Facial Recognition and Digital World: technology at the service of convenience?
How many of us unlock our smartphones, make an online payment, authorize the download of an app and/or access a web portal simply by bringing the mobile device closer to our face? How easily do we "tag" our friends in our pictures on the most well-known social networks? And again: how many and what advantages may be obtained from knowing the number of passers-by who stop, even if just for a moment, to look at a billboard?
Statistics show that facial recognition technology is at the service of a digital world that "runs" faster and faster and which forces us to keep up with the times. But at what price for the protection of our personal data?
1. Introduction
Social networks, e-commerce websites, online magazines, home banking and mobile apps: there are millions of digital services available online that we can use through the creation of personal accounts.
When creating profiles, the most widespread trend, especially among young people, is to rely on easy and intuitive passwords (such as date of birth or first name) which are not so secure from an IT point of view and often identical for all the services those people use[1].
In order to deal with these bad habits - which only feed the already high number of data breaches – it has now become common to use so-called "facial recognition" technology (in Italian, "riconoscimento facciale"): this is a type of IT process that associates the features of a person's face with a digital image and stores that image in an electronic device for the purpose of reusing it not only as a means of identification but also for the authentication, verification and/or profiling of individuals.
But is it really always safe to rely on facial recognition? Does a biometric system always guarantee sufficient protection of our personal data?
2. The most frequent uses of facial recognition technology
It’s well known that different biometric techniques lend themselves to being used mainly in the IT context (for example, for authenticating access to a device) and the trend of the main high-tech companies is to invest ever greater amounts of money in this field.
However, facial recognition is also used outside the digital world: take for example the use of biometric systems for the control of physical access to reserved areas, for the opening of gates or for the use of dangerous devices and machinery.
But that's not all. Facial recognition techniques are also capable of serving public authorities and even research. The police in New Delhi has in fact tested facial recognition to identify almost 3,000 missing children; some researchers have used it to detect a rare genetic disease found in subjects from Africa, Asia and Latin America[2].
Faced with such a large number of uses of facial recognition, it is worrying that in our country a specific national legislation on this matter has not yet been enacted. Indeed, agreeing to the detection and collection of the features of our face by a data controller means sharing with the latter a wide range of personal data and exposing ourselves to the processing that the controller decides to make of such data.
Think about a simple "selfie" made with our smartphone: in these cases our device collects our personal image and stores it in a memory. Or again think about passing in front of billboards that detect our presence, the measurement of our body temperature using video and digital thermometers or the boarding systems with video-recognition installed in the largest airports of the world.
3. A quick vademecum for the processing of biometric data
The biometric characteristics of a face that allow for the unique identification of a natural person fall within the notion of "biometric data" provided by European Regulation no. 679/2016 ("GDPR")[3]. In fact, biometric data is defined by the GDPR as data "resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person"[4]. This means that an image / a photograph is not always qualifiable as biometric data if it is not processed through specific technical means that allow for the unique identification or authentication of a natural person[5].
Biometric data also fall within the category of "special categories of personal data" pursuant to art. 9 of GDPR (referred to by art. 2-septies of Legislative Decree no. 196/2003 - "Privacy Code") and can be processed only when the data controller complies with certain legal obligations. Let's try to list some of these obligations here below:
A. Compliance with the fundamental principles of the processing. In an increasingly digital world, the principles of "privacy by design" (data protection by design) and "privacy by default" (data protection by default) provided for by art. 25 GDPR play a leading role[6]. In order to comply with these principles, starting from the design and definition phases of the processing tools the data controllers who use facial recognition for the processing of personal data must provide adequate security measures to ensure the protection of fundamental rights and freedoms of individuals as well as the compliance with the principles set out in Article 5 of GDPR.
Specifically, attention should be paid to the principle of "data minimization" which requires the data controller to configure a biometric recognition system in order to collect and process only a limited number of information, excluding the acquisition of additional data that is not necessary for the purpose to be achieved in the specific case (for example, if the purpose of the processing is that of computer authentication, biometric data should not be processed in such a way as to infer any information of a sensitive nature belonging to the data subject including, for example, clearly visible skin diseases).
B. Information notice. The data controller must provide the data subjects with a privacy notice in accordance with art. 13 of GDPR, which, in a clear and transparent manner, indicates the purposes of the processing, the security measures that have been adopted, the possible centralization of the biometric data that has been collected, the storage periods of the personal data. In this regard, it is appropriate to point out that, as clarified by the Italian data protection Authority[7], such privacy notice has to be delivered before the so-called "enrolment" phase which take place before the creation of a biometric sample[8].
C. Legal basis of the processing. The data controller must ask for the prior consent of the data subjects in order to process their biometric data, or alternatively the data controller should assess the possibility of relying on another legal basis under Article 9 of the GDPR (including, for example, the existence of reasons of public interest in the area of public health, such as the protection against serious cross-border threats to health).
D. DPIA. As provided for by art. 35 of the GDPR and Annex 1 to Provision no. 467/2018 of the Italian data protection Authory, the data controller must assess the impact of the processing of biometric data and specifically assess the risks that such processing may entail for the rights and freedoms of individuals and, at the same time, identify the security measures adopted and to be adopted to address these risks.
E. Appointment of the data processor. Where the data controller engages a third party for the processing of biometric data, the latter must be appointed as "data processor" pursuant to art. 28 of GDPR, following the verification of the third-party's possession of suitable guarantees for the protection of the rights of the data subjects whose biometric data is processed.
