Blog

Trademarks, Public Policy and Principles of Morality

MUNIA is a registered European Union Trademark (EUTM: 016305369) owned by Bodega ViñaGuareña, a Spanish winemaker producing high quality wines near Salamanca. As of today, their trademark enjoys protection across 27 member-states of the European Union, although their wines have not reached Greek retail stores.

But can a sign with an objectionable meaning be registered as a European Union Trademark (EUTM) ?

Not always. Article 7(1)(f) of Regulation 2017/1001 (EU) (EUTMR) provides for the refusal of trademark applications and the invalidation of registrations already effected, where trademarks are “contrary to public policy or to accepted principles of morality”.

The same provision as in the EUTMR is reflected in Article 4(1)(f) of the Trade Mark Directive, which has been transposed verbatim in Greek law, by means of Article 4 of Law 4679/2020.

The wording of the above refusal ground is very broad and could create legal tensions, as the EU trademark system is unitary in character, whereas both moral principles and the requirements of public policy may vary from country to country and evolve over time.

As a result, an objection against an EU trademark application in any member state can defeat the entire application, as under Article 7(2) ETMR an application can be rejected even if the grounds for refusal exist only in part of the European Union.

For the sake of uniformity, EUIPO Board of Appeals published a Case-law Research Report in October 2021 that establishes general principles on the assessment of applications.

Some of the most notable examples of the assessed signs over the last years, as summarised in the above report, are the following:

In SULA, (vulgar for ‘penis’ in Romanian), the Board rejected an application confirming that the goods (milk and derivates) applied for did not avoid, but in certain cases even enhanced, the link with such a sexual connotation.

Similarly, in Kona, which is a subcompact crossover SUV produced by the South Korean manufacturer Hyundai. Differently spelt, the word ‘cona’ is vulgar for ‘vagina’ in Portuguese, and in this respect the Board considered the sign to be an offensive vulgar expression for the Portuguese public, notwithstanding that the goods applied for were ‘automobiles’.

By contrast, in REVA The electriCity Car, EUIPO had found back in 2006 that in the context of electric cars and in combination with the English words ‘The ElectriCity Car’, the Finnish public will not consider the expression ‘reva’ (vulgar for ‘vagina’ in Finnish) to be intentionally abusive, but as an unfortunate choice of brand of foreign origin. EUIPO held in that case that “from time to time, the general public encounters words on imported goods and services which, if used conversationally in its own language, might be found shocking. Nevertheless, they are understood for what they are, namely as neutral foreign words carrying an unfortunate meaning in the native tongue.

The Board also allowed the registration of the trademark CUR (Romanian slang for ‘butt’) stating that the mark would not be found to be offensive in relation to IT-related specialised services, but rather as “a slightly embarrassing or even humorous example of how English- speaking undertakings can occasionally commit a linguistic ‘faux pas’ when selling their branded products globally. Moreover, the fact that the word did not address anybody in particular was also considered decisive in their assessment.

That was not the case in PAKI, however, where the General Court confirmed the Board’s assessment that, given the racist and degrading  meaning of the word for people originating from Pakistan and residing in the United Kingdom, the sign had to be refused registration irrespective of the goods and services applied for.

But would the above rejections constitute a violation of the respective applicant’s freedom of expression, enshrined in Article 10 ECHR and Article 11 of the Charter of Fundamental Rights of the European Union, or even a violation of their freedom to conduct a business pursuant to Article 16 of the Charter of Fundamental Rights of the European Union?

Under settled case-law, the refusal of a trademark application does not limit the applicant’s freedom of expression. In fact, the General Court has pointed out that it is not necessary to register a sign for it to be used for commercial purposes and that the goal of Article 7(1)(f) EUTMR is not to filter out signs whose use in commerce must at all cost be prevented.

In that sense, when EUIPO declared the trademark “BOY LONDON” invalid on the grounds that it evoked Nazi symbolism and was, therefore, contrary to the accepted principles of morality, it reiterated that the application of Article 7(1)(f) EUTMR is not a constraint to anybody’s freedom of expression, because the applicant is not prevented from using the sign but is simply refused its registration.

