Data Protection – The Sheriff Comes to Town

Ireland has been described as the Wild West of European finance and yesterday the sheriff came to town. For the first time the US government looked to join Irish proceedings destined for the European courts in Luxembourg so that it can make the case for transferring personal data across the Atlantic. But it needs to be careful what it wishes for because if its application is successful it may have to provide details on oath to the Irish and European courts of surveillance by the US security services. Will this be the first time the world can really see what happens to their personal data which is held by the US internet giants? All will be revealed by the end of the month when Mr Justice Brian McGovern decides who can intervene in the Schrems II case.

This week in the Irish High Court an unprecedented ten parties applied to become amicus curiae, or friends of the court, in the Schrems II case – a case between the Irish Data Protection Commissioner and Max Schrems, an Austrian privacy activist, concerning transfers of personal data from Europe to the US by social network Facebook.

Proceedings had been taken by the Irish Data Protection Commissioner seeking to establish the legality of so-called Standard Contractual Clauses (SCCs), which are intended to legalise the transfer of personal data from Europe to the US. The Commissioner is asking the Court to refer questions concerning the legality of the SCCs to the Court of Justice of the European Union (CJEU).

An amicus curiae, although not party to the proceedings, has a strong interest in the matter at hand and acts to assist the court in its deliberation. A party must be a party to the Irish proceedings if it wishes to participate in a reference to the CJEU. The parties that applied to the Court include the US government, the Irish Human Rights and Equality Commission, the Irish Council for Civil Liberties, the American Civil Liberties Union, the Electronic Frontier Foundation and the Electronic Privacy Information Center. Also making applications were the Business Software Alliance, the Irish Business and Employers Confederation (IBEC), Digital Europe and data privacy campaigner Kevin Cahill.

The US government acknowledged that this is an unusual case and that the US is in a “unique and unprecedented position”. Counsel stated that the US has a bona fide interest in the proceedings and that the US government’s expertise in US law is crucial. It was contended that it is critical that the Court, and the CJEU in the case of a referral, have the assistance of the US authorities. It was also contended that Facebook had not only consented to the joining of the US, but also stated that the US has the strongest case to be an amicus curiae. According to the US government, Mr Schrems had no objection to the US joining provided that other civil society organisations were also joined and that the role of the US was strictly constrained by the court.

The Electronic Privacy Information Center submitted that it has expertise in US privacy issues and information technology. It also said that it has unrivaled experience in acting as an amicus in US courts.

Mr Justice McGovern is expected to give his ruling by the end of July.

We will then know if the truth will finally be told about the relationship between the US intelligence services and the internet giants.

Article written by Conor Fynes

Photo by Larry Lamsa

Information Commissioner and Commissioner for Environmental Information publishes 2015 annual report

The Information Commissioner and the Commissioner for Environmental Information, Peter Tyndall, launched his offices’ annual report today. The report is Mr Tyndall’s third since taking office and highlights the welcome improvement in his offices’ capacity against a backdrop of an increasing workload.

The report notes:

  • A 32% increase in applications to review FOI decisions of public bodies reflecting a 38% increase in requests.
  • A 20% increase of the number of applications for review disposed of within four months
  • The Commissioner’s intention to pay closer scrutiny to failures of public bodies to issue timely decisions
  • An 80% increase in appeals to the Commissioner for Environmental Information
  • The appointment of two investigators expressly for the purpose of conducting AIE appeals.

 

This firm advised on several key decisions made in 2015 which were highlighted by the Commissioner:

  • A decision that a new provision of the FOI Act 2014 prevented disclosure of Oireachtas members’ expenses (link)
  • The decision to order release of documents relating to lobbying on the Legal Services Regulation Bill (link)
  • Information on the usage of Garda aircraft, contract for the provision of fuel and an electricity bill were not environmental information (link).
  • That the Irish Fish Producers’ Organisation was not a public authority under the AIE Regulations (link)
  • NAMA v Commissioner for Environmental Information – judgment delivered by the Supreme Court in June 2015 – definition of public authority (link)
  • Minch -v- Commissioner for Environmental Information – judgment delivered by the High Court in February 2016 – definition of environmental information (link)

 

A copy of the report is available on the Commissioner’s website.

Data Protection: It’s a long way from Portarlington to Luxembourg

“Mr Nowak’s legal journey continues”

Thus concludes Mr Justice O’Donnell in delivering a seven-judge Supreme Court decision in Peter Nowak -v- Data Protection Commissioner [2016] IESC 18. The case concerned a claim by Mr Nowak that his exam script in a professional accountancy exam was personal data and therefore should be provided to him under data protection law.

Having begun his journey at the Data Protection Commissioner’s office in Portarlington and stopping off at four (yes four!) levels of appellate court along the way, Mr Nowak is off to Luxembourg for the final word on the issue.

