, the Commission draws attention to the CJEU’s UPC Telekabel[20] and Tommy Hilfiger[21] judgments: importantly, the Commission notes that in Tommy Hilfiger the CJEU clarified the notion of “intermediary” in the sense of UPC Telekabel. In UPC Telekabel the CJEU considered that the notion of “intermediary” whose services are used by a third party to infringe copyrights under Directive 2001/29[22] also encompasses those internet service providers which do not have a specific relationship with the person infringing the copyright and the related rights. In Tommy Hilfiger the CJEU declared that an intermediary in the sense of the Enforcement Directive need not have a specific relationship, such as a contractual link, with the IPR infringing party. The Commission also reiterates that “the application of Articles 9(1)(a) and 11 of the Enforcement Directive spans across different sectors and includes both online and offline services.” Importantly, the Commission considers that the case law of the CJEU acknowledging that several categories, such as internet service providers (“ISPs”), social networking platforms, online marketplaces and physical marketplaces should be seen as “intermediaries” for the purposes of the Enforcement Directive is merely illustrative but not exhaustive. Therefore, the notion of “intermediary” is flexible and capable of being interpreted on a case by case basis.

In addition, the Commission[23] considers that when the intermediary is so distant from the (alleged) infringement he cannot reasonably be expected to contribute to the enforcement of IPRs and its involvement in such enforcement would be “disproportionate” and “unnecessarily burdensome”[24]. However, the Commission does not further clarify what an involvement “so distant or immaterial to the alleged infringement.” is. What does this mean concretely and—where is the line drawn between “distant” and “close involvement”? Does this mean that the rights-holders can ask intermediaries “close to the infringement” to bear the burden of ensuring the effective enforcement of IPRs and under which criteria? This is likely to lead to additional preliminary references before the CJEU, since it is likely judges in various EU Member States may interpret this notion differently.

  • Scope of injunctions. In the context of the balancing of rights and interests which underpins how the scope of injunctions can be interpreted, the Commission reiterates the importance of the principle of proportionality, one of the primary law principles of the European Union[25]. It also recalls the respect for Art. 3 of the Enforcement Directive, as well as fundamental rights by national courts. When it comes to proportionality, the Commission considers that judges ought not to issue injunctions which require measures that go beyond what is appropriate and necessary in light of the facts and circumstances of the case at hand to prevent an imminent infringement or to prohibit the continuation of an infringement. Recalling the limitations to the scope of injunctions[26] that the CJEU gave in UPC Telekabel[27], the Commission frames them in the following fashion: “the CJEU also clarified that[28] the competent judicial authorities may decide not to explicitly describe the specific measures which the provider must take to achieve the result sought. However, the CJEU also made it clear that in such cases a number of conditions are to be respected, notably that the measures do not go beyond what is reasonable, respect the principle of legal certainty, compliance with the fundamental rights of the parties concerned including the internet users’ freedom of information, strict targeting of the measures and a possibility for the competent judicial authorities to verify that these conditions have been complied with, notably through a possibility for the internet users concerned to assert their rights once those measures are known”[29].

Importantly, the Commission considers that the measures ordered via an injunction need not lead to a complete cessation of the IPR infringements[30], as long as they make the infringing acts difficult or seriously discourage them[31]. However, the intermediary should not be required to bear “unbearable sacrifices”[32].

Against the above background, two observations are necessary: first, the Commission clarified that the limitations to the scope of injunctions that the CJEU laid down in UPC Telekabel, a case concerning copyright, apply also to other IPRs. Second, the Commission reiterates that injunctions should respect Article 15 of the E-Commerce Directive[33], laying out a ban on general monitoring and any such broad injunction violating such provision, according to the Commission, would concomitantly infringe Article 3 of the Directive[34]. However, the Commission recalls that the E-Commerce Directive at Recital 47 allows for specific monitoring obligations and Recital 48 adds that this Directive does not affect the possibility for Member States to require the service providers concerned to apply reasonable duties of care in order to detect and prevent certain types of illegal activities[35]. In the light of this, according to the Commission “where appropriate and within the limits of the abovementioned provisions,[36] certain due diligence obligations may be imposed e.g. on providers of online hosting services with a view to preventing the upload of IPR infringing content identified by rights-holders and in cooperation with them”.

Can an injunction ordering the prevention of future infringements be a possible example of “due diligence” obligations? What is the scope of these obligations in the light of the limitations that the Commission recalls? Recent doctrine interprets the Tommy Hilfiger ruling as confined to allowing only the extent of specific injunctions to prevent future infringements to measures which contribute to avoiding new infringements of the same nature by the same market trader[37].

At the same time, while as an example of such obligations, the Commission refers to Article 13 of the Commission’s proposed Copyright Directive, some authors, in response to questions asked by various EU Member States in the context of the Commission’s proposal, consider that the current drafting of this proposed article itself may raise concerns in terms of compliance with EU law[38].

[1] Commission Press Release, Intellectual property: Protecting Europe’s know-how and innovation leadership, November 29, 2017.

[2] Communication “A balanced IP enforcement system responding to today’s societal challenges”, COM (2017) 707, accompanied by Staff Working Document SWD (2017) 430 “Overview of the functioning of the Memorandum of Understanding (MoU) on the sale of counterfeit goods via the internet.”, Communication “Guidance on certain aspects of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights”, COM (2017) 708 (hereinafter “Guidance on the Enforcement Directive”), accompanied  by  Staff  Working  Document Report on the Evaluation of Directive on the enforcement of intellectual property rights, SWD (2017) 431,  COM(2017) 712 final, Communication “Setting out the EU approach to standard essential patents”.

[3]Commission Communication, COM/2014/0392 final, “Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan”. Also see, for its strategy on improving the fight against IPR infringements in third countries, Commission Communication, “Trade, growth and intellectual property – Strategy for the protection and enforcement of intellectual property rights in third countries”, COM(2014) 389 final, 1 July 2014.

[4]Commission Communication, “A Digital Single Market Strategy for Europe”, COM/2015/0192, May 6, 2015.

[5]Commission Communication, “Upgrading the Single Market:  more opportunities for people and businesses”, COM/2015/0550, October 28, 2015.

[6] Between 2015 and 2016, the Commission ran a public consultation to assess the functioning of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights (“Enforcement Directive”).

[7] Commission Communication, COM(2017) 228 final, May 10, 2017.

[8]The Commission also adopted initiatives aimed at updating the legal framework applicable to copyright in order to adapt the existing rules to the Internet technological developments: see Communication “Promoting a fair, efficient and competitive European copyright-based economy in the Digital Single Market”, COM(2016)592, September 14, 2016 and Proposal for a Directive of the European Parliament and of the Council on Copyright in the Digital Single Market of  September 14, 2016 (“proposed Copyright Directive”).

[9] See supra, fn. 2.

[10]See Guidance on the Enforcement Directive, supra, fn. 2.

[11] Staff Working Document SWD (2017) 430 “Overview of the functioning of the Memorandum of Understanding (MoU) on the sale of counterfeit goods via the internet.” On the basis of a set of key performance indicators (KPIs), the Staff Working Document provides an empirical overview on how the MoU, first adopted in 2011 and subsequently updated in 2016, functioned between June 21, 2016 and June 21, 2017. Such indicators show that the MoU is proving effective and has already significantly contributed to curbing online counterfeiting.

[12] See supra, fn. 2.

[13] See, Enforcement Directive Guidance, Section III, page 11.

[14] Under Article 3(1) of the Enforcement Directive, the measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights covered by this Directive (…) shall be fair and equitable and shall not be unnecessarily complicated or costly, or entail unreasonable time-limits or unwarranted delays.

[15] See supra, fn. 14. Under Article 3(2), “those measures, procedures and remedies shall also be effective, proportionate and dissuasive and shall be applied in such a manner as to avoid the creation of barriers to legitimate trade and to provide for safeguards against their abuse.”

