70 minute read
Nick Cornor
negotiating under the new eu Copyright direCtive 2019/790 and gdpr
ADAM FREELAND
Advertisement
I. Introduction
What value, contemplated by law, is owed to copyright owners (Rightholders) for the production of content in the digital age? One answer to that question is seemingly apparent. The European Parliament and the Council of the European Union agreed to update protections for European Rightholders and journalists under new rules to reinforce the interests of Internet users.1 These changes impose affirmative obligations for online content-sharing service providers (Service Providers) having the net effect of transferring value from the Service Provider to the Rightholder, a clear indication that the European Union is expanding copyright protections.
The Service Provider invests heavily into its online infrastructure, hiring skilled labor, acquiring the assets necessary to create the digital market, and providing the services and goods demanded by consumers—Service Providers deserve the return produced by their efforts. On the other hand, the Rightholder produced the work subject to copyright and introduced it to the proper channels for distribution, with the expectation that only the approved channels distribute their work. Inevitably what results is a competition between the interest in preventing infringement and the interest in promoting availability of content in digital form. To illustrate, Hollywood Rightholders seek to expand protections,2 Silicon Valley Service Providers seek to avoid the encroachment of copyright laws into their business models,3 while academic and scientific institutions advocate for Internet freedom.4
What will happen to content creation if either party gets their way? Online accessibility of media and information is a vital component of the Internet, and if the Service Provider wins out, there will be more content because of the continued cost efficiency of their superior negotiating position. If the Rightholder wins out, the Service Provider must license less content or suffer a hit to the bottom line.
This Comment will examine the European Union’s5 motives in addressing the “value gap” between Service Providers and Rightholders in Part II; whether or not the transparency solution to the “value gap” is congruent with trade secret, copyright, and data exchange regimes of law in Part III. Finally, in Part IV, this Comment will assess whether the new bargain mandated by the Directive is palatable for global economies.
II. The “Value Gap”
Most of the value generated by Rightholders’ online content is derived from a portion of Service Providers’ advertisement revenue and from purchased or compulsory licenses.6 Service Providers are keen on the evolution of technology, adapting business models to anticipate new uses of the Internet as a delivery vehicle for content and improving content portability through the creation of innovative devices to achieve sustainable growth in network size and value.7 Service Providers incentivize Rightholders to enter into licensing agreements by tailoring platforms to reproduce their content and providing essential infrastructure for user traffic, information accessibility, stability, and security.8 Rightholders' uploaded works individually generate data that can be monetized from user traffic, but only the Service Providers posses or control such data as a result of website ownership. Therefore, Rightholders may only retrieve value from licenses and any secondary transaction arising out of monetized interactions with each website hosting its content. The EU has attributed the superior negotiating positions of Service Providers to the disparity in the respective values each party to each license receives.9
This bargaining disparity is what the EU seeks to rectify with its Directive on Copyright10 (Directive) by restraining Service Provider negotiating stature with affirmative and costly obligations. Under the Directive,
Rightholders will be able to claim additional remuneration from Service Providers lawfully exploiting Rightholders works when the remuneration originally agreed upon is “disproportionately low” compared to the benefits derived by the Service Provider.11 Exceptions to the “online content-sharing Service Provider” designation are entities that are “not-for-profit online encyclopedias, not-for-profit educational and scientific repositories, open source software-developing and sharing platforms, providers of electronic communication services,” such as Internet access services, interpersonal communications services, and services which consist wholly of conveying signals for transmission “online marketplaces, business-to-business cloud services[,] and cloud services that allow users to upload content for their own use.”12
A. Transparency Obligations
The proposal further requires “transparency,” that Service Providers are to share with entitled Rightholders “information on the licensing and the distribution of remuneration” to other Rightholders.13 Under Article 19, such Rightholders also have the right to receive such information at least once a year14 and may insist on the sufficiency of the information either directly themselves or indirectly through Collective Management Organizations or Member State Union law.15 Sufficiency depends on the Rightholders’ ability to “assess the continued economic value of [the] rights” in question, and the information shared should be “recent data, relevant to the exploitation of the work . . . and comprehensive in a way that it covers . . . all modes of exploitation and . . . all relevant revenues worldwide.”16
Service Providers with transparency obligations arising out of the EU General Data Protection Regulations (GDPR), discussed below, must provide “adequate information” on how personal data is processed,17 such as contact details and information on remuneration.18 The Directive qualifies the transparency requirement as “[s] uch information . . . sufficiently specific to provide enough transparency to [R] ightholders, without affecting business secrets,”19 but this is problematic for Service Providers that are unaware of their own business secrets, further discussed below. Member States are directed to several factors to determine whether a Service Provider is subject to transparency obligations, such as: the specificities of the content sectors; the contribution of the authors or performers to the overall work; and collective bargaining, to the extent it may be relevant in particular circumstances.20 Member States also have discretion, “the option,” to provide for “further measures” to ensure transparency.21
B. Monitoring Obligations
Further, Member States must consider several factors in determining whether the Service Provider generally prevented the availability of unauthorized works (the monitoring obligation), such as the size of the Internet company and the evolving state of the art as regards “suitable and effective means and their cost,” or similar technologies, including potential future technologies.22 Interestingly, the Directive does not seek to lead Member States to impose a “monitoring obligation” per se, as the negotiation of a license for all Service Provider hosted content is simply not economically feasible. Instead, the approach the “monitoring obligation” subscribes to seems to be “if at first you don’t succeed, try, try again.”
Under the Digital Millennium Copyright Act23 (DMCA) and its European counterpart,24 Service Providers are minimally incentivized, if at all, to sign fair licensing agreements with Rightholders. It follows then, that Service Providers further are uninterested in adherence to costly obligations to supply data—whether confidential in nature or perhaps even part of a larger trade secret information regime. DMCA and its equivalents only obligate Service Providers to remove infringing content when Rightholders ask them to do so.25 Therefore, the Directive should not be construed as granting any new rights to Rightholders, but as softening safe harbor immunities for Service Providers.26 The problem presented by altering prevailing practice is that vast amounts of content originally generated through the current scheme now will be significantly restricted as the Service Providers must renegotiate all of their licenses with Rightholders.27 One potential consequence of restructuring? Service Providers—effectively in control of generally available content—may now change their default stance to restriction, unintentionally resulting in censorship of content that it would have otherwise made available had favorable licenses been negotiated.28 Service Providers may choose to start filtering all content to which “relevant and necessary”29 requests are directed without any effort directed at determining the scope of the rights and protections of the offensive material or the reach of the filtering processes implemented.30
Due to these changes in the licensing system, Service Providers, in an effort to
protect their business model, may opt to make unlicensed content available, which ordinarily would open them up to liability for unauthorized acts of communication to the public.31 However, a Service Provider can mitigate liability if it:
1) makes best efforts32 to obtain an authorization;
2) is in accordance with high industry standards of professional diligence, makes best efforts to ensure the unavailability of specific works for which the Rightholders have provided… relevant and necessary information;
3) acts expeditiously, upon receiving a sufficiently substantiated notice from the Rightholders to disable access to, or remove from their websites, the notified works; and
4) makes best efforts to prevent future uploads.33
Privacy concerns abound with respect to the efforts necessitated by Service Providers— specifically, those unable to feasibly obtain authorizations for all uploaded content— now tasked with preventing access to and future uploads of such content. The EU Court of Justice has addressed just this, providing that Service Providers are to take “all reasonable measures” and provided clear guidance for this standard: (i) the measures should not unnecessarily deprive Internet users “of the possibility of lawfully accessing the information available”; and (ii) the measures used “have the effect of preventing unauthorised access to the protected subjectmatter or, at least, of making it difficult to achieve and of seriously discouraging Internet users who are using the services . . . from accessing [unauthorized] subject-matter.”34 This rule allows for the Rightholder to enjoin the Service Provider who “carries a third party’s infringement of a protected work . . . in a network,” and block access of Service Provider’s customers to its website, inasmuch as the site makes the unauthorized work available to the public.35 Thus, clearly the Directive’s goal is to maintain that the monitoring obligation is a creature of the judiciary.36
The inevitable result of monitoring high volume usage of a Service Provider’s website–such that the unauthorized use of a Rightholder’s content is both detected and in fact taken down in every case—is the implementation of filtering or surveillance technology.37 An affirmative monitoring obligation would impose high development, maintenance, and reporting costs on Service Providers who will likely end up outsourcing to large U.S.-based providers, strengthening these firms’ market position and giving them access to the behavior of EU users of Internet platforms.38
Critics of Article 17 posit that the Internet is subject to unprecedented transformation from an open platform, for sharing and innovation, into a tool for the automated surveillance and control of its users,39 even where no infringing material is uploaded.40 Such filtering technologies have the potential to deprive users of First Amendment rights and enforcement exceptions to copyright protection, such as the quotation right and the right to parody.41 The monitoring obligation is not necessarily an affirmative one, that is, courts must first make a caseby-case determination as to what a particular Service Provider’s monitoring obligation is, without impermissibly intruding into the specific measures utilized. Not all Service Providers are alike and will opt for measures proportionate to the resources allocable to its obligations.