Mr Nowak wanted to see the exam script from his failed attempt to pass one of four second level exams set by Chartered Accountants Ireland. Having been refused access under the Data Protection Acts he complained to the Data Protection Commissioner who took the view, without reviewing the script, that an exam script such as his could not be personal data. The Commissioner dismissed Mr Nowak’s complaint as being “frivolous or vexatious” since it had no foundation in law.

Three levels of appellate court agreed but the Supreme Court wasn’t sure and referred the question to the CJEU.

Following Schrems, this is the second time in less than two years that a complaint dismissed by the Data Protection Commissioner as hopeless has ended up in the highest court in Europe. A situation described by O’Donnell J as “incongruous”.

The underlying issue here, whether an examination script is ever capable of being personal data within the meaning of the Acts, and if so, whether this script is such personal data, is one of some difficulty and complexity that requires the analysis of a number of different texts and provisions. It might appear rather incongruous, therefore, that the Commissioner, while clearly respectful of Mr Nowak’s complaints, determined them to be frivolous and vexatious, and now maintains that this decision can only be reviewed through the mechanism of judicial review. This incongruity is highlighted by the fact that perhaps the most important data protection case to emanate from this jurisdiction, and which has resulted in a landmark decision of the Court of Justice of the European Union,  Schrems v. The Data Protection Commissioner (Case C-362/14), judgment of the Grand Chamber, 6th October 2015, to which Digital Rights Ireland was added as a party, concerned an issue which was determined by the Commissioner to be frivolous and vexatious under s.10(1)(b)(i).

 

Meanwhile and arguably more importantly, the Court finally put to bed a glaring anomaly in the rights of data subjects to appeal decisions of the Commissioner in the courts.

Arising out of Mr Nowak’s complaint the Circuit Court, High Court and Court of Appeal all held that where a complaint is dismissed as “frivolous or vexatious” by the Commissioner the data subject has no statutory right of appeal to the Circuit Court under section 26 of the Data Protection Acts. The only route available in that case is the costlier and less extensive remedy of judicial review in the High Court.

According to the Supreme Court this was not what the legislature intended in drafting the Data Protection Acts which provide for a Circuit Court appeal against all Commissioner decisions. It must be assumed, according to O’Donnell J, that the law is intended to make sense and to “achieve some purpose which is to be discerned from the words of the Act, its structure and the background against which it is enacted.”

O’Donnell J didn’t think the Commissioner was looking for a broad definition of “frivolous or vexatious” in order to avoid launching investigations since there was nothing stopping him from making preliminary decisions in any particular circumstance, thereby retaining the ability to filter out clearly misconceived complaints but always subject to appeal to the Circuit Court.

Substance over form

The Court reserved its position on the issue of what form such a statutory appeal would take until a more suitable case arises, clearly signalling that it will hear such a case when and if one comes along.

Clarke J in his concurring judgment went a step further and criticised the legislature for not clearly defining the scope of statutory appeals generally, referring to his previous judgment in Fitzgibbon v. The Law Society of Ireland [2014] IESC 48.

The Court felt that the appeal was less than a full rehearing but more than judicial review, as was set out by a previous Supreme Court in Orange Communications Ltd v. The Director of Telecommunications Regulation and anor (No 2) [2000] IESC 79 (a case in which O’Donnell J acted as a senior counsel). The Court hinted that even this test in the context of data protection law may need to be considered again in the future if a suitable case comes along.

The decision on scope of appeal is a welcome one for data subjects, who now have a more accessible appeal to the Circuit Court against all decisions of the Data Protection Commissioner, even against decisions that a complaint does not come within the scope of data protection law at all.

It is likely that this finding will read across into other statutory appeals regimes, particularly where for costs reasons appeals on procedure and jurisdiction are less common such as those under the Freedom of Information Act 2014 and the Access to Information on the Environment Regulations.

Sunday Business Post 100 Hot Start-ups

The Sunday Business Post has published its list of 100 Hot Start-ups showcasing a cross section of the vibrant startup scene in Ireland. Aside from a curious inclusion of a Five Guys franchise as an Irish start-up, the publication is excellent and highlights innovative entrepreneurs and companies across a wide range of industry sectors.

Something that immediately strikes us as IP lawyers is the range of creative brand names for these ventures. No doubt some have put a huge amount of time and effort into ideating the brand names, and believe that they own them…

However, the only way for a start-up or emerging business to legally own a brand name is to register it as a trademark. Moreover, trademark registrations are territorial, meaning rights only extend to the geographical markets covered by any registrations. While company name registration, business name registration and domain name registration are all very important, none actually grants exclusive rights in the name. The only way to get exclusive legal rights in a brand name is to register it as a trademark.

