Our point of view

Technology Newsletter Issue 3/2014

1 October 2014
Technology Newsletter Issue 3/2014

Print pdf-version

Contents of the newsletter:

Linking To Copyright Protected Material - Developments After Svensson Case

Layout of a Retail Store May Be Registered As a Trademark

Ratification of Unified Patent Court Agreement - Five Down, Eight To Go

Unsuccessful Trademark Injunction: Wheels on the Bus Go Round and Round

New EU Guidelines For Cloud Service Level Agreements

Privacy Concerns Raised About Mobile Apps

Update on the EU Data Protection Regulation

Personal Data Localization in Russia - New Requirements

European DPA’s Meet with Search Engines on the “Right to Be Forgotten”

Legal Implications in Sweden and Finland Following the CJEU’s Ruling Invalidating the Data Retention Directive

EU Adopts New rules on Cross-border Electronic Identification and E-signatures

Consumer Protection Regarding Automatic Contract Extension to be Strengthened in Sweden

Finnish Supreme Court: Delay Penalties to Third Parties Are Indirect Damages

Regulation on Clinical Trials entered into force on 16 June 2014

Linking to Copyright Protected Material - Developments since the Svensson Case

By Tom Jansson

In the well-known Svensson case (C-466/12), the Court of Justice of the European Union (the “CJEU”) clarified the interpretation of the Copyright Directive 2001/29/EC. The CJEU found that the provision of clickable hyperlinks fell outside the scope of “communication to the public” in Article 3(1) of the Directive when the links did not extend the communication to a “new public” (please see summary of the case in HS Technology Newsletter Issue 1/2014).

Since the Svensson decision, two other cases relating to linking have been pending before the CJEU. The first one is C More Entertainment AB v Linus Sandberg (C-279/13), in which Mr Sandberg had provided links to C More Entertainment’s broadcasts of two ice hockey matches. C More Entertainment had protected the broadcasts by a paywall, but they could, nevertheless, be accessed through the links provided by Mr Sandberg. The CJEU was asked to clarify, in particular, whether the manner in which the linking had been done was relevant to the assessment of the linking and whether it was relevant that access to the material had been restricted.

The other pending case, BestWater International GmbH v Michael Mebes and Stefan Potsch (C-348/13), relates to the embedding of another person’s work without consent. BestWater International had made a promotional video, which later appeared on YouTube and was embedded in the website of BestWater’s direct competitor. The question was whether the embedding constituted a communication to the public, even though the work had not been communicated to a new public and the communication of the work was not technically different from the original communication.

The Finnish Copyright Council, functioning under the Ministry of Education and Culture, provided its view on some of the open questions in its statement 2014:4. The Copyright Council firstly confirmed the CJEU’s conclusion in the Svensson case regarding the requirement of a “new public” and stated that the provision of clickable links to copyright protected material does not constitute a communication to the public when the links lead to materials already freely available on other websites with the copyright holder’s consent. The Copyright Council then expressed its opinion that in the case of non-clickable links, such as embedding, the emphasis should be placed on the reasonable interests of the parties, for example the commercial interests and the scope and systematic nature of the linking. A similar conclusion was expressed by the Copyright Council last year in its previous statement on linking (2013:22). In the Svensson decision, the CJEU did not discuss the interests of the parties, and so it will be interesting to see whether the CJEU will in the upcoming cases be willing to broaden its analysis to also encompass the interests of the parties and the effects the linking may have on those interests.

Layout of a Retail Store May Be Registered as a Trademark

By Janne Joukas

The European Court of Justice confirmed in its ruling C-421/13 (Apple Inc. v. Deutsches Patent- und Markenamt, 10 July 2014) that the layout of an Apple flagship retail store may be registered as a trademark. Apple’s trademark application, which consisted of an integral collection of lines, curves and shapes, may constitute a trademark, even though the trademark application did not refer to any indication of size or proportions of the layout in question.

In its ruling, the court first noted the basic requirements that a trademark application must satisfy in order to comply with the Trademarks Directive, namely that the subject-matter of the application must constitute a sign, be capable of graphic representation and be capable of distinguishing the goods or services of one undertaking from those of other undertakings. It then continued that it cannot be ruled out that a mere representation of a retail store, by design alone, may allow the goods and services for which registration is sought to be identified as originating from a particular undertaking.

However, the court noted that the fact that a sign is generally capable of constituting a trademark does not imply that the sign necessarily has a distinctive character required by the Directive, but this character must be assessed by reference to the goods or services in question and to the perception of the relevant public. Furthermore, the competent authority must decide case by case whether such a sign is descriptive and whether some other grounds for refusal exist.

