Intellectual Property on Memes
Who among us has never received an image or photograph of a character (even a well-known one), accompanied by a caption capable of making us laugh?
Well, these elements are commonly referred to as “Memes”[1] and have the capacity to spread rapidly by mass communication media.
Beyond the communicative capacity of such Memes, one might wonder whether they receive any form of legal protection or if they are in the public domain and therefore freely usable by web users. To answer this question, it is first appropriate to understand the legal framework of Memes.
As mentioned, the Meme is nothing more than an ironic re-elaboration of an original work (usually photographic) already protected by copyright. It follows therefore that Meme - if has the degree of creativity required by copyright law - can be considered a derivative work (pursuant to Article 4 of Law no. 633 of 22 April 1941[2]), i.e. a work created on the basis of a pre-existing work.
This means that the owner of the rights on the main work - hence on the photograph or image created - will have the right to rework it and create derivative works, including Memes, and exploit them for commercial purposes.
Moreover, on the basis of the above considerations, anyone who intends to create and/or commercially exploit Memes will have to previously obtain the owner's permission of the original work, thus requesting a licence against payment of a fee.
But then one has to wonder why such Memes circulate on the web and/or via Whatsapp freely and without any licence?
As far as the European Union is concerned, the answer to this question is to be found in European Directive No. 2019/790 on Copyright in the Digital Single Market, which aims to harmonise the EU copyright framework in the field of digital technologies and in particular the Internet.
In particular, Article 17, VII paragraph, of that Directive states as follows: "Member States shall ensure that users in each Member State are able to rely on any of the following existing exceptions or limitations when uploading and making available content generated by users on online content-sharing services:
- quotation, criticism, review;
- use for the purpose of caricature, parody or pastiche”
It is therefore expressly provided that Member States may use and apply - within certain limits - exceptions allowing free use of copyright protected content via the Internet.
The ratio of the mentioned article is evidently to grant a discrete freedom for web users to share digital content, also protected by copyright, with the sole condition that such use must not even indirectly have an intent / purpose of profit, but only a satirical purpose.
In Italy, the right of satire, although not expressly provided by law, has found widespread application in case law over time[3]. The Meme can, therefore, be considered as an expression of right of satire, which, however, must be exercised within a well-defined perimeter, i.e. in the total absence of profit-making purposes.
This is because the owner of the rights over the Meme holds all the rights of economic exploitation over the work itself and, consequently, can prevent anyone from making a profit from their use. Indeed, there have been several legal actions commenced by Meme’s rights holders, especially in the United States[4].
In conclusion, due to the extremely quick digital evolution and the Internet world we are now witnessing, the outlined intervention of the European legislator can only be welcomed, which aimed at facilitating the exchange of content between Internet users and safeguarding their freedom of expression.
This European directive seems to have managed for the time being in properly balancing the freedom of expression of web users and the protection of copyright. We hope, in this regard, that the national legislator will follow this direction.
[1] “Digital memes are viral content that can monopolise the attention of users on the web. A video, a drawing, a photo becomes a meme when its "replicability", which depends on its ability to arouse an emotion, is maximised.” This is the definition of “Meme” provided by “Treccani” Dictionary.
[2] "Without prejudice to the existing rights on the original work, the elaborations of a creative character of the work itself, such as translations into another language, transformations from one into another literary or artistic form, modifications and additions constituting a substantial remake of the original work, adaptations, reductions, compendia, variations not constituting an original work, are also protected."
[3] Supreme Court no. 23144/2013: [...] satire constitutes a corrosive and often merciless modality of the right to criticism and can also be realised by means of the artistic image, as in the case of cartoons or caricatures, consisting in the conscious and accentuated alteration of the somatic, moral and behavioural features of the persons depicted. It differs from the chronicle in being removed from the parameter of truth in that it expresses, by means of paradox and surreal metaphor, an ironic judgement on a fact, remaining subject to the limit of continence and functionality of the expressions or images with respect to the purpose pursued. In the formulation of the critical judgment, expressions of any kind may therefore be used, even those damaging to the reputation of others, provided that they are instrumentally linked to the manifestation of a reasoned dissent from the opinion or conduct targeted and do not result in a gratuitous and destructive attack on the honor and reputation of the person concerned."