Quote of the Day

Actual happiness always looks pretty squalid in comparison with the overcompensations for misery. And, of course, stability isn’t nearly so spectacular as instability. And being contented has none of the glamour of a good fight against misfortune, none of the picturesqueness of a struggle with temptation, or a fatal overthrow by passion or doubt. Happiness is never grand.

Aldous Huxley, Brave New World

European Union Reins in Big Tech

Οn Tuesday, 5 July 2022, the European Parliament held the final vote on the new Digital Services Act (DSA) and Digital Markets Act (DMA), two bills that aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values.

What is illegal offline, should be illegal online

The Digital Services Act (DSA) sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size and risks platforms pose to society.

The new obligations include:

    • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection;
    • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe; including efforts to perform random checks on whether illegal content resurfaces;
    • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content (so-called recommender systems); users will be able to challenge content moderation decisions;
    • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. The so-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.

Very large online platforms and search engines (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission. These include preventing systemic risks (such as the dissemination of illegal content, adverse effects on fundamental rights, on electoral processes and on gender-based violence or mental health) and being subject to independent audits. These platforms will also have to provide users with the choice to not receive recommendations based on profiling. They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

A list of “do’s” and “don’ts” for Gatekeepers

The Digital Markets Act (DMA) sets obligations for large online platforms acting as “gatekeepers” (platforms whose dominant online position make them hard for consumers to avoid) on the digital market to ensure a fairer business environment and more services for consumers.

To prevent unfair business practices, those designated as gatekeepers will have to:

    • allow third parties to inter-operate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, send voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect where they are restricted to one app or platform;
    • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

    • Rank their own services or products more favourably (self-preferencing) than other third parties on their platforms;
    • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
    • Process users’ personal data for targeted advertising, unless consent is explicitly granted.
Sanctions

To ensure that the new rules on the DMA are properly implemented and in line with the dynamic digital sector, the Commission can carry out market investigations. If a gatekeeper does not comply with the rules, the Commission can impose fines of up to 10% of its total worldwide turnover in the preceding financial year, or up to 20% in case of repeated non-compliance.

Next Steps

Once formally adopted by the Council in July (DMA) and September (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication.

The DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024 (whichever comes later) after the entry into force. As regards the obligations for very large online platforms and very large online search engines, the DSA will apply earlier – four months after they have been designated as such by the Commission.

The DMA will start to apply six months following its entry into force. The gatekeepers will have a maximum of six months after they have been designated to comply with the new obligations.

Source: European Parliament

I Stand with Ukraine

In a 1787 letter to William Stephens Smith, the son-in-law of John Adams, Thomas Jefferson used the phrase “tree of liberty”.

“I do not know whether it is to yourself or Mr. Adams I am to give my thanks for the copy of the new constitution. I beg leave through you to place them where due. It will be yet three weeks before I shall receive them from America. There are very good articles in it: and very bad. I do not know which preponderate. What we have lately read in the history of Holland, in the chapter on the Stadtholder, would have sufficed to set me against a Chief magistrate eligible for a long duration, if I had ever been disposed towards one: and what we have always read of the elections of Polish kings should have forever excluded the idea of one continuable for life. Wonderful is the effect of impudent and persevering lying. The British ministry have so long hired their gazetteers to repeat and model into every form lies about our being in anarchy, that the world has at length believed them, the English nation has believed them, the ministers themselves have come to believe them, and what is more wonderful, we have believed them ourselves. Yet where does this anarchy exist? Where did it ever exist, except in the single instance of Massachusets? And can history produce an instance of a rebellion so honourably conducted? I say nothing of it’s motives. They were founded in ignorance, not wickedness. God forbid we should ever be 20. years without such a rebellion. The people can not be all, and always, well informed. The part which is wrong will be discontented in proportion to the importance of the facts they misconceive. If they remain quiet under such misconceptions it is a lethargy, the forerunner of death to the public liberty. We have had 13. states independant 11. years. There has been one rebellion. That comes to one rebellion in a century and a half for each state. What country before ever existed a century and half without a rebellion? And what country can preserve it’s liberties if their rulers are not warned from time to time that their people preserve the spirit of resistance? Let them take arms. The remedy is to set them right as to facts, pardon and pacify them. What signify a few lives lost in a century or two? The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is it’s natural manure. Our Convention has been too much impressed by the insurrection of Massachusets: and in the spur of the moment they are setting up a kite to keep the hen yard in order. I hope in god this article will be rectified before the new constitution is accepted.”

The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.

The EU Digital Markets Act

The EU has recently unveiled its much-expected landmark proposal for a Digital Markets Act (DMS). Twenty years after the introduction of the eCommerce Directive, the DMA envisages a new legal basis for competition and platform management, covering everything from content moderation  to app stores, search and self-preferencing.

The DMA introduces rules for platforms that act as “gatekeepers” in the digital sector. These are platforms that have a significant impact on the internal market, serve as an important gateway for business users to reach their customers, and which enjoy, or will foreseeably enjoy, an entrenched and durable position. This can grant them the power to act as private rule-makers and to function as bottlenecks between businesses and consumers.

With an eye mainly to US big-tech, the Digital Markets Act is set to prevent gatekeepers from imposing unfair conditions on businesses and consumers and ensure the openness of important digital services. Examples of these unfair conditions that gatekeepers sometimes impose on others include prohibiting businesses from accessing their own data when operating on these platforms, or situations where users are locked into a particular service and have limited options for migrating to alternative service providers.

Gatekeeper on the historic Banco Santander, Lisbon.

The enforcement system of the DMA is of particular importance, as the proposal does not seem to leave much space to national authorities. In fact, the European Commission shall be vested with extensive investigative powers (see Articles 19-21) and shall be able to impose fines and periodic penalty payments in case of non-compliance (Articles 26-27) of the same magnitude as in antitrust cases (up to 10% of annual turnover and 5% of daily turnover for fines and periodic penalty payments respectively).

In case of systematic non-compliance that has further strengthened or extended the gatekeeper’s position, the Commission may even impose behavioral or even structural remedies on the gatekeeper, including divestiture (Article 16). Structural remedies are a last resort penalty and can be imposed only if there are no equally effective behavioral remedies. The European Commission may also issue interim measures (Article 22) and accept commitments offered by the gatekeeper (Article 23).

Together with the Digital Services Act, the DMA is oriented at providing better protection to consumers and to fundamental rights online, establishing a powerful transparency and accountability framework for online platforms and leading to fairer and more open digital markets.

Harmonised across the EU and directly applicable, the new rules will make it easier to provide digital innovations across borders, while ensuring the same level of protection to all citizens in the EU.

Further information can be retrieved from the Commission’s dedicated webpage.

New Rules to Improve Fairness within the Online Platform Economy

Over the past decade, online platforms (such as Shopify, Magento, Etsy, etc.) have established their presence as important economic players, connecting economic actors and boosting efficiency while spurring innovation and new business models.

As of today, they play an important role in many industries, since they allow buyers and sellers of goods and services to trade and communicate with each other. At the same time, they create network effects, and raise new issues related to fairness, transparency, and market distortions.

This ecosystem is now regulated by means of Regulation 2019/1150 on online platform-to-business relationships (P2B Regulation).

The regulation, which directly applies throughout the Union since 11 July 2020, has introduced a set of transparency rules to be followed by online platforms in their relations with business users, to address unfair and potentially harmful contractual clauses and trading practices, and lack of effective redress.

Its scope covers online intermediation services and online search engines provided, or offered to be provided, to business users and corporate website users, respectively, that have their place of establishment or residence in the Union and that, through those online intermediation services or online search engines, offer goods or services to consumers located in the Union, irrespective of the place of establishment or residence of the providers of those services and irrespective of the law otherwise applicable.