Finally, the court also ruled that such layout trademark may be registered not only for the goods offered by the applicant but also for the services intended to induce the consumer to purchase the goods, provided that the services do not form an integral part of the offer for sale of those goods. According to the court, certain services, such as those referred to by Apple, which consist of carrying out demonstrations by means of seminars of the products that are displayed in the store, may constitute remunerated services within the concept of “service” under the Directive.

Ratification of Unified Patent Court Agreement – Five Down, Eight To Go

By Panu Siitonen

Since our previous HS Technology Newsletter 2/2014, a few new Member States have ratified the Agreement on a Unified Patent Court (“Agreement”). At the time of our previous newsletter, Denmark was just about to ratify the Agreement, and the ratification took place on 20 June 2014. In addition to Denmark, Belgium and Sweden also ratified the Agreement in June 2014. Austria and France had already ratified the Agreement earlier, totalling the number of Member States who have ratified the Agreement to five.

As reported earlier, in order to become effective, the Agreement must be ratified by at least 13 Member States including France, Germany, and the United Kingdom. France has already ratified the Agreement and, thus, in addition to Germany and the United Kingdom, six other Member States need to ratify the Agreement before it may become effective. It remains to be seen whether Finland will be among those other six Member States or not.

Unsuccessful Trademark Injunction: Wheels on the Bus Go Round and Round

By Panu Siitonen

The applicant, Onnibus.com Oy (“HappinessBus.com Ltd”), requested that the Market Court prohibit the adverse parties (several entities operating under the brand “OnniExpress” (“HappinessExpress”)) from using (i) trademarks including the word “OnniExpress”, (ii) the domain name “onniexpress.fi”, (iii) the auxiliary trade name “OnniExpress” as well as other trademarks, domain names, trade names, auxiliary trade names or other commercial signs including the word “Onni”. Onnibus.com Oy claimed the injunction on the basis of (i) its registered trademark ONNIBUS, (ii) the established trade name “Onnibus Oy”, (iii) the fact that the trademark ONNIBUS is a well-known trademark, and (iv) the reputation and goodwill of ONNIBUS signs.

The Market Court rejected the applicant’s other claims and stated that the only remaining question was whether it was probable under the applicable law that trademarks including the word “OnniExpress”, the domain onniexpress.fi and the auxiliary trade name OnniExpress used by the defendants infringe on the applicant’s right to the trademark ONNIBUS (which was registered in class 39 for transportation, public transport and bus transport in particular).

Taking into consideration the common prefix “onni” of both the ONNIBUS and OnniExpress signs and the fact that the said signs are used in connection with similar services, the Market Court was of the opinion that it was somewhat more probable that OnniExpress signs are confusingly similar to the trademark ONNIBUS than that they would not be. Based on the above-mentioned, the Market Court stated that the applicant had managed to demonstrate that it is probable that the applicant has on the basis of its trademark a right against the defendants that could be enforced in accordance with the law. However, the prerequisites for an injunction also require that the applicant must be able to demonstrate that there is a danger that the defendants’ actions infringe the said right. On the basis of the evidence provided, the Market Court stated that the applicant’s claim regarding the danger being existent could not be considered unlikely.

The final prerequisite set forth in the law is the court’s obligation to see that the defendants do not suffer undue inconvenience when compared to the benefit to be secured. According to the Market Court, if the court did not grant the injunction, it was likely that it would cause harm to the reputation of the applicant’s Onnibus signs at least to some extent. In contrast, if the court did grant the injunction, according to the Market Court it would not, as such, cause a direct prohibition to the defendants to practise and continue their bus business. However, the defendants have already commenced their own bus businesses under the OnniExpress signs, even though it only commenced in May 2014. If the injunction were to be granted, the defendants would be forced to change their signs. In practice, this would very likely mean a need to discontinue the business, at least temporarily, as well as additional costs. On this basis, the Market Court was of the opinion that the injunction would cause undue inconvenience to the defendants when compared to the benefit sought to be secured and, hence, the prerequisites for granting an injunction were not fulfilled. The Market Court rejected the application.

The deadline for applying for leave to appeal and for filing an appeal is 23 September and, hence, the Market Court’s decision is not yet final. However, at least after the first round, the wheels on the OnniExpress buses will continue to go happily round and round, unlike the wheels on the applicant’s buses.

New EU Guidelines For Cloud Service Level Agreements

By Anssi Suominen

On 24 June 2014, the European Commission’s Cloud Select Industry Group introduced new Cloud Service Level Agreement Standardisation Guidelines to help businesses to achieve a common approach in cloud service contracts as well as to ultimately increase productivity in cloud computing. The guidelines have been developed as part of the European Commission’s European Cloud Computing Strategy, which was adopted in September 2012, to increase trust in cloud computing across all economic sectors.

