Privacy Shield for EU - US data transfer has been ruled invalid by the European Court of Justice

image-asset.jpeg

The ”Privacy Shield” is an agreement between the European Commission and the U.S. Secretary of Commerce that allowed the transfer of data from EU to U.S. and followed the declaration of invalidity of the “Safe Harbour Pact” , the previous agreement between EU and US for the transfer of data.

The decision issued by the European Court of Justice on July , 16, 2020  will have serious political consequences for the  EU-US relations and for US providers and European companies.

The decision

In accordance with the General Data Protection Regulation (hereinafter referred to as the 'GDPR'), the transfer of data outside the EU can take place only if the third country can ensure  an adequate level of protection.

The European Commission can find that a third country ensures an adequate level of protection because of its national legislation or because it is part of an international agreement  (such as the Safe Harbour Pact which was declared invalid in Decision 206/1250 and it was related to  the export of data from EU to USA).

In the absence of an adequacy decision, a transfer of data can take place only  if the data controller, established in EU, provides adequate safeguards, which may result from standard contractual clauses adopted by the Commission (Decision 2010/87), and if the data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision or adequate guarantees, the GDPR shall ultimately determine the conditions under which such a transfer may take place.

The level of protection required in the context of a non-EU data transfer is equivalent to level of guarantee within the EU Member States.

The assessment of this level of protection concerns both what is contractually agreed between the parties (data exporter established in the Union and the recipient of the transfer established in an extra EU country) and the access for extra EU public authorities to the data, as well as other elements of the legal system of the country where data are transferred.

Specifically, the legislation governing the US surveillance programmes do not minimize the processing of data of EU data subjects and  do not limit the power of US authorities establishing adequate guarantees for European citizens who may potentially be subject to US mass surveillance.

For all these reasons, the Court – with the Decision 2016/1250 – declared the Privacy Shield Agreement invalid.

The Court also held that, in the absence of a valid adequacy decision adopted by the Commission, the Data Protection Authority must suspend or prohibit a transfer of personal data to a third country when it considers that the conditions required are not met.

The Court stated that the Decision 2010/87 on standard contractual clauses for the transfer of personal data to entities established in third countries was valid. It is certain that the reasons for the deletion of the Privacy Shield will also have effects on the standard contractual clauses.

Therefore, US providers who have used the legal basis of the Privacy Shield for data transfer from the EU to the US will have to adopt a different solution, such as standard contractual clauses.

The Italian company, as data exporter, and the data Protection Authority, will have to make a complex assessment of the adequacy of the guarantees offered by the party importing the data and the regulations in force in that country, with relevant liability profiles.

Practical implications

Impact on business activities

  • Decision 2016/1250 does not cover necessary data transfers to the USA (e.g. sending e-mails to a person in the USA, booking travel in the USA).

  • Can European companies continue to use US providers? At the moment the answer appears to be no, as all major providers are subject to potential US government oversight.

  • Can companies continue to use US providers based in the EU? In such cases, European companies are responsible for ensuring that "intra-Group" personal data flows to the US are GDPR compliant. Companies will now need to carefully review such data flows and determine whether to retain data in Europe or any other country that provides better privacy protection, instead of being transferred to the US.

Impact on consumer rights

Users are free to send their personal data directly to a third country, for example when using a Chinese or US website. However, consumers may not directly share other people's data (e.g. friends, colleagues) with a US provider unless they have obtained  free, specific, informed and unequivocal consent.

The Data Protection Authority’s Report: activities overview and prominent issues in 2019 and 2020

image-asset.jpeg

On 23 June 2020, the Italian Data Protection Authority (DPA) presented the report on its activities during the year 2019.

During the course of such year, the DPA supervised the application of Regulation 679/2016 (GDPR) and intervened on issues relating to the protection of fundamental rights in the digital age, the ethical implications arising from the use of artificial intelligence and the use of new surveillance systems, as IoT tools.

In light of the peculiar situation arising from the covid-19 pandemic, in its report the Authority has also expressed its views on specific issues relating to the first half of 2020.

Figures

In 2019, the DPA adopted 232 collegial measures and responded to 8000 complaints, including in relation to telephone marketing, consumer credit, employment law matters, and IT security, and carried out 147 inspections, both in the public and private sector.

The DPA also responded to 15,800 questions from citizens who asked for clarifications regarding the requirements related to the entry into force of the GDPR and issues related to unwanted promotional activities such as telephone calls, text messages, video surveillance in the public and private sector and banking data.

Platforms

With regard to online data breaches, in 2019 the DPA sanctioned Facebook Ireland Ltd for €1 million, following the investigation on the "Cambridge Analytica" case, which also involved data of Italian citizens.

In the same year, the authority strengthened its activities aimed at protecting the "Right to be Forgotten" and promoted an international debate to redefine the role played by Internet Service Providers in this specific context.

In 2020, the DPA also raised concerns about TikTok, a Chinese platform that has become extremely popular among millennials all over the world and which allows users to share videos and images. The Italian Authority requested and obtained the establishment of a “task force” at European level to investigate this platform.

Activities in the field of cybersecurity

In 2019, 1443 data breaches were notified and the DPA commented on the inadequacy of cybersecurity measures enacted by public administrations and private companies that collect data online. The Authority has also provided guidelines against ransomware and other malicious software.

Ransomware

Ransomware are computer programs that encrypt data, making them no longer accessible, and that request the payment of a "ransom" in order to re-obtain possession of the contents stored on the device. In its recommendations, the DPA pointed out that these malware are often installed on users' devices through free gaming or other apps, which users download being completely  unaware of the potential threats hidden thereunder.

Digital Assistants

The DPA has also examined the risks associated to the use of digital assistants. These are programs which interpret human language through algorithms and artificial intelligence and are therefore able to interact as a "human user", responding to various types of requests (such as finding information on the web, searching for a certain route, making an online purchase, adjusting the temperature or home lighting, closing or opening home locks).

The DPA observed that these digital assistants collect and process a huge amount of data, while users are often unaware of how data are processed and of the identity of the data controller.



Privacy and Marketing

The DPA intervened against "aggressive" telemarketing activities by applying significant penalties (including penalties amounting to euro 27.8 million and euro 11.5 million respectively) to companies that have utilized data without the data subject’s prior consent.