F. The implementation of alternative systems. The data controller must offer alternative solutions that do not involve the processing of biometric data, without imposing restrictions or additional costs to the data subject. Such alternative solutions are necessary especially for those who are not able to comply with the constraints imposed by a biometric system (think about a disabled person who is not able to reach, with his face, the height of a thermoscanner) and in case such device is unavailable due to technical problems (for example, in case of malfunction).
4. Conclusions
The applicable data protection regulations are not and should never be considered as an obstacle to the development of new technologies applied to the IT and digital industry. On the contrary, compliance with existing legislation should be an incentive for creating practical solutions in a way that respects the confidentiality of our information.
This should also be the case for facial recognition technology, in relation to which it is important to make users aware of the security of the processing of their personal data. Also because generating awareness means gaining trust from consumers, which is the first step for a correct marketing strategy.
Just as Apple has done with the recent update to "iOS 14" which allows the owners of the latest mobile devices to know - through different color indicators (green and orange) that appear on the status bar of the device - if an installed app is using the camera and then detecting the user's image.
On the other hand, the protection of our personal data must never be sacrificed. And to do this, in our opinion, it is essential that our country enact regulations governing this technology. The added values that facial recognition is able to provide to our economy are in fact under the eyes of everyone for a long time, but if we do not act at the regulatory level in the short term the risk is to have to face in a few years the development and uncontrolled use of these technical solutions, with the consequence of having to spend time and economic resources to solve multiple problems rather than bringing about new advantages.
[1] This is confirmed by an interesting (and worrying, for all of us) study that was published during the “Safer Internet Day”, according to which more than half of Italian millennials (55%) uses the same password to access different services and 19% uses extremely simple passwords such as a numbered sequence.
[2] Also noteworthy is the new project "Telefi" funded by the European Commission and called "Towards the European Level Exchange of Facial Images" (TELEFI). It is a study on the benefits that the use of facial recognition can provide to crime investigation in EU Member States and the exchange of data collected within the "Prüm" system, through which DNA, fingerprints and vehicle registration data are exchanged between EU countries to combat cross-border crime, terrorism and illegal migration.
[3] Classic examples of biometric data, in addition to the characteristics of the face, are: the fingerprints, handwritten signature placement dynamics, the retinal vein pattern, the iris shape, the characteristics of the voice emission.
[4] See, for more details, the Opinion of the Working Party ex art. 29 (now replaced by the “European Data Protection Board”) no. 2/2012 - https://www.pdpjournals.com/docs/87997.pdf.
[5] See Recital no. 51 GDPR.
[6] See “Guidelines no. 4/2019 on Article 25 Data Protection by Design and by Default” - Version 2.0 Adopted on 20 October 2020.
[7] See on this matter “Guidelines on biometric recognition and graphometric signature” issued by the Italian data protection Authority on 12 November 2014.
[8] With the term "enrolment" it is understood the process through which a subject is accredited to the biometric system, through the acquisition of one of its biometric characteristic. Indeed, to enable biometric recognition is necessary to acquire the biometric characteristic by way of a procedure ensuring that biometric enrolment is performed appropriately, that the link with the capture subject is retained, and that the quality of the resulting biometric sample is safeguarded. Generally, the facial biometric sample is used to extract, via algorithms that are sometimes based on so-called “neural networks”, a given set of features such as the location of eyes, nose, nostrils, chin and ears in order to build up a biometric template.
Insight welcomes Caterina!
Our team continues to grow… we are excited to announce that Ms. Caterina Bo has joined our team as a trainee. She will deal with Intellectual property and Litigation.
Caterina participated in the 25th edition of the Willem C. Vis International Arbitration Moot as oralist on the merits of the case and is now junior coach of the University of Pavia team for the preparation of the written and oral phases of the competition.
She is also clerk assistant at the Court of Appeal of Milan, first division (Business division), where she assists the assigned judge in preparing for hearings and in the drafting of decisions.
For her complete profile click here.
Welcome on board Caterina!
Trade secrets: is civil or criminal protection more effective?
By virtue of articles 623 of the Criminal Code and 98 of Legislative Decree of 10 February 2005, no. 30, the legislator has laid the foundations for the legal protection of industrial secrets specifically with a view to safeguarding all those activities and investments that the holder of the secret keeps confidential insofar as it assures him a competitive advantage within the market.
Firstly, we should start from the well-known definition of “trade secret” found in art. 98 of the Industrial Property Code (henceforth “IPC”) which provides that only information that is secret, economically valuable and subject to strict protection measures may be safeguarded as know-how.
However, it would not be correct to state that civil protection of know-how concerns just information that can be shown to possess the aforesaid three characteristics. Indeed, art. 99 of the IPC, without prejudice to the law on unfair competition, recognizes the existence of trade secrets which, despite not meeting the criteria set out in art. 98 of the IPC, are nevertheless deemed worthy of protection.
In essence it is possible for an entrepreneur to proceed legally with a claim of unfair competition in relation to the unlawful misappropriation of information that is considered objectively confidential, despite the absence of all the appropriate protection measures. However, in this case the entrepreneur must overcome another obstacle, namely the burden of proving that the misappropriated information was understood to be objectively confidential by virtue of its inherent value.