However, still looming is question of economics in this context. Seemingly, a vast amount of value is now gushing out from the Service Provider and heading toward Rightholders. Add to this figure the costs associated with higher remuneration through Rightholder-favored licenses, maintaining transparency obligations, and, potentially, compliance with an injunction to implement monitoring technology. In this light, Service Provider profit margins begin to shrink exponentially.
C. “Value Gap” in the U.S.
In the U.S., the “value gap” is directly addressed by DMCA, Congress’ response to the WIPO Copyright Treaty.42 As the WIPO Copyright Treaty is not self-executing, any additional obligations proposed by legislation enacted in Europe must be further promulgated by Congressional action.43 However, new legal regimes implemented by Congress could be characterized as a provocative signal directed at the EU.44 The Music Modernization Act45 (MMA), signed into law by President Trump on October 11, 2018, represents a win for Hollywoodrelated stakeholders. MMA seeks to benefit “songwriters, publishers, artists, record labels, digital services, libraries, and the public at large”46 by establishing “a new blanket license for digital music providers to engage in specific covered activities (namely, permanent downloads, limited downloads, and interactive streaming)” (or on-demand streaming).47 Significantly, MMA changed the manner for collecting and disbursing
mechanical royalties for musical works. Specifically, the law contemplates use of the nonprofit “Music Licensing Collective”48 to direct royalties from Service Providers to the proper owners, shifting the “reasonable costs” of maintaining the collective to licensees.49 MMA changes rate-setting considerations for the Copyright Royalty Board, requiring them to consider a “‘willing buyer, willing seller’ rate standard and is applicable to all licensees of musical works . . . .”50 The law also changes judicial oversight mechanisms.51 These changes echo the Directive’s “value gap” disparity concerns, offering in reply a number of creative solutions.
Clearly, DMCA is at odds with its newly minted European counterpart. In fact, the mere conduit ISP category articulated under U.S. judicial rules of decision and § 512(a) would be eliminated as a form of safe harbor protection, as discussed above.52 Importantly, a recent study of both the DMCA and developments in electronic commerce, jointly conducted by the Copyright Office and National Telecommunications & Information Administration, specifically contemplates whether the first sale doctrine retains applicability to the digital environment.53 The first sale doctrine urges consideration as to whether copyright holders have obtained the full value of their works, as contemplated in the Copyright Clause of the Constitution.54 The Copyright Clause memorializes the notion of a quid pro quo, or bargain, between society and the creator, or writer.55 However, DMCA’s notice and takedown regime recognizes that copyright holders may decide to strike a deal with Service Providers,56 choosing to forego a portion of the value that they would normally be entitled to in exchange for the wide dissemination of their works.57 Thus, in the “value gap” debate, the U.S. takes the view that the consequential value lost is adequately compensated when exchanged for wide dissemination of the copyrighted work. On the contrary, the European view characterizes Rightholders as entitled to— in addition to the wide dissemination of the copyrighted works—higher royalties, access to unique datasets, as well as Service Providers’ affirmative obligation to monitor and eliminate dissemination of unauthorized works, to be undertaken as an expenditure of that particular Service Provider.
III. Obstacles Facing the Transparency Obligation
The “value gap” has proven to result in no more than a restructuring of the deal making process between Service Providers and Rightholders. The Service Provider delivers infrastructure; collects, organizes, and evaluates dispersed information; facilitates social communication and information exchange; aggregates supply and demand facilitates market processes; provides trust; and accounts for the needs of both buyers or users and sellers or advertisers.58 The Rightholder produces copyrightable expression, neither insignificant nor inexpensive, otherwise presumably lawmakers would not create economic incentives.59 The Neoclassical Economic Theory dominates the modern conception of the copyright regime in the digital information sphere, in that copyright is a necessary system of incentives to prevent free riders from undermining the market in creative expression, notwithstanding concerns for social costs.60 Internet use is currently “ubiquitous” and, given the ease with which data can be retrieved over the Internet, an unprecedented number of individuals are appropriating data and copyrighted works.61 Studies indicate that in the EU alone, there are over 460 million Internet users, with nearly 4.075 billion worldwide.62 Perhaps one explanation for widespread usage of the Internet owes to the nature of digital information technology which allows for the easy replication and transmittal of copyrighted works and other information for multiple uses; provides for the plasticity of digital media; yields both compactness and equivalence of works in digital form; and accommodates new searching and linking functionality.63
The Internet has simultaneously streamlined both the reproduction and distribution of copyrighted works. Historically, copyrighted works were mechanically reproduced and distributed, particularly after 1476 when, owing largely to William Caxton’s printing press, the first large scale reproduction of written materials was sent into motion.64 Subsequent innovations streamlined the mechanical printing process, such as Willis Carrier’s indoor cooling invention, reduced to practice on July 17, 1902.65 In essence, the Internet has dramatically reduced reproduction and distribution costs, while simultaneously enabling Service Providers to step into the role traditionally played by publishers.66
A. Copyright Law
i. Fair Use
Fair use presents the biggest challenge to Service Providers’ compliance with legislation seeking to address the “value gap”, requiring the implementation of surveillance technology. Fair use is a protection not
necessarily to the benefit of the Rightholder, extending to include third party usage of copyrighted works, absent a license.67 The protection operates to subject unlicensed use of copyrighted materials to a fair use carve out, absolving such reuse for the purpose of parody, criticism, comment, educational purposes, scholarship, research, news reporting, or, depending on the subject matter, adaptation.68
Presently, upload filtering software is insufficiently sophisticated, in that it lacks the functionality to make fair use determinations. Moreover, the jury is still out as to whether non-human automation is capable of exercising human judgment.69 Invariably, a technological gap at this scale results in mass filtration of otherwise infringing content, deemed non-infringing by virtue of the application of fair use doctrine.70 “Implementation of that filtering system would require . . . active observation of files stored by users with the hosting [S]ervice [P]rovider and would involve almost all of the information thus stored . . . requiring [the hosting Service Provider] to install the contested filtering system would oblige it to actively monitor almost all the data relating to all of its service users in order to prevent any future infringement of intellectual-property rights.”71
Indeed, it is a frightening notion that, beyond constructs of Phillip K. Dick’s imagination, a real A.I. program could accurately mimic human judgment with a level of fidelity that does not deviate from human faculties.72 The Fourteenth Amendment73 requires that no state “deprive any person of life, liberty, or property without due process of law.” Can A.I. be trusted to adjudicate human life, liberty, and property interests? Service Providers are not in the position to administrate such outcomes without infringing on powers Article III specifically granted to the judiciary.74 A more appropriately designed regime may entail company attorneys filing A.I. determinations in court together with traditional pleadings; perhaps courts may defer to such A.I. determination, provided the report is thorough and detailed in its modus operandi. However, on appeal how will such deference be reviewed? By what means will parameters constraining the A.I. decision-making process be evaluated by judges at both the trial and appeals court level, particularly by those in possession of little or no understanding of A.I. processes?
Clearly, the result—as Dick puts it— may be the arbitrary retirement of an essential carve out in copyright law, expressly provided for by both the Constitution and Congress. Not only is A.I. technology not Voight-Kampff75-ready, it is presently incapable of making fair use or status of work determinations (though the latter is a more feasible task with an automated system). With large technological gaps come proportionately sizable price tags, a pre-requisite in bridging the divide. While some companies are able to invest fully in such technology, others simply can or will not, consequently leading to increased disparities and differences between potential filtering technologies. Such non-uniformity in the determination of user rights under federal law is undesirable, if not outright intolerable. Therefore, any technological race to produce a viable A.I. filter inevitably falls under the purview of a standard determining organization76 (“SDO”), such as the FCC or an equivalent international body,77 who, ideally, in turn charge the largest Service Providers with the most market power with the task of developing the standard-essential patent (“SEP”) and the corresponding best practices of such technology. For Service Providers required to license an SEP to comply with monitoring obligations or even a court injunction, this ultimately presents yet another added cost to be discussed in future negotiations.