Privacy and Right to Report

The Authority intervened on several occasions to condemn the gruesome details published by some newspapers and television stations in relation to certain news, in order to ensure appropriate protection for the victims of crimes, and especially minors.



Privacy and Work

The DPA defined the necessary safeguards required in relation to the collection of employees’ fingerprints in order to contrast absenteeism in public administrations. The Authority affirmed that the collection of biometric data is an extremely sensitive proceeding, due to the nature of the data processed. Specifically, in the event the collection of fingerprints is coupled with the use of video-surveillance technologies, such procedure appears to be in contrast with the principle of proportionality.

Similarly, the DPA considered that a broad and generalized introduction of biometric survey systems for all public administrations would not appear to be justified under the GDPR.



Privacy and Justice

In relation to the "Exodus case" -  in which the communications of hundreds of citizens not involved in police investigations were tapped due to an error in the functioning of an electronic tapping device - the Italian Authority proposed measures to ensure increased safeguards in relation to the use of tools potentially threatening the citizens' freedom.

Privacy and Health

With regard to health data, the DPA intervened several times on the procedures for the collection and processing of health data in the context of the pandemic. The authority stated that, even in an emergency context, the principles of the GDPR must nonetheless be complied with.

The DPA also provided its opinions and indications regarding the "Immuni" app  (i.e., the app chosen by the Ministry of Economic Development to provide contact tracing technology to Italian health authorities). The DPA expressed its views on the methods for carrying out serological tests and for the collection of health data of employees and customers.

The several actions put in place by the DPA show the continuing efforts to monitor the application of the new European regulation, and to prevent and sanction violations that may pose a threat to individual freedoms.

,

Cars, Sneakers and Social Media: Ferrari vs. Philipp Plein

,
plein-ferrari.jpg

The origin of the lawsuit between Ferrari and Philipp Plein dates back to  August 2019, after the publication of some posts on Plein’s personal Instagram profile.

Specifically, the German designer published some pictures and videos showing one of his Ferrari with a pair of sneakers (the “Moneybeast” model, on sale for almost €5000) resting on the trunk of the car.

Only few days after such publication, Ferrari's lawyers warned Plein inviting him to remove the above mentioned contents, within a 48-hour term, as they constituted illicit use of the Ferrari’s trademark.

Ferrari therefore accused Philipp Plein of having exploited the notoriety of Ferrari’s brand to advertise its products and to confuse consumers, leading them to assume the existence of a partnership between Ferrari and Plein’s brand in relation to such specific model of shoes.

Ferrari also believed that the posts published by Plein were offensive, since they also “objectified” the female bodies of the models included in the pictures. Therefore, the posts were considered not in line with the values promoted by Ferrari, which did not intend to be associated with such type of content.

In response, Plein approached Ferrari's CEO directly, stating to be a dissatisfied customer and that he did not intend to proceed with the removal of the posts.

The Court of Milan was called to rule on the matter and, in June 2020, ordered Philipp Plein to delete all the posts in which the Ferrari trademark had been unlawfully represented and to pay €300,000 as compensation for damages.

In order to make a conscious use of social networks, every user must be aware that a picture  posted online could constitute an infringement of intellectual property rights of third parties.

While this concept should be familiar to every user, influencers and public figures with a significant social media following should be required to pay specific attention to these issues when posting content that depicts trademarks or other IP-protected contents without the express permission of the owner.

Philipp Plein's personal Instagram profile has more than 2 million followers. As such, the posts violating the Ferrari trademark were potentially able to reach a huge number of users.

The assessment of an infringement of third parties’ trademarks in connection with posts published on social media is based on whether such publication has a commercial or advertising purpose.

The Court of Milan held that the Instagram posts published by Plein had a clear commercial purpose (despite the fact that the pictures had been posted on the designer's personal profile and showed a car owned by him) and that Plein’s products would be perceived as more exclusive and desirable thanks to the connection with the Ferrari brand. 

Cloud Computing: infrastructure features and legal profiles.

cloudrossogrigio.jpeg.png

The European Network and Information Security Agency (ENISA) defines Cloud Computing as the infrastructure that a Provider makes available to the user to enable him/her to access resources, spaces, software or development environments accessible through remote servers owned by third parties.

In terms of volume, the Cloud Computing market is growing significantly every year. In Italy alone, the estimated sales for cloud computing for 2020, exceeds 2.5 billion euros.

The success of Cloud technology is due to the flexibility of a systema that does not require complex configurations and substantially simplify the management and use of company resources without requiring major economic investments.

  Types of Cloud Computing

There are 3 different types of Cloud structures:  

  • Infrastructure as a Service (Iaas): this is the hardware infrastructure that is the basis of every Cloud system. The provider provides the user with hardware without having to manage it himself. An example of IaaS is the storage space made available by the provider.

  • Platform as a Service (Paas): these are conceived as "bridge" platforms between an IaaS structure and a SaaS structure in which the Provider makes the structure available but it is up to the user to install and implement the software. This type of Cloud is normally aimed at developers who use the Paas to exploit specific automation features and avoid having to write ad hoc code.

  • Software as a Service (SaaS): this is the most widely used Cloud structure and offers a service that is easily accessible even to non-professionals. The end user, in fact, does not need any technical expertise and can use the swrvices provided by the Provider through any device. The Provider that provides a SaaS service via the web provides users with a series of application services that can be directly used by end customers.

SaaS infrastructures are systems that allow the use of spreadsheets via the web or applications that allow the insertion of e-commerce forms to websites that originally did not foresee them.

Cloud Computing Models

Private Cloud Computing: this is a Cloud structure that is created by the Provider to meet the specific needs of individual customers and is intended for their exclusive use. Large companies sometimes opt for a private Cloud model in order to maintain greater control over exported data: in the internal Cloud, in fact, the data stored remains in the organizational structures over which the user has full and exclusive control. By adopting this system, the wealth of personal and sensitive data is processed directly within the organization itself. In the Private Computing system it is possible to negotiate the contract that governs the relationship between the company using the service and the Provider.