Beside this type of civil protection, national law also offers protection under the criminal law, especially via art. 623 of the Criminal Code. Such provision does not expressly define what is meant by “know-how”, confining itself to stating as follows: “trade secrets or information destined to remain secret, discoveries or scientific inventions”. This is one initial difference that may be found between the civil and criminal provisions that concern the object and the requirements of know-how.
As a result of the extensive amount of criminal case law on the subject-matter of know-how, and in light of what has been said by the greater amount of academics, it is possible to state that what is being protected by article 623 of the Criminal Code is the interest of the holder of the trade secret in avoiding the disclosure of information which concerns the methods and procedures that define the industrial structure of a corporation.
Consequently, the so-called “know-how” – as defined by the case law of the Supreme Court – must be understood to be that knowledge and organisational plan that combined are necessary for the construction, operation and maintenance of an industrial apparatus. Such hypothesis, which has been recently stated by the Supreme Court in the well-known criminal judgment no. 16975/2020, refers therefore not just to a single technique or custom or corporate information, but rather to the entire knowledge of a company, the result of experience accrued as well as research and investments made over the years.
The aforementioned judgment of the Supreme Court reads as follows: “doctrine and case law agree that the protection offered by Article 623 of the Criminal Code goes beyond that provided by the civil law with respect to patentable inventions, and indeed the Supreme Court has repeatedly stated that, for the purposes of protection of industrial secrets under the criminal law, novelty (inherent or external) and originality are not essential requirements of industrial applications, since they are not expressly required by legislative provisions and also because the interest in the protection of confidentiality under the criminal law must not necessarily be inferred from these characteristics applicable to protected information.
This means that, even if the sequence of information – which constitutes a single whole for the implementation of a specific economic phase of the company's activity – is made up of single items of information which are in themselves known, if such entire sequence is not known and is actually considered secret by the company, then it is in itself worthy of protection. In other words, it is not necessary that every single information that makes up the sequence is "unknown"; rather, it is necessary that the organic whole is the result of an elaboration of the company. Indeed, it is through this process that the final information acquires an additional economic value in comparison to the individual elements that make up the cognitive sequence. This is what happens, precisely, in the case of a company that adopts a complex strategy to launch a product on the market: its individual elements are undoubtedly known to operators in the sector, but the whole may have been designed in such a way as to represent something new and original, thus constituting for the creator a real treasure trove from a competitive point of view[1]”.
The aforementioned principles define with greater clarity the contours of the notion of “trade secret” relevant within the field of criminal law, and favour – we believe, rightly so – a wider interpretation that can assure a more meaningful protection of the knowledge and experiences of a company.
It is worth clarifying that the type of conduct that is sanctioned by art. 98 of the IPC may still be qualified as a crime punished by art. 623 of the Criminal Code. Therefore, the person who believes his trade secret has been violated may commence a civil action for the recovery of damages that have been suffered pursuant to art. 98 of the IPC, as well as criminal proceedings with a view to obtaining a conviction of the perpetrator of the violation. However, in the civil action the claimant will have to prove that the violated trade secret was not known, was economically valuable and was protected with adequate security measures, whereas in criminal proceedings the same person will have to prove the dissemination and/or utilization – for personal or another’s gain – of the secret on part of the person who learned of its existence within the scope of his duties. This is a second difference between the two types of protection that concerns, in this case, a different regime applicable to the burden of proof.
Finally, from a procedural standpoint it must be evidenced that within civil proceedings the action may be brought equally against the natural person who reveals the trade secret and/or the company that benefits from such revelation, whereas criminal proceedings – pursuant to article 27 of the Constitution – must be commenced against the person who reveals the secret and against the person who holds a security position within the company thereby using to his own advantage the information that makes up the trade secret. Therefore, an additional difference (this time of a procedural nature) may be found between the legal provisions here being discussed.
In summary, the main differences between protection under the civil and criminal laws on know-how concern:
- the object and requirements of know-how;
- a different regime applicable to the burden of proof of know-how;
- procedural aspects (such as a different legal standing).
[1] Supreme Court, Division V (criminal) - 11/02/2020, no. 16975
Insight Studio Legale 법무법인 in the Public Tender published by the INAF (National Institute for Astrophycis)
Insight Studio Legale is proud to have given its contribution to research and science!
The firm assisted KASI (Korea Astronomy and Space Science Institute), the South Korean Institute responsible since 1974 for national research in astronomy and specialized in the development of large and medium sized infrastructures and observation equipment.
In particular, the legal support provided by Insight helped KASI to win the tender for the supply to INAF of 3 microwave receivers, each having three frequencies, for a total value close to 3 million Euros. The receivers will be used for strengthening the Sardinia Radio Telescope that is used at high radio frequencies for the study of the Universe.
On behalf of Insight Studio Legale the operation was followed by Managing Partner Ju Yeon Park, Associate Carmine Perri and Junior Associate Liam Nowak.
Brompton case - can the shape of the famous folding bike model "Brompton" be protected by copyright?
Introduction
Last June 11th represented an important date for all copyright enthusiasts and for the experts in this field of law.
On such date, the European Court of Justice has issued a judgment of considerable interest in relation to a point of law raised in the course of a counterfeiting action of the well-known bicycle model commenced by Brompton Bicycle Ltd against the Korean company Chedech/Get2Get before the Liège Business Court (Belgium).
(1. Brompton model) | (2. Chedech/Get2Get model) |
Background
The English company Brompton Bicycle Ltd had patented the well-known folding bicycle model in 1975, protecting the distinctive feature that allows the product to take three different positions, namely: (i) folded position, (ii) open position and (iii) intermediate position (which allows the bicycle to remain balanced on the ground).
However, once the 20-year period had expired and Brompton's industrial property rights over the bicycle folding mechanism had expired, other companies, such as Get2Get, started to offer products with the same characteristics on the market. As a result, Get2Get was sued by Brompton, which claimed that its copyright on the product had been infringed and, consequently, asked the Belgian court to order Get2Get the withdrawal of the bicycle model it had marketed from all the stores.
In its defense brief, the latter argued that the particular aspect of its product was attributed by the technical solution sought, which was capable of enabling the bicycle in question to take the three different positions and that, therefore, such an aspect could not be protected by copyright law since its protection was exclusively provided by patent law.
On the contrary, the applicant replied that the three positions of the Brompton bicycle could be obtained through different shapes, others than those identified for that bicycle by its creator and that, therefore, its shape could be protected under copyright law due to that creative characteristic.
Therefore, the Liège Business Court having found that under Belgian law any creation which expresses itself in a particular form and which is original is protected by copyright law, appealed the European Court of Justice to demand whether such protection should be excluded if the shape of the object is "necessary to achieve a technical result" and what criteria should apply for the purposes of that assessment.
In addition, the Belgian court submitted a further question to the ECJ, asking whether the following criteria should be taken into account for assessing the requirement of a given shape in order to obtain a technical result:
- the existence of other possible shapes achieving the same result;
- the effectiveness of the shape to achieve that result;
- the willingness of the alleged infringer to achieve that result;
- the existence of an earlier patent, later expired, on the procedure for achieving the technical result pursued.
Analysis of the judgement
The Court of Justice, appointed by the Belgian judge, has issue an historic decision stating that the shape of a product can be protected under copyright law even if it is partially intended to obtain a technical result.
Specifically, the ECJ moved from the notion of work, as defined in Articles 2 and 5 of Directive 2001/29, in order to establish that it necessarily consists of two elements:
- the originality, which implies that the work is an intellectual creation belonging to its author, and
- the free and creative expression of the author of the work in a factual reality.
Therefore, with reference to the first element, the ECJ found that a work can be considered original even in cases where its creation was dictated by technical evaluations, in all those cases where it reflects the personality of its author, showing the latter's free and creative choices.
On the contrary, it has been specified that, in accordance with settled case law within the Court, in all those cases where the creation of a work has been exclusively determined by technical considerations, rules or other constraints which leave no room for creative freedom, it cannot acquire the status of a work and therefore it cannot enjoy the protection granted by copyright law (as stated in Cofemel – Sociedade de Vestuário SA v. G-Star Raw CV, C‑683/17[1]).
In reaching those considerations the Court did not follow, first of all, the theory of the multiplicity of forms, observing that, for the purposes of establishing the originality of a given work, it cannot be regarded as a straightforward factor the consideration that the same technical result can also be achieved through different shapes of the product.
With regard to the second element, the Court also stated that the concept of “work” in Directive 2001/29 necessarily implies the existence of an object which can be identified with sufficient precision and objectivity (see Cofemel above).
It follows that an object which satisfies the requirement of originality will be eligible for protection under copyright law, even if its creation was determined by technical considerations provided that such determination did not prevent the author from reflecting his or her personality in that object by showing free and creative choices.
Likewise, as also stated in Article 2 of the WIPO Copyright Treaty, the criterion of originality cannot be met by those components of an object which are solely characterized by their technical function since, otherwise, it would be possible to monopolize ideas to the detriment of technical progress and industrial development.
It must be noticed that, in the present case, although the particular shape of the bicycle is necessary to obtain a specific technical result, namely the suitability of that product to take the said three positions, the Court nevertheless does not, a priori, exclude the possibility that the peculiarity, given by the folding mechanism of the bicycle, may become a creative characteristic of the author.
As the matter of fact, in the judgment of last June, the ECJ established that the national Judge will have to assess whether the bicycle in question constitutes an original work resulting from an intellectual creation.
In this framework (also considering that only the originality of the product will have to be assessed), the existence of other possible shapes that would lead to the same technical result will not be considered as decisive in order to assess the factors that guided the choice made by the creator.
Similarly, the willingness of the alleged infringer will have no relevance in the context of such an assessment, whereas the existence of prior patents on the work should be regarded as merely indicative and not decisive for the purposes of its attribution to copyright protection.
Conclusions
The judgment under exam had, without doubt, the merit to apply properly certain key principles of European copyright law, derived from the tradition of common law, namely the dichotomy theory, which separates idea and expression, the originality theory and "merger doctrine", with reference to the assumption that some ideas can be expressed in a comprehensible way only in one or a limited number of ways.
However, there is still room for some criticisms relating, firstly, to the failure of this ruling to refer to the relevance of the creator's intentions in the context of his creation, given that, in his conclusions presented at the hearing on 6 February 2020, the Advocate General had stressed its importance for the purposes of identifying the character of the creativity and originality of the work and that the failure to refer to that aspect would contradict what was already stated in Case C-310/17 (i.e. Levola Hengelo BV v. Smilde Foods BV[2]).