ii. Renegotiating Licenses
Another obstacle to U.S. “value gap” legislation is the creation of a revocation right that goes beyond the rights contemplated in the Copyright Act. Section 203 of the 1976 Copyright Act78 provides authors the right to terminate copyright grants after a fixed number of years. If the author is deceased, the right extends to persons entitled to exercise more than 50% of the author’s termination interest, according to the order of priority set out in the statute.79 The termination right applies to grants executed by the author of the work after January 1, 1978.80 Termination may occur during a five-year window, beginning thirty-five years after execution of the grant, or, for publication, opening at the earlier of thirty-five years after publication or forty years after execution of the grant.81
The Directive entitles Rightholders to “revoke in whole or in part the license or the transfer of rights where there is a lack of exploitation of that work . . . .”82 The right of revocation by extension, grants a further right to renegotiate the preexisting license, in the sense that should negotiations fail the Rightholder is free to terminate.83 The Directive proposes a “mechanism for the revocation of rights that authors and
performers have transferred on an exclusive basis.”84 Article 22 of the Directive provides a guideline for Member States to craft specific provisions of revocation that take into account “the specificities of the different sectors and the different types of works and performances . . . ,” and for joint works “the relative importance of the individual contributions, and the legitimate interests of all authors and performers affected by the application of the revocation mechanism by an individual author or performer.”85 Further, Article 22 provides that “revocation . . . can only apply within a specific time frame, where such restriction is duly justified by the specificities of the sector or the type of work or other subject matter concerned.”86
There has yet to be a threshold finding by any court clarifying which works are deemed not adequately exploited, thus triggering the revocation right on preexisting licenses because the law does not go into effect until June 7, 2021, giving Members States two years to promulgate national law compliant with the Directive.87
iii. Data as an Original Work of Authorship
Under the Feist rule, a compilation of data meets the requirements for an original work of authorship and, thus, qualifies for copyright protection if it features an original selection or arrangement of facts.88 However, the copyright is limited to the particular selection or arrangement of facts and not the facts themselves.89 The facts can be copied at will. “Given that copyright protection of a factual compilation is so thin, a competitor’s taking the bulk of factual material from a preexisting compilation without infringement of the author’s copyright is not surprising . . . and may seem unfair.”90
If the information is copyright protected, it is unclear whether the Rightholder would have to pay a licensing fee to the Service Provider for use of the material for economic exploitation, or whether outright sale of the information would suffice. This is a cost that would cut into Rightholders’ value proposition. One way around this is for the Service Provider to limit the data in such a way that the data, as expressed to the Rightholder, does not amount to a reproduction or derivative work of the protected data set. As discussed below, the Service Provider may insist on the transfer of a data set that has been anonymized or altered in such a way as not to affect the Service Providers’ protected works and at the same time comply with transfer obligations.
B. Trade Secret Law
Internet companies are successful in part because of the organization and specificity of data that their platforms produce. “Indeed, rapid technological progress is likely to permit economic use,” by allowing for monetization of both the data and creative content.91 EU Service Providers are entitled to trade secret protection for information that has commercial value because it is secret, provided its owner takes reasonable steps to keep it secret.92 Such information has economic value, and may thus garner trade secret protection, particularly where the information at issue is user preference data, confidential information, or even copyrightable expression. When a Service Provider voluntarily shares such protected information, it risks waiving whatever trade secrecy exists in such information, even in situations where the information does not generally become known or readily ascertainable.93 Recital 68 of the Directive mandates that, when a company shares protected information with its Rightholders, the information be “sufficiently specific to provide enough transparency to [R] ightholders, without affecting business secrets.”94 The Directive qualifies this statement about business secrets, asserting, “Service [P]roviders should, however, not be required to provide [R]ightholders with detailed and individualised information for each work or other subject matter identified.”95 By qualifying the statement about business secrets in this way, the Directive skirts the issue—Service Providers may inevitably disclose business secrets, merely replying “We told you not to.” Most businesses may not know what their business secrets are, and by the time they figure it out, the secrets will be in the hands of potential competitors, either as Rightholders or through Rightholders. Service Providers must then have the capability beforehand to decide what expectation of confidentiality to attaches to which sorts of information, a useful exercise, notwithstanding.
If Service Providers are to limit the data transferred to Rightholders under the protection of trade secrecy, Service Providers must perform a risk analysis, then address those risks with courts. Further, they must avoid ex post facto justifications and explanations for trade secret protections by showing affirmative measures generated from a conscious recognition and assessment of its data protection policies. They must be prepared to show what information specifically should be excludable from any transparency obligation.96 This reasonableness
analysis should assess the costs and benefits of the security measures, from the perspective of the Service Provider, as well as the nature of the risks, such as the nature of the industry, the nature of the putative trade, the nature of the protective measures, and the known risks associated with the chosen storage and protection methods.97
Allocating such consumer information to Rightholders on the basis of compliance with transparency obligations is not only an errant attribution of the value sought by the Rightholder98 but may amount to a breach of confidence that each third party user has with the Service Provider absent any transfer agreement or consent requests that said consumer has with the Service Provider. Although end user agreements may be modified to contemplate this data exchange, the technology companies themselves face the problem of access that QSRSoft, Inc. faced with McDonald’s. McDonald’s attempted to eschew reliance on QSRSoft’s proprietary software by gaining access to QSRSoft’s system through a franchisee and used information obtained therein to develop its own similar service.99 By comparison, if the Rightholder develops its own service based on confidential information gleaned from the Service Provider, the proprietor of that information, then the Rightholder may ultimately supplant the Service Provider.100
While not all data will amount to a complete extrapolation of any given Service Provider’s business model, the data, as handed over, would lend tremendous value to Rightholders. The information would enable the Rightholder to capture details about the manipulation of its works on digital media; how other entities collect, organize, and evaluate dispersed information; how users are responding to the copyright and other facilitations of social communication and information exchange; what market processes the Service Provider is engaged in; and how the Rightholder can engage in similar market processes with the exact same data sets.101
C. Data Privacy Law
As proposed, the Directive supports the notion that third-party personal data should be shared as a part of the value attributed to Rightholders and content producers, strengthening Rightholders’ negotiating position.102 Moreover, the General Data Protection Regulation is directly implicated in this query. In addressing the “value gap” problem, the extent to which Rightholders are entitled requested data sets in the Service Provider’s possession remains unclear. Any proposition of a law comparable to the Directive would be unsuccessful in the U.S., as such a grant to creators would be in excess of that which is contemplated by the Constitution—a power specifically delineated to Congress. Congressional deliberations reveal two questions relevant to ask in addressing that value:
First, how much will the legislation stimulate the producer and so benefit the public; and, second, how much will the monopoly granted be detrimental to the public? The granting of such exclusive rights, under the proper terms and conditions, confers a benefit upon the public that outweighs the evils of the temporary monopoly.103
Presently, contract law provides data controllers, processors, and Service Providers a pathway to avoid liability for infringement, to the extent they are equipped with robust data processing and transfer agreements. The Directive provides that the “processing of personal data carried out within the framework of this Directive shall be carried out in compliance with Directive 2002/58/ EC and Regulation (EU) 2016/679.”104 Article 5 of the GDPR provides that personal data shall be processed “lawfully, fairly and in a transparent manner . . . collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes . . . ” sufficient or “adequate” to properly fulfill the stated purpose for collection, having a relational link or relevance to that purpose, and limited or not excessive “in relation to the purposes for which they are processed.”105 Further, Article 5 requires that personal data be accurate, up to date, and every reasonable step taken in furtherance of ensuring “erasure” of inaccurate data.106 Agreements for consumers’ personal data must reflect these requirements in the Service Provider’s performance provisions. Further, data transactions flowing out of the performance of transparency obligations owed to Rightholders must not be inconsistent with contractual provisions concerning consumer data subjects.
Where appropriate, GDPR instructs Service Providers to obtain consent from the consumer data subject before processing107 or collecting any personal data, instituting an “opt-in” regime.108 Recital 32 provides that consent is obtained by a “clear affirmative act establishing freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as
a written statement, including by electronic means, or an oral statement.”109 There are six legal bases that justify processing personal data.110 Article 6 provides that processing shall be lawful only and to the extent at least one of the following applies:
a) the data subject has given consent to the processing;
b) processing is necessary for performing a contract to which the data subject is a party . . . ;
c) processing is necessary for compliance with a legal obligation to which the data controller is subject;
d) processing is necessary in order to protect vital interests of the data subject or another natural person;
e) processing is necessary for the performance of a task carried out in public interest or in the exercise of official authority vested in the data controller; [or]
f) processing is necessary for the purpose of the legitimate interest . . . . 111
The six legal bases for processing personal data nearly mirror the legal bases for transfer of that data.112 The Service Provider must determine its lawful basis before processing personal data and represent to the consumer data subject this reason in its notice. Furthermore, where processing is justified based on consent, the exchange of one’s personal information is further limited by specific requirements of notice and the manner of obtaining consent.113 Consent requests that do not conform to the Regulation are non-binding.114 Consent may also be withdrawn just as freely as it had been given and Service Providers may not hinder withdrawal of consent. More, consent is not regarded as freely given if there is no “genuine or free choice” or the data subject is “unable to refuse or withdraw consent without detriment.”115 Consequently, this paradox imposes a unique risk on Service Providers with business models reliant on consent alone as the legal basis for processing, as all downstream exchanges of the consumer data subject’s data will be at risk, subject to consumer whim, of losing the only basis that the exchange was predicated on. Further, a company cannot change the legal basis relied upon once it represents to the consumer data subject another such basis.116
Extrapolation of Service Providers’ use of consumer data for the purposes of fulfilling transparency obligations to Rightholders or content producers multiplies the risk of potential misuse of sensitive personal data, injects unpredictability into transactions, and disorients consumers’ privacy expectations as well as any expectation of remedy.117 If a Rightholder supplies copyrighted works with which the Service Provider then promulgates en masse, Service Providers are responsible to the Rightholder for the data relating to the subsequent access information by data subjects viewing the copyrighted work on Service Provider provided media. Regardless of the data’s form, Service Providers must give the data subject notice of the legal basis for collecting their personal information—an exercise of particular importance where the Service Provider’s website is free and accessible.118 Whether or not Service Providers are required by GDPR to reciprocate data accountability remains an open question. Specifically, this issue arises when providing a data subject, exercising the right of access,119 with information about the Service Provider’s disclosure of such data subject’s information to a Rightholder, providing for, in turn, the Rightholder’s personal information.
The scope of the GDPR is limited to the processing of personal data; anonymous data is excluded, as data controllers are not required to “maintain, acquire, or process additional information in order to identify the data subject . . . .”120 Heightened data exchanges as a result of statutory transparency obligations in turn contributes to the increased possibility that data from these transactions will be misallocated. Misallocation is one consequence, creating complications merely due to sheer volume. Therefore, Service Providers may desire a method of controlling data exchanges, such as by reclassifying data according to its business needs.121
Moreover, Service Providers may find reclassification a desirable strategy in light of the fact that, for the purposes of liability, the distinction between data controller and data processor has been eliminated from the GDPR.122 As a result, Service Providers can no longer avoid liability by arguing that it was not the data controller. Because the risk a potential data breach carries is increased exponentially with the addition of every Rightholder entering the data queue under the Directive’s transparency obligations, Service Providers should contract for pseudonymized data sets as the data set contemplated in any transparency obligation with Rightholders.123
Furthermore, it is unclear what obligations attach to Rightholders receiving data in this capacity and how U.S. jurisdictions will interpret those obligations.124 Similarly,
it remains unclear what obligations attach to disclosees of Rightholders in connection with the disposal—appropriately or otherwise— of such personal data. Both Rightholders and Service Providers should enter into negotiations with a heightened awareness of the importance possessed by each data set involved in licensing obligations as well as voluntary transactions.
When a consumer data subject initially consents to their data’s usage, the result is the Service Provider is deemed to own that data, subject to the particular data subject’s control.125 A data subject then, ideally, will receive personal data given to a Service Provider in a “structured, commonly used, machine-readable and interoperable format,” and may dispose of his or her personal data however it pleases, perhaps to transmit the data to another controller.126 Where applicable, data subjects’ rights extend such that Service Providers should maintain their data in “interoperable formats that enable data portability.”127 Data portability, as the GDPR contemplates it, consists of the right to obtain a copy of a data subject’s data and the right to transmit data to another data controller.128 However, some argue that the “propertization” of data results in social harm.129 In this light, commodification of personal data may be viewed as akin with trading, exchanging, or even—depending on your viewpoint—as selling your soul to the proverbial devil, rather than propertization as it is commonly understood, which grants rightful owners of personal data some flavor of a property right, accompanied by the characteristic power of exclusion.130
Service Providers may not always willingly provide pseudonymized data to Rightholders. In that case, an opt-in, consent dependent regime inevitably becomes a thorny issue with respect to those data transfers explicitly provided for under the Directive. Because of the EU’s opt-in, consent-based regime, any data transfer mandated by the Directive’s transparency obligation creates opportunities for the ownership of the data so transferred,131 in turn creating a dilemma in terms of obligations owed to data subjects. That is, what happens if a data subject revokes consent after a Rightholder, via a valid contract with the Service Provider, now owns the data? The Service Provider is obligated to halt all productive use of the data based on their withdrawn consent. However, the Rightholder is under no such obligation to halt productive use; the Directive does not mention any obligations or duties owed to data subjects that would attach to a Rightholder upon the transfer of such data from a Service Provider.132 Data subjects further are entitled to the right to be forgotten, but the obligation to erase the data subject’s data is limited to Service Providers,133 as applied to data sets subject to control by the data subject, in an “interoperable format.” Subsequent control by the Rightholder thus does not amount to a personal data breach134 where the data set does not correspond to the data set within the control of a particular data subject.
Though the outcome depends on the licensee-licensor character of the transaction between the Service Provider and the Rightholder, nevertheless, such data is in fact duplicated between two separate entities. The data could be licensed and, perhaps, the license agreement may require that the Service Provider provide title to the data outright (as part of bridging the value gap) or perhaps grant data to the Service Provider by nonexclusive license. There are many ways data can be chopped up and the contract controls. However, courts must be able to enforce the rights of the data subjects irrespective of how contracts handles such data. Data subjects who have previously given consent to Service Providers (who are in turn obligated by Article 19 to transfer over user data) that later revoke such consent must have a pathway to prevent Service Providers and Rightholders from making productive use of their data in the future. Withdrawn consent is, sensibly, then an issue that should be provided for in the agreement between the Service Provider and the Rightholder. Further, counsel drafting such agreements may consider contemplating how disputes over data that remains in use after consent is withdrawn on the front end. Counsel should also try to clarify what the appropriate indemnity obligations will be should GDPR noncompliance arise.
One solution may be to employ protections for nonconsensual data processing which are capable of avoiding the consent issue altogether. A Service Provider may be protected where it needs to process data in accordance with its legal obligations.135 Thus, the Service Provider’s transparency obligation to the Rightholder licensing a particular protected work could operate as a work around to the intent of the consentbased regime.136 However, the data subject remains free to object to the use of his or her personal data and the Service Provider will then need to establish a “legitimate interest [that] overrides the interests or the fundamental rights and freedoms of the data subject.”137 Seemingly then, so long as data
has been put to productive use or made the subject of a legal obligation, a data subject is unprotected on the front end and forced to seek remedy against use of his or her personal data, with successful recovery hinging on their engagement in a quasi-philosophical debate to determine whose interest is deemed to be ordained.
Where Service Providers’ practices do not respect the rights of users, provisions in Member States’ individual national laws must fill in the gaps and set forth judicial remedies and penalties.138 Otherwise, users may consent and revoke, or even give no consent to the collection of their personal information, much less read an online license agreement, privacy policy, or terms of use and still be bound to such terms.139 Website proprietors, as well as Service Providers, whose business traffics through their websites utilize so-called browsewrap agreements to justify data collection of the user’s browsing activity on the website, with user consent imputed merely by their use of the website.140 Several companies’ website data collection practices are increasingly disputed,141 with French courts willing to hold certain provisions of both Google and Twitter’s terms and conditions null and void.142 Additionally, France imposed a 50 million euro fine on Google for processing personal user data as to use it to personalize advertisements based on a lack of transparency, inadequate provision of information, and objections to the validity of consent given.143
Service Provider performance failures may similarly result in such hefty fines.144 Denmark found that the company Taxa did not adhere to the GDPR’s data minimization principle, retaining personal telephone numbers beyond the allowable retention limit for such data.145 Taxa also did not properly anonymize its data, and, despite deletion of customer names, information on its systems could still be connected to data subjects through the undeleted telephone numbers. Thus, Taxa failed to prudently operate within, and simultaneously breached, its performance provisions.146
Clearly, Service Providers may use or sell data outside the scope of the agreement with the consumer data subject, notwithstanding the applicable law in the Directive. Therefore, it is incumbent on Service Providers to establish the scope of the usage of the consumer’s data to include data transfers in accordance with the Directive through conspicuous language in the terms and conditions of the agreement and narrowly tailor the grant of the Service Provider’s rights to only the services performed. The agreement should require an access control policy that restricts access to data on a need-to-know basis and further provides that subsequent transfers of data, such as to Rightsholders, will comply with such access control. Further, consumer friendly agreements should include warranties regarding GDPR compliance. Expedient fulfillment of transparency obligations also necessitates contractual provisions which contemplate the location of company processors, data portability, subcontractors, and assignability.
Beyond the European continent, GDPR has also changed the landscape of privacy law in the U.S. Language utilized in the California Consumer Privacy Act (CCPA) is similar to that in the GDPR, stating that California residents may “opt out” of the status quo by directing a business engaging in the sale of information to third parties to halt such sale, with respect to personal information specific to that consumer.147 As defined, a “business” subject to the regulation is a “legal entity that is organized or operated for profit . . .”;- with annual gross revenues in excess of twenty-five million dollars; receives for its commercial purposes, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or- derives 50% or more in annual revenues from selling consumers’ personal information.148 The law grants residents certain rights against businesses that satisfy the statutory thresholds, similar to a “data processor” or “data controller,” as defined by GDPR, or “online content-sharing [S]ervice [P]rovider,” as defined by the Directive.149 Exploration or analysis of the operation of the opt-out regime, as it relates to the subject matter of this Comment, is not currently possible as the law does not go into effect until January 1, 2020. However, the inherent nature of an opt-out regime has resulted in Service Providers’ enjoyment of a head start in the processing of consumer data and, consequently, in converting such data sets into interoperable formats, anonymizing data, and otherwise producing unique datasets subject to copyright or trade secret protections, such that consumers will be unable to effectively claw much data back by the time individuals can effectively make opt-out declarations.
The impact of GDPR is not limited to the confines of Californian borders. Aiming to prompt Congressional response, the U.S. Chamber of Commerce has published model privacy legislation.150 The proposal lays out several solutions emphasizing transparency
in data collection and usage practices, data subject control achieved by an optout regime bearing similarity to CCPA, in addition to data security measures and FTC enforcement.151 If adopted, the proposal “will assist the privacy market by ensuring that processes exist for the exchange of data and for the detection of violations of privacy promises,”152 utilizing a decentralized approach (or multiple smaller markets) that enable individual enforcement by private rights of action, as supplemented by the FTC’s ongoing role in policing privacy guarantees.153
Under both the European and Californian regimes, Service Providers cannot be liable to Rightholders for off-limits, uncollected personal data, such as where a resident or data subject has respectively opted out of or failed to opt-in to the respective regime of law by affirmative consent. The obligations of the GDPR and now promulgated CCPA should carry forward when Rightholders receive transfers of data from Service Providers. Failure in this regard must be regarded as a data breach. While the Directive provides all data processing is to comply with GDPR, the extent to which this approach is useful in finding solutions to the “value gap” problem remains to be seen.
IV. Summary and Remark
Importantly, observers should note that “value gap” legislation is less a mechanical reconstruction of copyright law in Europe, and more a rearrangement of the negotiation stage as to content either party can prepare to monetize upon. In one corner, the Service Provider, armed with newly minted transparency, monitoring, and data protection obligations that increase the cost of doing business in the online-content market, may leverage such obligations and accompanying increased costs. This may be sufficient to stop the wall of Rightholders advancing with open palms, as Service Providers may happily fill those palms with “value gap” based solutions, while imposing certain contractual obligations of its own on Rightholders.
The Service Provider is at an immediate disadvantage at the negotiating table as both the transparency obligation and Rightholder entitlement to additional, appropriate, and fair remuneration may not be avoided by contract.154 Article 23 provides that “any contractual provision that prevents compliance with Articles 19, 20 and 21 shall be unenforceable.” Respectively, these Articles provide for the transparency obligation, contract adjustment mechanisms for claiming additional remuneration from Service Providers, and alternative dispute resolution procedures.155 There is only one other Article that restricts contractual exercises.156
Additionally, negotiation over the monitoring obligation favors the Rightholder, only because failure to come to a licensing agreement triggers the “monitoring obligation,” which amounts to a burden of proof that the Service Provider must satisfy should unauthorized content be communicated to the public on its web service. Depending on the Service Provider, however, the monitoring obligation may not apply or may not apply for certain elements.157 New Service Providers with services available to the Union public “for less than three years and which have an annual turnover below EUR 10 million . . . are limited to compliance with” making best efforts to obtain authorization and to “expeditiously” disable access to or remove infringing websites “upon receiving a sufficiently substantiated notice.”158 Service Providers within the exceptions may have to demonstrate that they have made their best efforts to prevent further uploads to the notified works if unique viewers “exceed five million.”159
A negotiating, for-profit Service Provider should first determine if it falls within one of the exceptions of Article 3, 5, or 6. If it does not, it should next take stock of its size and market share within certain sectors, as well as its user traffic data. A small Service Provider may be in a stronger negotiating position as against Rightholders, unable to browbeat such Service Providers with monitoring obligation concerns. A larger Service Provider that wields fewer resources than its competitors and cannot avoid monitoring obligations for unlicensed content will have to either adjust its bottom line or incur expenses in monitoring its website for unauthorized content in order to meet the new safe-harbor standard. This may not provide leverage in a negotiation, as the Rightholder will insist that any monitoring obligation that the Member State has imposed which cannot be avoided due to its size is clearly a Service Provider obligation, and passing on the costs of the obligation in exchange for an increased royalty would defeat the spirit of the “value gap.”
There are some points of egress out of a bad deal for the Service Provider. The Service Provider may require a warranty from
the Rightholder that it will comply with GDPR by securing data, giving notification upon data breach, and maintaining an information security policy. Such security policy may include a provision that binds the Rightholder to default rules about dataprocessing practices that permit transfers for an initial category of use of personal data, but only if the data subject is granted an opportunity to block the Rightholder’s further transfer or use by unaffiliated entities.160 The Service Provider should negotiate a provision where the Rightholder agrees to indemnify it for all actionable injury relating to data breaches arising out of the Rightholder sharing data received under a transparency obligation to a bad actor. The parties should agree to liquidated damages because the higher damages implicated under this approach encourage companies to keep their privacy promises and overcome collective action problems from data subjects whose individual costs for privacy violations may be too low to follow through on any claim.161 The Service Provider may also impose limitations on the its right to alienate such information by negotiating a combined use-transfer restriction that follows the personal information through downstream transfers.162
Data exchanges under transparency obligations will surely be challenging to negotiate,163 particularly given the fact that Rightholders expect certain information from Service Providers, which amounts to an extrapolation of the Service Provider’s business model. Even just a peek at any of the accumulated data derived from the exploitation of the Rightholder’s content provides greater context as to how Service Providers collect, process, and reorganize data. This kind of information falls within the definition of trade secret,164 and the Service Provider is well within its right to either bind the Rightholder to confidentiality in the license. In exchange the Rightholder would agree to a reduced value for its content or limit the disclosure of this information so that its business model may not be inadvertently misappropriated.165
Recital 4 explains that “[i]nnovative businesses are increasingly exposed to dishonest practices aimed at misappropriating trade secrets, such as theft, unauthori[z] ed copying, economic espionage or the breach of confidentiality . . . globalization, increased outsourcing, longer supply chains, and the increased use of information and communication technology contribute to increasing the risk of those practices.”166 It is within the realm of possibility that a so-called Rightholder would provide a Service Provider with a content license, and the content provided has the content smell to it, but when all is said and done, the Rightholder just wanted the Service Provider’s raw data for building out its own similar online content service. This is similar to the case in QSRSoft. Any unlawful acquisition in this way “compromises legitimate trade secret holders’ ability to obtain first-mover returns from their innovation-related efforts.”167
The Directive does not mandate disclosure of a Service Provider’s trade secret or confidential information to Rightholders. However, it seems that the purpose is to create a legal framework that incentivizes Service Providers to part with valuable consumer data by layering costs on Service Providers that are only alleviated at the negotiating table with Rightholders. It may be under a contract that the Service Provider imposes obligations on the Rightholder to create complementary software for surveillance of the web services in order to establish that the duty to police infringement rests with the Rightholder, not the Service Provider. In exchange, the Rightholder may be permitted to compile data that would otherwise be supplied by the Service Provider under the transparency obligation or the Service Provider may part with data it has compiled in this way. So long as the license does not allow the Service Provider to avoid the obligation of transparency,168 contract law allows for this kind of flexibility in performance. The EU legislation may provide for the conditions that put the two sides at the negotiating table with provisions to talk about.
One potential positive is that Service Providers will readdress their business models, leading to further innovation. Another benefit is that many Service Providers will probe the niche content market for revenue streams169 and become specialists in this way, opening up opportunities for previously untapped content producers to enter the market. The downside is that only the biggest firms that can afford to license generally will continue to dominate the market.
V. Conclusion
Several legal regimes must weigh in as to comprehensively address the “value gap” proposal. Copyright protection for compilations, trade secrets, and confidential information will limit the data that a Rightholder should expect to receive under transparency obligations. In addition, copyright law carve outs, such as fair use, will
necessarily restrict the measures that Service Providers may pursue when complying with monitoring obligations.
Data protection laws will necessarily limit the availability of consumer data that the Service Provider may legally transfer to the Rightholder, and at the same time, limit what consumers can claw back. Further, considerable cost-shifting onto Service Providers will take place in light of the fact that license renegotiations will come at a tremendous price. Transparency and monitoring obligations will surely cut into the Service Provider business models and limit what content they are able to provide. How Service Providers will mitigate against these costs and compel other parties to share in them still remains to be seen.
It is incumbent on all parties involved–whether the Service Provider, the Rightholder, or the data subject–to clearly delineate their proposed obligations, specify to which data sets those obligations attach, and firmly establish at the outset of negotiations what each parties’ purpose is. No party should fear setting the agenda. As with all negotiations, preparation is key. Thus, each party should enter into the bargain with a clear understanding both of their own objectives as well as their opponent’s, as to avoid negotiating from the other side’s agenda.
1. Press Release, European Commission, Digital Single Mark: EU Negotiators Reach a Breakthrough to Mondernise Copyright Rules (Feb. 13, 2019), http://europa.eu/rapid/ press-release_IP-19-528_ en.htm [hereinafter European Commission Press Release]. 2. Bill D. Herman, The Fight over Digital Rights: The Politics of Copyright and Technology, 7–10 (2013) (“[The] debate boils down to . . . how best to balance the interests of a diverse set of constituencies. . . . By the late 1990s, policymakers and media industry advocates were expressing particular concern about the possibility that the Internet would enable infringement. Yet the laws they passed in response to this concern failed to stop widespread online infringement . . . .”). 3. Id. at 211–2 (emphasizing the “bottom line” motivations behind all business decisions). 4. Id. at 8. 5. See Rainer Bauböck, Why
European Citizenship? Normative
Approaches to Supranational Union, 8 Theoretical Inquiries in Law 453, 455–7 (2007) (explaining that the European Union is known as a “supranational organization,” a decisional body not entirely dependent on the cooperation of its Member States, and has the power to make decisions binding on Member States and its members, with the power to enforce such decisions). 6. Comcast Corp., Economic Analysis of the Effect of the Comcast-TWC Transaction on Broadband: Reply to Commenters (Form S-4), at 8–10, 19 (Sept. 22, 2014) (citing companies with a fundamental part of their business in multibillion dollar ad revenue as well as citing licensing expenses); see also OECD, Copyright in the Digital
Era: Country Studies, in Enquiries Into Intellectual Property’s Economic Impact 209 (2015) [hereinafter OECD, Copyright in the Digital Era]. 7. OECD, Copyright in the Digital
Era, supra note 6, at 212; see also OECD, The Economic and Social Role of Internet Intermediaries 18 (2010), https://www.oecd.org/internet/ ieconomy/44949023.pdf [hereinafter OECD Internet Intermediaries]. 8. OECD Internet Intermediaries, supra note 7, at 5. 9. See European Parliament Press Release, Agreement Reached on Digital Copyright Rules (Feb. 13, 2019), http://www. europarl.europa.eu/news/en/ press-room/20190212IPR26152/ agreement-reached-on-digitalcopyright-rules [hereinafter European Parliament Press Release] (“[I]nternet companies have little incentive to sign fair licensing agreements with rights holders, because they are not considered liable for the content that their users upload. They are only obliged to remove infringing content when a rights holder asks them to do so. However, this is cumbersome for rights holders and does not guarantee them a fair revenue.”). 10. Directive 2019/790, of the European Parliament and of the Council of 17 April 2019 on Copyright and Related Rights in the Digital Single Market and Amending Directives 96/9/ EC and 2001/29/EC, 2019 O.J. (L 130) 92, 99, 107, 125 (published in the Official Journal of the European Union on May 17, 2019)[hereinafter Directive 2019/790] (Article 31 provides the “Directive shall enter into force on the twentieth day following that of its publication in the Official Journal,” which means the Directive will enter into force June 7, 2019. Article 29 provides that Member States have two years from June 7, 2019 to “bring into force the laws . . . necessary to comply with [the] Directive.”). 11. Id. at 122. 12. Id. at 113. 13. Id. at 102. 14. Id. at 121. 15. Id. at 105, 121–2. 16. Id. at 109-110. 17. Id. at 108 (“[S]ervice Providers should be transparent with rightholders with regard to the steps taken in the context of cooperation.”). 18. Id. at 110. 19. Id. at 108. 20. Id. at 110. 21. Id. 22. Id. at 107; see also id. at 120 (providing a metric for whether or not the Service Provider has complied with its monitoring obligations). 23. See 17 U.S.C. § 512 (2018) (naming one of the sections that the Act added or amended). 24. See Directive 2000/31/EC, of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market, 2000 O.J. (L 178) 1 [hereinafter Directive 2000/31]. 25. 17 U.S.C. § 512(b)(2)(E). 26. European Parliament Press Release, supra note 9. 27. Dirk Visser, Trying to Understand
Article 13, at 10 (SSRN, Working Paper, 2019), https://papers.ssrn. com/sol3/papers.cfm?abstract_ id=3354494. 28. EU Copyright Reform/Expansion - Article 13 Upload Filters, Julia Reda (Feb. 6, 2019), https:// juliareda.eu/eu-copyright-reform/ censorship-machines/ [hereinafter Julia Reda]; Article 13 is now Article 17. Sophie Goossens,
Article 13 (now Article 17) of the new EU Copyright Directive: what you need to know,Reed Smith (Apr. 5, 2019) https://www.reedsmith. com/en/perspectives/2019/04/ article-13-now-article-17-of-thenew-eu-copyright-directive. 29. Directive 2019/790, supra note 10, at 120 (demonstrating that it has “made . . . best efforts to ensure the unavailability of specific works... for which the rightholders have provided the service providers with the relevant and necessary information . . .”). 30. Visser, supra note 27, at 10. 31. See Directive 2019/790, supra note 10, at 106. 32. See Eleonora Rosati, DSM
Directive Series #5: Does the DSM
Directive Mean the Same Thing in
All Language Versions? The Case of
‘Best Efforts’ in Article 17(4)(a),The IPKat (May 22, 2019), http:// ipkitten.blogspot.com/2019/05/ dsm-directive-series-5-does-dsm. html (detailing how the “best efforts” obligation is mistranslated into different language versions that will result in challenges for judiciary and the application of resulting national provisions). 33. Directive 2019/790, supra note 10, at 120 (emphasis added). 34. Case C-314/12, UPC Telekabel Wien GmbH v. Constantin Film Verleih GmbH, 2014 E.C.L.I. 192 (holding that an injunction may impose an obligation to measures that come at significant expense, have considerable impact on the organization of activities, or require difficult and complex technical solutions, so long as the injunction leaves the Service Provider free to determine the specific measures, provided those measures are reasonable). 35. Directive 2001/29/EC, of the European Parliament and of the Council of 22 May 2001 on the Harmonisation of Certain Aspects of Copyright and Related Rights in the Information Society, 2001 O.J. (L 167) 10, 15 [hereinafter Directive 2001/29]. 36. See Directive 2019/790, supra note 10, at 107, 120 (Article 17 and Recital 66 provides that there is not a general monitoring obligation, leaving the determination up to Member States). 37. LibertiesEU, Article 13 Open
Letter – Monitoring and Filtering of Internet Content is Unacceptable, Liberties (Oct. 16, 2017), https://www.liberties.eu/en/ news/delete-article-thirteen-openletter/13194; see also Julia Reda, supra note 28. 38. Julia Reda, supra note 28. 39. Julia Reda, supra note 28. 40. Martin Senftleben, Christina Angelopoulos, Giancarlo Frosio, Valentina Moscon, Miquel Peguera & Ole-Andreas Rognstad, The
Recommendation on Measures to
Safeguard Fundamental Rights and the Open Internet in the Framework of the EU Copyright Reform, 40 Eur. Intell. Prop. Rev. 149, 149 (2017), https://papers.ssrn. com/sol3/papers.cfm?abstract_ id=3054967. 41. Id.; see also Directive 2001/29, supra note 35, at 17 (Article 5(3) (d) & (k)). 42. For the U.S., see U.S. Copyright Office, DMCA Section 104 Report: A Report on the Register of Copyrights Pursuant to § 104 of the Digital Millennium Copyright Act 8–9 (2001) https://www. copyright.gov/reports/studies/ dmca/sec-104-report-vol-1.pdf [hereinafter DMCA Section 104 Report]; for EU, see Directive 2001/29, supra note 35 at 10–11. 43. Berne Convention Implementation Act of 1988, Pub. L. 100-568, 102 Stat. 2853 (1988). 44. S. Rep. No. 115-339, at 2 (2018) (“Music copyright and licensing laws are too difficult to comply with and do not adequately reward the artists and professionals . . . .”). The use of this language mirrors the language used to justify Directive
end notes
2019/790. Compare Directive 2019/790, supra note 10, at 122 (“Member states shall ensure that . . . authors and performers or their representatives are entitled to claim additional, appropriate and fair remuneration from the party with whom they entered into a contract for the exploitation of their rights . . . when the remuneration originally agreed turns out to be disproportionately low compared to all the subsequent relevant revenues derived from the exploitation of the works or performances.”). 45. Orrin G. Hatch—Bob Goodlatte Music Modernization Act, Pub. L. No. 115-264, § 132 Stat. 3676 (2018) (replacing 17 U.S.C. § 301(c) and codifying law at 17 U.S.C. § 1401(e)). 46. U.S. Copyright Office, The Orrin G. Hatch—Bob Goodlatte Music Modernization Act, https:// www.copyright.gov/musicmodernization/mma-pamphlet. pdf (last visited Oct. 24, 2019). 47. Marsha Ajhar, Music to Our Ears:
The Music Modernization Act of 2018 Smith, Gambrell, & Russel, LLP, https://www.sgrlaw. com/music-to-our-ears-the-musicmodernization-act-of-2018/ (last visited Oct. 24, 2019) [hereinafter
Music to Our Ears]. 48. Allen Bargfrede, The MMA and
EU Copyright Reform Are Charging
Ahead. What Will Be Their Impact? Medium (Oct. 5, 2018), https:// medium.com/verifimedia/themma-and-eu-copyright-reformare-charging-ahead-what-will-betheir-impact-407e79f70da4. 49. S. Rep. No. 115-339, at 6 (2018) (reasoning “licensees benefit most from the reduction in transaction costs” and thus should bear the “reasonable costs”). 50. Music to Our Ears, supra note, 47. 51. Music to Our Ears, supra note, 47. (“The legislation also modifies the process for selecting federal district court judges to adjudicate rate-setting disputes regarding performance rights organizations that are subject to consent decrees with the Department of Justice.”). 52. Directive 2019/790, supra note 10, at 95 (explaining Rightholders are entitled to “proportionate” measures “necessary to pursue the objective of ensuring the security and integrity of the system” based on information provided by Rightholders). 53. U.S. Copyright Office, Joint Study of Section 1201(g) of the Digital Millennium Copyright Act, https://www.copyright.gov/ reports/studies/dmca_report.html (last visited Dec. 8, 2019). 54. Kirtsaeng v. John Wiley & Sons, Inc., 568 U.S. 519, 535 (1984). 55. Kewanee v. Bicron, 416 U.S. 470, 484–87 (1974). 56. Dep’t Com. Internet Pol’y Task Force, Department of Commerce: Copyright Policy, Creativity, and Innovation in the Digital Economy, 29 (2013), https://www.uspto. gov/sites/default/files/news/ publications/copyrightgreenpaper. pdf (“[L]icensing mechanisms have been developed as a less risky alternative to relying on fair use.”). 57. See OECD, Copyright in the Digital
Era, supra note 6, at 214 (“[D] igital technology greatly reduces the cost of copying, distributing, and transforming content, which has led to the availability of more copyrighted content and much wider usage of it than ever before . . . .”). 58. OECD, Internet Intermediaries, supra note 7, at 6. 59. Craig Joyce et al., Copyright Law 49 (10th ed. 2016); see also Twentieth Century Music Corp. v. Aiken, 422 U.S. 151, 156 (1975) (“The immediate effect of our copyright law is to secure a fair return for an author’s creative labor. But the ultimate aim is, by this incentive, to stimulate artistic creativity for the general public good.”). 60. Trotter Hardy, Property (and
Copyright) in Cyberspace, 1996 U. Chi. Leg. F. 217, 217 (1996), https://chicagounbound. uchicago.edu/cgi/viewcontent. cgi?article=1205&context=uclf (“If a new idea is freely appropriable by all, if there exist communal rights to new ideas, incentives for developing such ideas will be lacking.”). 61. Joyce et al., supra note 59, at 40. 62. Internet Usage in the European Union, Internet World Stats, https://www.internetworldstats. com/stats9.htm (last visited Nov. 8, 2019). 63. Pamela Samuelson, Digital
Media and the Changing Face of Intellectual Property Law, 16 Rutgers Computer & Tech. L. J. 323 (1990). 64. Joyce et al., supra note 59, at 15. 65. The Invention that Changed the
World, Carrier, http://www. williscarrier.com/1876-1902.php (last visited Nov. 20, 2019). 66. Amazon (company), Wikipedia, https://en.wikipedia.org/wiki/ Amazon_(company) (last updated Nov. 18, 2019). 67. Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 443 (1984) (“[A]nyone who . . . makes a fair use of the work is not an infringer of the copyright with respect to such use.”); Lenz v. Universal Music Corp., 801 F.3d 1126, 1133 (9th Cir. 2015) (stating that fair use is not merely a defense to infringement, but is an expressly authorized right, and an exception to the exclusive rights granted to the author of a creative work.). 68. 17 U.S.C. § 107 (2018). 69. Giancarlo Frosio, To Filter or
Not to Filter? That is the Question in the EU Copyright Reform, 36 Cardozo Arts & Entm’t L. J. 331, 357 (2018), https://papers.ssrn. com/sol3/papers.cfm?abstract_ id=3058680 (“Automated systems cannot replace human judgment that should flag a certain use as fair or falling within the scope of an exception or limitation.”).
See also, Updates to our manual
Content ID claiming policies, YouTube https://youtubecreators.googleblog.com/2019/08/ updates-to-manual-claimingpolicies.html [https://perma.cc/ W2DN-S5KM] (last visited Oct. 18, 2019) (describing YouTube’s change to their manual claiming policies “to improve fairness in the creator ecosystem, while still respecting copyright owners’ rights to prevent unlicensed use of their content . . .”). 70. Frosio, supra note 69, at 348. 71. Case C-360/10, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v. Netlog NV, 2012 E.C.R. 85, at §§ 36–38 (emphasis added). 72. Indeed, it is axiomatic to say that initial determinations could be made by A.I., but the ultimate fair use question must be decided by a human. See generally Jonathan P. Osha, et al., 2019 – Study Question – Copyright/Data Copyright in
Artificially Generated Works, AIPPI (2019), https://aippi.org/ wp-content/uploads/2019/08/ SummaryReport_COPYRIGHTDATA_London2019_ final_160719.pdf (discussing how human intervention is still necessary for A.I.-generated works to be eligible for copyright protection). 73. U.S. Const. amend. XIV, § 1. 74. The most appropriate regime is through Congress, which must delegate “intelligible principles” of administration of these claims to the Copyright Office, creating a new agency department within that Office that may adjudicate such claims. See U.S. Const. art. I, § 1 (providing the Constitutional basis for non-delegation); see also 35 U.S.C. § 134(a) (2012) (providing the procedure for adjudicating claims to rights in patents); see also 35 U.S.C. § 144 (2012) (providing the appropriate procedural safeguards such that delegation of adjudication of patent rights to the USPTO does not violate the non-delegation doctrine). 75. The Voight-Kampff test, in Phillip K. Dick’s novel Do Androids Dream of Electric Sheep, was used by LAPD’s “Blade Runners” to test whether an individual was an android “replicant” or human. Victor Gomes, The Science Behind
“Blade Runner”’s Voight-Kampff
Test, Nautilus (Oct. 6, 2017), http://nautil.us/blog/the-sciencebehind-blade-runners-voight_ kampff-test [https://perma.cc/ J62R-3J43]. 76. Broadcom Corp. v. Qualcomm Inc., 501 F.3d 297, 303 (3rd Cir. 2007) (discussing what role a standard determining organization plays in the development of industry standard technology), Ericsson, Inc. v. D-Link Sys. Inc., 773 F.3d 1201, 1209 (Fed. Cir. 2014) (discussing standard essential patents are patents used by the general public because the collaborative efforts to create standards requires devices utilize specific technology). 77. See Broadcom Corp., 501 F.3d at 304 (“[T]he European Telecommunications Standards Institute . . . and its SDO counterparts in the United States . . . requires a commitment from vendors whose technologies are included in standards to license their technologies on fair, reasonable, and nondiscriminatory (“FRAND”) terms.”). 78. 17 U.S.C. § 203(a)(3) (2018). 79. Id. at § 203(a)(1)-(2). 80. 17 U.S.C. § 304(c) (2018) (providing for termination rights for author grants made before January 1, 1978). 81. 17 U.S.C. § 203(a)(3) (2018). 82. Directive 2019/790, supra note 10, at 122. 83. See 17. U.S.C. § 203 (2012). 84. Directive 2019/790, supra note 10, at 93. 85. Directive 2019/790, supra note 10, at 122. 86. Directive 2019/790, supra note 10, at 122. 87. Directive 2019/790, supra note 10, at 125. 88. Feist Publ’ns, Inc. v. Rural Tel.
