GDPR and Brexit – A Few Things U.S. Businesses and Brand Owners Need to Know

I try hard to share news that is fun and informative.  I’m not sure how fun this is, but it’s a must read if you do business with European citizens, and if you own European trademarks.

The Impact of GDPR on US Businesses

The EU’s General Data Protection Regulation (GDPR) was implemented on May 25, 2018.  The GDPR is meant to protect the digital data of EU citizens and improve the way organizations handle data privacy.  The guidelines affect any organization handling personal data of European individuals, which means that U.S. companies that process data of individuals residing in the EU will have to comply.

Key provisions of the GDPR include:

  • Consent:  Businesses must be able to demonstrate that valid consent has been received from each individual whose personal data is being processed.  Consent must be freely given, specific, informed, unambiguous and in plain language.  Individuals have the right to withdraw consent at any time, and it must be as easy to withdraw consent as to give consent.  This means that businesses shouldn’t require individuals to “opt-out” of receiving communications, but instead, individuals should affirmatively “opt-in.”
  • Enhanced Rights:  Individuals have a right of access to their personal data, a right to rectify inaccuracies in their personal data, a right to have personal data erased, a right of portability, and a right to no profiling.
  • Transparency:  Businesses must be more transparent as to how they use personal data.  The information to be provided includes the purpose of the processing as well as the legal basis for the processing.  Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language that a child can understand.
  • Data Breach Notifications: When a personal data breach occurs, a business must (no later than 72 hours after becoming aware of it) notify the breach to the appropriate authorities unless the breach is unlikely to result in a risk to the rights of individuals.
  • Penalties for Non-Compliance: The penalties for non-compliance have increased.  Businesses can be fined up to 20 million Euros or 4% of annual global turnover (whichever is greater) for certain offenses.
  • Broad Definition of Personal Data: Personal Data means any information related to an identified or identifiable natural person.  This includes names, addresses (including e-mail addresses), birth dates, identification numbers, financial information, IP addresses, mobile device IDs, and more all constitute personal data.

While some companies have been preparing for the GDPR and are already compliant, A Forbes article estimated that in March, 79% of U.S. businesses hadn’t put a plan in place.  If you have sales in Europe, a mailing list that includes subscribers from Europe, a website with European visitors that uses cookies, or collect other personal data from European citizens, then you fall within the scope of the GDPR.  Having a proper privacy policy and ensuring that you (and your vendors) are prepared and engaged in best practices in order to be GDPR compliant must be a priority.

The Impact of Brexit on European Trademarks

Since the United Kingdom’s vote to leave the European Union, many have been curious about the implications of Brexit for trademarks.  Specifically, brand owners have been wondering what will happen to their trademark rights in the United Kingdom based on existing European Community trademark registrations (formerly Community Trademarks, or CTMs).

The European Commission recently published a Draft Withdrawal Agreement, which if adopted, will ensure the continued protection in the United Kingdom of registered or granted intellectual property rights in the EU.  The draft agreement provides that owners of trademarks registered in the European Union shall “become the holder of a comparable registered and enforceable intellectual property right in the United Kingdom.”  Such registrations in the United Kingdom are expected to be granted free of charge.

The renewal date, priority filing date, and fame of the underlying community trademark, would all correspond in the newly established United Kingdom trademark registration.  Moreover, the corresponding United Kingdom trademark registration could not be challenged on the basis that there was no genuine use in the territory of the United Kingdom by the end of the transition period.

In order to obtain a United Kingdom registration, marks need to have been registered in the EU before the end of the “transition period,” which is expected to be a two-year period between March 30, 2019 and 2021.  This means that businesses can file EUTM applications today without having to separately file applications in the United Kingdom.  As long as those marks are registered by 2021, they will receive a corresponding UK registration following Brexit.  This is a welcome relief for brand owners, who do not now have to incur additional filing fees at this time.

This plan has yet to be finalized, but most trademark practitioners expect this to be the likely result.