The key points covered by the regulation can be summarized as follows:

    • Terms and Conditions will have to be written in plain and intelligible language;
    • Business users will have to be informed of any modification of the Terms and Conditions;
    • Platforms will have to respect a reasonable notice period depending on the nature of the modification (minimum is fixed at 15 days) unless a business user gives an explicit agreement for this period to be shortened;
    • Providers of online intermediation services will have to provide business users with the reasons for restricting or suspending individual products/ services;
    • In case of definitive termination of the online intermediation service offered, the platform will provide the business user concerned with a statement of reasons at least 30 days in advance;
    • The providers of these services have to formulate and publish general policies on what data generated through their services can be accessed, by whom and under what conditions;
    • Providers of online intermediation services as well as online search engines will be required to clearly inform businesses about the main parameters determining how goods and services are ranked;
    • Online search engines should be transparent about any preferential treatment they give to their own products and services offered through their search sites;
    • Providers of online intermediation services will be required to explain the use of contract clauses demanding the most favourable range or price of products and services offered by their professional users;
    • Online platforms will have to set up or have in place internal complaint handling mechanisms (small enterprises with less than 50 staff members and generating ≤€10 million turnover will be exempted from this obligation);
    • Business users will have access to out-of-court dispute settlement through easily accessible external mediators (small enterprises with less than 50 staff members and generating <€10 million turnover will be exempted from this obligation);
    • Representative organisations or associations will be able to defend businesses in courts against possible infringements of the proposed rules by online platforms or search engines.

Furhtermore, an EU Observatory of the Online Platform Economy has been established to look into the current and emerging challenges and opportunities for the EU in the online economy. The observatory shall be monitoring online trends, the evolution of trading practices, and the development of national policies, in order to monitor, anticipate and solve issues arising in the online economy.

Hellenic Data Protection Authority’s Take on Law 4624/2019

Under the threat of hefty financial sanctions, Greece enacted hastily Law 4624/2019 (“Greek GDPR Law”) last summer, in order to align the domestic data protection framework with the GDPR. The Greek GDPR Law also provided for specific rules on certain topics based on the GDPR’s broad opening clauses, permitting EU member states such as Greece to enact national legislation.

Following a period of uncertainty, the Hellenic Data Protection Authority (“HDPA”) published Opinion 1/2020, whereby they reviewed certain key or contested aspects of the Greek GDPR Law and provided much needed clarity on their compatibility with the Regulation.

In fact, by reiterating Commission’s guidance on the direct application of GDPR dated 24.01.2018, the HDPA stressed that when adapting their national legislation, Member States have to take into account the fact that any national measures which may create an obstacle to the direct applicability of GDPR and this way jeopardise its simultaneous and uniform application throughout EU are contrary to Union Law.

Repeating the text of regulations in national law, opined the HDPA, is also prohibited, unless such repetitions are strictly necessary for the sake of coherence and in order to make national laws comprehensible to those to whom they apply. In fact, reproducing the text of GDPR mot-à-mot in national specification law should be exceptional and justified, and cannot be used to add additional conditions or interpretations to the text of the regulation. This was not the case, however, with Greek GDPR Law, where several GDPR provisions were repeated verbatim and exceptions were introduced without any particular justification.

More particularly, HDPA pointed out that the interpretation of the Regulation should be left to the European courts (meaning the national courts and ultimately the European Court of Justice) and not to the Member States’ legislators. The national legislator can therefore neither copy the GDPR text when this is not necessary in the light of the criteria provided by the case law, nor interpret it or add additional conditions to the rules directly applicable under GDPR, said the Athority. If they did so, commercial entities throughout the Union would again be faced with fragmentation and would not know which rules they have to obey.

In view of the above, the HDPA noted that they shall not be applying Greek GDRP Law provisions, which: (a) are deemed not in line with GDPR, and/or (b) are not based on opening clauses, which make it possible for Member States to lay down specific national arrangements.

As regards personal data of employees, in particular, the HDPA clarified that the national legislator is not allowed to introduce new grounds for lawful processing other than those already set out in Art. 6 GDPR. In fact, processing under the GDPR framework can be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis is of essential importance and controllers must take into account the impact on data subjects’ rights when identifying the appropriate lawful basis so as to fully respect the principle of fairness.