The guidelines, which aim to facilitate the relationships between cloud service providers and business customers, promote the idea of a technology and business model neutral, world-wide and transparent approach in the standardisation of service level agreements. This standardised approach will help to better ensure that essential elements and service level objectives are included in plain language in cloud contracts, including, among others:

  • Availability and reliability of the cloud service
  • Data capacity
  • Data security levels
  • Quality and availability of support services
  • Incident management and reporting
  • Data back-up
  • Post-contract business continuity including data portability
  • Data protection requirements

The European Commission hopes that the adoption of the Cloud Service Level Agreement Standardisation Guidelines within the European Union will speed up the establishment of international standards on service level agreements for cloud computing. The European Commission’s press release, including the link to the guidelines, can be found here.

Privacy Concerns Raised about Mobile Apps

By Anssi Suominen

The Global Privacy Enforcement Network (the “GPEN”), which consists of nearly 30 data protection authorities around the world, examined in its annual international privacy sweep (the “Sweep”) the ways in which mobile apps collect and use personal data. The purpose and aim of the Sweep has been briefed in the previous HS Technology Newsletter (please see HS Technology Newsletter 2/2014 ). The results of the Sweep were published on 10 September 2014.

The Sweep, which took place between 12 and 18 May 2014, assessed a total of over 1,200 mobile apps, including a mix of free and paid apps as well as public sector and private sector apps. The Sweep focused on the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it. The overall key findings of the Sweep were:

  • A large majority of the apps (approx. 85%) are accessing personal data without providing adequate information to users on how the apps were collecting, using, and disclosing personal information. At times, it appeared to be difficult to find out who the data controller or the developer of an app was.
  • 75% of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera, and contacts. The sweepers found that the proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • For nearly one-third of the apps, the sweepers could not understand why the app would need access to certain information which appeared to exceed its functionality.
  • Some 43% of the apps did not tailor lengthy privacy policies and notices to the small screen of the mobile devices, as a result of which the text becomes too difficult to read properly and users end up scrolling or clicking through multiple pages.
  • However, the most popular apps in the market were generally considered to provide best privacy for their users. This shows that investing in transparency and disclosure of adequate information has no negative effect on the popularity of apps, but in fact, vice versa.

It remains to be seen whether the data protection authorities that participated in the Sweep are to launch any actions in their jurisdictions, or whether the results are going to encourage app developers and companies to better comply with respective privacy legislations.

Update on the EU Data Protection Regulation: Negotiations Continued in the European Commission and Council

By Erkko Korhonen

During the summer, the European Commission and Council continued negotiations on the European Union data protection reform. The Commission proposal for a data protection regulation (the “Regulation”) was approved with amendments in the European Parliament plenary session on 12 March 2014, in a form substantially amended by the Committee on Civil Liberties, Justice and Home Affairs, LIBE Committee (please see HS Technology Newsletter 2/2014).

On 6 June 2014, the Council reached a partial general approach on specific aspects of the draft Regulation. The approach includes provisions on territorial scope of the Regulation, the respective definitions of “binding corporate rules” and “international organisations”, and the transfer of personal data to third countries or international organisations. The Council also held a policy debate on the “one-stop-shop” mechanism on the basis of a document prepared by the Presidency.

The current Presidency (Greece) has proposed that the “one-stop-shop” mechanism, designating one lead data protection authority (DPA) determined by the establishment of the data controller, be entirely disregarded in cases where the subject matter of the specific processing concerns only the processing carried out in a single Member State, and involves only data subjects in that single Member State. The designation of a lead data protection authority and “one-stop-shop” mechanism has been the subject of heated debate throughout the drafting process of the Regulation. Member States have raised concerns on the constitutionality of the “one-stop-shop” mechanism in relation to ensuring adequate protection of Member State nationals under the new data protection regime. The incoming Council Presidency (Italy) will continue to work on the issue at technical level.

On 10 June 2014, the Commission reached a partial agreement regarding its position on the Parliament amendments of 12 March 2014. After the Council reaches agreement on the wording of the draft Regulation, the negotiations will continue as a trialogue between the Parliament, the Council, and the Commission. The final Regulation proposal is expected to be ready for a Parliamentary vote in 2015, in which case the Regulation would become enforceable in 2017.

