Are exam scripts personal data?

Does an examination script contain personal data in such a way that an examination candidate might therefore ask the examination body for access to his own script on the basis of the Data Protection Directive?

That is the question that the Court of Justice of the European Union was asked by the Supreme Court in Nowak.

Today saw the publication of Advocate General Kokott’s opinion and her view that exam scripts are personal data and in principle are accessible under the Data Protection Directive. She went on to find that the right of access is unlikely to be used as a way for candidates to look to correct errors in the exam under the right of rectification. She also went on to observe that the right of access and the definition of personal data itself is not to be construed merely in the context of the rights of objection, erasure and rectification.

So why is an exam script personal data?

The Data Protection Commissioner had argued that an exam script merely recorded information, i.e. the answers to questions and at the very most only the result of the exam could be construed as personal data.

Dismissing this narrow interpretation AG Kokott noted that rather than simply recording information independent of an individual, an exam script shows how a candidate thinks and works and is used to determine the strictly personal and individual performance of the exam candidate. She found support for this conclusion from the fact that a candidate would have a legitimate interest in objecting to the processing of his script for purposes outside of the context of the examination process.

AG Kokott provided an extensive discussion of the purpose of the right of access to personal data and noted that the definition of what is personal data could not be constrained by concerns about other matter such as the right of rectification.

She noted that accuracy and completeness must be judged in light of the context in which the personal data was created and that in the context of an exam, incorrect answers could not be said to be inaccurate or incomplete in the same way as, for example, would be the case if exam scripts were mixed up or parts of it were missing.

The issue of whether Mr Nowak was abusing the right of access given that he could have availed of an appeal process was also addressed. Again AG Kokott noted that the legislature had given precedence to Data Protection Rights. She also noted that when the GDPR  comes into effect there will be new provisions which qualify the right of access to protect the rights and freedoms of others and for other important public interest reasons.

However the mere existence of other national legislation that also deals with access to exam scripts could not give rise to an assumption that the subject access right was being misused nor could the possibility of circumventing the examination complaints procedure be a reason for excluding the application of data protection legislation.

This is a very thorough opinion and highlights the fundamental importance of the right of access as well as the need to adopt a purposive approach to the definition of what is personal data. The connection between the individual and the context is key rather than simply considering the nature of the information itself.

So what happens next?

The CJEU will issue its decision later this year in what is likely to be a significant precedent for interpretation of the GDPR.

Photo credit https://www.flickr.com/photos/comedynose

The State shouldn’t get a free pass when Europe’s data law comes into effect

There are only 314 days to go; fewer if you subtract weekends and holidays. On May 25, 2018, the General Data Protection Regulation comes into effect.

This new European Union law, better known as the GDPR, will make fundamental changes to how our information is used and protected, giving greater rights to the individual and creating much more severe penalties for non-compliance.

This tight deadline creates severe pressures for businesses and other organisations such as charities which must completely review how they handle personal information by then.

Some are already in the process of doing this; the majority are scrambling to catch up.

It also puts all parts of the Irish State under significant time pressure.

Although the GDPR is a European law, parts of it require national legislation to implement. The Department of Justice and Equality is responsible for preparing a Bill to give effect to the GDPR in Irish law.

That Bill must then pass the Dáil and Seanad to put in place a new legal framework for enforcement, including a restructured Data Protection Commission. All of this must be done in good time prior to May 2018 to enable planning for the transition.

So far, the Department has produced a draft Heads of Bill, and with commendable speed the Oireachtas Joint Committee on Justice and Equality has already held three hearings examining this draft.

Most of the draft is relatively technical and uncontroversial. But the hearings have exposed aspects which could significantly undermine the position of individuals against the State.

On behalf of Digital Rights Ireland, I gave evidence to the Joint Committee about two of these issues.

The first is that the draft Head 23 proposes to exempt public bodies from fines for breach of the GDPR. The argument for the exemption is that these fines would be circular – that they would merely shuffle money from one public fund into another public fund.

But this ignores the experience in the United Kingdom where fines have been an important deterrent, encouraging public bodies to improve their information security.

The exemption also gives the wrong impression – that the public sector is to be held to a lower standard than others.

And it would be practically unworkable: as a matter of European law, one cannot have a situation where a public body such as a hospital is given preferential treatment over private market competitors. The Data Protection Commissioner, Helen Dixon, has described the exemption as a serious concern and pointed out that it would create a real burden for her office by forcing it to assess, in every case, whether a public body has private competition.

The second issue with the draft is that in Head 20 it gives the power to any Minister to make regulations in any area restricting any individual rights on the basis that this is necessary for any “important objective of general public interest”.

