10 things IP practitioners need to know about GDPR


As companies in every sector continue to grapple with the European Union’s expansive new data privacy rules, the interplay between the General Data Protection Regulation and IP rights raises numerous unanswered questions

If your organisation carries out significant business in the European Union, chances are that you have participated in some kind of mandatory training relating to the EU General Data Protection Regulation (GDPR) in the past year. If not, you may have noticed the flood of emails from services that you have used, stores that you have patronised and non-profits that you have supported, all stating: “We have updated our privacy policy.”

GDPR is far-reaching, but for many IP practitioners (with a few exceptions outlined below), the new EU data privacy regime brings no significant day-to-day changes. However, it could present several conflicts with rights holders’ interests – many of which are likely to have been overlooked as companies scramble to achieve basic compliance. The following 10 points may raise more questions than answers, but they could herald some key IP issues arising in the data economy.

The basics

The GDPR legislation was signed in April 2016 and became effective on 25 May 2018. At over 55,000 words, the regulation lays out the rights that individuals within the European Union and European Economic Area have over their personal data, and the obligations of companies and other organisations that collect and process such data. The more high-profile rights of so-called ‘data subjects’ include:

  • Right of access – “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.”
  • Right to erasure (also known as the right to be forgotten) – “The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies.”
  • Right to data portability – “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
  • Automated individual decision making – “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The GDPR replaces the EU Data Protection Directive (95/46/EC), but why is it a bigger deal?

First, it has a much broader reach. The GDPR applies to all entities that offer goods and services to individuals in the European Union or that collect data on EU data subjects – comprising a large swathe of organisations across numerous sectors.

Second, the penalties for non-compliance could be drastic. Financial penalties of up to 4% of worldwide annual sales or €20 million (whichever is higher) can be assessed.

On the heels of the EU Trade Secrets Directive

The GDPR is separate from the new EU rules on trade secrets. However, there has been some confusion over this, particularly among overseas counsel who do not follow developments in the European Union closely.

The EU Trade Secrets Directive (2016/943/EC) was finalised in 2016, not long after the signing of the Defend Trade Secrets Act in the United States. The directive sets out the minimum standards for trade secrets protection, which EU member states are supposed to have implemented through national legislation by the end of 2018. However, according to Donal O’Connell, managing director at Chawton Innovation Services, the trade secret rules have been somewhat overshadowed by the GDPR. This may help to explain why some outside observers have confused the two. The implementation of the GDPR has been so complex and has affected so many organisations in and outside the European Union that many other legal issues were placed on the back burner in the lead up to its May enforcement date.

Nevertheless, as both measures continue to take effect at a national level, the ways in which they interact and conflict are likely to become more apparent. At first glance, personal data privacy and trade secrets may appear to be separate legal matters for separate legal departments, but that changes on closer inspection. “GDPR is all about data, and in particular personal data. But what’s most obvious is that there’s no stopping data also qualifying as a trade secret – either in raw or processed form,” states O’Connell.

GDPR glossary

Consent – freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of personal data.

Data controller – the entity that determines the purposes, conditions and means of processing personal data.

Data portability – the requirement for controllers to provide data subjects with a copy of their personal data in a format that allows for easy use with another controller.

Data processor – the entity that processes data on behalf of the data controller.

Data subject – a natural person whose personal data is processed by a data controller or processor.

Personal data – any information related to a natural person or data subject, which can be used to directly or indirectly identify the person.

Profiling – any automated processing of personal data intended to evaluate, analyse or predict data-subject behaviour.

Right to access – also known as the ‘subject access right’, this entitles the data subject to access to and information about the personal data that a controller has concerning them.

Source: EUGDPR.org

IP rights limit GDPR rights and vice versa – but privacy considerations may carry more weight

The GDPR legislation makes one explicit reference to trade secrets in Recital 63, which addresses the right of access. While a data subject has the right to obtain their personal data, “that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, Recital 63 continues: “the result of those considerations should not be a refusal to provide all information to the data subject.” Therefore, IP rights will seemingly be weighed, but do not provide a blanket excuse for refusing to hand over data to data subjects.

The EU Trade Secrets Directive also anticipates scenarios where IP rights may be competing with personal data rights. Specifically, it refers to the EU Data Protection Directive, which was the forerunner to the GDPR:

Thus, this Directive should not affect the rights and obligations laid down in Directive 95/46/EC, in particular the rights of the data subject to access his or her personal data being processed and to obtain the rectification, erasure or blocking of the data where it is incomplete or inaccurate and, where appropriate, the obligation to process sensitive data in accordance with Article 8(5) of Directive 95/46/EC.