A further issue in the judgment under examination should be recognized in its failure to identify an exhaustive list of factors that can provide a parameter in the assessment of the originality of the work in a similar order of cases (as in Doceram[3]).
Consequently, this assessment will be left, on a case-by-case basis, to the national courts of the Member States and, therefore, it could lead to a lack of uniformity with respect to its application.
It cannot be excluded that the Belgian court, which now has to issue a decision, in the light of the Court of Justice's ruling, may recognize the creativity and originality of the Brompton bicycle and its folding mechanism, given that, in some recent rulings in France on aspects similar to those taken into account by the ECJ in the present case, different type of IPRs have been granted to the holder (e.g. patent and design), since they were not found to be exactly based on the same aspects of the product.
Finally, it is worth noting that, in Italy as well, copyright protection has recently been granted to the shape of a car[4] and a motorcycle[5], as well as to the shape of after-ski boots[6].
We therefore have no other option than to wait for the ruling of the Liège Business Court, aware that the relevance of the ruling delivered by the European Court of Justice will have such an impact that it will determine in any case an evolutionary effect of copyright law in Europe.
______
[1] http://curia.europa.eu/juris/liste.jsf?num=C-683/17&language=IT.
[2] http://curia.europa.eu/juris/document/document.jsf?text=&docid=207682&&doclang=EN&.
[3] Court of Justice 8 March 2018 (Second Chamber), Case C-395/16, Doceram GmbH v CeramTec GmbH ECLI:EU:C:2018:172;
[4] Bologna Tribunal 20 June 2019 (order), Ferrari s.p.a. v Design Modena s.r.l., available at https://iusletter.com/wp- content/uploads/Ferrari-250-GTO_prima-automobile-nella-Storia-a-vedersi-garantita-la-tutela-autorale_Tribunale-di- Bologna-ordinanza-del-20-giugno-2019.pdf.
[5] App. Torino 12 dicembre 2018, Zhejiang Zhongneng Industry Group and Taizhou Zhongneng Import and Export Co. v Piaggio s.p.a., Torino Tribunal 6 April 2017, Zhejiang Zhongneng Industry Group and Taizhou Zhongneng Import and Export Co. v Piaggio s.p.a., in Giur. ann. dir. ind. 6528. The matter has been dealt with, from a different angle (a challenge to the validity of the later Community design based on prior Italian designs and trade marks, as well as copyright), by EU General Court 24 September 2019 (Sixth Chamber), Case T-219/18, Piaggio & C. s.p.a. c. EUIPO e Zhejiang Zhongneng Industry Group Co. Ltd.
[6] Milano Tribunal 12 July 2016, Tecnica Group s.p.a. v Gruppo Anniel s.n.c. di Simeoni Anna & C. and Gruppo Coin.
Trade secrets: convergence between Europe and the United States in light of recent legislative reforms
- Introduction
Until 2018 the correct terminology to be used in Italy for identifying information which, by virtue of its inherent economic value, is kept secret by the company that owns it would have been “confidential information”. Subsequently, Legislative Decree of 11 May 2018, no. 63, modified – among other things – article 98 of the Industrial Property Code (henceforth “IPC”) by substituting the aforementioned expression with “trade secrets”, which is now the currently applicable legal terminology.
The reform of the ICP was made necessary as a result of the implementation in Italy of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
The topic of trade secrets is highly relevant for many businesses that in some cases base their entire commercial success on such intellectual assets. Take for example Coca Cola, a product that has had enormous success also as a result of the strategy pursued by the owner of the recipe – the US corporation The Coca Cola Company – who chose to keep secret the formula created by the pharmacist John Pemberton all the way back in 1886 (subject to the innumerable attempts at reverse engineering that have been made in the past 134 years). The Coca Cola recipe may be qualified as a “trade secret” and is often cited by industry experts as a virtuous example of corporate know how.
In this regard the European directive is crucially important within the general context of European industrial property rights inasmuch as it attempts to harmonize the differing trade secrets laws enacted in the various Member States of the European Union.
Within the same time frame the United States of America enacted its Defend Trade Secrets Act, signed into law on 11 May 2016 by the President at the time, Mr. Barack Obama. The American legislation in particular purports to strengthen the protection of trade secrets at a federal level, given that the vast majority of US states had already individually implemented the 1979 Uniform Trade Secrets Act (i.e. a model legislation that essentially codified the principles of American common law on trade secrets).
There are a series of parallels – briefly described here below – that exist between the European directive and the US system which justifiably may be described as a substantial alignment between Europe and the United States on the topic of trade secrets.
- Similarities and analogies between the two legal systems
Firstly, let us consider the definition of “trade secret” found in both the EU directive and the US Defend Trade Secrets Act:
Article 2 of directive (EU) 2016/943
“For the purposes of this Directive, the following definitions apply: 1) “trade secrets” means information which meets all of the following requirements: a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; b) it has commercial value because it is secret; c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret”. |
Defend Trade Secrets Act (18 U.S. Code § 1839) “The term “trade secret” means all forms and types of financial, business, scientific, technical, economic, or engineering information … whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information”.
|
As may be seen, both of the above definitions specify the same constituent elements of a trade secret. In particular, both the European and American definitions provide that a trade secret is information (which also includes data, documents, etc.) which is:
- secret, inasmuch as the information in question is not ordinarily within the availability of those operating in the relevant industry;
- economically valuable, given that such information must be economically quantifiable (namely, the company that owns the information has invested significant economic resources in the information);
- subject to protection measures, given that without such measures the information itself would not be secret.
