Free transfer of personal data to Republic of Korea: a historic adequacy decision is coming

The European Data Protection Board (“EDPB”) has issued its opinion on the draft adequacy decision published by the European Commission on 16 June 2021 concerning the transfer of personal data to the Republic of Korea.

This is a decision that, once in force, will allow EU economic operators – first and foremost electronic communication service providers, cloud providers and multinational companies – to freely transfer personal data from Europe to the Republic of Korea without having to adopt either the appropriate safeguards (e.g., "Standard Contractual Clauses") or the additional measures (e.g., consent of data subjects) required by Chapter V of EU Regulation No. 679/2016 ("GDPR").

Indeed, pursuant to articles 44 et seq. of the GDPR, the transfers of personal data to countries outside the European Economic Area or to an international organization are allowed provided that the adequacy of the third country or organization is expressly recognized by a decision of the Commission.

We will now examine in detail the contents of the opinion issued by the EDPB.

Firstly, it was noted that the Republic of Korea's legal framework on the protection of personal data is substantially aligned with the European one, especially with regard to the main definitions provided for by law (“personal data”, “processing” and “data subject”), the requirements for lawful data processing, the general principles and the security measures.

This has been possible not only thanks to the presence of an effective privacy law (i.e., the "Personal Information Protection Act" or "PIPA", which came into force in 2011) but also because of a series of "notifications" (including “Notification no. 2021-1”) issued by the Korean Data Protection Authority (i.e., "Personal Information Protection Commissioner" or "PIPC"), which explain the provisions of PIPA and make them easily understandable.

Moreover, as noted by the EDPB, the Republic of Korea is party to a number of international agreements that guarantee the right to privacy (including the "International Covenant on Civil and Political Rights", the "Convention on the Rights of Persons with Disabilities" and the "UN Convention on the Rights of the Child"), which confirms the attention that the Republic of Korea has paid to the protection of personal data for several years now.

The EDPB's analysis then focused on some key aspects of PIPA that slightly differ from the GDPR and therefore require more attention - such as, in particular, the absence of a general right to withdraw the consent provided by the data subjects, for example, for marketing activities.

According to the EDPB, although article 37 of PIPA grants data subjects the right to request the “suspension” of the processing of their personal data - a right that can be exercised also in case of direct marketing, as expressly clarified by Recital 79 of the EU Commission adequacy decision – the PIPA provides for the right to withdraw the consent only in two specific cases:

  1. in relation to the transfers of personal data carried out in the context of special corporate operations (such as mergers, acquisitions, etc.);
  2. with regard to the processing of personal data for marketing activities by providers of electronic communication services.

The EDPB therefore considered it necessary to draw the Commission's attention to the above-mentioned issues in order to analyze in detail the consequences that, in the light of the Korean legal framework, the absence of such a right might cause for data subjects and to clarify, in the adequacy decision, the actual scope of the above-mentioned right to request the “suspension” of the processing.

Secondly, the EDPB observed that, pursuant to article 58 of PIPA, a substantial part of PIPA - including Chapters III, IV and V, which respectively regulate the general principles for data processing, the security measures and the rights of data subjects - does not apply to several types of processing of personal data (including those necessary to meet urgent needs for the protection of public health and safety).

The EDPB also notes that the word “urgent” in the PIPA expresses an extremely broad concept that needs to be limited and contextualized, also with the help of practical examples, in order not to compromise the confidentiality of the data subjects’ personal data.

Moreover, in the light of the current emergency situation caused by the Covid-19 pandemic, the EDPB drew the Commission's attention to the need to ensure an adequate level of protection also for personal data transferred to the Republic of Korea for purposes related to public health protection.

This is because "sensitive" information relating to European citizens (for example, the vaccination status), should receive at least the same level of protection as granted under the GDPR once transferred to the Republic of Korea. In this regard, the EDPB therefore invited the Commission to closely monitor the application of the exemptions provided for in article 58 of PIPA.

Finally, the EDPB considered it appropriate to focus on the possibility for Korean public authorities to access the personal data of European citizens for national security purposes. In this respect, there is no specific obligation for Korean authorities to inform data subjects of the access to their personal data, especially when data subjects are not Korean citizens.

However, even in the absence of such obligation, the balance between the needs of protection of the national security and the protection of the fundamental rights of the data subjects can be found in the same Korean Law that protects the privacy of interpersonal communications (the "Communications Privacy Protection Act" - see also Recital 187 of the adequacy decision), according to which the access to the personal data of European citizens for purposes of national security can be made only if certain legal requirements are met (for example, in the case of communications between "foreign agencies, groups or citizens suspected of being involved in activities threatening national security").