A quick search on trademark registers for a representative sample of the brand names in the publication shows that a surprising number have not yet been protected as trademarks. In Europe registered trademark rights are obtained on a “first to file” basis. It’s important for start-ups and emerging companies to get this sorted early, and to secure legal ownership of the brand name by trademark registration, before someone else gets there first and causes a problem… At the very least get advice on it so you know where you stand. Any start-ups with questions about how to protect a brand name as a registered trademark efficiently and cost-effectively, do get in touch with us to discuss.

Information law: Privacy constraints on access to information seized under warrant

A recent judgment of the Irish High Court illustrates the fine balance that must be struck between privacy rights and the right of investigators to access information seized under warrant.

Opening his judgment like a whodunit, judge Max Barrett of the Irish High Court sets the scene for a thriller concerning the rights of the Irish Competition regulator (the CCPC) to access information seized during a dawn raid and exposes the dangers of not privacy-proofing search and seizure laws.

For those who want to skip to the end, let’s just say it doesn’t end well for the CCPC which had ventured into Terra Incognita to find that the only discernible feature in the otherwise desolate landscape consists of a rock and a hard place.

The facts are simple – in May 2015 the CCPC obtained a warrant to search the premises of Irish Cement Limited (ICL) at its factory north of Dublin. During the raid, the CCPC took copies of large amounts of electronic information including the entirety of the email box of a senior ICL executive. It transpired that the seized information included both personal and private information that was not covered by the CCPC warrant. Recognizing this, the CCPC indicated that it would review all of the seized information and that it would decide which information came within the scope of the warrant. Naturally ICL objected and proposed a procedure whereby an independent party would conduct the review and only hand over relevant information to the CCPC. The parties were unable to reach agreement and so ICL issued proceedings asking the court to determine the scope of CCPC’s right to access private and personal information falling outside of the scope of the search warrant.

Barrett J sets the scene:

One has arrived at a place that seems largely, if not entirely, ungoverned by law. The [CCPC] maintains, not that this provided anywhere in the 2014 Act, that the proper thing to be done is that it should go through of the materials it now possess … weeding out the wheat to which it is entitled from the chaff.

For its part ICL contended that such a process is a violation of the European Convention on Human Rights, the Charter of Fundamental Rights, the Data Protection Acts and the Irish Constitution.

Barrett J agreed, first observing that while there was no illegality in the seizure of the information, the accessing of it by the CCPC would constitute a breach of the ECHR and Constitutional rights to privacy. While there were statutory protections for legally privileged information, no such protections were provided for private or personal information. The CCPC could not assume that it had carte blanche in respect of such information and, according to the court, the only way to access any of the seized information was through negotiation and agreement with ICL.

This undoubtedly makes it difficult, if not impossible, for the CCPC to continue its investigation.

While the judgment may be appealed, the law as it stands makes it virtually impossible for the CCPC to conduct an investigation since, with electronic information in particular, there is almost always an intermingling of personal and irrelevant private information in any seizure. Without a statutory framework for accessing seized information it is difficult to see how the CCPC can confidently gather evidence if it has to rely solely on the cooperation of the undertaking which is subject to investigation.

The case highlights the importance of privacy-proofing legislation. While the legislature saw fit to provide safeguards for legally privileged information, it doesn’t seem to have considered the possibility that a seizure would “hoover up” mixed information and didn’t provide similar protections for the privacy rights of individuals and corporates.

The judgment may be appealed but until a final decision is issued it seems that the CCPC is stymied and ultimately there may be a need for a statutory amendment to resolve the issue.

Thanks to TJ McIntyre for posting a copy of the judgment online.

Chief EU data protection regulator launches blog ushering in a new era of global data protection

April Fool’s Day is not the best day to launch a blog, but Giovanni Buttarelli, the European Data Protection Supervisor, decided to put his digital pen to paper to launch a blog heralding the advent of a new era of data protection where European standards will be the “digital gold standard”.

Buttarelli is referring to the General Data Protection Regulation which is expected to become law before the Summer.

Mr Buttarelli sees two major strategic consequences of the GDPR, which he describes as a “game changer” and at the core of our human dignity, setting the standard for a generation:

The first consequence is that the GDPR sets up a genuine platform for global partnerships. This reflects the global nature of data flows, enabled by technologies and driven by creative, disruptive business models. Over half the countries in the world now have a data protection and/or privacy law, and most are strongly influenced by the European approach, a trend towards the ‘global ubiquity’ of data privacy. The regulation promises a wider scope for cooperation between authorities and data controllers both within the EU and internationally. It should galvanise efforts for a more consistent standard contractual clauses, speed up the validation process for binding corporate rules, and help them dovetail with similar arrangements elsewhere in the world. I hope that the new provisions for codes of conduct, seals, certification and accreditation processes will incentivise controllers inside and outside the EU to take the initiative in devising standards which are both business friendly and in the interests of individuals.