Personal Data Localization in Russia – New Requirements

By Pavel Falileev

Recent changes have been made to the Russian personal data legislation which will require, among other things, that personal data concerning Russian citizens be stored locally in Russia. In addition, the amendments will introduce a new blacklist which would effectively block sites which do not comply with personal data regulations. However, the companies may only be added to the blacklist based on a court decision. At present, the amendments will become effective on 1 September 2016; however, a new draft law has been introduced to the State Duma that would make them become effective already on 1 January 2015.

Personal data “operators” to which the local legislation and new requirements on personal data storage applies are Russian companies, individuals, and representative offices of foreign companies (i.e. residents in Russia). Individuals and companies with no presence in Russia are currently treated as non-residents and therefore should not fall under the Russian Law on Personal Data, although this issue is still unclear.

Also, there are no restrictions requiring that the processing of Russian citizens’ personal data be solely processed in the Russian Federation, nor are there any new restrictions on the cross-border transmission of personal data. We assume that the amendments to the legislation will not affect the collection of personal data by an operator using a Russian-based server and its subsequent transfer to a server located abroad. Therefore, it is fair to assume that the new requirements permit the storing of personal data both in Russia and on the foreign servers simultaneously.

Unfortunately, due to the ambiguity of the wording of the amendments and statements from lawmakers in the press, it is unclear how the new regulations will be interpreted and enforced by the competent Russian authorities. There are a number of issues which remain unclear, and the Russian government has already formed a working group to consider changing the wording of the amendments. In the upcoming issues of HS Technology Newsletter, we will provide you with updates on the enforcement practices and any changes with respect to the recent amendments.

Data Protection: European Data Protection Authorities Meet with Search Engines on the "Right to Be Forgotten"

By Erkko Korhonen

The European Union’s data protection authorities, united in the Article 29 Working Party (WP29), met on 24 July 2014 with representatives of Google, Microsoft, and Yahoo!. The objective of the meeting was to ask search engines about their practical implementation of the CJEU’s ruling on the “Right to Be Forgotten”, established in decision C-131/12, Google Spain v AEPD and Mario Costeja González. (For more detailed analysis on the decision, please see HS Technology Newsletter 2/2014). Following the CJEU’s ruling, the European Commission announced that it would push for a speedy adoption of the wider EU data protection reform, including the implementation of the right to be forgotten.

The questions presented for the search engines in the July meeting mainly concerned modalities of their delisting process, e.g. i) the scope of application of the ruling, ii) the particular reasons for which there would be a preponderant interest of the general public in having access to the information, iii) the notification of the delisting to third parties, and iv) the justification for refusal.

A further objective of the meeting was to gather information for drafting the WP29 guidelines on right to be forgotten, expected to be issued later in the autumn 2014. The WP29 may organise additional meetings with other stakeholders before the guidelines are published.

On 18 September 2014, the WP29 announced its decision to establish a common approach to the right to be forgotten (the “tool-box”) in order to ensure a coordinated approach to the handling of complaints resulting from search engines’ refusals to “delist” complainants from their results. This tool-box will be used by all EU data protection authorities to help address complaints from search engine users whose requests to delete their search result links containing their personal data were refused by the search engines. WP29 also decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria to handle complaints by the data protection authorities. This network will provide the authorities with i) a common record of decisions taken on complaints and ii) a dashboard to help identify similar cases as well as new or more difficult cases. The WP29 also noted that it would continue to analyse search engines’ compliance with the ruling.

Legal Implications in Sweden and Finland Following the CJEU’s Ruling Invalidating the Data Retention Directive

By Petra Lennhede and Erkko Korhonen

On 8 April 2014, the Court of Justice of the European Union (the “CJEU”) declared the Data Retention Directive (2006/24/EC, the “Directive”) to be invalid. In summary, the CJEU ruled that the Directive was not in compliance with the principle of proportionality (for further information, please see HS Technology Newsletter 2/2014). However, the CJEU did not comment on the validity of national legislation.

In Sweden, an inquiry was set up in order to examine the legislative implications of the CJEU’s ruling. In a recent memorandum (Ds 2014:23), the examiner states that the Swedish rules on data retention and transmission, which in substance can be found in the Swedish Electronic Communications Act, are not contrary to the EU law. The examiner assessed that the obligation to retain data according to the Swedish rules is proportionate. In Sweden, the period of retention is limited to six months and only data necessary for the purpose of preventing and investigating crimes can be retained. Furthermore, unlike in the Directive, there are clear Swedish rules regarding the conditions for the transmission of retained data. The security and protection with respect to the retained data is also strictly regulated in Sweden.

However, as the EU law only sets up minimum requirements for the protection of fundamental rights and freedoms, the examiner found that there are reasons why to consider taking measures in order to further strengthen law and order and the right to respect for private life. Such considerations will be presented by the examiner at the turn of the year.