The EDPB notes that, as a further guarantee of the confidentiality of communications accessed by the Korean authorities, the South Korean Constitution states essential data protection principles applicable to this specific matter.

In the light of the favorable opinion issued by the EDPB, it is certainly desirable, and likely, that the European Commission will adopt an adequacy decision in respect of the Republic of Korea.

In an increasingly data-driven global economy based on the economic value of personal data as well as on the sharing of personal data, such an adequacy decision would open the door to the liberalization of trade with the east, also from a privacy perspective.

This regulatory intervention, the subject of this article, was due and long awaited, and it certainly follows the "Free Trade Agreement" between the EU and South Korea in force since 2011, which has been able to exponentially increase bilateral trade between the two countries (in 2015 the trade value of transactions amounted to around €90 billion).

Our hope is that, as the years go by, the European Commission's adequacy assessments will cover more and more legal frameworks so that the international transfer of personal data can represent a real and concrete instrument for promoting the economy and innovation worldwide.


Copyright Directive: an open challenge

The path leading to the implementation of the Copyright Directive has been long and full of setbacks. Indeed, it was only on 6 August - two months after the deadline set by the Directive itself - that the Council of Ministers approved the draft Legislative Decree implementing the Directive, which is now once again being discussed by the Parliament.

One of the elements that has contributed to slowing down the legislative process of this new text is the objective it pursues, namely the rebalancing of the relationship between, on the one hand, the large digital platforms that disseminate and aggregate creative content and, on the other hand, the producers, authors and performers of such content.

From that perspective a number of innovations have been introduced, as listed below, which have given rise to much debate and concern:

  • Article 13: establishment of an impartial body to assist creators of audio-visual works in negotiating licensing agreements with video on demand service platforms (such as Netflix, Prime Video, Disney Plus, etc.). This therefore is an instrument for the protection of authors and their rights which aims solely at limiting the enormous bargaining power that digital platforms use to their advantage against those parties;
  • Article 14: free use of acts of reproduction of works of the visual arts that have entered the public domain because copyright protection has expired. Basically, if a work of the visual arts, such as a painting or a film, falls into the public domain and is reproduced in a video or in any other form of communication by a third party, the latter cannot claim any right over such act of reproduction, unless it constitutes an autonomous intellectual creation of the author and can be protected as such;
  • Article 15: introduction of a new related right in favour of publishers of journalistic publications for which they must be remunerated for the online exploitation (reproduction and making available to the public) of these publications by digital platforms, such as Google, Bing, Yahoo; the same article also provides for the obligation of the same publishers to pay a reasonable share of the revenues generated in favour of the authors of the publications. Such fair remuneration has given rise to a number of uncertainties, since the decree in question, instead of limiting itself to providing for the right of publishers to negotiate a remuneration (as provided for in the text of the Directive), has provided for the obligation to negotiate a fair remuneration. Moreover, if the parties in question are unable to agree on this point, AGCOM (the Italian Communications Authority) will act as “referee” in identifying such remuneration;
  • Article 17: obligation of online content sharing services, such as Facebook, YouTube, Telegram, to obtain the authorization from rights holders to share protected content on their platforms. Sharing services therefore will be directly liable for copyright infringements committed via their platforms, unless they can prove that they have obtained the authorization from the rights holders to disseminate protected works or at least have made “best efforts” to obtain such authorization or to remove unauthorised content.

The use of the term “best efforts” to assess whether or not the conduct of the platforms may be sanctionable will certainly create several problems, especially of an interpretative nature; for the time being, this expression has been translated in the decree under review as the obligation to adopt the “maximum efforts”, thus favouring an extensive and quantitative interpretation that imposes and therefore requires greater control by the platforms;

  • Article 17: introduction of complaint and fast-track redress mechanisms for users in the event of disputes that concern content removal or account disabling by platforms, as well as information requirements for platforms concerning the conditions and terms of removal of uploaded content.

The innovations listed above undoubtedly constitute a major challenge because of the economic interests that are involved. The objective of the directive certainly is a bold one in that it seeks to change the rules of the game in order to redistribute the value generated by the activity of the platforms and “give it back” to the creators and authors of the contents.