However, we should also not ignore certain differences existing between the above mentioned definitions.
For example, in relation to the requirement of secrecy (point 1 above), the EU Directive states that the information cannot be “generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question”, whereas the US provision requires that information should not be known or ascertainable “by, another person who can obtain economic value from the disclosure or use of the information”.
On this matter the Transatlantic Business Council[1] (in a report that may be found by clicking here) has argued that such differences have no meaningful practical consequences given that the two definitions reach the same conclusion in that: “A person who can obtain economic value from the information’s disclosure or use (US-DTSA) generally also will be a person within the circles that normally deal with the kind of information in question (EU-TSD), and vice versa” (see page 5).
In our view, similar considerations may be made with respect to the other minor differences[2] that may be found in these definitions which, despite their use of apparently different wording, ascribe the same meaning to the notion of “trade secret”.
Moreover, the European and American legal systems converge in other ways, in addition to the similarities found above in relation to the definition of “trade secrets”, as also evidenced by the International Chamber of Commerce in one of its reports (which may be found by clicking here), and in particular by way of non-exhaustive example:
- “unlawful acquisition, use and disclosure” of trade secrets in EU law (article 4 of the directive) are legal notions also present in US law (18 U.S.C. § 1839 (5));
- both legal systems provide for exceptions in relation to reverse engineering and independent discovery (see art. 3 of the EU directive, and 18 U.S.C. § 1839 (5));
- in relation to so-called “whistleblowing” (i.e. anonymous reporting of unlawful conducts) both the EU directive (art. 5, let. b)) and US law (18 U.S.C. § 1833 (2)) do not consider it an unlawful act for a person to reveal a trade secret if this is necessary for reporting to the authorities an unlawful conduct of the person or entity who holds the trade secret;
- both legal systems give judges the power to issue injunctions in order to prevent the unlawful divulgation of trade secrets (see in particular arts. 10, para. 1 and 12, para. 1 of the EU directive, and for the United States see 18 U.S.C. §1836 (b)(3)(A)(ii)) as well as to seize goods that infringe trade secrets (see art. 10, para. 1 of the EU directive, and 18 U.S.C. § 1836 (b)(2)).
Nevertheless, it should be reiterated that some differences do exist between the European and US systems; for example, a trade secret is considered a fully-fledged industrial property right under US law but not so in Europe (as also confirmed by the European Commission when it states that “trade secrets are not a form of exclusive intellectual property right”)[3].
However, as noted above, these differences are not so significant as to determine an irreconcilable separation between the European and US legal provisions on trade secrets.
- Conclusions and relevance (opportunity?) for Italy
On the basis of the considerations made above, we believe it is reasonable to speak of a substantial alignment on the topic of trade secrets between the legal system of the European Union, as codified in Directive (EU) 2016/943, and that of the United States of America as resulting from the relevant legislation (in particular the 2016 Defend Trade Secrets Act).
This alignment – which is a part of a greater harmonization project of intellectual property rights – is evidently aimed at encouraging foreign investors (in this case, American investors) to collaborate with European companies, in so far as those same investors may operate under the reasonable certainty that they will get from the European legal system a type of protection similar to that offered under the US system. The same applies for the European investor who is looking at the market of the USA for opportunities.
All of this certainly represents an opportunity for Italy which is a great European manufacturing power, as well as a country that more than others is culturally inclined towards creativity and experimentation both in the arts and sciences (which is after all the core of research and development, and therefore a place where trade secrets have great relevance).
If over time Italy will prove that it can put to best use its intangible assets and know how, we believe it will be among those European countries that will most benefit from the alignment between European and US laws on trade secrets and will allow it to further strengthen its relationships with overseas partners.
If not, then we’ll simply witness yet another missed opportunity.
__________
[1] The Transatlantic Business Council is an association involved in the promotion of greater integration and strengthening of political ties between Europe and the United States.
[2] Other differences that according to the Transatlantic Business Council may be found in these definitions: a) the US Act states that information is secret in so far as it is not accessible “through proper means”, whereas the EU directive does not include such wording in its definition and instead defines separately (under art. 3) the lawful acquisition of a trade secret; b) the EU directive protects a trade secret also “in the precise configuration and assembly of its components”, so that the combination of information as a whole would enjoy protection even though its individual components are not secret; this wording is not present in the definition of the Defend Trade Secrets Act, however, the protection of combinations of information is settled in US common law.
[3] For further references see the website of the Commission by clicking here.
Contact tracing and COVID-19: the GDPR as a balance between the protection of health and the privacy right
The use of contact tracing technology is necessary and essential in order to deal with the Covid-19 emergency and protect the public health of our country. However, mapping the movement of individuals can have serious consequences for the protection of our privacy. So how can the right balance be found between the two fundamental rights of health and privacy of each individual?
“Contact tracing” is the expression of the moment. It is a digital system used for tracing physical contact between individuals and in that sense it represents an important technological measure aimed at containing and preventing the spread of the Covid-19 virus in our country (and elsewhere).
This tracking system should be implemented via the application called “Immuni”, designed and developed by the Milan-based software house Bending Spoons, which will (probably) be launched in Italy by the end of May 2020.