  • Ibrid Cloud Computing: this is the model often used by public administrations and represents a middle way between Private Cloud Computing and Public Cloud Computing. Using a hybrid Cloud model allows the user to delegate to a public Cloud system the services or applications that involve the processing of non-sensitive data, while certain processes involving sensitive data and requiring enhanced security measures remain managed solely within the organization.

  • Public Cloud Computing: is the infrastructure owned by the Cloud Provider whose use is not dedicated to a single user but to a multiplicity of indeterminate users. In Public Cloud Computing you do not have the possibility to negotiate terms and conditions of use because you are faced with an "as it is" service. In fact, the user can have access to the service by adhering to a standardized contract prepared unilaterally by the Provider.

Cloud Contracts as atypical agreements

Cloud contracts are characterized by not having its own structure, but it can be defined using two different typical negotiating schemes: the service contract and the license agreement.

  • Service contract: the obligation - on the part of the contractor is to provide a service for a specific consideration. If a SaaS system is taken into account, it is easy to see that its main characteristic is precisely that it makes an IT structure external to the private or corporate IT structure accessible and allows the user to use software services managed by third parties. It seems therefore simple to trace a contract with a SaaS Provider to the case provided for by art. 1665 cc.

  • License Agreement: is a legal instrument that allows the use of a product (software) and establishes the manner of use of the product itself through the imposition of constraints and limits for the user.

Since Cloud contracts have common characteristics of both the license agreement and the service contract, it did not seem convenient to drastically opt for one or the other solution, but it seems more appropriate to configure the Cloud contract as an atypical contract.  In addition to the general conditions of service, Cloud contracts require some specific documentation such as the Service Legal Agreement and the Service Legal Objective.

The Service Legal Agreement is a specific document that contains the reference parameters for the provision of the Cloud Provider service and for monitoring the level of quality of service actually provided.

The Service Level Objective, on the other hand, is the document in which the parameters for measuring the performance of the provider are agreed in order to limit the emergence of disputes between the two parties on the quality and quantity of the service provided.

Cloud Provider and GDPR: how to choose a Cloud Provider

The European Data Protection Regulation (2016/679) provides that where processing is to be carried out on behalf of the data controller, the controller must only use controllers offering sufficient guarantees to implement all appropriate technical and organisational measures which meet the requirements of the Regulation and ensure the protection of the data subject's rights.

It would therefore be good practice for the data controller, before signing the contract with the Cloud Provider, to verify the latter's adherence to a code of conduct referred to in Article 40 GDPR or other certification mechanism.

The adherence to a code of conduct can in fact be assessed as a guarantee of the Provider's sufficient reliability. For example, the CISPE (Cloud Infrastructure Services Provider in Europe) code of conduct is a coalition of more than 20 Cloud Infrastructure Providers operating in the territory of the Member States and ensures compliance with GDPR and best security practices in data processing.

In addition to adhering to a code of conduct, before signing a contract with the Cloud Provider, it is important to ensure that the Cloud Provider guarantees:

Data portability i.e. the transition of data from one Provider to another in case of need (e.g. in the event that the Provider inserts a pejorative and unilateral change of the service conditions in the T&C and the customer wants to withdraw from the contract)

The adoption of data encryption tools or their pseudonymisation

The storage and processing of data within the EU as it is always preferable to rely on providers that process data within the European Union or in countries for which an adequacy decision has been made.

,

Dior files for protection of the Saddle Bag as a Three-dimensional Trademark.

,
saddle.jpg

20 years after the launch of a now iconic model, Dior has applied to the Us Patent and Trademark Office for registration of the famous 'Saddle' bag as a three-dimensional trademark.

The Saddle bag has been re-introduced from the F/W 2018-19 collection with the addition of new details, prints and materials to the saddle bag accessory.

A three-dimensional mark is a sign consisting of the three-dimensional shape of a product or its appearance and is governed by a specific regulation, both at European and Italian level, which provides for the exclusion of registrability for signs that:

  1. consist of the shape, or other characteristic, imposed by the very nature of the product;

  2. the shape, or other characteristic, of the product necessary to obtain a technical result;

  3. the shape, or other characteristic, which gives substantial value to the product.

    With regard to the first limitation, the rationale of this rule is to prevent a renewable right, potentially unlimited in time, such as a trade mark, from monopolising forms which derive from the natural form of the product, or which in any case are devoid of distinctive character because they coincide with a standard form in the opinion of consumers.

    With reference to the prohibition to register a functional form, the rationale of the standard is to protect the market by preventing a person from becoming the owner of a perpetual right on technical solutions or functional characteristics of a product which, on the contrary, can be protected through patents for inventions.

    Finally, as regards the limit on registering a substantial form, the rule is intended to prevent the registration of a form which, on its own, is capable of determining consumer choice. That characteristic, in fact, falls within the protection of patents for design rights which, unlike trade marks, is limited in time. On this point, Italian case law has ruled that a three-dimensional trademark can be registered if the shapes for which protection is sought have a functional or aesthetic value, such that they do not configure a particular character of ornament or utility.

    In one case, registration as a three-dimensional trademark was refused on the grounds that it was possible to perceive the aesthetic element as predominant, if not exclusive, and in any case with such prominence as to determine the consumer's choice. If Dior wanted to extend the protection of the three-dimensional mark, also at Community level, this third requirement will most likely be the most difficult obstacle to overcome for the French maison. Moreover, it is worth remembering that in two judgments in 2013, the General Court of the European Union denied Bottega Veneta the registration as a three-dimensional Community trademark of two different shapes of handbag, one characterized by the particular shape of the handles and the other by the absence of closing devices. In the present case, the judges considered that the shapes for which Bottega Veneta applied for registration did not fulfil the essential function of a trademark, that is, as an indicator of the origin of a product.

,

Photography and fashion. Clovers obtains a favorable ruling from the Court of Milan on the unauthorized use of a photograph on a fashion collection.

,
One of the gaments of the collection.

One of the gaments of the collection.

Last week the Court of Milan sentenced the company founded by stylist Antonio Marras to pay damages to the American photographer, Daniel J. Cox, for the unauthorized reproduction of a photograph of the latter on clothing.

Daniel J Cox is one of the most successful nature photographers and author of several covers of National Geographic magazine and he know as being the author of a monographic book dedicated to wolves.

The controversy arose when Fashion designer Antonio Marras used this image without the author's consent to develop its fashion collection.

The image was reproduced on a series of women's garments and presented during the woman’s 2014-2015 F/W fashion show in Milan and the collection was distributed and marketed worldwide.

After the parties unsuccessfully completed negotiations aimed at settling the case, the photographer invoked injunctive relief against unauthorized use of the image as well as compensation for damages quantified at the request of the same in the so-called price of consent.

The Court ruled that the image printed on several garments created by Marras coincided with the photograph shot by the plaintiff and met the requirements of the artistic and creative character necessary to access the "enhanced" protection provided by the Copyright Law.

Indeed, Italian copyright law grants photographs a dual level of protection, distinguishing between photographic works (or artistic photographs) and simple photographs.

The orginal photograph. Copyright Daniel J. Cox. - Natural Exposures. All rights reserved.

The orginal photograph. Copyright Daniel J. Cox. - Natural Exposures. All rights reserved.

The difference - which is not always easy in practice - is traced by art. 87 of Italian Copyright Law which define as simple photographs "images of people or aspects, elements or facts of natural and social life, obtained by photographic or similar process, including reproductions of works of figurative art and film stills" and recognize the same protection as neighboring right.

 Conversely, there is no explicit legislative definition of an artistic photographic work  in the Copyright Law and this is left to a “case by case” "practical" evaluation by judges on the basis of a series of indexes.

Artistic photographs are treated like other artistic works have access full protection (up to 70 after the death of their author), whereas simple photographs, on the other hand, enjoy limited protection (20 years from the date of photograph’s production) and the photographer is only entitled to fair compensation in case of unlawful use.

A first and fundamental point of the decision rendered in the Cox/Marras case, concerns the recognition of the artistic value of photography: in the Court’s opinion the artistic value lies "in the creative capacity of the author, i.e. in his personal imprint, in the choice of the subject to be portrayed as well as in the moment of realization and reworking of the shot, such as to arouse suggestions that transcend the common aspect of the reality represented.

The choice to portray the animal in its natural environment and in adverse climatic conditions makes the shot "the result of study and careful photographic analysis by the author" and contributes to the recognition of its artistic value according to the Court.

It is also the technique that comes in this case in relief in order to correctly frame the image within the protected and protectable photographic works: "a wise blurring of the surrounding environment, thus enhancing the expression of the represented subject ... and evoking, in this way, peculiar suggestions in the observer such as to go beyond the mere graphic representation of the animal (...) "a wise use of chiaroscuro and the use, with creative purposes, of light ". Last, the specific authoritative recognition of the artist in the United States and the publishing of the photograph in a monographic work also helped the Court understand the nature of the work.

Therefore, once the artistic nature of the work has been ascertained, the use by the defendant company for commercial purposes of the photograph, by placing it on an item of clothing included in the women's collection, in the absence of any authorization from the author, "constitutes an open violation of the author's right to compensation for damages".

It is interesting to note that the Court of Milan rejected the defendant's objections to the alleged lawfulness of the use of the photograph, since the same can be found on the Google search engine.

The Court found that - "the mere availability on the web of a photograph certainly does not constitute a presumption of absence of authoritative rights, on the contrary, the burden of ascertaining whether or not third parties have rights".

In conclusion, the Court stated that the work of the photographer Daniel J. Cox should be considered to be protected by copyright law, as a creative work in the particular field of photography, ordering the defendants, jointly and severally, to pay damages to the applicant and ordering the publication of the operative part of the judgment by and at the expense of the defendants in the periodical Vanity Fair.

Through this judgment, the Court of Milan has analyzed several legal issues which are constantly being debated experts in the world of intellectual property.

E-commerce. Does your site comply with online sales regulations?

mike-petrucci-c9FQyqIECds-unsplash.jpg

The exponential increase in online shopping in a world marked by the Covid-19 pandemic should convince many operators to assess the legal compliance of their e-commerce sites. This also in light of the fact that the Agicom, the Privacy Guarantor and the judicial authorities are certainly more active in times of great expansion of the Internet and it is then easy to get checks by the authorities on reports of customers or competitors that can lead to the elevation of penalties often high.

For our part, we have identified five macro areas where it might be useful to think about a "legal check-up" to avoid sanctions by the competent authorities.

  1. General Terms and Conditions of Business

If the owner of an online shop intends to introduce clauses in the relationship with consumers, these must always be specified in the general terms of contact. The general terms and conditions must state the general terms and conditions of sale as well as all information regarding the right of withdrawal, the method of returning the goods, delivery times and costs of the goods and shipping, in full compliance with the provisions of the Consumer Code.

2. Privacy and Cookie Policy

The Privacy Policy is a document that informs your users about the processing of their personal data, it is mandatory by law even in case of tracking visits by means of web analytics tools.

Unfortunately, many companies still pay little attention to the obligations regarding the processing of personal data but if you do not want to incur significant fines from the Privacy Guarantor it is important that your company site is in compliance with the law.

Legislative Decrees 69/2012 and 70/2012 have established the obligation to insert a banner when opening the website, which requires the user's consent to the processing of data, in order to be able to continue with the navigation. The consent will also be required when you intend to share your customer's data with third parties.

In addition, if the site uses certain types of cookies for user profiling, it is mandatory to insert a specific information banner on the nature of the cookies used.

3. Indication of company data

The owner of an e-commerce must always provide certain data such as: name, registered office, e-mail address, registration number in the REA or in the Commercial Register. For corporations, the paid-up share capital (or liquidation status) must always be indicated.

4. VAT and business register notices

Except in the case of purely occasional activities and earnings of less than 5,000 euros, the opening of an online store involves the opening of a VAT number and registration in the Register of Companies, at the Chamber of Commerce.

5. Copyright and industrial property rights.

A website (shop windows, blogs, e-commerce, portals, etc.) consists of multiple elements that can be protected:

  • the domain name;

  • the logo;

  • the graphic configuration;

  • the structural and organized conception that emerges when you navigate through your pages: comparable to the "scenography" of the site;

  • the texts and images of the pages

  • It is important to check whether your site complies with copyright law and does not violate the industrial property rights of third parties.