In that regard, the obligation for publishers to reach agreements with large information aggregation platforms such as Google for the purpose of obtaining remuneration for the use of their publications is an historic legislative change, albeit one that risks cementing the predominance of those publishing houses that have sufficient resources to engage in such negotiations. This imbalance is even more evident if one considers that art. 1, para I, lett. b (8) of the decree includes, among the criteria for quantifying this remuneration, the higher number of views or the reputation of the publisher itself.

Equally relevant is the provision of a “maximum effort” to be borne by the sharing platforms in removing illegal content uploaded by users. However, the choice of the Italian legislator to prefer the quantitative criterion, which seems to refer to the amount and pervasiveness of the checks carried out, introduces a potential risk of indiscriminate removal of content by extremely “sensitive” detection algorithms, which certainly contrasts with one of the stated objectives of the directive, namely, to preserve the right of criticism and satire of users. On the other hand, a “qualitative” interpretation of this obligation could have been preferred, namely a “better effort” on the part of the platforms, one that would be proportionate to the seriousness of the violations and their diffusion.

The decision by the Italian Government to depart in part from the text - and from the spirit - of the directive has been the subject of a lengthy debate, to the extent that more than one person has raised doubts about an excess of delegated powers or so-called “gold plating”, i.e. the practice whereby the national legislator goes beyond what is required by European legislation, while formally remaining within the perimeter of its own discretion.

Hopefully, in the final version of the decree the Italian legislator will pay more attention to the aim of harmonisation that all European directives pursue, which in this case requires the adoption and definition of a common “European approach” to digital copyright in the coming years. This approach will in fact allow the individual countries of the Union to effectively interact with the so-called “web giants” and finally take a firm stance against them (which so far has been completely lacking).


Trade secrets: convergence between Europe and the United States in light of recent legislative reforms

  1. Introduction

Until 2018 the correct terminology to be used in Italy for identifying information which, by virtue of its inherent economic value, is kept secret by the company that owns it would have been “confidential information”. Subsequently, Legislative Decree of 11 May 2018, no. 63, modified – among other things – article 98 of the Industrial Property Code (henceforth “IPC”) by substituting the aforementioned expression with “trade secrets”, which is now the applicable legal terminology.

The reform of the IPC was made necessary as a result of the implementation in Italy of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

The topic of trade secrets is highly relevant for many businesses that in some cases base their entire commercial success on such intellectual assets. Take for example Coca Cola, a product that has had enormous success also as a result of the strategy pursued by the owner of the recipe – the US corporation The Coca Cola Company – who chose to keep secret the formula created by the pharmacist John Pemberton all the way back in 1886 (subject to the innumerable attempts at reverse engineering that have been made in the past 134 years). The Coca Cola recipe may be qualified as a “trade secret” and is often cited by industry experts as a virtuous example of corporate know-how.

In this regard the European directive is crucially important within the general context of European industrial property rights inasmuch as it attempts to harmonize the differing trade secrets laws enacted in the various Member States of the European Union.

Within the same time frame the United States of America enacted its Defend Trade Secrets Act, signed into law on 11 May 2016 by the President at the time, Mr. Barack Obama. The American legislation in particular purports to strengthen the protection of trade secrets at a federal level, given that the vast majority of US states had already individually implemented the 1979 Uniform Trade Secrets Act (i.e. a model legislation that essentially codified the principles of American common law on trade secrets).

There is a series of parallels between the European directive and the US system, briefly described below, which may justifiably be described as a substantial alignment between Europe and the United States on the topic of trade secrets.

  2. Similarities and analogies between the two legal systems

Firstly, let us consider the definition of “trade secret” found in both the EU directive and the US Defend Trade Secrets Act:

Article 2 of directive (EU) 2016/943

For the purposes of this Directive, the following definitions apply:

1) “trade secrets” means information which meets all of the following requirements:

a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

b) it has commercial value because it is secret;

c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Defend Trade Secrets Act

(18 U.S. Code § 1839)

The term “trade secret” means all forms and types of financial, business, scientific, technical, economic, or engineering information … whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:

(A) the owner thereof has taken reasonable measures to keep such information secret; and

(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.

As may be seen, both of the above definitions specify the same constituent elements of a trade secret. In particular, both the European and American definitions provide that a trade secret is information (which also includes data, documents, etc.) which is:

  • secret, inasmuch as the information in question is not ordinarily within the availability of those operating in the relevant industry;
  • economically valuable, given that such information must be economically quantifiable (namely, the company that owns the information has invested significant economic resources in the information);
  • subject to protection measures, given that without such measures the information itself would not be secret.

