As previously discussed, DPOs are responsible for other EU data protection laws besides just the General Data Protection Regulation, including at least parts of the ePrivacy Directive. The question is: Should DPOs also be required to have knowledge of other laws?

One legal area that might need to be included within DPO knowledge is EU intellectual property law. After all, just like the GDPR protects the rights of data subjects for their personal data, intellectual property law protects the rights of the holders of patents, trademarks and copyrights. Because patents and trademarks will not likely be of concern to DPOs, this article focuses on the one area of intellectual property law that could concern DPOs: EU Copyright Law.

EU Copyright Law

As explained in more detail in "Information and Internet Law – Global Practice," EU copyright law, starting from the Copyright Directive, protects the rightsholder(s) ability to reproduce, distribute and communicate the work of their creation to the public. It also provides for the legal protection against circumventing technological measures that help to enforce the copyrights and removing electronic rights-management information.

fOther EU directives extend copyright protection to databases and software programs. The IP Enforcement Directive specifies possible actions to deal with violations of IP rights, including those for copyrighted materials. These laws work in conjunction with global conventions, treaties and agreements on copyright, which include the moral rights to claim ownership of a copyrighted work and prevent its modification or distortion.   

The DPO can become involved with at least two aspects of current EU copyright law.

The first may occur when personal data becomes mixed with copyrighted materials in the data store that the DPO monitors for GDPR compliance. In such a situation, the rights of a data subject and that of a copyright holder could become diametrically opposed. Suppose a data subject exercises their right to access their personal data under Article 15. If the controller or processor fulfilling the request cannot identify down to a divisible data element which is personal data belonging to the data subject and which is copyrighted material belonging to the rightsholder, or cannot separate them due to system limitations, the copyrights may be violated in responding to the subject-access request (or the SAR not fully fulfilled due to copyright violation concerns). Similar types of violations could happen with the exercise of other data subject rights, such as the right to erasure. 

The second aspect of current EU copyright law for DPOs to be aware of is when personal data becomes part of a copyrighted database. Under the EU’s Database Directive, by merely undertaking the intellectual creative act of selection or arrangement of the contents of a database the database becomes copyrightable. This gives the database creator all the rights that a typical copyright holder would have. The personal data contents of the database are not copyrighted, just the database itself with its creative arrangement or selection. 

There is also a right to prevent extraction of the contents of a database, when the maker of the database has made a significant investment in obtaining, verifying or presenting the contents of a database. This sui generis right also prevents the re-utilization of all or substantial parts of the content of the database without the rightsholder’s approval. DPOs may see these database rights when negotiating a processor agreement. The act of creating a database containing the personal data of customers of the controller may implicate a copyright over that database that is owned by the processor. As such, controller DPOs should be aware of the possibility of these rights arising and look for legal language that transfers any such intellectual property rights back from the processor to the controller.   

Revised Copyrights Directive

A third aspect of copyright law for DPOs to be aware of may come from an updated EU Directive. The revised Copyrights Directive, currently undergoing a trilogue between the Parliament, Council and Commission, is intended to address the technological present and future. One area where it does so is in the ever-burgeoning field of big data and data mining for research purposes. 

As the amended (as of Sept. 12, 2018) revision to the Directive states, “Text and data mining allows the reading and analysis of large amounts of digitally stored information to gain new knowledge and discover new trends … text and data mining may involve acts protected by copyright and/or by the sui generis database right.” 

To protect their copyrights, “Rightholders shall be allowed to apply measures to ensure the security and integrity of the networks and databases where the works or other subject-matter are hosted.”

What this means is that DPOs of certain types of organizations, especially those in the public sector that could be the target of such research data mining, will need to be concerned with balancing the technological and organizational measures that facilitate protecting the rights of copyright holders with those that protect personal data and the rights of data subjects. The Article 29 Working Party had previously stated in WP 221 its belief that existing data protection laws were sufficient to deal with big data and data mining. This was further detailed in guidelines from the Information Commissioner's Office and opinions from the European Data Protection Supervisor. So affected DPOs will need to add the impacts of copyright-related obligations to their GDPR data-mining compliance analysis.   

Furthermore, under the revised Copyrights Directive, online content-sharing service providers are required to reach licensing agreements with copyright holders or not allow the unauthorized uploading of materials belonging to those copyright holders who do not wish to reach an agreement.  Users may file complaints if their uploaded content is unjustifiably removed based on a copyright violation, but they should not be identified or their personal data processed in the complaints procedure, in accordance with the GDPR. In general, Recital 46 notes, “The provisions of the General Data Protection Regulation, including the 'right to be forgotten,' should be respected.” DPOs of such organizations must understand the interplay of this aspect of new copyright law and the GDPR.

DPOs’ focus for copyrights

Three scenarios where DPOs should be aware of EU copyright law have been discussed: where personal data and copyrighted materials have been intermixed and cannot easily be separated to respond to the exercise of data subject rights, where personal data is used within a database that could become protected by an organization who is not the data controller, and for obligations related to GDPR under the proposed amended revision to the Copyrights Directive. There are likely more scenarios than just these three. It would be wise for DPOs to familiarize themselves with EU copyright law at least to the extent that it interplays with the GDPR and other relevant data protection and privacy laws they are responsible for monitoring compliance with.

photo credit: Mr.TinDC via photopin