[16] For a thorough overview, see M.Husovec, Injunctions Against Intermediaries in the European Union, Accountable but not Liable, Cambridge University Press, 2017.

[17] See Judgment of the CJEU (Grand Chamber) of 12 July 2011, C-324/09, L’Oréal SA and Others v eBay International AG and Others, para. 127. In this judgment, the court considered that measures to prevent further infringements can be applied under Article 11 of the Directive.

[18] Id. The Commission also recalls cases C-70/10, Scarlet Extended, para. 31; C-360/10, SABAM, para. 29.

[19] Case C-494/15, Tommy Hilfiger, para. 22. In this case, the Court of Justice recalled para. 127 of the L’Oréal v eBay judgment, reiterating it, and said that the matter was thus “settled case law”. Arguing that the limitations to the scope of the injunction set out by the CJEU in Tommy Hilfiger bind national judges also in granting injunctions to intermediaries in the online world, see M.Husovec, Injunctions Against Intermediaries in the European Union, Accountable but not Liable, Cambridge University Press, 2017, pages 120-121.

[20] C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, EU:C:2014:192.

[21] Tommy Hilfiger, supra, para. 23: according to the Court, “for an economic operator to fall within the classification of ‘intermediary’ within the meaning of those provisions, it must be established that it provides a service capable of being used by one or more other persons in order to infringe one or more intellectual property rights, but it is not necessary that it maintain a specific relationship with that or those persons”.

[22]Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society (hereinafter, “Copyright Directive” or “InfoSoc Directive”).

[23] The Commission recalls Recital 59 of the Copyright Directive, which states that without prejudice to any other sanctions and remedies available, rights-holders should have the possibility of applying for an injunction against an intermediary who carries a third party’s infringement of a protected work or other subject-matter in a network. Such possibility is concretely foreseen under Article 8(3) of the Directive.

[24] Accordingly, on the one hand, the involvement of such economic operators, which did not themselves engage in any infringing activity, in the process of IPR enforcement under the Enforcement Directive can be required to ensure that rights-holders are in a position to effectively enforce their rights. On the other hand, there may in a given case be no justification for such involvement where the services provided are so distant or immaterial to the (alleged) infringement that the economic operator in question cannot reasonably be expected to significantly contribute to such effective enforcement, meaning that its involvement would be disproportionate and unnecessarily burdensome.

[25] In the context of measures tackling infringements of IPRs, the principle of proportionality has been codified under Art. 3(2) of the Enforcement Directive.

[26] In that case at stake was a blocking injunction against UPC Telekabel, an internet service provider, taken on the basis of Article 8(3) of the InfoSoc Directive.

[27]C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, EU:C:2014:192, paras. 52-57.

[28] C-314/12, UPC Telekabel, para. 52-57.

[29] Section IV(3) of the Enforcement Directive Guidance.

[30] C-484/14, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, EU:C:2016:689, para. 93-95; C-314/12 UPC Telekabel, para. 56 and paras. 58-62.

[31] Id.

[32] C-314/12, UPC Telekabel, para. 53.

[33] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178, 17.7.2000, p. 1-16.

[34] The Commission recalls that in the abovementioned Scarlet and Sabam judgments the Court of Justice considered the measures at stake (broad injunctions ordered by a national judge) to be incompatible both with Article 15 of the E-Commerce Directive and Article 3(2) of the Enforcement Directive, when read with in conjunction with the requirement to respect fundamental rights.

[35] The Commission considers that, in certain specific circumstances, dynamic injunctions, which are forward looking and allow for a targeting of URLs when the infringement reoccurs (namely, in the presence of a whac-a-mole effect) can be an effective way to ensure enforcement of IPRs without the plaintiff having to reapply for a separate injunction,.

[36] Namely, Article 15 of the E-Commerce Directive, Article 3of the Enforcement Directive, the case law of the CJEU and fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union.

[37] Husovec, supra, note 14, page 106. Arguing that: “providing policy plug-ins by means of injunctions isn’t a good way forward”, see again Husovec, id, page 18.

[38] See Max Planck Institute for Competition and Innovation contribution  in response  to the questions raised by  the  authorities of  Belgium,  the Czech Republic, Finland, Hungary, Ireland and the Netherlands to the Council Legal Service regarding  Article  13  and  Recital  38  of the  Proposal  for  a  Directive  on Copyright in the Digital Single Market, available at: http://www.ip.mpg.de/fileadmin/ipmpg/content/stellungnahmen/Answers_Article_13_2017_Hilty_Moscon-rev-18_9.pdf. The proposed Copyright Directive is expected to be considered by the JURI committee of the European Parliament in the next few months.

European Patent Office Adopts Study on Patents and Publishes First Edition of the Unitary Patent Guide

By Kletia Noti

On November 14, 2017, the European Patent Office (“EPO”) published a study titled “Patents, trade and foreign direct investment in the European Union” (hereinafter, “Study”). Inter alia, the Study assesses “the impact of the European patent system on the circulation of technologies through trade and foreign direct investment in the EU single market. The Study opines that the current patent system in Europe could bring increased benefits if further harmonization were accomplished. Under the current patent system, fragmentation post-grant gives rise to limitations which may hinder cross-border trade and investment in IP- and technology-intensive industries. According to the Study, the Unitary Patent will remove many of these limitations.

The Study follows the EPO publication, on 18 August 2017, of the first edition of the Unitary Patent Guide (hereinafter, “Guide”)[1]. The Guide aims to provide companies, inventors and their representatives with an outline of the procedure involved in obtaining a Unitary Patent from the EPO, once the EPO has granted a European patent on the basis of the provisions laid down in the European Patent Convention (“EPC”)[2]. In particular, the Guide addresses the mechanisms to obtain and renew a Unitary Patent, the information which will be rendered available about the already granted Unitary Patents, who can act before the EPO with regard to a Unitary Patent and how to record changes of ownership and licenses.

In addition to the classic routes to obtain a patent in the EU (i.e. the national route; the European patent), a Unitary Patent can be sought as a result of the Unitary Patent reform[3]. The Unitary Patent will make it possible to get patent protection in up to 26 EU Member States by submitting a single request to the EPO, making the procedure simpler and more cost effective for applicants. More specifically, the Unitary Patent is a “European patent with unitary effect”, which means a European patent granted by the European Patent Office under the rules and procedures of the European Patent Convention (EPC).

At the pre-grant phase, the procedure will follow the same steps as those for European patents granted by the EPO under the rules of the EPC.  If the criteria set out under the EPC are met, the EPO grants a European patent. Once the European patent is granted, the patent proprietor will be able to request unitary effect, thereby obtaining a Unitary Patent which provides uniform patent protection in up to 26 EU Member States[4].  Namely, what distinguishes the European patent from the Unitary Patent is that, after the grant, the proprietor may ask the EPO for unitary effect to be attributed for the territory of the participating EU Member States in which the Agreement on a Unified Patent Court (hereinafter, “UPCA”) [5], an international treaty, has taken effect at the date of registration[6].

Against the above background, the Unitary Patent will thus cover the territories of those participating EU Member States in which the UPCA has taken effect at the date of registration of unitary effect by the EPO. The EPO clarifies that, as it is likely that the ratification will occur successively, there will be different generations of Unitary Patents with different territorial coverage. This means that, although 26 EU Member States are currently participating in the Unitary Patent scheme, Unitary Patents registered at the outset will not cover all 26 of their territories, because some of them have not yet ratified the UPCA[7].

On November 20, 2017, the President of the Council of the EU published a summary of the situation in the 25 Member States which have signed the Unified Patent Court Agreement (UPCA) concerning both their ratification of the UPCA and their consent to be bound by its Protocol on Provisional Application (PPA)[8].

While France has already ratified the UPCA and has expressed consent to be bound by the PPA, the UK and Germany have not done so yet.