SOS Italia App. Privacy and Big Data at the time of Covid 19.

hqdefault.jpg

The dramatic evolution of the health crisis linked to Covid-19 in Italy has required the Government to put in place exceptional measures to deal with this emergency, including the use of new technological tools never previously used by national institutions.

On March 20, 2020, the Ministry for Technological Innovation, together with the Ministry of Economic Development and the Ministry of University and Research, issued an invitation to all operators in the Italian digital ecosystem to help simplify the management of the pandemic through the development of digital platforms and other data processing systems.

Thus the mobile app "SOS Italia" was launched, a project developed by the Italian Digital Revolution Association, in collaboration with the software house Sielte, which is expected to be soon available on the digital stores of iOs and Android operating systems.

"SOS Italia" aims to monitor and contain the spread of Covid-19 through a user-friendly interface (log in via Google, Facebook, SMS with OTP on phone number and native integration with SPID) that will allow citizens to easily find the official communications made by the Government, the rules of conduct to be adopted, the numbers to call in case of emergency and other useful information.

Citizens will be able to fill in a questionnaire for self-diagnosis purposes and communicate to the authorities their state of compulsory or preventive isolation, the presence of symptoms and positivity to the virus.

Each user will also be able to choose to digitize their self-diagnosis for permitted travel and receive notifications if there is a risk of infection. This will be possible because, once the subject has voluntarily downloaded the app, GPS functionality will remain active even if the user is not using the app. In this way it will be possible to create a mapping of all the places frequented by the individual and build a register of the people with whom the subject has come into contact.

Similarly to what has already been experimented in South Korea, also in Italy, therefore, a technological response is attempted, based on the use of Big Data and algorithms, to put a brake on the contagion curve. But, if, on the one hand, the technical functionalities of the application provide tools of undisputed importance for the monitoring and containment of the pandemic, on the other hand, the inevitable implications in matters of data protection are worrying.

During a national and global health crisis, the protection of the primary right to health is potentially at odds with a number of other values worthy of protection. The management of the current emergency inevitably entails the restriction by the authorities of fundamental rights, including personal freedom and the protection of personal data (privacy).

Let us look at the privacy aspects. GDPR provides for the lawfulness of data processing, even for special categories, even without the express consent of the data subject, when the processing is necessary to safeguard his/her vital interests (or those of another natural person), or when it is indispensable for the performance of a task in the public interest. On the basis of this provision, therefore, the processing of the natural person's data, including data relating to his/her health, may take place independently of the granting of consent when the purpose of such processing is to limit the dissemination of Covid-19.

With regard to the processing of telecommunications data, such as location data, national laws implementing the ePrivacy Directive must also be respected. The ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security.

Legislative Decree 14/2020, which contains urgent provisions for the strengthening of the National Health Service in relation to the Covid-19 emergency, provides for the possibility that the subjects operating in the National Civil Protection Service, the offices of the Ministry of Health and the Istituto Superiore di Sanità and all other subjects in charge of monitoring and ensuring the implementation of the pandemic containment measures, may share and exchange among themselves personal data of citizens (including those relating to their state of health) that are necessary for the performance of their duties. They may also omit to provide the privacy policy (as well as instructions to data processors) or provide it only orally.

This decree also makes clear that personal data processing must in any case be carried out in accordance with the principles of lawfulness, transparency and correctness provided for in Article 5 of the GDPR, reducing their processing to a minimum (principle of minimisation).

To date, however, it is not clear how these principles will be punctually implemented and who, among the various authorities at stake, will in fact be identified as the data controller and which entities, public and private, will be responsible for the aforementioned processing.

One of the issues of greatest concern is the processing of data relating to the location of citizens and how these data can be used by the authorities.

In various interviews, the Privacy Guarantor, in the person of its president, has reiterated that the right to privacy may be subject to certain limitations in the face of a collective interest, provided that the necessary balance is ensured between the protection of individual rights and the safeguarding of collective legal assets, including by providing that any law in derogation has a defined duration and coincides with the emergency period.

Moreover, an inevitably related issue concerns the data retention time, which will also have to be limited to the aforementioned emergency period and it will have to be clarified beforehand what processing operations will be allowed at the end of the emergency period and what will happen to the data collected.

The Privacy Guarantor has clarified that "data protection can even be a very useful tool in the fight against the epidemic, when this action is based on data and algorithms, of which accuracy, quality and "human" review must be guaranteed, where necessary, as in the case of wrong automated decisions based on bias". 

In this regard, continues the Privacy Guarantor, a decree-law could combine timeliness of the measure and parliamentary participation. It goes without saying that the duration must be closely linked to the continuation of the emergency.

In the joint statement of the President of Convention 108 and the Commissioner for Data Protection of the Council of Europe there is an interesting indication on the use of preliminary tests in "sandbox", namely the advice to test the app in a safe and private environment before releasing it to the public.

The Privacy Guarantor may, if necessary, be involved in prior consultation, but in any case, the logic of processing and security measures must be verified by expert consultants able to develop correct privacy architectures and set up processing operations - by design and by default - respecting our fundamental rights.

In conclusion, privacy is not an obstacle to the massive processing of data, even sensitive data, but such operations, which affect our fundamental rights, must be effective, gradual and adequate.

The Italian Antitrust dictates guidelines on the Relationship between Clients , Agencies and Infuencers.

influencer-1-e1544542658891.jpg

On March 15, the Antitrust Authority concluded a misleading advertising procedure, involving for the first time 9 micro influencers who worked in the launch of the "Pan di Stelle" chocolate cream produced by Barilla.

For some time now, the Antitrust Authority has been dealing with various issues of hidden advertising published through new media, as the recent Alitalia / Alberta Ferretti case.

Also in the Pan di Stelle case, the Antitrust Authority has not imposed any sanctions against the parties involved, accepting the commitments that Barilla and the micro-influencers are willing to take on.

The Antitrust Authority has positively assessed the commitments made by the parties involved in the proceedings, which are beginning to emerge as real guidelines, both for the companies launching the marketing campaign and for the influencers promoting the products/services covered and for the agencies mediating the relationship between customers and influencers.

