European Union: What IP Practitioners Should Know About GDPR And Personal Data Protection In Europe

Last Updated: January 25 2018
Article by Catherine Muyl and Marion Cavalier

In the European Union ("EU"), "everyone has the right to the protection of personal data concerning him or her" under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons' sculptures, we discussed how freedom of expression has been used as a defense to copyright infringement. But IP rights can also come into conflict with data protection.

On May 25, 2018, the General Data Protection Regulation (the "GDPR") will apply in all Member States of the European Union ("EU"), and will replace the 95/46/CE Directive ("the Directive").

Why You Can't Ignore the GDPR

U.S. in-house lawyers should know at least two things about GDPR.

1. Extraterritorial Effect

The GDPR extends the application of EU legislation to companies outside the EU, in that it will apply to entities established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU.

In practice, it means that many U.S. companies that did not have to comply with the Directive will now have to comply with the GDPR. U.S. companies may already have some familiarity with EU data protection rules if they had access to personal data collected in the EU, due to the restrictions on data transfers to countries outside the EU (they have to use the EU-US Privacy Shield or other transfer tools). However, the requirements will be more stringent once they are directly subject to European rules.

2. Increased Sanctions

The GDPR considerably increases the sanctions and penalties in the event of non-compliance. The maximum amount of financial sanctions is increased up to 4% of total worldwide annual sales or 20 million euros, whichever is the greater. Therefore, compliance with the GDPR should be taken all the more seriously.

IP Rights vs. GDPR

Some of the GDPR obligations are of specific interest for IP practitioners because they can conflict with IP rights.

1. The Right of Access v. Protection of IP Rights

The "right of access" already exists under EU law in the Directive. Pursuant to the right of access, individuals (in the data protection jargon, they are called "data subjects") can obtain a copy of all the personal data that has been collected about them.

What kind of information are data subjects entitled to? Recently, a French journalist who had been using Tinder, the dating app, for a few years, exercised her right of access and asked Tinder to send her all her data. She explained in an article published in the Guardian, that Tinder "sent [her] 800 pages of [her] deepest, darkest secrets" but refused to give her the information on how her matches were personalized using her information. They objected that "[their] matching tools are a core part of [their] technology and intellectual property, and [they] are ultimately unable to share information about [their] proprietary tools." To our knowledge, the journalist did not consider going to Court with this request, so we don't know how a judge would react, but Tinder's objection does have a legal basis.

GDPR provides, as a derogation to the exercise of the right of access, that it "should not adversely affect the rights or freedoms of others," including trade secrets and intellectual property rights, in particular with respect to software. As in the Tinder example, these considerations will limit the information available to a data subject, but will not justify a refusal to provide any information.

2. The Right to Portability v. Protection of IP Rights

The right to portability is a new right that did not exist before the GDPR. It is essentially designed to help data subjects switch from one supplier to another. Data subjects have the right to receive their personal data in a structured, commonly used and machine readable format, which they can then forward to someone else.

Because that "someone else" may be a competitor, the right to portability raises issues for those who may take the view that providing personal data in a "reusable way for potential competitors" would be an infringement of their IP rights or, at the least, a disclosure of their know-how. As with the right of access, the GDPR provides that the exercise of this right "should not adversely affect the rights and freedoms of others," which include IP rights.

In practice, one should keep in mind that the scope of data portability is limited to the raw personal data provided by the data subjects themselves, and should not include data which is inferred or derived from the raw data. This is important, because proprietary technology normally comes into play after the raw data is collected from data subjects, to transform that raw data into more valuable information.

3. Data Protection Requirements v. Digital Management Rights and Profiling

Owners and distributors of copyright protected content on the Internet often have access to their customer's personal data, and the ability to monitor user activity with respect to, for example, the downloading of songs or ebooks. These companies may use this information to engage in "profiling," i.e., using data to make a series of statistical deductions to analyze current behaviors and preferences and to predict future behaviors and preferences.

IP practitioners should be aware that the European Data Protection Authorities do not like profiling at all. According to the Guidelines of the Article 29 Working Party (an advisory body on which representatives of the Data Protection Authorities of all Member States sit), "profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. It can lead to inaccurate predictions, denial of services and goods and unjustified discrimination in some cases".

For companies that use profiling, it is important to keep in mind the following GDPR requirements:

  • All processing activities must have a legal basis, such as the consent of the data subjects or the fact that the profiling is necessary in order to provide the service. For example, the insertion of a unique identifier in a content protected by copyright via a Digital Rights Management scheme should not be linked to an individual except to the extent that this link is necessary for the performance of the service or if the individual has been informed and has consented to it.
  • You cannot use personal data for purposes that are not compatible with the purpose for which the data was originally collected. For example, if you sell goods to customers who pay with credit cards, you may collect their name and address but you cannot use them later for marketing purposes.
  • Personal data should not be stored longer than is necessary to fulfill the purpose for which such data is processed. For example, if you collect personal data about your customers, you must delete that data as soon as it is no longer necessary for billing purposes or any other purposes (after-sale services) consented to by the customers. You cannot keep the data "just in case" one of them might misuse your IP.

4. Privacy v. Enforcement of IP Rights

IP practitioners know that, when it comes to enforcing IP rights, it can be challenging to identify infringers and the various actors involved in the distribution chain, especially for products sold on the internet. When IP owners conduct investigations to identify potential infringers, they are collecting and processing personal data. For example, when contents are made available on peer-to-peer platforms, IP owners can collect user IP addresses and combine them with publicly available data (e.g. using Whois to identify a domain name registrant). In some circumstances, they may also be able to collect information held by third parties, such as internet service providers or banks.

These situations create a potential conflict between, on the one hand, the protection of IP rights and, on the other hand, the protection of data, which requires that data be only processed when there are appropriate safeguards and transparency.

EU Directive 2004/48 on the enforcement of intellectual property rights (which is not being changed by introduction of GDPR) requires Member States to ensure that in IP infringement proceedings, national courts may order infringers or persons who have been involved in the production or sale of the goods, to disclose information regarding the origin and distribution networks of such goods. However, this is without prejudice to provisions governing the processing of personal data. EU Member States legislations and national courts (under the control of the Court of Justice of the European Union) will therefore have to find a fair balance between data protection and IP protection.

To learn more about GDPR, check our Security, Privacy, and the Law blog.

To view Foley Hoag's Trademark and Copyright Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Wilson Elser Moskowitz Edelman & Dicker LLP
Lewis Roca Rothgerber Christie LLP
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Wilson Elser Moskowitz Edelman & Dicker LLP
Lewis Roca Rothgerber Christie LLP
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions