GDPR: a simple approach for European and Latin American SMEs

Alessio Balbo di Vinadio – Trainee at Clarke, Modet & Co. Spain

Following our previous publication on data processing, this article will address the issue of the first few small repercussions of the European Union General Data Protection Regulation (hereinafter ‘GDPR’) on the online world.

In that same article, the author rightly stated that companies should hurry towards compliance, as time was running out and the road to achieving full compliance is a very long one (depending on the activity the company carries out, obviously!). One would think that now, approaching the end of the first decade of June 2018, most businesses have already taken care of the privacy matter, in light of its pivotal importance. Well, as we all know, that is not true (not for everyone, at least).

This article is intended to provide a useful overview of important aspects not only for European SMEs but also for Latin American companies operating in the European Union (EU), since one of the highlights of the new regulation is its broadened scope: it is applicable to all companies in the world that handle personal data from European customers, even if the processing takes place outside of the EU.

As a preliminary point, it is worth noting that, in contrast to the European Union, Latin America at present has no harmonised legislation on data and privacy, due to different national legislations. This inevitably leads to different levels of protection, all of them still considerably lower than the EU standards (Guatemala, for instance, still lacks specific legislation on data protection).

Bearing this in mind, the Latin American region is making serious efforts to respond to the demands of today’s global market. Notwithstanding the current situation, through the Ibero-American Data Protection Network (RIPD) some regional standards have been set as a reference for future implementations. There is still a long way to go and striking differences between countries still remain. However, it must be acknowledged that Argentina, Mexico, Uruguay and Chile stand out for their domestic legislation on the matter, by virtue either of its age or of the existence of local authorities specialized in data protection.

Indeed, all this relative progress, both national and regional, has been developed in accordance with the model established by the EU GDPR. Therefore, these countries are likely aware of the need to bring Latin American legislation in line with Europe’s in order to attract foreign investment and create a better climate for European SMEs.

Let’s quickly analyse the GDPR: the main changes concern the personal data definition, the increased territorial scope, the penalties, the consent, the newly introduced rights (to access, to be forgotten, data portability), the immediate (within 72 hours) and compulsory data breach notification and, finally, the introduction of the Data Protection Officers (DPO – compulsory only in some cases). Furthermore, companies need to comply with the definitions of ‘Privacy by design’ and ‘Privacy by default’ when dealing with personal data.

Certainly, it can be affirmed that consent is at the very centre of this legislation. Consent has to be “freely given, specific, informed and unambiguous” and “clearly distinguishable, intelligible and using clear and plain language”, according to articles 4 and 7 of the GDPR respectively.

Prior to this introduction, privacy law had not changed this radically for over 20 years and the “data market” was ‘wild’ and uncontrolled. The straw that broke the camel’s back was when Max Schrems, an Austrian privacy lawyer, filed a complaint in 2013 against Mark Zuckerberg’s social network giant due to the lack of privacy compliance by Facebook. In his disclosure to the general public, Mr Schrems revealed 1,200 pages of data that Facebook possessed on him and proved the flaws of the social network’s privacy policy (and its consequent conduct) to be enormous. As an example, prior to those decisions, Facebook would transmit personal data to app developers, with no reason or legally obtained consent. ‘Profiling’ (“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”, as defined by article 4 GDPR) was an activity that allowed Facebook to provide Page Managers with users’ precise information for advertisement targeting. Advertising was a very relevant source of income for Mark Zuckerberg’s tech giant.

We are only a few days away from the entry into force of the new GDPR and the email boxes of half the planet have been filled up with newsletters, data processing requests, “We care about your privacy” statements and so forth. Nevertheless, when analysing those emails, not all of them appear to be fully compliant and, actually, most of them have not achieved the ‘simplification’ requirement of privacy law, which was one of the many targets of the GDPR. In fact, emails with excessive material and written in “legalese” (technical-juridical language) do not allow the consent to be informed for the majority of the public, due to the extremely complex language used by the policies.

