The Good and Bad of Privacy
Data is often described as the new oil, but, like oil, it can be difficult to access and unwieldly to handle, as Peter Scott finds out.
When the EU General Data Protection Regulation (GDPR) came into force on May 25, 2018, it transformed the way in which data was processed and protected, not just in the European Union, but across the world. Indeed, it has since become something of a model for other data protection laws worldwide.
At its heart, the regulation is designed to protect individuals from having their personal data misused, outlining six lawful scenarios in which companies can process personal data. Today, according to United Nations Conference on Trade and Development data, 71 percent of countries worldwide now have data protection legislation, while another 9 percent have draft laws.
While that is undoubtedly a good thing for individuals—who are now more and more empowered to find out what data a company holds on them, how a company uses that data, and how individuals can withdraw consent for the data use—the implications for brand owners have been more challenging.
Perhaps the clearest flashpoint is in the online sphere. Companies that face online counterfeiting threats and phishing used to be able to find out the identities of those behind fake websites by accessing the Internet Corporation for Assigned Names and Numbers’ (ICANN) WHOIS Lookup protocol; it enabled identification of the ownership of domain names, including detailed information on, for example, the name and address of proprietors. Since the arrival of GDPR in particular, much of that information is now hidden, and it has made online enforcement much harder.
WHOIS used to be “the best bet” for identifying bad actors operating fraudulent websites, but that has changed, said Shelley Back, IP director EMEA at Techtronic Industries Ltd. (UK). “GDPR has, in my view, made life more difficult.”
That’s a view shared widely, according to GoDaddy Corporate Domains’ (US) Fifth Annual Domain Management Survey, in which 45 percent of respondents label dealing with GDPR and an inability to access WHOIS records a “major challenge.”
Cathy Wu, partner at Watson & Band (China), agrees that data regulation has increased the difficulty of identifying potential infringers, especially when it comes to domain name squatters.
Alongside the implications of GDPR for the global Internet, China has its own laws that cover data use, and those have widespread ramifications for intellectual property (IP) counsel, Ms. Wu explained. In 2021, China’s Personal Information Protection Law came into effect, on top of the jurisdiction’s Data Security Law (2021) and Cybersecurity Law (2017) which also limit companies’ ability to operate effectively against bad actors.
“The trademark owner is the data controller. There will be legal liability for the brand owners, and this can cause reputational damage.”
Cathy Wu, partner, Watson & Band (China)
In practice, even going to court to obtain the identity of a website owner is challenging. For example, a 2019 case in which curtain systems manufacturer AluK S.A. (Luxembourg) sued Alibaba (China) for trademark infringement resulted in a judgment from the Beijing Municipality Haidian District People’s Court that Alibaba was not required to disclose the identities of the holders of potentially infringing domain names.
Ms. Wu said that to obtain that information, companies should ask a court for an investigation order, which is “extremely difficult” and time consuming.
Data privacy has implications for brick-and-mortar infringement too. Ms. Wu noted that in China, trademark owners often engage third parties as private investigators to gather evidence of wrongdoing.
“In the past, they perhaps used ‘grey investigation methods’ such as tracking the cars of infringers or the location of warehouses,” she said.
However, under data privacy legislation, Chinese courts will no longer accept evidence obtained from such methods, and the company may face other privacy lawsuits as a result.
“The trademark owner is the data controller. There will be legal liability for the brand owners, and this can cause reputational damage,” Ms. Wu added.
Security Concerns
While many countries around the world have updated existing data protection laws or enacted new ones in the wake of GDPR, others have not. In Pakistan, for example, the Personal Data Protection Bill 2021 is pending in the legislature, but at present there is no data protection regulation in force.
According to Ali Kabir Shah, partner at Ali & Associates (Pakistan), brands in the country face similar basic obstacles to those in Europe. “Even though GDPR is supposed to be for the European Union, it affects everyone,” he said.
For example, in the aftermath of GDPR, PKNIC, which operates the country’s local .pk domain space, will not share detailed information about the owners of websites located there. Obtaining information from e-commerce platforms is also extremely difficult, though law enforcement can help, Mr. Shah said.