The guidelines that emerge from the Antitrust Authority's decision can be summarized as follows.

As for companies:

  1. These should use a contractual standard in their dealings with influencers that contain penalty clauses (such as reduction of fees and/or penalties and/or suspension of payments) against influencers in case of breech;

  2. Contracts between the client and the agencies should include clauses aiming at making the agencies responsible.

As for agencies, these must carefully monitor the work of the influencers and take prompt action, also at the customer's request, to ensure compliance with the Guidelines.

With regard to micro-influencers they should:

  1. include, in posts containing the image or mention of products received from brands to which they have no obligation to carry out promotional activities, hashtags such as #suppliedbybrand or #brandgift or #fornitodabrand, or other similar wording;

  2. include, in posts published as part of a collaborative relationship with the brand, hashtags such as #suppliedbybrand or #advertisingbrand or #advertisingbrand;

  3. refrain from publishing the content authorized and selected by the commissioning brands, unless the contract expressly provides for it with the relevant constraints. This decision sets out guidelines that give greater certainty in contractual relations between companies and influencers.

Coronavirus (Covid-19) and Repercussions on Employment.

download.jpg

In the infamous health emergency situation due to the spread of the Coronavirus, the Italian Government adopted a series of urgent restrictive measures to contain the epidemiological spread from Covid-2019.

In particular, Decree n.6, provided that, in order to "avoid the spread of COVID-19, in municipalities or areas where at least one person is positive for whom the source of transmission is unknown ... the competent authorities are required to take all measures of containment" and "among the measures may be taken" among others, the "closure of all commercial activities", the "closure or limitation of the activity of public offices", "suspension of work for companies": in a word, the suspension of all potential work activities (except for essential or essential public services) both in red areas where "outbreaks" have been identified and in "yellow" areas, i.e., areas at risk of spread (Lombardy, Veneto, Piedmont, Liguria, Trentino-Alto Adige, Friuli and Emilia Romagna).

This paralysis has led to the need to resort to "relocated" forms of work to reduce the impact of the suspension of activities, so much so that, with the subsequent Prime Ministerial Decree of 25/2/2020, the Government established that "the agile working method governed by Articles 18 to 23 of Law no.  81, is provisionally applicable, until 15 March 2020, for employers with registered or operational headquarters in the Regions of Emilia Romagna, Friuli Venezia Giulia, Lombardy, Piedmont, Veneto and Liguria, and for workers resident or domiciled there who work outside those territories, to all employment relationships, in compliance with the principles dictated by the aforementioned provisions, even in the absence of the individual agreements provided for therein".

Outside of government regulations, the further measures to be used to contain the negative consequences deriving from the suspension of work activities could consist of recourse to the Wages Guarantee Fund (Cassa Integrazione Guadagni) or the Wages Guarantee Fund (Fondi di Integrazione Salariale), provided that the conditions are met.

Another measure that could be used could be to place employees on vacation or have them take time off, provided, of course, that such measures are agreed upon and not imposed on employees.

Without claiming to be exhaustive, the above suggestions are merely food for thought while awaiting the desired return of the health emergency situation.

Human Feelings as Drugs. The Court of Appeal of Milan overturns the decision.

valerio-loi+(1).jpg

Recently the Court of Appeal overturned a judgment rendered in September 2018 by the Court of Milan, which we discussed in this blog

The case was inspired by the alleged violation of copyright of a photograph entitled "Human Feelings as Drugs", consisting in the creation of photographs, prints and posters reproducing vials of medicines of various colors, bearing the words "empathy", "hope", "love", "peace" and "joy" with the expressive phrases of the related feeling or emotion. Artist Valerio Loi intended to realize the idea of taking "feelings like medicine", so as to "allow the patient an instantaneous awakening of perception and a reintegration within the vital flow of emotions".

The plaintiff complained about the illegal reproduction by defendant, Queriot de la Bougainville of a series of pendants - combined with necklaces and bracelets - that would have reproduced their own vials, with identical names of feelings, accompanied by the same illustrative sentences. He therefore invoked injunctive relief, damages and publication of the judgment. The Court of First Instance had reiterated that with regard to photographic works, the artistic character presupposes the existence of a creative act as the expression of an intellectual activity which takes precedence over mere material technique.

That is to say, the photographer's method of reproduction must convey a message which is additional and different from the crystallized objective representation, that is to say, it must be a subjective interpretation capable of distinguishing a work from similar works having the same subject matter.

According to case Law, the requirement of creativity of the photographic work exists whenever the author has not limited himself to a reproduction of reality, but has inserted in the shot his fantasy, his taste, his sensitivity, so as to transmit his emotions. As far as photographic works are concerned, the artistic nature of the reproduction cannot be deduced from the notoriety of the subject or object that is portrayed, since the value of the artistic work is appreciated by virtue of formal canons - which express the author's personality in an absolutely characteristic and individualizing way - since the relative judgement must be made regardless of the object or subject itself reproduced.

QueriotPozioni.jpg

The Court of first instance had excluded the artistic nature of the litigious images, since it was impossible to recognize precisely those aspects of originality and creativity that are indispensable to recognize the full protection under Italian Copyright Law. According to the Court, the plaintiff did not indicate precise shots or a careful selection of lights or particular dosages of light and dark tones that the Court could appreciate. Nor did the photograph highlight a personal and peculiar imprint of the photographer.

In overturning the decision, the Court of Appeal of Milan, held that: "the presence of the creative or non-creative character in the photographic work must be verified, assessing unitarily the subject, reproduced in the photograph, and the photographic modalities with which the subject was rendered, given that the emotional suggestion of the photographic work derives precisely from the close connection existing between the subject photographed, obviously three-dimensional, and the particular modalities with which the same is rendered in the two-dimensional photographic image. On the other hand, the creativity, suitable to give the photographic work artistic value, on the one hand, does not coincide with the concept of creation, originality and absolute novelty, but refers to the personal and individual expression of an objectivity, belonging to the categories listed in the Italian copyright Law, so that the existence of a creative act, even a minimal one, is sufficient, on the other hand, is not constituted by the idea itself, but by the form of its expression, that is to say by the way in which the idea is concretized in the external world [...]" and that therefore "There is no doubt that the photographic work in question presents a relevant rate of creativity [...]".