The effect of this is to create an open-ended power to limit the rights created by the GDPR on the basis of a ministerial signature only – with no requirement for any approval from the Dáil or Seanad.

There are, of course, situations where data protection rights should be restricted in the public interest. For example, the right to know what information is held about you does not apply where that would undermine a criminal investigation.

But until now those have almost always been provided for in primary legislation, subject to scrutiny by lawmakers.

An unconstrained power to make new restrictions will in practice mean government departments being the judge of what rights individuals should have against those departments and their agencies.

As with the proposed exemption from fines, the intention is that the state will receive more lenient treatment.

It is worth remembering that shortly before his retirement the last Data Protection Commissioner, Billy Hawkes, summed up his term in office by saying that public bodies had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them”.

He said that “the state system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us” and that there was a need for “system-wide action” before “an inevitable crisis” was triggered.

Given this background, and the fact that the state holds so much data on us, it should be held to a higher, not a lower standard.

[This post is an edited version of an opinion piece by TJ McIntyre which ran in the Irish Independent on 8 July 2017]

SMEs can now access KDB tax relief without filing a patent

Irish SMEs can now apply for Knowledge Development Box (KDB) tax relief without owning a patent if their invention is certified by the Patents Office to be novel, non-obvious and useful.  This is known under the KDB scheme as ‘intellectual property for small companies’.

All that is required is an application to the Patents Office for a KDB Certificate – which must include an opinion from a Patent Agent attesting that the invention is novel, non-obvious and useful. However, this is a new departure for Irish Patent Agents and it remains to be seen how this will work in practice.

Applying to accounting periods commencing on or after 1 January 2016, the KDB relief provides for a 6.25% corporation tax rate on profits arising from certain (1) patents, (2) copyrighted software, and (3) ‘intellectual property for small companies’ resulting from qualifying R&D activity carried out in Ireland. For more information see the Revenue website.

GDPR Resource for Charities and NGOs

Dóchas is the umbrella body for Irish charities and NGOs involved in international development and relief overseas.

We recently worked with Dóchas to create a resource to help charities and NGOs prepare for the General Data Protection Regulation (GDPR). This free resource is available for download here.

The GDPR will apply in Ireland from 25 May 2018 and will introduce significant changes to data protection law including increased compliance obligations for data controllers and enhanced rights for individuals.

Leading privacy lawyer Dr TJ McIntyre joins FP Logue

We are delighted to announce that Dr TJ McIntyre has joined the firm as a consultant.

TJ is a solicitor and a lecturer in law at University College Dublin specialising in information technology and privacy issues.

Recognised as one of Ireland’s leading experts in his field, TJ has advised a range of public and private sector organisations and is the current Chairman of Digital Rights Ireland, an advocacy group best known for successfully having the Data Retention Directive struck down by the European Court of Justice.

This appointment bolsters our information law practice and underscores our commitment to serving our clients as they adapt to the General Data Protection Regulation coming into effect from May 2018.

Our picture shows (l to r): Niall Rooney, partner, TJ McIntyre, consultant and Fred Logue, senior partner

Pic by Pearl Phelan

 

ACHILL trade mark declared partially invalid

Registering a name as a trade mark gives the owner exclusive rights to prevent others using the same name (or a confusingly similar name) in a commercial way for particular goods and services.

The question often arises whether place names can be registered as trade marks for goods or services. In general, geographical names are not registrable as trade marks if the place is currently associated with the goods or services in the mind of the consumer, or it is reasonable to assume the place will be associated with these goods or services. The test is whether the name is descriptive of objective characteristics of the goods or services, such as place of production of the goods, subject matter of the goods, or place where the services are rendered.

The Cancellation Division of the European Union Intellectual Property Office (EUIPO) recently considered these principles and declared a trade mark for an Irish place name invalid for meat and lamb products, restaurants, food service, holidays and holiday accommodation.

The case relates to Achill Island off the coast of County Mayo, Ireland, the largest island in the country and a popular tourist destination.

Uaineoil Sléibhe Acla Teoranta, an Irish company of Achill Island, Co. Mayo is the owner of EU Trade Mark No. 013435573 ‘ACHILL’ which was registered on 31 March 2015 for “Meat and meat products; lamb meat and lamb meat products; lamb meals and constituents of meals predominantly of lamb” (Class 29), “Equestrian holidays, holidays and holiday accommodation, holiday information; restaurant services; catering services” (Class 43) and “Healthcare services; health resort services; convalescent homes services; saunas, beauty salon services, sanatorium, hairdressing services; massage services; nursing services; baths for hygiene purposes and turkish baths; flower arranging; manicure services; physiotherapy” (Class 44).

On 24 August 2015 CaorAcla Limited filed an application at the EUIPO to cancel this trade mark registration on grounds of invalidity. The main ground relied on was that ‘ACHILL’ is a known geographical term which is descriptive as it indicates the geographical origin of the goods and services covered by the trade mark registration.

Both sides filed detailed evidence in the case, and the EUIPO issued its decision on 18 April 2017.

Observing that the relevant consumer is the Irish average consumer and that the term ‘ACHILL’ refers to Achill Island in County Mayo, Ireland, the EUIPO found as follows.

Regarding the class 29 goods being meat, lamb meat, lamb meat products, the EUIPO observed from the evidence that “Ireland as a country is rife with sheep”. It is known for its sheep and sheep farming. There are sheep all over Ireland, and “sheep farming has taken place on Achill Island for a long time”. When lamb meat is sold to the consumer, the breed is seldom or never mentioned. On the other hand, geographical provenance is often mentioned when choice foods are offered for sale. Geographical provenance of foods has become important for consumers, for instance, consumers know that feed, such as grass and herbs in a specific place eaten by sheep and livestock, affects the taste of meat. Consumers may choose a meat from a certain place because they like that flavour and other qualities of the meat and increasingly geographical provenance is mentioned in sales and marketing. Taking into consideration that the Irish average consumer is aware sheep farming takes place all over Ireland, they would rightly assume it also takes place on Achill Island. Therefore, when viewing the mark ‘ACHILL’ in relation to the class 29 goods, the consumer will immediately understand that the goods are lamb meat from lambs reared on Achill Island, and would understand it as a term indicating the geographical origin of the goods. Therefore, ‘ACHILL’ is descriptive for the class 29 goods.

Regarding the class 43 services, the term ‘ACHILL’ is descriptive as an indication of destination, location and subject matter for holidays, holiday accommodation and holiday information services. It is also descriptive for restaurant and catering services, which go hand-in-hand with accommodation services. Furthermore, food is an important part of holiday experience and tourists will often connect foods with a certain place. However, equestrian holidays are very specific and cater to a limited number of individuals. There was no evidence that Achill Island is known for horse riding holidays and ‘ACHILL’ is not descriptive for these services.

Regarding the class 44 services, there was no evidence that Achill Island is known for such healthcare, health resort or personal care services, or that the consumer might view the term ‘ACHILL’ as an indication of geographical origin for such services. Therefore, ‘ACHILL’ is not descriptive for these services.

The EUIPO went on to find that ‘ACHILL’ is also devoid of distinctive character for the same goods and services for which the mark has been found to be descriptive.

The EUIPO noted that in these proceedings the trade mark owner did not claim nor did it provide any evidence of acquired distinctiveness of the mark ‘ACHILL’.

The EUIPO upheld the application for cancellation in part and declared the trade mark ‘ACHILL’ invalid for “Meat and meat products; lamb meat and lamb meat products; lamb meals and constituents of meals predominantly of lamb” (Class 29) and “Holidays and holiday accommodation, holiday information; restaurant services; catering services” (Class 43). The trade mark will remain registered only for “Equestrian holidays” (Class 43) and “Healthcare services; health resort services; convalescent homes services; saunas, beauty salon services, sanatorium, hairdressing services; massage services; nursing services; baths for hygiene purposes and turkish baths; flower arranging; manicure services; physiotherapy” (Class 44).

The decision is open to appeal to the EUIPO’s Board of Appeal until 19 June 2017, otherwise it becomes final after that date.

Update:  The registrant filed a Notice of Appeal to EUIPO against the decision on 15/06/2017.

Law and the Engineering Mindset

While a postgraduate qualification in science or engineering is almost obligatory for intellectual property and technology lawyers in advanced economies such as the UK, USA and Germany the same is not the case in Ireland where the vast majority of practising lawyers follow the same path from basic law degree to practice. But research from the USA and the UK shows that poor mathematical skills in lawyers is a real problem.

As one of the few Irish technology lawyers with an engineering background I am often asked what difference technical experience makes to my practice as a lawyer.

Look at the intellectual property and technology departments of the biggest firms in Ireland and you will find non-technical lawyers with qualifications that are identical to their colleagues in areas such as real estate, finance, M&A and family law.

I have thought long and hard about what advantage technically qualified lawyers have and have come to the conclusion that it goes way beyond numeracy and familiarity with technology.

Lawyers with technical training and experience bring an engineering mindset to the practice of law and that is what sets us apart.

Lawyers with technical training and experience bring an engineering mindset to the practice of law and that is what sets us apart.

So what is an engineering mindset?