Indeed, it is possible in Pakistan to obtain very good information under the Prevention of Electronic Crimes Act, which has provisions against spoofing websites and electronic fraud. The country’s Federal Investigation Agency can be a powerful ally, and has the power to compel online providers to give up IP addresses, track cell phones, and track IP addresses, “all of which is great for a trademark lawyer,” Mr. Shah suggested.
“Even though GDPR is supposed to be for the European Union, it affects everyone.”
Ali Kabir Shah, partner, Ali & Associates (Pakistan)
However, there are reportedly concerns among some commentators in Pakistan about the potential dangers of this law, parts of which were suspended by the Islamabad High Court because the law threatened to stifle free speech and dissent in the country.
Getting Through the Shop Windows
In Pakistan, as in some other countries, many counterfeiters use social media as a channel for selling counterfeit goods.
According to Mr. Shah, Facebook Marketplace is by far the most popular in Pakistan, though counterfeiters also use WhatsApp and other platforms. While it is possible to ask these platforms to take down listings of counterfeit merchandise using their respective takedown procedures, it normally requires law enforcement to find out who is behind the listings.
“In the absence of that, how do I enforce it, how do I prevent anybody repeating that offense?” noted Mr. Shah. “The ability to track and trace is essential for trademark enforcement.”
For Ms. Back, e-commerce platforms are also hotbeds of potential infringement, though, she said, many have “really good” IP violation complaints systems. In practice, that means companies are often tackling the visible manifestations of a bad actor’s activities, rather than being able to address the problem at the source.
GDPR has made it “really hard to take action against [individuals behind fraudulent listings and websites], which then allows them just to keep going around setting up new websites, which perpetuates the whack-a-mole problem,” she said.
Different Approaches
This is also a challenge in Saudi Arabia, which issued its Personal Data Protection Law in September 2021. Initially slated to come into force in March 2022, the launch date has been pushed back to March 2023 to give companies more time to get ready for it.
While it is difficult to fully assess the impact of the new law on brand owners in the absence of implementing guidelines, “it will mostly affect the ability of trademark owners to enforce their trademarks online and track the details of violators,” according to Rimi Kbar, attorney at law at Alyafi IP Group (Saudi Arabia).
She noted that the Saudi Arabia law is similar to GDPR in many ways, but there are some differences, most notably in the respective approaches to transferring data cross-border, including intercompany data. The Saudi law contains “significant restrictions” on the cross-border transfer of personal data, forbidding it in all but exceptional cases, which has implications for how brands manage data internally.
“[The new law] will mostly affect the ability of trademark owners to enforce their trademarks online and track the details of violators.”
Rimi Kbar, attorney at law, Alyafi IP Group (Saudi Arabia)
As for the challenges posed by lack of access to WHOIS information for online enforcement, said Bahia Al Yafi, managing director of innovation at Alyafi IP Group (United Arab Emirates), it “doesn’t put a complete block in the road for rights holders to enforce their brands online in Saudi.”
Ms. Al Yafi explained that as part of the Kingdom’s stated aim to promote IP in the country, it has set out new requirements for local country domain names. This can help IP owners enforce their brands online while allowing them to remain compliant with GDPR and the new Saudi law, she said.
One such requirement is that applicants for local domain registration in Saudi must have a trademark registration. “This alone will assist in fishing out infringements by only granting domain names to the rightful owners of the brand,” she said.
It is also likely that under the new requirements, even if the local domain name owner’s information is not published, information about their agents will be, which, she added, “would make it easier for contact to be made” if an infringement is detected.
The Way Forward
There are no easy answers to the difficulties of trademark enforcement in an environment where data privacy is paramount. In practical terms, Ms. Wu cautioned companies to do good due diligence on third-party suppliers to understand whether they have good compliance practices on data protection.
Her second tip is to prepare well before initiating a new case. “You need to plan the investigation and should set up some general good practice guidelines, as well as specific blacklist ‘don’ts’ and some good ‘dos’ for how to conduct investigations,” she said.
As for the online environment, Ms. Back uses a third-party supplier to help manage and streamline the takedown process for problematic listings and websites. That has made fighting counterfeiters more effi-cient, but the problems with tackling the bad actors at the source remain, with limited prospect of relief on the horizon.
Video courtesy of Envato Elements / OlgaVELES
Sunday, May 1, 2022
Published by:
