Does a Brand Owner Have Legitimate Interest in Processing Infringer and/or Suspect’s Personal Data?
On May 25, 2018, the General Data Protection Regulation (the “GDPR”) became applicable in all Member States of the European Union (“EU”), replacing Directive 95/46/CE (“the Directive”). The GDPR strengthens data protection for residents of EU member nations and, as a regulation rather than a directive, applies directly from its enforcement date without requiring transposition into each member state's legislation.
To what extent does the GDPR affect brand protection activities? According to GDPR Art. 1, the GDPR applies when a data controller/processor has an establishment in the Union, or when the data subjects are in the Union. In brand protection terms, the GDPR may apply only when a brand owner has an establishment in the Union, or when the infringer/suspect is in the Union.
Within this scope, brand owners need to justify their lawful grounds for processing personal data, and to rely on “legitimate interest” when it comes to the personal data of the infringer/suspect.
Art. 6 of the GDPR provides that processing of personal data shall be lawful only if and to the extent that at least one of the listed lawful grounds applies, one of which is the ‘legitimate interests of the controller or third party’.
“(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child…Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.” (GDPR Article 6)
“Legitimate interest” is not something new introduced by the GDPR. Art. 7 of the Directive has an almost identical provision:
“(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).” (the Directive Article 7)
Going beyond the Directive, the GDPR adds two specifics:
1. Stricter protection where the data subject is a child;
2. Exclusion of processing carried out by public authorities in the performance of their tasks.
How To Justify Brand Owners’ Legitimate Interest?
During brand protection and anti-counterfeiting activities, in order to enforce IP rights, brand owners have to target infringers/suspects, who can be sellers of products on the internet or distributors in the distribution chain. When brand owners conduct investigations to identify potential infringers, they are collecting and processing personal data. When brand owners conduct raid actions or civil litigation, they will probably collect the data and share it with authorities or external partners.
Do brand owners have a solid, valid “legitimate interest” in collecting and processing such personal data?
“Legitimate interest” may be one of the most confusing points in the GDPR. Various interpretations are available, but it is difficult for brand owners to decide which ones to follow.
In general, I take the view that legitimate interest will apply in cases where there is a strong, justified reason for brand owners to carry out the processing in order to enforce their IP rights. Directive 2004/48/EC on the enforcement of intellectual property rights requires Member States to ensure that, in IP infringement proceedings, national courts may order infringers or persons who have been involved in the production or sale of the goods to disclose information regarding the origin and distribution networks of such goods. This provides a justified reason, i.e., IP infringement proceedings for the enforcement of IP rights.
In Recital 47, the GDPR provides examples where a legitimate interest could exist. It says,
“the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
Accordingly, if counterfeiting and infringing activities count as a form of fraud, the necessary processing of personal data for the purpose of anti-counterfeiting and combating infringement in protection of intellectual property rights should constitute a legitimate interest.
In Recital 50, the GDPR also says,
“Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.”
Accordingly, transmitting/sharing relevant personal data in individual cases, such as raid actions and civil litigation, to a competent authority should be regarded as being in the legitimate interest pursued by the brand owners.
ICANN v EPAG Domainservices, GmbH
Up to now, we haven’t seen any precedent cases where a clear interpretation is given. However, there is a closely related interpretation in the case ICANN v EPAG Domainservices, GmbH, where the “WHOIS” services were under examination.
With WHOIS services, data collected and stored in connection with new registrations are published on a publicly accessible internet portal for identification purposes. WHOIS registries are very helpful to law enforcement agencies in preventing fraud, phishing, illicit online activities and other serious internet-based crimes. Brand owners are able to do registry searches of domain names at “WHOIS.net” to collect information about potential online infringers.
In the case ICANN v EPAG Domainservices, GmbH, the court indicated that the processing of personal data of the domain holder is of legitimate interest according to the GDPR, given that it is relevant to punishable infringements.
The Court Order of the Regional Court of Bonn of 30 May 2018 states,
“…under the impression of the GDPR which recently entered into force…in the future allocation of domain names only the data of the domain holder itself will be collected and the additional collection of data of a technical and administrative contact will be waived.
…In so far as the general interests to be ensured by the Applicant relate primarily to criminally relevant or otherwise punishable infringements or security problems which the Applicant watches over, the Chamber considers that this need is satisfied solely by the collection and storage of the data of the domain holder willing to register …” (Translation of Court Order of Regional Court of Bonn of 30 May 2018 Certified copy Docket no. 10 O 171/18. Link: https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf)
Such an interpretation provides strong support for brand owners’ processing of personal data when it is strictly needed for the enforcement of their IP rights.
Under the GDPR, brand owners will have solid lawful grounds to process personal data of infringers and/or suspects, as it is in their legitimate interest to enforce IP rights.
Hanwei Wang, Legal Officer & Project Manager, DH Anticounterfeit