However, the tracking of contacts between individuals and the consequent use of their common and sensitive personal data (including health data) for purposes related to the protection of public health also has an impact on their privacy.
While, on the one hand, the protection of health is a right guaranteed by the Italian Constitution – wherein “health” is understood both as a fundamental right of the individuals and an interest of the community, pursuant to article 32 of the Italian Constitution - on the other hand, the protection of personal data (or the privacy right) is a fundamental right expressly provided for by the Charter of Nice and recognized by the Italian Constitution.
Furthermore, we should ask ourselves what could be the practical consequences of using contact tracing technology in our daily lives; how the relationship between the right to health and the right to protection of personal data has been dealt with at a regulatory level; and whether it is possible to rely on the use of this new technology without fear of violation of our right to privacy.
1. What is "Immuni" and how does it work?
Immuni is an application that can be downloaded on each mobile device and that generates - for each device - a temporary, anonymous and variable identification code (ID) which interacts, via “Bluetooth Low Energy” technology, with other nearby mobile devices, thereby collecting and storing the ID code and related metadata of those devices (for example, how long the connection with the other device lasted, the distance in meters, etc.). The data controller of the personal data collected by Immuni is the Italian Ministry of Health.
Immuni checks whether the nearby ID codes include so-called “positive IDs”, i.e. ID codes associated with mobile devices owned by people who are already infected (or rather, whose infection has already been ascertained by a healthcare facility); to perform this operation, Immuni downloads positive IDs from a publicly managed server at regular intervals and cross-checks them with the ID of the device on which the application is installed. Subsequently, Immuni processes the metadata collected through a special algorithm and determines whether a “potential risk of Covid-19 contagion” (which may be more or less high) may be established.
If the outcome of the above checks is positive and Immuni believes that there is a reasonable risk of contagion, the user receives a notice on his / her device indicating that he / she was in contact with an infected person and therefore invites him / her to follow certain instructions (including, for example, staying at home and/or carrying out diagnostic tests).
A practical example on how this works: Carlo and Giulia meet for a few minutes at a short distance from each other; they both downloaded Immuni and their mobile devices have captured each other’s ID codes. After a few days, Carlo discovers that he has Coronavirus and decides spontaneously (remember that there is no obligation in this regard) to upload this sensitive data to Immuni. Meanwhile, the app installed on Giulia’s smartphone examines the IDs she has collected and stored in its memory and cross-checks them with those downloaded from the public server, detecting the presence of Carlo’s ID. Subsequently, Giulia is informed through a notice sent by her Immuni app that she was in contact with a person that tested positive to the Coronavirus (without, however, indicating who that person is) and she is thereby invited to take certain cautionary measures.
2. The opinions of the European Data Protection Board and the Italian Data Protection Authority
The European Data Protection Board (see the “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak”) and the Italian Data Protection Authority (see “Parere sulla proposta normativa per la previsione di una applicazione volta al tracciamento dei contagi da COVID-19”) have already issued their opinions on the use of geo-localisation of individuals and contact tracing tools during the Covid-19 emergency and have identified which measures should be taken in order to ensure that the data subjects’ personal data is processed without causing prejudice to their fundamental rights and freedoms.
In this regard, according to the Italian Data Protection Authority the contact tracing carried out through the Immuni app is in line with the criteria identified by the European Data Protection Board and is compliant with the data protection principles inasmuch as such contact tracing:
a) is regulated by a law that provides a sufficiently detailed description of the processing of personal data, the type of data collected, the guarantees given to the data subjects, the provisional duration of the measure (reference should be made to art. 6 of Italian Legislative Decree of 30 April 2020, no. 28);
b) is based on the voluntary participation of the data subject, excluding any form of conditioning of individual choice and, therefore, any possibile unequal treatment for those who decide not to consent to the tracking;
c) is designed to pursue a public interest purpose indicated with sufficient precision and excludes that the personal data collected is being processed for other different purposes, it being understood that there is the possibility (within the general terms provided for by the GDPR) of using the personal data, either anonymously or in aggregate form, for statistical or scientific research purposes;
d) appears to comply with the principles of minimisation as well as with the criteria of privacy by design and by default (set out in art. 25 of the GDPR), insofar as it provides for the collection of just the data that concerns the proximity or closeness of the devices and for their treatment in pseudonymous form, provided such collection may not occur in a completely anonymous form. Such collection must occur in such a way as to exclude the use of geo-localisation data and limit the storage of data to the time strictly necessary to reach the indicated purpose, with the automatic deletion at the expiry date.
In this regard, it should be noted that, pursuant to art. 6 of Italian Legislative Decree no. 28/2020, the use of Immuni and any related processing of personal data will have to cease at the end of the state of emergency and in any case within 31 December 2020, and all personal data processed must be permanently deleted or anonymized;
e) complies with the principle of transparency with respect to the data subjects, thus guaranteeing that before activating the app the users receive an information notice in accordance with the GDPR.
Consequently, the Italian Data Protection Authority supports the use of Immuni, however, it always maintains special attention towards the data subjects: indeed, in its opinion, the Authority clarifies that, on the one hand, the characteristics of the processing of personal data carried out by Immuni can be better identified and, on the other hand, adequate measures to protect the rights, freedoms and legitimate interests of the data subcjects can be adopted (in accordance with art. 2-quinquiesdecies of the Privacy Code and art. 36, para 5, of the GDPR).