In particular, what the impact of Brexit on the Unitary Patent project would be is still unclear[9]. On December 4, 2017, the UK House of Commons formally approved the draft Unified Patent Court (Immunities and Privileges) Order 2017[10]. The House of Lords Grand Committee also met on December 6, 2017 to consider this draft Order. The approval of such an Order by the House of Lords and its subsequent approval (along with the corresponding Scottish Order) by the Privy Council are the final steps in the UK’s ratification process that need to be completed before the UK can formally ratify the UPC Agreement[11].

Earlier in 2017, a constitutional complaint[12] was lodged with the Federal Constitutional Court in Germany. The complaint is currently pending and, if upheld, is expected to likely cause delay to the German ratification of the UPCA and Germany consenting to be bound by the PPA[13].

[1] Available at: https://www.epo.org/law-practice/unitary/unitary-patent/unitary-patent-guide.html

[2] https://www.epo.org/law-practice/legal-texts/epc.html

[3] http://europa.eu/rapid/press-release_MEMO-12-970_en.htm?locale=en

[4] Whether the United Kingdom continues to participate in the Unitary Patent and the Unified Patent Court after its withdrawal from the EU will be a political decision for the EU, its remaining Member States and the United Kingdom and may be addressed as part of the exit negotiations. See Guide, Section 15.

[5] In February 2013, 25 EU Member States, i.e. all EU Member States except Spain, Poland and Croatia, signed the Agreement on a Unified Patent Court (UPCA), Date of entry into force unknown (pending notification) or not yet in force, OJ C 175, 20.6.2013, p. 1–40. The UPCA is the third component of the Unitary Patent package. The Unified Patent Court (UPC) is a common court for all the Member States party to the UPCA and therefore, it is part of their judicial system. It has exclusive competence in respect of Unitary Patents as well as in respect of classic European patents validated in one or several of those states. See: https://www.epo.org/law-practice/legal-texts/html/upg/e/uppg_a_v_3.html. In September 2015, Italy joined the Unitary Patent and became the 26th member of the enhanced cooperation on Unitary Patent protection.

[6] The EU regulations establishing the Unitary Patent system (No 1257/2012 and No 1260/2012) entered into force on 20 January 2013, but they will only apply as from the date of entry into force of the UPCA, namely on the first day of the fourth month following the deposit of the 13th instrument of ratification or accession (provided those of the three Member States in which the highest number of European patents had effect in the year preceding the signature of the Agreement, i.e. France, Germany and the United Kingdom, are included). See EPO, When will the Unitary Patent start:  https://www.epo.org/law-practice/unitary/unitary-patent/start.html

[7]See, for a list of the (so far) 14 Member States which have already ratified the UPCA: http://www.consilium.europa.eu/en/documents-publications/treaties-agreements/agreement/?id=2013001# (last accessed 17 December 2017)

[8] Note from Presidency to the Council, Unitary Patent and Unified Patent Court – Information on the State of Play, 20 November 2017.

[9] On December 22, 2017, a note was sent to the UK Government by the UK Law Society which had been contributed to and signed by other IP stakeholder organisations, asking the Government to provide legal certainty regarding the UPC post-Brexit.

[10]See, for an overview: https://publications.parliament.uk/pa/cm201719/cmvote/171204v01.html

[11] M.Richardson, The Lords Consider the UPC: Where is it?, 12 December 2017, available at:  https://ipcopy.wordpress.com/2017/12/12/the-lords-consider-the-upc-where-is-it/

[12]Juve, UPC: Düsseldorfer Rechtsanwalt Stjerna legte Verfassungsbeschwerde ein, September 6, 2009: https://www.juve.de/nachrichten/verfahren/2017/09/upc-duesseldorfer-rechtsanwalt-stjerna-legte-verfassungsbeschwerde-ein

[13] For the PPA to come into effect, 13 signatory states – which have signed the UPCA (and which must include France, UK and Germany) and have ratified the UPCA or informed the depositary that they have received parliamentary approval to ratify the UPCA – must have signed and ratified, accepted or approved the Protocol or declared themselves bound by Article 1 of the Protocol. Therefore, Germany’s consent to the PPA is needed before the provisional application phase can start.