Well as a practising lawyer who has a PhD in physics, three patents and ten years’ experience working for some of the worlds largest technology companies I think I can finally answer that question.

Engineers have a native curiosity – it’s what drives us to make things better. Engineers are always looking for elegant solutions to hard problems that improve people’s lives – it’s in our DNA.

Research from the USA and the UK shows that poor mathematical skills in lawyers is a real problem.

Engineering depends on collaboration to get the job done. Engineers often have a strong vision but the best ones also have the ability to listen to and take on board other points of view.

Engineering brains are wired to spot patterns in complex data. Because of that we perceive patterns differently breaking things down into their components and putting them back together again to make something new and better.

Lawyers are traditionally conservative and tend to follow the status quo, on the other hand, knowing something has never been done before motivates engineers to innovate. A technical qualification engenders a healthy disrespect for the status quo.

Finally engineers are experts at communicating complex ideas often using data and visualisation to make the point. You won’t see an engineer writing a ten page document when a diagram will do the job.

So when you work with a lawyer who has an engineering mindset you get a numerate problem solver and communicator motivated to craft elegant solutions even for problems that have never been solved before.

If you want to work with lawyers who have this unique engineering mindset please subscribe to my newsletter, Ghost of Electricity, or get in touch with us at www.fplogue.com

Ireland set to extend copyright in industrial works

The Department of Jobs Enterprise and Innovation published the results of its consultation on the proposed harmonization of the term of copyright protection for artistic works exploited by an industrial process.

For most copyrights the protection lasts for a term of the life of the author plus a further 70 years after death. With artistic works that are exploited industrially – for example furniture, lighting etc – the position was unclear since the 2001 design directive appeared to leave it up to the Member States to set the term for works exploited by an industrial process. In the UK and Ireland the copyright in these works was set at 25 years, the same as under the design directive.

However the European Court in the 2011 flos judgment which concerned designer lighting clarified that the term of copyright was harmonized in the EU irrespective of any changes that might have been thought to have been made under European design laws.

The biggest effect of the proposed changes appears be to the business of retailers of replica furniture or furniture inspired by classic designs. These retailers will see the opportunity to manufacture and sell lower cost replicas of classic furniture from periods up until the early 1990’s shut off for the best part of another century.

When the UK changed its law recently it seems that some replica businesses decided to move to Ireland since at that time Ireland had not moved to bring its laws into line with the flos decision.  However that loophole will now be closed off.

With this consultation complete the Irish administration now intends to introduce a 12 month transition period to allow manufacturers to reorient their businesses and run down stocks. After this, classic industrial designs will benefit from a longer term of intellectual property protection.

Revenue streamlines SME R&D tax credits

The Revenue has issued a new practice note indicating that it will not challenge R&D tax credit claims from SMEs valued under the science test where the claim relates to projects supported by IDA or Enterprise Ireland grants and the value is less than €50,000.

The practice note indicates that the this will reduce Revenue’s need to engage experts to perform such verification it also gives claimants certainty if a claim is audited removing the need for independent verification that the claim meets the definition of R&D as defined by the OECD.

The practice note is available here or below:

29-02-07

Photo credit: https://www.flickr.com/photos/snorrtttfrenzy/4315844941

European Data Protection Supervisor calls for coherent approach to regulation in the age of big data

Today, Giovanni Buttarelli, the European Data Protection Supervisor, called for a re-engineering of regulation in the European Union in the age of big data and in light of the Charter of Fundamental Rights. If the actions suggested by the new EDPS opinion on  coherent enforcement of fundamental rights in the age of big data come to fruition we are going to see significant focus on the harms of big data including barriers to privacy-enhancing innovation and the hidden costs of excessive personal data disclosure.

Mr Buttarelli observed that while processing personal data is indispensable to web based services and the Digital Single Market many services have become dependent on covert tracking of individuals. Dominant companies may be able to foreclose the market to new entrants competing on factors which could benefit the rights and interests of individuals or to impose exploitative terms. Imbalances between service providers may also increase the price – in terms of personal data – disclosure far beyond what may be expected in a competitive market.

Pointing to threats posed to several fundamental rights by standards and behaviour that have become the norm in cyberspace, Mr Buttarelli called for dialogue and collaboration between consumer, competition and other regulators, updated rules on merger control to protect privacy and the even the creation of a space on the web where users could interact with a guarantee that they would not be tracked.

This is a bold and ambitious call from Europe’s top data protection supervisor but it echoes similar sentiments which were recently expressed by Competition Commissioner Margrethe Vestager and her acknowledgement that personal data is often the price we pay for web services and that market power can itself derive from control of large unique data sets.

Photo credit: @topgold