In conclusion, the Court decided that Valerio Loi's work 'Human Feelings as Drugs' should be considered to be protected by copyright law as a creative photographic work.

How Blockchain can help the Protection of Unregistered Trademarks.

unnamed.png

As many may know, blockchain shares the task of recording transactions among the people making them, and the underlying technology verify that all users are keeping matching records.

However, the registration of a Trademark can imply high costs if the application is filed in different jurisdictions.

Trademark law recognizes rights to unregistered trademarks, that is to say those trademarks used to distinguish products and services, but never filed nor registered.

Trademark holders are beginning to leverage blockchain technology to secure and document proof of first and continuous use.

In the trademark area, Blockchain technology seems to have at least two immediately applicable uses:

  • Creating blockchain-based records as a more secure and trustworthy recordkeeping system to prove trademark use; and

  • Proving the provenance and legitimacy of goods in anticounterfeiting efforts.

There is unequivocal evidence of use in case of infringement for holders of unregistered trademarks as the blockchain technology can create immutable timestamps that can provide proof of first use, continuous use filing and lock in a highly credible date on which certain information related to a trademark was captured.

This can bring to the creation of a record of unregistered trademarks on the same distributed ledger, creating a comprehensive picture of all trademarks in use and the extent of use in a particular jurisdiction.

Blockchain records can be made for trademark use in any jurisdiction, that are quick to obtain and always accessible.

Nike Shoes will be Protected by the Blockchain

nike-lead-1562962246.jpg

Nike has been recently awarded a blockchain patent by the USPTO to create digital versions of its shoes. Nike said that its customers will now be able to register the purchase of their shoes with a unique identification number.

An equivalent digital version of the shoe will be created through a cryptocurrency wallet connected with the user’s unique ID. The Blockchain will help users verify the authenticity of the shoes that the customers are purchasing.

The digital version of the shoes will contain a cryptographic token based on the Ethereum platform. In addition, it will also have information about the physical features of the product, including color, the material used, manufacturing details, and their “eco-sustainability” factor.

The registration of the product on blockchain would allow users to “securely sell or trade” the tangible form of the shoes.

It is noted that the “rights” to sneakers can be stored in a digital wallet along with the cryptocurrency. Also, with the help of digital media, Nike will be able to control sales volumes of CryptoKicks. The company has not yet announced the launch date.

The Story behind Tiffany's "1837 Blue Trademark"

audrey_tiffany_blue_21538672058_medium_master.jpg

Over the years, courts around the world have witnessed disputes involving a wide variety of intellectual property claims. Of these, those concerning the different shades of "colour" are of particular importance and have been of particular importance.

Since the early nineties, several brands, such as T-Mobile (magenta) and UPS (dark brown), have registered their colors over the years as proof of their power to retain customers and communicate a company's ethos.

In 1837, Charles Lewis Tiffany and John B. Young opened their first Tiffany & Young store in Lower Manhattan, right in front of City Hall Park.

Even before the brand became a major supplier of silver, the store sold stationery and other high-end products and the now iconic Blue Book, first published in 1845, already had a blue cover that was greener than the redbreasted egg that we now associate with the brand. Over the years, and into the next century, the Blue Book varied in tone until around 1966, when the company adopted a colour close to Tiffany Blue.

It is hard to pinpoint the exact moment when turquoise began to be associated with the company. The exact reason why the founders agreed on that particular shade is also unknown.

However, there is evidence that as early as 1889, the company had used color at the Universal Exhibition in Paris, demonstrating that even at that time, even in America, turquoise was a precious stone.

Again, Tiffany's famous orchid-shaped brooch, now owned by the Metropolitan Museum of Art, was housed in an elegant turquoise case with a cream-coloured lining. Even at that time, therefore, the company was already linking colour to the packaging.

This is not a marketing triviality, on the contrary, the blue box "is most likely the most recognizable and desired retail container in history". Charles Lewis, in fact, has always refused to sell the boxes on their own, claiming that they were a real symbol - "you can't get one of the most significant symbols of love and commitment without the Tiffany box".

With the advent of 1998, Tiffany & Co. finally registered its colour and packaging. Three years later, the brand also collaborated with Pantone to give life to its personal shade, the "1837 Blue", in memory of its founding year.

No other registered colour has become so closely associated with its trademark.

Over the years, in fact, many companies have successfully chosen objects and symbols, such as an apple, a swoosh, number 57, to represent their brand but no one has managed to claim something that was substantially more specific and applicable than 1837 Blue.

Supreme sued for alleged copyright infringement

supreme.png

A few days ago, ASAT Outdoors LLC, a clothing and fashion company based in Stevensville, Montana, sued Supreme Chapter 4 Corp. before a federal court in New York for violating the copyright of its camouflage press. In this regard, in fact, ASAT has accused Supreme of having "reproduced and exposed to the public without any authorization" its mimetic design, protected by copyright, using it as a print on a series of jackets, sweaters, cargo trousers and hats offered for sale on websites and in stores.

The Montana-based clothing company has claimed that it has never licensed the design to Supreme, nor has it given it permission or consent to use or sell the "camo" on its clothing, such as, for example, "work" jackets of 218 dollars and cargo trousers of 145 dollars.

ASAT also accused Supreme of intentionally and deliberately "violating its exclusive right, as the copyright owner, to reproduce, copy, display and make derivative works - that is, works based on or derived from an existing copyrighted work - of the protected camouflage print" in total violation of federal copyright laws.

In this regard, ASAT has asked the court to order Supreme to pay compensation for all damages, including but not limited to any profit that Supreme itself has obtained from the unlawful use of camo graphics or, alternatively, depending on what is the greater amount, "to pay compensation for legal damages up to $150,000 for each work infringed in the case of intentional infringement of the design”.

From the analysis of the above case, what is particularly interesting is that ASAT, in protecting its intellectual property right, has acted to claim its ownership over the design and not over the trademark.

This strategy seems curious because the Montana company would have had all the powers to demonstrate that consumers connect its specific camouflage print - a print that looks as if it could be somehow distinctive with respect to other types of camouflage on the market - with ASAT Outdoors LLC.