[4] Recalled in this regard is the case of Pepe the Frog, a cartoon character created by cartoonist Matt Furie. The author sued the website Infowars and its owner in 2014 for having used the image for the purpose of creating memes with a sexist, xenophobic and even racist background. Furie was awarded $15,000 in compensation in 2019.
European Green Certificate: freedom of movement in Europe during the pandemic
It's called the European "Green Certificate," but actually you can read it as "Covid-19 Pass". It purports to make movement of citizens within the European Union easier, as well as to contribute to the containment of the spread of the Sars-CoV-2 virus.
Let's try to understand what are the features of the green certificate, who will issue it and what guarantees it will have in place for the protection of personal data, including sensitive data.
1. Premise
On 17 March 2021, the European Commission proposed the introduction of a European "Green Certificate", which aims to allow the exercise of the right of free movement of citizens – as provided under Article 21 of the Treaty on the Functioning of the EU (TFEU) – during the Covid-19 pandemic. This certificate would be issued by each Member State, in digital and/or paper format and would have the same legal value throughout the EU.
However, to speak of just one "Green Certificate" is not correct. Indeed, as explained in the Proposal for a European Regulation published by the EU Commission[1], there are three different types of certificates that may be issued:
i. “Vaccination certificate": namely an attestation certifying that a person has received an anti Covid-19 vaccine authorized for marketing in the EU;
ii. "Test certificate": a certification that an individual has tested for Covid-19, via an antigenic or molecular test (as long as it is not self-diagnostic) which has returned a negative result;
iii. "Certificate of recovery": a document proving that a person who had been diagnosed with Covid-19 has subsequently recovered from it.
Each certificate will be in the official language of the relevant Member State and in English, it will be free of charge and will be issued by duly authorized institutions/authorities (e.g., hospitals, diagnostic/testing centres or the health authority itself).
2. How does the certificate work?
The certificate has a "QR (Quick Response) code" containing essential information about its holder, a digital signature that prevents forgery and a seal that guarantees its authenticity.
When a European citizen enters a Member State of which he or she is not a native, the institutions and/or competent authorities of that State will scan the QR code on the certificate and verify the digital signature contained therein. This verification of the digital signature will take place by comparing it with the signature keys held by the institutions/authorities of the State of destination, which will be stored in a secure database of each State.
In addition, a single "gateway" managed by the EU Commission will be made available at an EU level, via which the digital signatures of green certificates may be verified throughout the EU.
3. Processing of personal data contained in the certificate
Each certificate - whether related to vaccination, test or recovery - will contain a series of information relating to the person to whom it refers such as, for example: name, surname, date of birth, date of vaccination, result of the antigenic/molecular test, diseases which he/she has recovered from. This is information that falls under the definition of "personal data" pursuant to art. 4 of Regulation 679/2016 ("GDPR") insofar as it relates to an identified natural person and, for this reason, must be processed in accordance with the principles and guarantees provided by that Regulation.
In this regard, it is appropriate to summarise the most important contents of the opinion dated 31 March 2021 that the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") provided to the EU Commission regarding the green certificate.
a) The processing of personal data contained in the certificates should be carried out only for the purpose of proving and verifying the vaccination, negativity or recovery status of the holder of the certificate and, consequently, to facilitate the exercise of the right of free movement within the EU during the pandemic.
b) In order to facilitate the exercise of privacy rights by the data subjects, it would be advisable for each country to draw up and publish a list of the persons authorized to process such data as data controllers or data processors and of those who will receive the personal data (in addition to the authorities/institutions of each Member State competent to issue certificates, already identified as "data controllers" by the proposal for a Regulation at issue).
c) The legal basis for the processing of personal data in the certificates should be the fulfilment of a legal obligation (art. 6, para. 1, lett. c of GDPR) and "reasons of substantial public interest" (art. 9, para. 2, lett. g of GDPR).
d) In accordance with the GDPR principle of "storage limitation" of personal data, retention of data should be limited to what is necessary for the purposes of the processing (i.e. facilitation of the exercise of the right to free movement within the EU during the Covid-19 pandemic) and, in any case, to the duration of the pandemic itself, which will have to be declared ended by the WHO (World Health Organization).
e) The creation of EU-wide databases will be absolutely forbidden.
4. Critical remarks and conclusions
In addition to the innovative implications of the proposed Regulation, there are certain aspects which deserve further study or, at least, clarification by the European legislator in order to ensure the correct application of the new European legislation.
a. Issuing and delivery of certificates
The proposal for a Regulation provides that certificates are "issued automatically or at the request of the interested parties" (see Recital 14 as well as articles 5 and 6). Therefore, as also pointed out by the EDPB and the EDPS, the question is whether a certificate:
i. will be created and then delivered to the individual only if expressly requested by the latter;
or if, on the contrary
ii. such certificate will be created automatically by the competent authorities (e.g., as a result of vaccination) but delivered to the individual only upon his/her express request.
b. Possession of a certificate does not prevent member states from imposing any entry restrictions
The proposed Regulation provides that a Member State may still decide to impose on the holder of a certificate certain restrictive measures (such as, for example, the obligation to undergo a quarantine regime and/or self-isolation measures) despite the presentation of the certificate itself, as long as the State indicates the reasons, scope and period of application of the restrictions, including the relevant epidemiological data to support them.
However, one may wonder if these restrictions and their enforcement conditions will be defined at European level, or whether their identification will be left to each State; in the latter case, this would involve accepting the risk of frustrating the attempt of legal harmonisation pursued by the proposed Regulation.
c. The duration of the certificate
The proposed Regulation provides that only the "Certificate of recovery" must also contain an indication of the validity period. Therefore, once again we may wonder what will be the duration of the other two certificates ("vaccination" and "test") and how it will be possible to ensure the accuracy of what is attested by a certificate after a certain period of time from the date of issuance (for example, let us think about the various cases of positivity found after the administration of a vaccine or the so-called "false negative / positive" cases).
d. The obligations of the certificate holder
What are the obligations of the certificate holder? For example, if a certificate has been issued attesting a Covid-19 negative result and, after a few months, the holder finds out that in fact he or she is positive, would the holder be obliged to apply to the competent authorities/institutions of his/her country in order to have the certificate revoked? Furthermore: in the event that the holder tries to use a false certificate for entry in another Member State, what sanctions would he/she have to face?
e. The protection of personal data
The new proposal for a Regulation tasks the Commission with adopting, by means of implementing acts, specific provisions aimed at guaranteeing the security of the personal data contained in the certificates.
However, given the extremely sensitive nature of the data in question, will the EU Commission also ask for a prior opinion from the Data Protection Authorities of the Member States? Perhaps it would be useful to ensure, also in this context and with specific reference to the privacy documentation to be provided to the data subjects prior to the issuance of certificates, a quasi-unanimous European approach in order to prevent the possible dilution of the guarantees provided under Regulation 679/2016 ("GDPR").
In conclusion, this is a proposal which, if implemented with due care, could contribute greatly to the return to a somewhat normal life; however, it is feared that without a particularly detailed regulation on this matter, a high risk of making cross-border movements even more complex would ensue, also considering that each State would most likely adopt further measures regarding the regulation of this certificate.
[1] https://eur-lex.europa.eu/resource.html?uri=cellar:38de66f4-8807-11eb-ac4c-01aa75ed71a1.0024.02/DOC_1&format=PDF.