The EU Trade Secrets Directive also reiterates the mandate to respect the rights enshrined in the Charter of Fundamental Rights of the European Union – one of which is the right to the protection of personal data. Catherine Muyl, partner at Foley Hoag AARPI’s IP department, expects the charter to weigh heavily in any conflict that may arise between IP and GDPR obligations. While no such case has made it to the EU courts as far as we know, Muyl states that “normally, the data protection should prevail” because of its association with a fundamental right.

Tinder data request provides an early example of potential GDPR-IP conflict

In March 2017 – before GDPR took effect but evidently influenced by its impending enactment – French journalist Judith Duportail requested access to all of her personal data held by dating app Tinder. Although the right of access already existed, according to the privacy lawyer assisting Duportail, the company turned over 800 pages of information “only on a voluntary basis, and only after she identified herself as a journalist”.

Despite this, Duportail did not receive some of the information in which she was most interested. The proprietary desirability score that Tinder assigns to each user was withheld from her, as were various details about how Tinder matched her to potential partners and the types of profile that she was shown as a result. “Our matching tools are a core part of our technology and intellectual property, and we are ultimately unable to share information about these proprietary tools,” the Texas-based company stated.

Rather than a legal battle, the conflict ended with a thought-provoking article by Duportail in the Guardian. As such, it remains uncertain what will happen if cases featuring similar facts are brought before EU judges.

Article 15 of GDPR states that, beyond the raw data obtained from users, data controllers must disclose “the existence of automated decision-making, including profiling” in addition to “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.

Then again, it is easy to imagine how disclosing information about an algorithm (eg, the logic involved in Tinder’s matching tools) could adversely affect a company’s right to safeguard what it regards as its trade secrets. For the Match Group, which owns Tinder, this forms a key part of its IP strategy. In March 2018 the Match Group sued Bumble – a competitor established by former employees – for trade secret misappropriation and unfair competition, among other grounds.

Corporates will be keen to determine how much “meaningful information” short of actual algorithms should be disclosed – whether that comprises metadata or a general description.

Kalliopi Spyridaki, chief privacy strategist for software developer SAS Institute in Europe, summarised one interpretation of the provision:

Meaningful information about the logic involved in relation to Article 22 of the GDPR should be understood as information around the algorithmic method used rather than an explanation about the rationale of an automated decision. For example, if a loan application is refused, Article 22 may require the controller to provide information about the input data related to the individual and the general parameters set in the algorithm that enabled the automated decision. But Article 22 would not require an explanation around the source code, or how and why that specific decision was made.

For the time being, decisions about how to handle these requests should involve not only data and compliance-focused counsel, but IP professionals as well.

It is not only the right of access that raises IP-related questions

While the right of access has existed for years under the data privacy directive, the GDPR has introduced new rights, including the right of portability. Not only are data subjects entitled to view their personal data, they are also entitled to receive it in “a structured, commonly used and machine-readable format” and subsequently transmit it to another service provider.

This raises many of the same trade secret-related questions as the right of access – but the stakes are potentially higher, given that any data turned over under the right of portability could be passed on to a competitor. Thomas Jackson, partner at Phillips Nizer LLP, reiterates that the right of portability is not necessarily unlimited, and that cases relating to this new right will necessitate the same balancing act, while numerous issues will be left in the hands of enforcement authorities. “There is not a lot out there on the subject of balancing under the directive,” Jackson notes, “but there is a fear that the balance will be struck in many cases to protect the fundamental right of privacy with regard to personal data, and that’s where the intersection of the two is most critical”.

Nevertheless, data portability need not result in the turning over of proprietary information to competitors. Muyl notes that, in practice, “the scope of data portability is limited to the raw personal data provided by the data subjects themselves, and should not include data which is inferred or derived from the raw data”.

Muyl also points to two other issues raised by the GDPR for specific subsets of rights holders. First, platforms that deliver copyrighted material (eg, music, videos, books and news) to customers will often create profiles of individual users based on their consumption habits and use this to, among other things, recommend further content. However, Muyl warns that GDPR takes a dim view of profiling; therefore, companies that operate a digital rights management system aimed at countering infringement should ensure that the scheme is not “linked to an individual except to the extent that this link is necessary for the performance of the service or if the individual has been informed and has consented to it”.