However, we should also not ignore certain differences existing between the above mentioned definitions.

For example, in relation to the requirement of secrecy (the first point above), the EU Directive states that the information cannot be “generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question”, whereas the US provision requires that information should not be known or ascertainable “by, another person who can obtain economic value from the disclosure or use of the information”.

On this matter the Transatlantic Business Council[1] has argued in a report that such differences have no meaningful practical consequences given that the two definitions reach the same conclusion in that: “A person who can obtain economic value from the information’s disclosure or use (US-DTSA) generally also will be a person within the circles that normally deal with the kind of information in question (EU-TSD), and vice versa” (see page 5).

In our view, similar considerations may be made with respect to the other minor differences[2] that may be found in these definitions which, despite their use of apparently different wording, ascribe the same meaning to the notion of “trade secret”.

Moreover, the European and American legal systems converge in other ways, in addition to the similarities found above in relation to the definition of “trade secrets”, as also evidenced by the International Chamber of Commerce in one of its reports. By way of non-exhaustive example:

  1. “unlawful acquisition, use and disclosure” of trade secrets in EU law (article 4 of the directive) are legal notions also present in US law (18 U.S.C. § 1839 (5));
  2. both legal systems provide for exceptions in relation to reverse engineering and independent discovery (see art. 3 of the EU directive, and 18 U.S.C. § 1839 (5));
  3. in relation to so-called “whistleblowing” (i.e. anonymous reporting of unlawful conduct), neither the EU directive (art. 5, lett. b)) nor US law (18 U.S.C. § 1833 (2)) considers it an unlawful act for a person to reveal a trade secret if this is necessary for reporting to the authorities unlawful conduct of the person or entity who holds the trade secret;
  4. both legal systems give judges the power to issue injunctions in order to prevent the unlawful disclosure of trade secrets (see in particular arts. 10, para. 1 and 12, para. 1 of the EU directive, and for the United States see 18 U.S.C. § 1836 (b)(3)(A)(ii)) as well as to seize goods that infringe trade secrets (see art. 10, para. 1 of the EU directive, and 18 U.S.C. § 1836 (b)(2)).

Nevertheless, it should be reiterated that some differences do exist between the European and US systems; for example, a trade secret is considered a fully-fledged industrial property right under US law but not so in Europe (as also confirmed by the European Commission when it states that “trade secrets are not a form of exclusive intellectual property right”)[3].

However, as noted above, these differences are not so significant as to create an irreconcilable divide between the European and US legal provisions on trade secrets.

  3. Conclusions and relevance (opportunity?) for Italy

On the basis of the considerations made above, we believe it is reasonable to speak of a substantial alignment on the topic of trade secrets between the legal system of the European Union, as codified in Directive (EU) 2016/943, and that of the United States of America as resulting from the relevant legislation (in particular the 2016 Defend Trade Secrets Act).

This alignment – which is a part of a greater harmonization project of intellectual property rights – is evidently aimed at encouraging foreign investors (in this case, American investors) to collaborate with European companies, in so far as those same investors may operate under the reasonable certainty that they will get from the European legal system a type of protection similar to that offered under the US system. The same applies for the European investor who is looking at the market of the USA for opportunities.

All of this certainly represents an opportunity for Italy which is a great European manufacturing power, as well as a country that more than others is culturally inclined towards creativity and experimentation both in the arts and sciences (which is after all the core of research and development, and therefore a place where trade secrets have great relevance).

If over time Italy proves that it can put its intangible assets and know-how to best use, we believe it will be among those European countries that will most benefit from the alignment between European and US laws on trade secrets, which will allow it to further strengthen its relationships with overseas partners.

If not, then we’ll simply witness yet another missed opportunity.

 

__________

[1] The Transatlantic Business Council is an association involved in the promotion of greater integration and strengthening of political ties between Europe and the United States.

[2] Other differences that according to the Transatlantic Business Council may be found in these definitions: a) the US Act states that information is secret in so far as it is not accessible “through proper means”, whereas the EU directive does not include such wording in its definition and instead defines separately (under art. 3) the lawful acquisition of a trade secret; b) the EU directive protects a trade secret also “in the precise configuration and assembly of its components”, so that the combination of information as a whole would enjoy protection even though its individual components are not secret; this wording is not present in the definition of the Defend Trade Secrets Act, however, the protection of combinations of information is settled in US common law.

[3] For further references see the website of the Commission.