In this context, the Authority stressed that Art. 6 par. 1 (b) GDPR, which has been chosen by Greek legislator as the main processing legal ground, may sometimes be actually unfit in the employment environemnt. In fact, activities such as processing of biometric data, geolocation, monitoring of electronic media, whistleblowing policies ect. should be based on Art. 6 par. 1 (e) GDPR (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or Art. 6 par. 1 (f) (processing necessary for the purposes of a legitimate interest) instead. This way, employees are able to challenge separate processing activities and perform their rights under GDPR, without the terms of their employment contract being challenged.

The matters handled with Opinion 1/2020 were not exhaustive and that is why HDPA explicitly reserved judgment on the compatibility of all other Greek GDPR Law provisions, which have not yet come under the spotlight.

As the case may be, it remains to be seen how Greek GDPR Law provisions shall be interpreted by Greek courts, once challenged by stakeholders, who are all those affected by the new rules (the business community and other organisations processing data, the public sector and citizens). The dust has not settlled yet, the winds of data regulation keep blowing strongly.

Air (Hera orders Aeolus to release the winds) (Aeneid I) by Charles Dupuis (1718)

A New Deal for Consumers

On 8 November 2019, the European Parliament and the Council adopted a directive on the better enforcement and modernisation of EU consumer protection rules. The directive is a part of the so-called “New Deal for Consumers” legislative package proposed by the European Commission in April last year. The directive, which the Member States will have 24 months to implement into their national legislation, is bound to bring about many significant changes, especially for businesses trading online. The most notable updates are briefly set out below.

Online Marketplaces

In today’s online intermediation services (marketplaces), the trading coordinates of the actual seller is not always clear to the end-consumer. This has been identified as an issue, since consumer protection rules do not apply to C2C (consumer to consumer) relationships, and a consumer could unknowingly purchase products from another private individual through a marketplace. The new legislation introduces transparency as regards whom the consumer is entering into an agreement with.

That is, when buying from an online market place, consumers will have to be clearly informed about whether they are buying goods or services from a trader or from a private person, so they know what protection they will benefit from if something goes wrong. Moreover, when searching online, consumers must be clearly informed when a search result is being paid for by a third-party trader or not. They will also be informed about the main parameters determining the ranking of search results and who they can turn to when something goes wrong.

Personalised Pricing

Transparency will be further required with respect to personalised pricing. The new legislation mandates that consumers be clearly informed when the price presented to them is based on personalisation on the basis of automated decision-making. There should be noted, here, that GDPR restricts the use of automated decision-making, which may also impact the use of personalised pricing.

Consumer Protection for “Free” Services

There is no denying the fact that data may often replace monetary payment when using online services such as social media, cloud services, and email services. To bolster consumer protection for such “free” services, the directive now requires that the fourteen (14) day withdrawal right be applicable to digital services will also apply to such “free” services.

Clear Information on Price Reductions

In order to address misleading price information, the new directive dictates that any announcement of a price reduction must indicate the prior price applied by the trader. The prior price means the lowest price applied by the trader during a period of time not shorter than 30 days prior to the application of the price reduction.

New penalties for Violations

Aiming to reimburse consumer protection, the new directive grants the national legislator the right to impose a fine of up to 4% of the trader’s turnover for violations that are widespread and affect consumers in several Member States. This follows the same pattern with personal data protection, where the GDPR introduced similar fines for violations. This pattern has proved successful, as many enterprizes have proceeded with substantial investments to enhance data protection. It is therefore expected that businesses shall now need to turn their attention to furhter enhancing their compliance with consumer protection legislation.

The directive is only one of the two directives making up the New Deal for Consumers legislative package. The second directive on representative actions for the protection of the collective interests of consumers would empower certain qualified entities, such as consumer organisations, to launch representative actions seeking injunctions and collective redress (e.g. compensation, replacement, or repair) on behalf of a group of consumers. This directive is still making its way through the legislative process.

Cookies should come with a consent

On October 1, 2019, the Court of Justice of the European Union (CJEU) ruled that storing cookies on an Internet user’s computer requires active consent. Consent cannot be implied or assumed and therefore a pre-ticked checkbox is insufficient (the press release can be found here).

