Evermore interconnected, the themes of Intellectual Property and Digital Law reverberate principally in present-day discussions related to privacy and data protection. This intercession can be identified in the recent news about the receipt by torrent platform users of extrajudicial notifications demanding indemnification of thousands of reais for the undue sharing of films, bringing to question the protection of privacy in the defense of intellectual property rights and the wave of similar measures being generated, as was conveyed by the notifications.
This is because the use of personal information in the identification of the noticed intellectual property right violators has caused surprise to them and entails discussion on the methods and sources of Internet consultation employed in the exercise of rights by intellectual property right holders versus the rights of the personal information holders.
Intellectual Property rights, in Brazil principally protected by Laws 9.279/96 – Industrial Property Law (trademarks and patents), 9.610/98 – Copyright Law and 9.609/98 – Computer Program Law (software), have an important characteristic imposing true onus on their rights holders: the power-duty to enforce their rights.
Said characteristic calls for intellectual property rights holders to act directly in their defense against the violators and third parties involved in the violation, first and foremost the police authorities with respect to communication of the crimes against the intellectual property and the civil and criminal courts. The fight against the illicit offering of counterfeit products and unauthorized copies of copyright-protected works (popularly called “pirated”) on streaming sites and music and film storage in
servers located in the European Union (EU) economic region has also been called to question, including before The Internet Corporation for Assigned Names and Numbers (ICANN). Given that identification of the violators is necessary for due criminal prosecution and civil remedy and even for simple removal or disabling purposes, the obtaining of information that permits the identification of domain holders is crucial to the exercise of intellectual property rights holders.
In its turn, privacy protection law establishes the legal bases for the use of personal information. As established in Article 7 of Law 13.709/18 – The General Data Protection Law (GDPL) and in Article 6 of Regulation 679/16 – The General Data Protection Regulation (GDPR), said legal bases go far beyond simple consent and in the case of the defense of rights or vital interests (1 (d) of the GDPR and item VI of the GDPL) and legitimate interest (1 (f) of the GDPR and item IX of the GDPL) permit the legal use of personal data in intellectual property enforcement.
Recent decisions favoring concealing or obstructing access to Internet domain holder information by domain registrars have had important consequences, in particular the possible benefiting of cybercriminals, including scammers and intellectual property rights holders, under privacy protection rules, to the detriment of the legitimate holders of the intellectual property rights and prompting them to enforce their rights.
From even before the entering into force of the GDPR, decisions concerning its applicability resulted in the concealing of information of domain holders located in the EU, as was the case of GoDaddy Inc., whereas others, such as the German EPAG, a Tucows group company, announced that they would not only not provide the information for search purposes but in fact do not even collect the technical and administrative information of domains administered by them.
In Brazil, despite the entering into force of the GDPL in September 2020, the discussions are not yet where they should be. Despite that with the publication GDPR in 2016 and its entering into force in 2018 questioning by diverse intellectual property rights protectors was generated, until the present moment little has been said by the Brazilian IP address registry The Brazilian Network Information Center (NIC.BR) with respect to the continuity or not of the disclosure of domain registration information by Whois of registro.br.
This fact could result in insecurity with respect to the official position that the entity will adopt, particularly as to the possible repercussions as may result in the case of the imposition of greater difficultly or even impossibility of accessing intellectual property right holder information via Whois in the defense of their rights.
Further, it is common knowledge that with respect to registrars where the exhibition of registration information of domain holders is obligatory, such as in the case of registro.BR (the department of NIC.br responsible for the activities of the registration and maintenance of dominion names), the services of administration and negotiation of domains are typically offered by companies that use their own information for registration information identification purposes.
The understanding of certain registrars that the exposure of the registration information of domain holders would violate the new personal data protection rules has rendered the exercise of intellectual property holder rights in enforcing their rights more difficult with respect to the adoption of extrajudicial, civil and criminal administrative and civil and criminal judicial measures. Noteworthy to mention is that usually such information is disclosed under a Whois search, except in cases where the provider offers an additional service option, gratuitous or paid, of concealing the information from the public.
Despite the sustaining of the legality of the offering of these services, particularly so as to avoid the receipt of spam, search collection and storage in aggregator sites and the use of domain holder information in frauds, innumerous are the cases of illegitimate use exactly to render access to the information of the scammers more difficult, such offering many times being used as a basis for the use of a domain in bad faith in alternative extrajudicial disputes.
Some solutions are being considered. The Registration Data Access Protocol (RDAP), for example, puts in place different levels of authorization for the accessing of certain information, leaving but a few available for the public in general. This positioning has the purpose of permitting a greater guarantee of privacy without rendering the access to certain information by certain authorities impossible.
This solution, despite being apparently balanced, might impose an extremely exaggerated onus on the intellectual property rights holders, who will depend on the administrative or judicial authorities for the obtaining of information that will permit the effective exercise of their power-duty of enforcing their rights.
This same onus may, further, be even greater should the registrar decide to totally conceal the referenced information, given that, in both cases, the unilateral decision without the due obligation being recognized by the competent organs might even result in the obligation to remedy the damages caused by the voluntary omission, causing violation to the intellectual property rights.
An alternative proposed by ICANN in 2017 was the updating of contracting with the registrars to obligate the obtaining the consent of the domain holders at the moment of their registration for the disclosure of the information via Whois. This option would do little to resolve the problem as on the principal of minimization the exposure of the referenced information would not be directly necessary for the offering of registration services and, moreover, in the case optional, would certainly be not be employed by the domain registrant acting in bad faith in violating intellectual property rights.
Lastly, the present maintenance of free access to the information could actually be considered the best solution for purposes of this discussion as that despite the constant receipt of spam and the use of one`s information in frauds, the exposure of said information in itself is supported by the principals of, and situations of legitimacy in the treatment of personal information required by, the GDPR and the GDPL. Publically accessible personal information being provided by their holder, exempting liability relative to those the information may concern, cannot be confused with public personal information.
To consider the exposure of information via Whois as violative of privacy would not only result in undeniable prejudice to the exercise of the intellectual property rights holders pointed out in this brief analysis but also would be a frustrated attempt at encumbering the activities of third parties, violating the data protection rules established by the GPDL and the GDPR and in the case of exercise of fraudulent activities.
The purpose of said rules of protection of privacy cannot be understood to render impossible the legitimate use of personal information, as was mentioned herein, but to guarantee that said use be made in conformity with their principals and meet their requirements, or otherwise prejudice to rights will result under a false sense of security. This appears to be an apparent conflict of rights, which cannot be left unresolved for those seeking protection of their rights in the judicial realm.
Almeida Advogados has within its ranks professionals with vast experience in Digital Law and is fully available to continue contributing relative to the application of the recent Brazilian court decisions towards the best assistance of its clients.
*Márcio Chaves is partner in charge of the Digital Law area of Almeida Advogados, with 20 years of legal, academic and professional experience, in São Paulo, Rio de Janeiro and Belo Horizonte, all where he also worked for Almeida Advogados, and Turin/Italy and Geneva/Switzerland, where he did his master’s degree in Intellectual Property.