In Finland, following the CJEU’s ruling, the Finnish Minister of Education and Communications declared a full review of Finnish legislation in force under the Directive. In Finland, the Directive is currently implemented into the Finnish Act on the Protection of Privacy in Electronic Communications, which is included in a legislation proposal for the Finnish Information Society Code. In June 2014, the Finnish Constitutional Law Committee (the “CLC”) gave its evaluation on the proposed legislation in light of the CJEU’s ruling. The CLC concluded that the proposed legislation does not essentially contradict with the interpretations established in the CJEU’s ruling. However, the CLC instructed specifications to the proposal in order to remove references to the invalid Directive, and to specify the provisions of the proposal to comply with the level required by the Finnish Constitution. The Government Proposal for the Information Society Code was submitted to the Finnish Parliament in January 2014, and the act is scheduled to enter into force at the beginning of 2015.

EU Adopts New Rules on Cross-border Electronic Identification and E-signatures

By Erkko Korhonen

On 23 July 2014, the European Parliament and the Council adopted a regulation on electronic identification and trust services for electronic transactions in the internal market, which will replace the current Directive (1999/93/EC) on electronic signatures. The new regulation is set to improve the trust in electronic transactions in the European Union by providing a framework for regulating the secure interactions taking place between businesses, citizens, public authorities and private organizations.

As an important improvement, the new regulation will provide a system that enables citizens to use their electronic identification to authenticate themselves in another Member State. This requires a recognition of the electronic identification schemes of another Member States, which is vital, for instance, in making cross-border healthcare a reality for European citizens.

In short, the new regulation will:

  • set conditions for mutual recognition of electronic identification, making cross-border transactions easier and more secure;
  • set rules for trust services, in particular for electronic transactions; and
  • create a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication

The new regulation will come into full force on 1 July 2016 with the exception of the mandatory mutual recognition which is expected to kick off in the second half of 2018. Full text of the regulation is available here.

Consumer Protection Regarding Automatic Contract Extension to be Strengthened in Sweden

By Petra Lennhede

In a recent Government Bill (prop. 2013/14:242), the Swedish Government proposes new legislation in order to strengthen the consumer protection in relation to automatic contract extension.

It is common that a fixed-term contract is extended if it is not cancelled by the consumer before it expires, i.e. automatic contract extension. The consequence for the consumer may be that he or she, through an oversight, remains bound by the contract, usually for a long time.

According to the proposed legislation, the person carrying on business activities shall, before a contract is extended, remind the consumer that the contract will be extended unless it is cancelled. The reminder must be made in writing and submitted no later than one month prior to the time when the contract should be cancelled. If the consumer is not reminded, the consumer will have the right to cancel the contract.

The new rules will not apply when the consumer, after an extension of a contract, may cancel the contract with up to three months’ notice or when there are specific rules for the renewal of a contract.

The new legislation is proposed to enter into force on 1 March 2015.

Finnish Supreme Court: Delay Penalties to Third Parties Are Indirect Damages

By Ilona Tulokas

The Finnish Supreme Court (KKO 2014:61) took a stand on a long and ongoing discussion in Nordic legal literature regarding the question of whether agreement-based delay penalties to a third party are indirect or direct damages. The Supreme Court ruled that if the buyer is in delay in relation to a third party and such delay is caused by the seller, the agreement-based delay penalties to the third party will be regarded as indirect damages in the relationship between the buyer and the seller.

Hence, if indirect damages are excluded or limited in a delivery agreement, a contracting party should, when agreeing to the delay penalties, ensure that corresponding clauses are included in any and all delivery agreements that the main delivery is dependent on.

Full case available at Supreme Court’s website here: KKO 2014:61

Regulation on Clinical Trials Entered into Force on 16 June 2014

By Juli Mansnérus

The Regulation of the European Parliament and of the Council on clinical trials (the “Regulation”) entered into force on 16 June 2014 but will only be applied as of 28 May 2016. It replaces the national notification and authorisation procedures with an EU-wide authorisation procedure under which the maximum processing times become shorter than the present ones. There are also other changes in the Regulation that are intended to facilitate the conduction of clinical trials and to improve their transparency in the EU.

Until then, the Directive 2001/20/EC on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use (the “Directive”) will continue to be applied. Furthermore, the transitory provisions of the Regulation allow the sponsors of clinical trials to decide on between the requirements of the Directive or the Regulation for 1 year from the entry into application of the Regulation.

Disclaimer: Hannes Snellman Technology Newsletter is intended for information purposes only. It should not be relied upon as legal advice nor should it be used as a basis for any action or final decision without specifically verifying the applicability and relevant issues on their merits in each individual case.