The CJEU ruling stems from a 2013 case, in which the German Federation of Consumer Organizations (GFCO) took legal action against online lottery company Planet49. Planet49’s website actually required customers to consent to the storage of cookies in order to participate in a promotional lottery; as part of entering the lottery, participants were presented with two separate checkboxes: The first one was an unticked marketing checkbox, in case the user wished to be receiving third-party advertising. The second one, though, was a pre-ticked box allowing Planet49 to set cookies to track the user’s behavior online. The GFCO argued that this practice was illegal, since the authorization to set cookies did not involve explicit consent from the user.

In fact, the CJEU agreed with the GFCO in its finding that Planet49 is required to obtain active consent from its users, such consent not being possible in the form of a pre-selected checkbox. This active consent, ruled the Court, is required without any further differentiation, in particular, between strictly necessary cookies, reach measurement cookies or tracking cookies; the CJEU adopts this way the view that the cookie consent requirement applies regardless of whether or not the information accessed through the cookie is personal data within the definition of the GDPR.

Furhtermore, according to the CJEU it would “appear impossible” to objectively ascertain whether a user has provided informed consent by not deselecting a pre-ticked check-box, as the user may simply have not noticed the checkbox, or read its accompanying information before continuing with his or her activity on the website. Further to that, the CJEU held that active consent is expressly set out in GDPR, where recital 32 expressly precludes “silence, pre-ticked boxes or inactivity” from constituting consent.

In view of the above reasonings, it seems that consent obtained for placing cookies with the help of pre-ticked boxes, or through inaction or action without intent to give consent, even prior to the GDPR entering into force, has been unlawfully obtained. So it now remains to be seen if any action by supervisory authorities shall ensue, to tackle some of those data collection practices relying on unlawfully obtained consent.

As the case may be, following years of disparate approaches by national transposition laws and supervisory authorities, the ruling in Planet49 has introduced a much needed clarity on how the “cookie banner” and “cookie consent” provisions in the ePrivacy Directive should be applied.

In this regard, the Planet49 case is likely to have an impact on the ePrivacy regulation ongoing negotiations, which is set to regulate cookie usage in the not-so-distant future. Until this time arrives, website owners wishing to avoid any “kitchen accidents” would be well advised to request cookie consent for all cookies other than cookies that are technically required to properly operate their website. That is, marketing, tracking, and analytics cookies may only be used with explicit, clear, informed and prior consent, provided by means of a consent management tool.

Real-Time Bidding under the Sword of Damocles

On 20 May 2019, complaints were filed with the competent Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg, in connection with one of the latest digital marketing practices called Real-Time Bidding (“RTB”). The complainants consider RTB a “vast scale personal data leakage by Google and other major companies” in the behavoiral advertising industry.

A typical RTB transaction begins with a user visits a website. This triggers a bid request that includes various pieces of data, such as the user’s demographic information, browsing history, location, and the page being loaded. The request goes from the publisher to an ad exchange, which submits the request, along with the accompanying data to a bid manager. Advertisers automatically submit their bids in real time, in order to place their ads and the advertising space goes to the highest bidder, who displays the winning ad on the website. Real-time bidding transactions typically happen within 100 milliseconds (including receiving the bid request and serving the ad) from the moment the ad exchange received the request.

The criteria for bidding on particular types of consumers can be very complex. The complainants, nevertheless, point out tha there is no control over what happens to the data, a situation similar to the Facebook data leakage that enabled Cambridge Analytica to profile people, but for the fact that it is far greater in scale.

For example, Google relies on self-regulatory guidelines that rely on the companies that receive its broadcasts to inform it if they are breaking its rules. Google claims that over 2.000 companies are certified in this way. Google DoubleClick / Authorized Buyers sends, however, intimate personal information about virtually every single online person to these companies, billions of times a day.

It is relevantly reminded that in accordance with the applicable GDPR provisions, a company is not permitted to use personal data unless it tightly controls what happens to that data. In fact, Art. 5 (1)(f) GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss”.