3. GDPR as a balance between the protection of health and personal data
There is unfortunately a widely held opinion, especially among non-professionals, that privacy regulations are often a mere “bureaucratic complication” that act as an obstacle to the achievement of all those goals which involve a processing of personal data.
This is an erroneous and misleading opinion, often generated by a lack of knowledge about the law, which may also be dangerous in light of the consequences which it could lead to - let us just think, for example, about the remote possibility of completely forfeiting the use of a valid and efficient contact tracing system to deal with the health Covid-19 emergency inasmuch as such system allegedly may be “incompatible” with the protection of personal data.
This writer believes that the current scenario represents the perfect context to demonstrate that, on the contrary, privacy regulations may (and must) represent the “balance” which allows for the achievement of some of the most ambitious purposes – which certainly include the protection of public health - without giving up privacy.
First of all, it should be recalled that the European Data Protection Board had the opportunity to clarify that “the data and technologies used to contribute to the fight against COVID-19 must serve to give people more tools, rather than to control, stigmatise or repress their behavior”.
A careful analysis of Regulation no. 679/2016 (so-called “GDPR”) also shows that, with reference to health emergency situations, the European legislator does not place any obstacle in the way of pursuing important interests in the public health sector by means of the processing of personal data (see recitals 52 and 54 and art. 9, paragraph 1, letter g and i), where such interests also include “monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health”.
On the same basis, the Italian Privacy Code - updated lastly by Italian Legislative Decree no. 101/2018 - also refers to the provisions of the GDPR and indeed expressly considers “relevant” the interest of those who process personal data for the performance of public interest tasks (or tasks related to the exercise of public authority) in the health sector and for the health and safety of the population.
Consequently, it may be said that data protection rules support the adoption of measures and solutions aimed at curbing the spread of the Covid-19 without, however, forfeiting protection of individual privacy.
However, these solutions - and this is where the “balance” can be found - must always be based on laws that regulate them and that expressly establish appropriate and specific measures to protect the fundamental rights and freedoms of the data subjects, including the types of data that can be processed, the processing operations that can be carried out and the reason of the relevant public interest (see art. 9, paragraph 1, letter i of the GDPR and art. 2-sexies of the Privacy Code).
4. Conclusions and considerations
So can we “trust” Immuni? The answer must be affirmative.
As already said, the use of this app is left to the conscientiousness of each of us, since the key principle that inspires this app is the principle of willingness: each user, in other words, will be free to download it, to enter their personal data in the app, even related to their state of health (i.e Covid-19 positivity) and to comply or not with the instructions received from the app following a potential contact with an infected person.
However, experts tell us that at least 70% of the population should download it so that the app can contribute to a significant containment of the pandemic. This is certainly an ambitious objective, which, in order to be achieved, requires first of all a public awareness campaign aimed at making the app easy to understand, especially for those who are not experts in the field, and clarifying what are the guarantees identified by the Italian Government to protect our privacy.
Briefly, the guarantees that Immuni offers for the protection of our personal data, and that everyone has the duty to be aware of, are: transparency towards the data subjects (we will know before registering with the app, for example, for which purposes our personal data will be processed, for how long and to whom it will be communicated), the exclusivity of the purpose of the processing (our data will be used only for the containment of infections, excluding different purposes) and the minimisation of processing (only the data necessary to trace our contacts will be collected and reliable anonymisation and pseudonymisation techniques will be adopted).
But that’s not all. Indeed, spreading accurate knowledge of data protection rules, their real meaning, their function and their value is even more important, if not indispensable and essential, towards contributing to a widespread “legal culture” and pursuing an ambitious goal that we are all called upon to realize in this delicate historical moment.
The President of the European Data Protection Board, Andrea Jelinek, has expressly reiterated this concept to the European Commission by stating: “the voluntary adoption of a contact tracing system is associated with individual trust, thus further illustrating the importance of data protection principles”.
Awareness and trust. And vice versa.
Copyright and videogames: Insight hold a lecture on copyright and video games at Bocconi University in Milan
Insight's Digital Entertainment team held a guest lecture at Bocconi University for the students of the master's degree course in law, as part of the "European and International Intellectual Property Law" module. Insight dealt, in particular, with the issues of the legal classification of videogames as works protected by copyright and the reproduction of Italian cultural heritage assets in videogames.
Insight talks about live entertainment and its exploitation on streaming platforms
Insight was invited to a meeting on "Streaming and copyright and image rights at the time of social distancing" organized by the ethical table of A2U - Attrici e Attori Uniti. Insight spoke about copyright, neighboring and image rights of live entertainment actors, focusing on the opportunity to exploit theatrical works via streaming platforms to face the impossibility of a live attendance caused by the COVID-19 emergency.
Insight welcomes Emanuele!
Our team continues to grow… we are very happy to announce that Emanuele Fava is joining the Digital Entertainment & Technology team as an Associate. Emanuele is a videogame enthusiast and his practice is focused on intellectual property and advertising law. Before joining Insight, Emanuele has worked at a leading international law firm and at the EUIPO where he litigated cases on registered trademarks and designs before the Court of Justice of the European Union. Here at Insight, Emanuele will handle litigation, transactional and advisory work, mostly related to interactive entertainment and new technologies.
For his complete profile click here.
We’re thrilled to have you on board, Emanuele!19