This new regulation has re-shaped the online (and offline) world, as we have moved from an (online) environment with full access to websites and limitless actions available, to almost completely blocked websites until full GDPR compliance is achieved. In this regard, these days, when accessing websites, very disturbing banners prevent the website from displaying correctly (or will ‘bother’ you until you click “I agree”). Additionally, if you are an ‘informed user’ and want to know the purposes of the processing of personal data on the accessed website, a “More information” button should be available (usually next to the “I agree” box) and you should be provided with full disclosure of the data processing carried out on such page. Normally, clicking on that button will redirect the user to a special page displaying the cookies involved (which can be essential, functional and targeting). That particular page is where your preferences will be saved by the “Controller” (the legal entity that determines the purposes of the processing) or the “Processor” (the legal entity that actually processes the data) so that each user’s data will (or will not) be processed and, above all, so that the user is informed of the purposes.

Before the introduction of this law, privacy was almost “disregarded”, as it referred to lengthy and boring legislation with few implications. Nowadays, we can undoubtedly assert that there was – and there still is – indeed a big business in (personal) data used with no legitimate consent. The change derives from the concern that companies have developed about the newly regulated sanctions, in accordance with article 83(4) and 83(5) of the GDPR (20 million or 4% of the global revenue – whichever is higher – for the harshest fine and 10 million or 2% of the annual global revenue – again, whichever is higher).

In recent days, we have seen many blocked non-EU websites, which, prior to the entry into force of the GDPR, were accessible for European users. Many businesses from all over the world are still not compliant with the GDPR, mainly due to the investment required, both economically and in terms of time-management. Full compliance will come with time and dedication, and hopefully, companies that process large amounts of personal data will stop seeing it as an asset and start approaching it in a more intimate and personal manner. The temporary blockage of access from the EU (until full compliance is achieved) has to be merely momentary, as the GDPR is an issue that has to be addressed compulsorily and the repercussions can be relevant (sanctions). An incentive to avoid permanent blockage of the website to EU customers would be to avoid losing a considerable market share (significant to most businesses – 508 million inhabitants). As a suggestion, quick GDPR compliance companies have found a niche market at the moment (e.g. TrustArc or OneTrust); these provide a minimum level of compliance and allow companies to ‘buy’ some time in order to align the business to the newly introduced legislation.

In short: how can I know whether the EU GDPR applies to my company?

Due to its wide range, it appears to be difficult not to be affected by the GDPR, but let us summarize in which cases it will be mandatory to implement its measures:

  • When the company tracks EU customers’ data;
  • When the company is based outside the EU but provides goods and/or services (even when free of charge) to EU customers;
  • When the company is based in the EU, regardless of where the data is collected and processed. This means that EU SMEs operating in Latin America must comply, in any case, with the EU GDPR (even if the data comes from Latin American customers only) due to the nationality of the company itself.

Generally, compliance is always suggested and carefulness is needed when processing any kind of personal data originating from the EU, so be carefully compliant!

Non-conventional trade marks: European Union vs Latin America

Eli Salis
Partner at DISAIN IP

Those of us who work in intellectual property have had 1 October marked in red on our calendars ever since the approval of the new Regulation (EU) No 2015/2424 amending earlier regulations on the Community trade mark, since that is when its latest provisions will enter into force, introducing important changes to the representation of European trade marks, with the aim of modernising the trade mark system within the European Union and making it more accessible, efficient and coherent as a whole.

As everyone already knows, the new Regulation removes the requirement of graphic representation for signs for which registration is sought, replacing it with the criteria adopted at the time by the CJEU in the Sieckmann case, according to which it will be sufficient for the mark to be capable of being reproduced on the register in a manner that is “clear, precise, self-contained, easily accessible, intelligible, durable and objective”, by means of any generally available technology.

This would, a priori, open the door to the registration of non-conventional marks which, until now, were denied access to the register because they could not overcome the obstacle of graphic representation. However, we must bear in mind that, from now on, certain non-conventional marks may be represented using electronic means of reproduction. This is the case, for example, for sound, motion, position, hologram and multimedia marks.