Second, companies that operate databases have also been massively affected by the GDPR, and Muyl reiterates that this too has an IP element. EU Directive 96/9/EC on the legal protection of databases created a so-called ‘neighbouring right’ similar to copyright protection for the owners of databases. “It is similar to copyright, except that the burden of proof is heavier,” Muyl explains. Companies looking to sell or license access to these types of database will need to keep a close eye on potential GDPR implications.

Figure 1. Where organisations manage data privacy

The new rules are already affecting trademark enforcement

Trademarks may represent the area of intellectual property in which the GDPR’s implications have been most acknowledged. This is because the law’s implementation created an overnight change that has significantly increased the difficulty for brand owners to counter online infringement.

Trademark enforcement depends heavily on the WHOIS protocol to identify the owners of online domains selling counterfeit goods or otherwise infringing IP rights. As the GDPR came into force on 25 May, this previously public data became much more difficult to access – temporary measures put in place by the Internet Corporation for Assigned Names and Numbers (ICANN) mean that for now, rights holders must rely on anonymous email addresses or online forms to contact domain name owners. “We may yet find that cybercriminals anywhere in the world could be one of the biggest fans of GDPR,” David Taylor, partner at Hogan Lovells, told IAM’s sister publication World Trademark Review in the run-up to the new policy.

Roughly one month after the GDPR took effect, ICANN finally unveiled its proposed long-term solution to reconciling WHOIS with the new legislation. The framework envisions a list of users with “legitimate interests”, who will be able to gain access to non-public WHOIS data from registries. It is assumed that IP rights holders will be one of the groups eligible for this access, along with law enforcement agencies.

However, plenty of uncertainties remain about what the system will look like in practice. Who will handle the accreditation of rights holders on this privileged list? Will companies be forced to pay usage-based fees for requesting information that was previously free? How will the code of conduct that accredited parties must sign limit their use of the data?

Regardless of how online enforcement shapes up in the future, the saga itself is quite telling. While GDPR has been in the pipeline for several years, it is only now, after implementation, that we are starting to see the draft version of a potential solution to combat the disruption caused to trademark owners. IP rights conflicts, it seems, are far from a top priority for EU privacy authorities.

Figure 2. Status of GDPR preparation among affected organisations – May 2018

Source: Spiceworks

Electronic discovery in US litigation could get even harder

Discovery is a key stage in all kinds of US commercial litigation, and patent and trade secrets cases are no exception. Today, much of the relevant information is stored electronically – but when it comes to gaining access to information through the process known as e-discovery, EU jurisdictions have long posed a barrier to US litigants.

“Some EU member states, France and Germany in particular, have taken a rather dim view of the scope of e-discovery in US litigations,” relates Jackson, who points out that the trend can be traced further back than the 1995 data privacy directive. In the United States, lines have been drawn around attorney-client privileged communications, but the courts generally have a strong stance against permitting filings under seal, unless in limited and extraordinary circumstances. “Think about that in contrast with a broad right of personal privacy – it’s the antithesis.”

Jackson echoes other practitioners in warning that GDPR-related concerns could present another impediment to gaining access to documents from EU jurisdictions that were already challenging from an enforcement perspective. “From an IP point of view, e-discovery is so critical in so many of those cases, and this could present yet additional barriers to companies looking to protect their intellectual property and conduct robust investigations of infringers.”

Figure 3. Top concerns among IT professionals in affected organisations

Source: Spiceworks

GDPR will affect AI innovation – for better or worse

Due to its extraterritorial reach, GDPR could have a wide-ranging effect on the ways in which tech companies do business. Nowhere is this more true than in the rapidly developing field of artificial intelligence (AI).

Some practitioners have warned that, if enforced stringently, the regulations could severely hamstring the development of AI and other technologies based on machine learning – especially in the European Union. Developers programming these sorts of tools require vast amounts of data to feed into their algorithms in order to make them more efficient and refined. However, the principles behind the GDPR hold that data retention should be minimised and personal data should be used only for the purposes for which the data subject consents.

Some observers, including University of Strathclyde law professor Lilian Edwards, have warned that GDPR poses a greater problem than many in the industry realise. “You can’t consent lawfully without knowing to what purposes you’re consenting,” Edwards told Fortune magazine. “Algorithmic transparency means you can see how the decision is reached, but you can’t with [machine-learning] systems because it’s not rule-based software.”

Others have argued that by forcing organisations to fully digitise their data and organise it into an easily accessible architecture, GDPR may spur firms to reconsider how to extract business value from their data holdings. A Deloitte survey found that 21% of companies expect to derive “significant benefits” in terms of competitive advantage from GDPR compliance, above and beyond simply avoiding penalties. The consultancy is pushing the idea that privacy can be a business enabler.

Spyridaki argues that GDPR is neither friend nor foe to AI development. While she concedes that the regulations will likely restrict or complicate various aspects of data processing in an AI context, she hopes that the law “may eventually help create the trust that is necessary for AI acceptance by consumers and governments as we continue to progress toward a fully regulated data market”.

Some corporates are re-thinking the IP department’s role in data management

For now, most corporates are employing a scattershot approach to data compliance. Deloitte found that 45% of surveyed companies have a dedicated privacy function, 32% handle it within another function and 23% have no formal function. Although IP departments do not seem to be playing much of a role, there are indications that IP executives in some cutting-edge organisations are examining these issues carefully.

This became a topic of discussion at the recent IPBC Global conference in San Francisco. Nokia Vice President Ilkka Rahnasto stated: “Data is a new asset class… it’s a very prominent question who in the company is actually managing the data going forward and what role the IP department plays.” However, he sounded an overall note of caution: “I don’t think that IP departments are necessarily the best units to take over that activity.”

Things may look somewhat different in Silicon Valley-based companies, where machine learning is central to building tools for customers. Lisa McFall, deputy general counsel for intellectual property at Workday, admitted that the work done by the company’s data scientists to train their algorithms raises numerous questions: “Where are you getting training data? Do you have rights to use that data? If the training data is tainted, how does it impact the model? Do you owe damages to the owner of the data used to train it?” Indeed, McFall expects legal changes to come hard and fast as machine-learning models become more commercially valuable. “I just don’t know how that law’s going to develop, but it’s something we’re training our data scientists to think about as they’re developing their models.” Further, it is easy to see the kinds of complications that GDPR could layer onto what is already a complex and uncertain field.

China’s new standards look tough, while the United States has shown little interest in following suit

GDPR places the European Union in a position of global leadership when it comes to data law, and the importance of the EU market – not to mention GDPR’s extraterritoriality – could lead to a ‘race to the top’ effect.

One major jurisdiction which looks to be following the European Union’s lead is China – although relatively few seem to have noticed. The Personal Information Security Specification came into force on 1 May 2018, just a few weeks before GDPR. According to Samm Sacks, senior fellow at the Center for Strategic and International Studies, the Chinese standard is modelled on the GDPR and reflects the EU approach more than its US counterpart. However, there are key differences that make it less strict than the EU regulation. As Sacks explains: “The government does not want to undermine efforts to develop fields seen as crucial for China’s economy like artificial intelligence, which relies on access to massive datasets.”

Jackson notes that US entities face significant challenges in implementing the GDPR, including mapping personal data to determine where it resides and determining how to respond to EU data subjects exercising their rights. Nevertheless, he does not see the EU regulation as the impetus for big changes in the US approach to privacy law. “I don’t really see a true escalation of privacy regulation in the United States. There are laws on the books and the enforcement agencies are quite serious about them,” he states. The existing standard – full disclosure of a company’s privacy policy and ensuring that such policies represent the facts – looks here to stay. However, Jackson can see the potential for broader legislation in the specific area of data breaches.

Action plan

GDPR is a far-reaching data privacy reform that affects any company which does significant business with EU data subjects. It interfaces with IP legislation in numerous ways, including the following:

  • The GDPR legislation states that certain provisions should not adversely affect IP rights, but it remains to be seen how privacy will be balanced with IP rights.
  • The rights of access and portability could present challenges to trade secret protection depending on how much information about automated algorithms data processors must turn over to data subjects.
  • The GDPR also raises questions for specific classes of IP owners, including database operators with neighbouring rights and copyright owners that profile users’ content-consumption patterns.
  • The GDPR has already thrown a spanner into the works for online IP enforcement by reducing the amount of WHOIS information available on domain name owners – a long-term solution is only now taking shape.
  • In the long run, the new rules could play a role in shaping how artificial intelligence technology develops in the European Union and beyond – there is disagreement as to whether this is positive or negative.

Jacob Schindler is IAM’s Asia-Pacific editor, based in Hong Kong