The second consequence is that data protection is no longer an optional extra. The Court of Justice of the European Union applies these rules strictly, interpreting them in the light of the EU Charter of Fundamental Rights, and favouring the rights and interests of the individual above corporate or business aims, however reasonable and legitimate. The EU cannot retreat from these core values. Data protection authorities will have to be vigilant in monitoring implementation of the GDPR, and applying the newly-amplified range of possible sanctions in case of violation.

Trunki decision: What Irish businesses need to know

Rob Law, inventor of the Trunki children’s ride-on suitcase, was interviewed on RTE Radio 1 yesterday (Podcast: Successful Rejects – Trunki – 31st March) and told the story of the successful brand.

Trunki has been in the media recently for other reasons as it failed to enforce its EU registered design in the UK against the discount rival Kiddee case – even though the rival product was intended as a discount version of the Trunki product.

An EU registered design is an IP right that protects the appearance of the whole or part of a product, to the extent that the design is new and has individual character. In considering the scope of protection what matters is the overall impression produced by the design.

Trunki’s EU registered design consists of six CAD drawings with greyscale shading and grey/black colour contrasts. See below, alongside a sample view of the rival product.

[Image: Trunki’s EU registered design drawings alongside a sample view of the rival product]

On 9 March the UK Supreme Court dismissed Trunki’s appeal against a finding that its EU registered design was not infringed by the rival product. The Kiddee case did not infringe Trunki’s registered design because it made a different overall impression, namely an insect with antennae or an animal with ears. This was significantly different from the overall impression given by Trunki’s registered design, namely a horned animal. Furthermore, Trunki’s registered design was not a claim for the shape alone, but a shape in contrasting colours (appearing in black and grey in the drawings). While the Court sympathised with Trunki, noting the concept was original and clever, it said that design rights are there to protect designs and not ideas or inventions.

This decision against Trunki is a reality check about how far registered design protection goes in practice. It also underscores the importance of getting the graphic representation of the design right. In fact, it may be that the outcome for Trunki might have been different if simpler line drawings were used, instead of CAD drawings with shading and grey/black colour contrasts which appear to have restricted the scope of protection.

While this decision is based on its own facts, there are a number of important takeaway points from the decision that all design-led businesses need to know:

  • Registered designs remain an important IP right, however the scope of protection can be fairly narrow, especially for mass market products or in crowded design space.
  • Registered designs only protect visual appearance of a product, not the idea or concept underlying a product.
  • Contrary to media reports, registered design infringement is not about comparing two products in the marketplace. It involves comparing the overall impression of the rival product with that of the design as registered. In other words, the registered design determines scope of protection, not the product itself or how it appears in the marketplace.
  • Utmost care is now required when filing a registered design application, in particular how the graphic representation is prepared, to maximise scope of protection while maintaining validity. Applicants have choices about how to depict a design using line drawings, CAD drawings or photographs. Getting the graphic representation right is crucially important as this will define the scope of protection. Applicants also have choices about filing a multiple design application to maximise protection across graphical formats or visual appearances.
  • It is likely that the scope of many existing EU registered designs is more restricted now than previously thought, particularly where graphic representation is based on CAD drawings with unnecessary tonal contrasts or based on photographs.
  • Although this is a UK decision it relates to EU registered design law and has relevance for Ireland.
  • Businesses and designers should take an overall approach and consider best options for IP protection to fit budget and commercial objectives. This means getting professional advice and considering all options whether based on trade marks, patents and copyright, as well as registered designs.

The Supreme Court judgment (PMS International Ltd v Magmatic Ltd [2016] UKSC 12) is here

High Court rules that broad interpretation of “environmental information” is required

In breaking news the High Court has this morning delivered judgment in Stephen Minch -v- Commissioner for Environmental Information & Anor, a case which concerned the scope of access to environmental information.

This is the first opportunity the Irish courts have had to review the correct test as to whether information falls within the scope of Directive 2003/4/EC on public access to environmental information. The directive gives effect in the EU to provisions of the Aarhus Convention on access to information.

In her judgment, Baker J held that the Commissioner for Environmental Information failed to adopt a purposive interpretation that is required to give effect to the provisions of the Aarhus Convention and its implementation under EU law and that he imposed an overly narrow test of remoteness when characterising the information requested by Mr Minch and the context in which it was created:

I consider in the circumstances that the Commissioner’s approach was too narrow, he failed to adopt the teleological approach that is required to the interpretation and implementation of the Regulations, and imposed an overly narrow test of remoteness in seeking to characterise both the N.B.P. and any report or information within the framework that might inform the Government on the implementation of that plan.

With this judgment the Irish courts have affirmed that laws which give effect to the Aarhus Convention must be interpreted in light of the purpose of the Convention and in the case of access to environmental information a broad approach must be taken to allow for public participation in decisions which affect or may affect the environment.

A copy of the judgment is available here.

FP Logue Solicitors acted for the Applicant.