However, while it is true that a new future is foreseen for certain non-conventional marks, others, such as olfactory, tactile or taste marks, will continue to encounter difficulties, since there is currently no technology available that allows them to be represented in a precise, intelligible and, above all, durable and objective manner.

In addition to the lack of technical means, another newly minted obstacle introduced by the reform of the Regulation (and of the Directive) itself is the addition of the tag phrase “and other characteristics” to the absolute ground for refusal set out in Article 7.1 (e), which originally referred exclusively to the shape of the product and now extends to other types of marks, in an attempt to counteract the relaxing effect of removing the graphic representation requirement. We will have to look to the practice of the EUIPO and the courts to see how this new provision is interpreted.

Moreover, while these standards will be applied uniformly within the EU, outside the EU, and more specifically in Latin America, the requirements for trade mark registration vary from country to country, so these marks may encounter new obstacles when seeking to extend protection internationally.

Thus, we find that in almost all Latin American countries (with some exceptions) the requirement of graphic representation (or of a visually perceptible sign) remains in force, although many of them provide a broad definition of the concept of a trade mark, allowing non-traditional marks in, albeit gradually.

For instance, in Argentina it has been possible to register sound marks for several years, and there has even been the occasional favourable court decision on the registrability of olfactory marks. Uruguay also permits the registration of sound marks. In the Andean Community, as in Chile, some of these types of marks are expressly listed in the relevant legal provisions as signs that constitute a trade mark. Thus we find that, for example, in Colombia more than 850 non-conventional marks have been registered, including three-dimensional, colour, position, sound and even gesture and tactile marks, although no smell mark has been granted. In other countries, however, such as Brazil or Mexico, non-traditional marks still have a long way to go.

Therefore, returning to European practice, we will have to wait and see how these new amendments are interpreted and, above all, the restriction contained in the new Article 7.1 (e), before predicting a promising future for non-conventional marks in Europe that truly represents a considerable advance over the legislation of other countries around us.

This article was prepared in collaboration with Gracia Tordesillas.

International IPR SME Helpdesks Stakeholders Meeting

The China, Latin America and South-East Asia IPR SME Helpdesks are holding their Annual Stakeholder Meeting in Brussels on the 4th of April 2017. Joining the three regional Helpdesks as a co-organiser is Business Beyond Borders (BBB), an EU-funded initiative supporting businesses and clusters when attending international trade fairs around the world.

As a valued partner and user of the Helpdesk services, we are delighted to invite you to this event where you will hear about our latest developments, success stories and planned activities for 2017. To register and access the detailed agenda, please click here.

The event will include the participation of complementary key EU initiatives that are all supporting EU SMEs in their internationalisation efforts, as well as various intermediaries and companies. They will all contribute to the interactive panel and roundtable discussions and will be available for the matchmaking session.

Similar to previous editions, the meeting will be a key opportunity to have your say on the services of the Helpdesks and join discussions on what can be done towards their continuous improvement in terms of support to businesses and collaboration with partner organisations and experts.

THE MATCHMAKING SESSION

The Matchmaking Session will take place at the end of the Annual Stakeholder Meeting on the 4th of April from 15.00pm – 17.00pm. The dedicated area is located in the premises of the European Economic and Social Committee – Rue Belliard 99-101, 1000 Brussels.

It will be a great opportunity to interact with a wide variety of stakeholders of pertinence to IPR and SME internationalisation. As a company you will get the chance to have your questions answered by relevant experts.

Attendees will include European SMEs with an interest in expanding their business abroad as well as companies already established in, or working with, business entities overseas, with a specific focus on China, Latin America and South East Asia. The presence of business support organisations and other EU-supported schemes focusing on internationalisation makes this an event you simply cannot miss!

Following the Matchmaking Session there will be a Networking Cocktail, to conclude the day.

We look forward to welcoming you on the 4th of April!