Privacy Protection in Intellectual Property Enforcement
Evermore interconnected, the themes of Intellectual Property and Digital Law reverberate principally in present-day discussions related to privacy and data protection. This intercession can be identified in the recent news about the receipt by torrent platform users of extrajudicial notifications demanding indemnification of thousands of reais for the undue sharing of films, bringing to question the protection of privacy in the defence of intellectual property rights and the wave of similar measures being generated, as was conveyed by the notifications.
This is because the use of personal information in the identification of the noticed intellectual property right violators has caused surprise to them and entails a discussion on the methods and sources of Internet consultation employed in the exercise of rights by intellectual property right holders versus the rights of the personal information holders.
Intellectual Property rights, in Brazil, principally protected by Laws 9.279/96 – Industrial Property Law (trademarks and patents), 9.610/98 – Copyright Law and 9.609/98 – Computer Program Law (software), have an important characteristic imposing true onus on their rights holders: the power-duty to enforce their rights.
Said characteristic calls for intellectual property rights holders to act directly in their defence against the violators and third parties involved in the violation, first and foremost the police authorities with respect to the communication of the crimes against intellectual property and the civil and criminal courts. The fight against the illicit offering of counterfeit products and unauthorized copies of copyright-protected works (popularly called “pirated”) on streaming sites and music and film storage in servers located in the European Union (EU) economic region has also been called to question, including before The Internet Corporation for Assigned Names and Numbers (ICANN). Given that identification of the violators is necessary for due criminal prosecution and civil remedy and even for simple removal or disabling purposes, the obtaining of information that permits the identification of domain holders is crucial to the exercise of intellectual property rights holders.
In its turn, privacy protection law establishes the legal bases for the use of personal information. As established in Article 7 of Law 13.709/18 – The General Data Protection Law (GDPL) and in Article 6 of Regulation 679/16 – The General Data Protection Regulation (GDPR), said legal bases go far beyond simple consent and in the case of the defence of rights or vital interests (1 (d) of the GDPR and item VI of the GDPL) and legitimate interest (1 (f) of the GDPR and item IX of the GDPL) permit the legal use of personal data in intellectual property enforcement.
Recent decisions favouring concealing or obstructing access to Internet domain holder information by domain registrars have had important consequences, in particular, the possible benefiting of cybercriminals, including scammers and intellectual property rights holders, under privacy protection rules, to the detriment of the legitimate holders of the intellectual property rights and prompting them to enforce their rights.
From even before the entering into force of the GDPR, decisions concerning its applicability resulted in the concealing of information of domain holders located in the EU, as was the case of GoDaddy Inc., whereas others, such as the German EPAG, a Tucows group company, announced that they would not only not provide the information for search purposes but in fact do not even collect the technical and administrative information of domains administered by them.
In Brazil, despite the entering into force of the GDPL in September 2020, the discussions are not yet where they should be. Despite that with the publication GDPR in 2016 and its entering into force in 2018 questioning by diverse intellectual property rights protectors were generated, until the present moment little has been said by the Brazilian IP address registry The Brazilian Network Information Center (NIC.BR) with respect to the continuity or not of the disclosure of domain registration information by Whois of registro.br.
This fact could result in insecurity with respect to the official position that the entity will adopt, particularly as to the possible repercussions as may result in the case of the imposition of greater difficultly or even impossibility of accessing intellectual property right holder information via Whois in the defence of their rights. Further, it is common knowledge that with respect to registrars where the exhibition of registration information of domain holders are obligatory, such as in the case of registro.br (the department of NIC.br responsible for the activities of the registration and maintenance of dominion names), the services of administration and negotiation of domains are typically offered by companies that use their own information for registration information identification purposes.
The understanding of certain registrars that the exposure of the registration information of domain holders would violate the new personal data protection rules has rendered the exercise of intellectual property holder rights in enforcing their rights more difficult with respect to the adoption of extrajudicial, civil and criminal administrative and civil and criminal judicial measures. Noteworthy to mention is that usually such information is disclosed under a Whois search, except in cases where the provider offers an additional service option, gratuitous or paid, of concealing the information from the public.