On that basis, in fact, and in view of its wide commercial footprint (consider the sale of its products to giants such as Walmart and Black Ovis) could have acted to ascertain the counterfeiting of its trademark.

In March 2018, Jordan Outdoor Enterprises ("JOE") sued Kanye West's Yeezy LLC before a federal court in Georgia for using some of its copyrighted camouflage prints on a number of Yeezy Season 5 garments and accessories. However, in this case the dispute was resolved in September 2018 after Yeezy and JOE reached "a separate agreement to resolve the complaints and related legal costs".

AC Milan scores against Marriot Hotels

6184c71d2a05ad31c7fe47c2002b336c-1305413884.jpeg

The football club from Milan filed its logo in 2013 in the European Union for various products and services, among which class 43. However, the application in class 43 finds resistance, from AC Hotels, not the most usual opponent for AC Milan.

The AC-element is the most dominant element of AC Hotels and they have to keep AC-trademarks away in class 43, the most important class for AC Hotels. Besides their logo and the wordmark AC HOTELS BY MARRIOTT, their best weapon is the wordmark AC.

But the opposition is rejected. The trademarks are sufficient different. The only corresponding element is AC. According to EUIPO, “the letters AC are negligible elements due to their minuscular size and position in the middle of the other letters in the contested sign, and are not noticeable at first sight, considering also that this complex sign has other visually outstanding elements and, therefore, it is very likely that the letters AC are being disregarded by the relevant public.”

On 19 June 2019, the EU General Court ruled that the EUIPO had been correct in granting registration of the figurative sign that Associazione Calcio Milan SpA (AC Milan) had applied for. [Case T‑28/18].

FERRARI 250 GTO IS A WORK OF ART PROTECTED BY COPYRIGHT .

250 gto.jpg

The Court of Bologna, Section specialized in business matters, has recently added the protection of copyright to the model of Ferrari, perhaps the best known and most appreciated ever: the 250 GTO.

The number, 250, stands for the displacement of each cylinder in cubic centimetres of the V12 3000 cc engine displacement. GTO stands for "Gran Turismo Omologata". This acronym will not be used for several years until the presentation in 1984 of the Ferrari 288 GTO.

According to the Court, "the personalization of the lines and aesthetic elements have made the Ferrari 250GTO a unique example of its kind, a true automotive icon". "Its artistic value has found objective and generalized recognition in numerous awards and official certificates", in "copious publications" and in the "artistic" reproduction on coins and in the form of "sculptures", periodically exhibited in museums.

The Court has thus issued an order prohibiting the defendant to reproduce the form of the 250 GTO in rendering and in car models.

The resistant company was in fact ready to launch on the market a dozen replicas of the 250 GTO, at a price of about 1 million euros each, which reproduced the legendary model of the '60s.

PEAR TRADEMARK IS NOT CONFUSING WITH APPLE

s-l225.jpg

The EU Court recently ruled on the visual and conceptual similarity between brands and, reversing the decision of the EUIPO on this point, found that the well-known Apple brand and the Pear brand cannot be confused with each other.

The story takes its cue from the opposition presented by Apple to the application for registration of the European figurative mark 'Pear', filed by Pear Technologies Ltd. Following the acceptance of the opposition, the latter lodged an appeal before the EUIPO, which confirmed but the first decision. Consequently, Pear Technologies challenged the provision before the EU Court which denied the existence of a similarity between the two signs, comparing them both visually and conceptually.

At first the EUIPO Board of Appeal recognized a remote degree of similarity between the two signs, as both represented rounded shapes of a fruit with the related stem / leaf in an identical position but the Court then came to a different conclusion.

PTL-1.png
apple-1.jpg

The judge in fact observed that the two signs are visually very different from each other: in fact, they represent two distinct fruits and the one (the Apple brand) constitutes a solid form, while the other (Pear) is a set of separate objects between them; moreover, the element in the upper right corner represents in one case a leaf (Apple) and in the other a stem (Pear); finally, the word element of the Pear brand cannot be underestimated, as it has significant dimensions with respect to the shape, a different color, a particular font and is in capital letters. In conclusion, the judge ruled that the reputation of the earlier sign does not matter in a similarity judgment, and that the marks in question are visually different.

From a conceptual point of view, the Court overturned the conclusions of the Board of Appeal EUIPO, emphasizing that there is conceptual similarity only when two signs evoke images having a similar or identical semantic content.

In the present case, the EUIPO had at first considered that the two marks represented two distinct fruits but that however they were similar for biological characteristics but the court held that the signs in question evoke the idea of ​​a certain fruit, while they recall the general concept of "fruit" only indirectly.

Secondly, he reiterated that, in many states, members of apples and pears are used in proverbs as examples of different things and not comparable, and the possible similarity in size, color or consistency (characteristics that, moreover, share with many others fruits) is however an element that can be perceived by the public only in the context of a very detailed analysis, without considering that it is unlikely to assume that the consumer is aware of their origin from the same family of plants.

Based on these considerations, therefore, the EU Court annulled the decision of the EUIPO Board of Appeal, recognizing the possible influence exercised by the reputation of the earlier trademark.

EBAY JUDGED RESPONSIBLE FOR LATE SCAM REACTION

ebay_antitrust.jpg

For the first time, a judgement by the Court of Milan establishes that eBay must reimburse users for the scams suffered when they buy online.

In the case analysed by the Court of Milan, 150 people had bought cellphones at bargain prices from a user on eBay, that were never delivered.

Some of them had finalized the purchase after the seller had already been reported to eBay by other users.

The judge was the first to correctly apply the law 70 of 2003 on the protection of consumers , according to which the provider assumes the responsibility of damages if the provider does not immediately act after having been informed by user. In this case, eBay took three months to close the scammer's account.

In dozens of previous cases, providers have always been considered not responsible because it was established that users should provide with a formal report, by registered mail. But the judge in Milan assessed that the normal reporting tool provided on the web by eBay itself was sufficient.

For its part, eBay has made it known that it will appeal the judgment and underlines how the judge limited himself to acknowledging the reimbursement but not damages and how he clarified that eBay cannot be considered responsible for the activities of the users.