Serv. Co., 499 U.S. 340, 349–50 (1991). 89. Id. 90. BellSouth Adver. & Publ. Corp. v. Donnelley Info. Publ., Inc., 999 F.2d 1436, 1445 (11th Cir. 1993). 91. OECD, Copyright in the Digital Era, supra note 6, at 213-14 (“[S]ome analysed economies (the European Union, and consequently the United Kingdom, Italy, and Poland) have also introduced additional legislation to cover noncreative databases that is intended to strengthen the rights of database creators.”). 92. Directive 2016/943, of the European Parliament and of the Council of 8 June 2016 on the Protection of Undisclosed Knowhow and Business Information (Trade Secrets) Against Their Unlawful Acquisition, Use and Disclosure, 2016 O.J. (L 157) 1, 9 [hereinafter Directive 2016/943]. 93. See Daniels Health Scis., LLC v. Vascular Health Scis., LLC, 710 F.3d 579, 583–84 (5th Cir. 2013) (determining compilation of research data used to produce drug met the standard for trade secret protection); see generally Rohm & Haas Co. v. ADCO Chem. Co., 689 F.2d 424, 433 (3rd Cir. 1982); see also Brocade Commc’ns. Sys. v. A10 Networks, Inc., 873 F. Supp. 2d 1192, 1215 (N.D. Cal. 2012) (determining combination of customer names together with information such as the customer’s buying patterns and product needs met standard for trade secret protection); see Edgenet, Inc. v. GS1, AISBL, 742 F. Supp. 2d 997, 1026–27 (E.D. Wis. 2010) (determining compilation of publicly available product data protectable as trade secret where categories used to organize the data were not publicly available and could not be recreated without extensive effort and investment). 94. Directive 2019/790, supra note 10, at 108. 95. Directive 2019/790, supra note 10, at 108. 96. Elizabeth A. Rowe, Contributory
Negligence, Technology and Trade
Secrets, 17 Geo. Mason L. Rev. 1, 12–13, 27–29 (2009). 97. Id. at 29. 98. See Amazon.com LLC v. Lay, 758 F. Supp. 2d 1154, 1170–72 (W.D. Wash. 2010) (agreeing that complying with the North Carolina Department of Revenue’s request to disclose one data set containing names, addresses, and detailed descriptions of the products ordered by each Amazon customer, in addition to disclosure of another data set containing product code numbers, order ID numbers, seller, ship-to-city, county, postal code, non-taxable amount of purchase, and tax audit record ID info, would violate the VPPA, legislation aimed to protect intellectual privacy); id. at 1163 (concluding that the disclosure of the “reading, watching, and listening habits poses an imminent threat of harm and chill to the exercise of First Amendment rights.”). 99. QSRSoft, Inc. v. Rest. Tech., Inc., No. 06 C 2734, 2006 U.S. Dist. LEXIS 76120, at *4–5 (N.D. Ill. Oct. 19, 2006). 100. See Amazon (company), supra note 66 (explaining how publishing companies could recapture market share). 101. OECD Internet Intermediaries, supra note 7, at 6 (discussing how Service Providers capitalize on hosted content). 102. See European Parliament Press Release, supra note 9. 103. H.R. Rep. No. 60-2222, at 7 (1909). 104. Directive 2019/790, supra note 10, at 124. 105. Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/ EC, 2016 O.J. (L 119) 1, 35 [hereinafter Regulation 2016/679] (GDPR went into effect on May 25, 2018). 106. Id. 107. Id. at 31–33 (providing for Article 4(2) which defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, or combination, restriction, erasure or destruction . . . .”). 108. Sarah Hospelhorn, California
Consumer Privacy Act (CCPA) vs. GDPR, Varonis (Nov. 5, 2018), https://www.varonis.com/ blog/ccpa-vs-gdpr/#; see also Regulation 2016/679, supra note 104, at 6 (Recital 32 provides that consent is obtained by a “clear affirmative act establishing freely given, specific, informed and unambiguous indication of the data subject’s agreement to processing of personal data relating to him or her, such as a written statement . . . by electronic means, or an oral statement.”). 109. Regulation 2016/679, supra note 104, at 6. 110. Regulation 2016/679, supra note 104, at 36. 111. Regulation 2016/679, supra note 104, at 36; see Regulation 2016/679, supra note 104, at 9 (Recitals 47 and 48 explain the “overriding legitimate interest.”). 112. Regulation 2016/679, supra note 104, at 64 (providing for Article 49 which addresses specific situations in which a data transfer is legally justified where conditions giving rise to an adequacy decision pursuant to Article 45(3) or appropriate safeguards pursuant to Article 46 are not met). 113. Regulation 2016/679, supra note 104, at 8 (providing for Recital 42 which conditions data control on consent requests in an “intelligible and easily accessible form, using clear and plain language,” containing no “unfair terms.”). 114. Regulation 2016/679, supra note 104, at 37. 115. Regulation 2016/679, supra note 104, at 8 (Recital 42 explains where consent is a condition of using the service the court should be wary of finding that consent was “freely given.”). 116. ICO, Guide to the General Data Protection Regulation 55 (GDPR) (Aug. 2, 2018), https://ico.org.uk/media/ for-organisations/guide-tothe-general-data-protectionregulation-gdpr-1-0.pdf [hereinafter ICO Guide to GDPR]. 117. See Chiara Giorgetti, Rethinking the Individual in International Law, 22 Lewis & Clark L. Rev. 1085, 1111–16 (2019) (discussing the international approach to standing and enforcement of individual rights internationally). 118. E.g. YouTube, https://www. youtube.com/about/press/ (last visited Nov. 15, 2019) (providing that users watch one billion hours of copyright subject matter daily and, thus, YouTube collects massive amounts of personal information daily). 119. ICO Guide to GDPR, supra note 115, at 100, 105 (providing individuals can make a request verbally or in writing and the Service Provider has one month to comply; this one-month period may be extended by a further two months). 120. Regulation 2016/679, supra note 104, at 39; see also, Regulation 2016/679, supra note 104, at 32 (“This Regulation . . . [applies] . . . to the processing of personal data . . . .”); see also, Regulation 2016/679, supra note 104, at 33 (“[A]ny information relating to an identified or identifiable natural person.”). 121. Regulation 2016/679, supra note 104, at 5 (“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”). 122. Regulation 2016/679, supra note 104, at 3 (providing for Recital 13 which sets out the policy of ensuring a “consistent level of protection for natural persons . . . [and] provid[ing] legal certainty and transparency for economic operators . . . and to provide natural persons . . . with the same level of legally enforceable rights and obligation and responsibilities for controllers and processors . . . ”). 123. Inge Graef, Martin Husovec & Nadezhda Purtova, Data
Portability and Data Control:
Lessons for an Emerging Concept in
EU Law, 19 German L.J. 1359, 1371-72 (2018) [hereinafter Data
Portability] (“[C]ontrollers [may] opt for processing pseudonymized datasets to avoid the obligations of data portability when they are unwilling to share—for instance to preserve their unique datasets.”). 124. 16 C.F.R. § 682.3(a) (2018) (“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized . . . use of the information in connection with its disposal.”); see also 16 C.F.R. §§ 682.3(b), 312.1, 312.8, 312.10 (2018). 125. Regulation 2016/679, supra note 104, at 2 (“Natural persons should have control of their own personal data.”). 126. Regulation 2016/679, supra note 104, at 13. 127. Regulation 2016/679, supra note 104, at 13. 128. Data Portability, supra note 122, at 1369. 129. Paul M. Schwartz, Property,
Privacy, and Personal Data, 117 Harv. L. Rev. 2055, 2081-82, 2084 (2004) (“Propertization . . . will neglect important social values that information privacy should
advance.”). 130. See 17 U.S.C. § 106 (2018); see also 35 U.S.C. § 154 (2012). 131. Ownership of data may always be contracted for, and the data subject enters into a contract with the Service Provider upon consent to processing, whereby the Service Provider obtains title to the data subject. Nothing in the GDRP prohibits this. See Regulation 2016/679, supra note 104, at 13 (providing that the data subject’s rights are overshadowed where processing is necessary for the performance of a legal obligation). 132. Regulation 2016/679, supra note 104, at 12 (“Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient.”); this only applies to the disclosure of the data set to which the data subject has control. 133. Regulation 2016/679, supra note 104, at 12 (providing the “data subject . . . [has] the right to have personal data . . . rectified and a ‘right to be forgotten’ where the retention of [the] data infringes this Regulation . . . to which the controller is subject.”); Regulation 2016/679, supra note 104, at 33 (“ ‘[C]ontroller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data . . . .”). 134. Regulation 2016/679, supra note 104, at 34 (“ ‘[P]ersonal data breach’ means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”). 135. Regulation 2016/679, supra note 104, at 36 (providing six legal bases for processing data without consent at Article 6). 136. The transparency obligation is a contractual performance obligation for those who seek to license copyright protected works.
See Directive 2019/790, supra note 10, at 122. 137. Regulation 2016/679, supra note 104, at 13. 138. Directive 2002/58/EC, of the European Parliament and of the Council of 12 July 202 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002/58/EC, 2002 O.J. (L 201) 37, 42 [hereinafter Directive 2002/58/EC]. 139. Catherine Schmierer, Better Late than Never: How the Online
Advert. Industry’s Response to
Proposed Privacy Legis. Eliminates the Need for Reg., 17 Rich. J.L. & Tech. 1, 13 (2011); see also Pamela Jones Harbour, Remarks Before
FTC Exploring Privacy Roundtable
Washington D.C, Federal Trade Commission 1, 2 (2009), http://www.ftc.gov/ speeches/ arbour/091207privacyroundtable. pdf; see also M. Angela Buenaventura, Teaching a Man to Fish: Why Nat’l Legis. Anchored in Notice and Consent Provisions
Is the Most Effective Solution to the Spyware Problem, 13 Rich. J.L. & Tech. 1, *14-*15 (2006) (noting that courts often construe clickwrap agreements as binding “whether or not meaningful consent was actually present, and whether or not the user even saw the terms [of the contract] to begin with.”). 140. Schmierer, supra note 138, at 14–15. 141. See In re Sears Holdings Mgmt. Corp., No. 082-3099, 2009 WL 2979770 (F.T.C.), at *1 (Aug. 31, 2009); id. at *6–7 (Sears Privacy Statement and User License Agreement contained deceptive language in its websites where the language stated that consumer would retain control over the collection of their information when in fact the software downloaded upon acceptance of the agreement terms ran in the background of consumer’s computers, and consumers who installed the application often had no knowledge that their personal information was collected; this resulted in settlement between Sears and the FTC, whereby Sears agreed to destroy all data collected and to clearly identify all future attempts to track consumers’ online activities.). 142. Tribunal de Grande Instance [ordinary court of original jurisdiction] Paris, civ., Aug. 7, 2018, 14/07300; see also Tribunal de Grande Instance [ordinary court of original jurisdiction] Paris, civ., Feb. 12, 2019, 14/07224 (“Ses finalités générales concourent donc parfaitement avec celles du droit de la consommation visant notamment à sanctionner tout déséquilibre contractuel significatif entre les professionnels et les simples particuliers dans leurs différentes activités de consommation.”) (providing that the GDPR is aimed at “penalizing any significant contractual imbalance between professionals and private individuals in their various consumer activities . . . .”). 143. Commission Nationale de l’Informatique et des Libertés [National Data Protection Commission] Paris, civ. Jan. 21, 2019 SAN-2019-001. 144. Regulation 2016/679, supra note 104, at 82 (providing for a “lower” level, $10 million or 2% of worldwide revenue, and “upper” level $20 million or 4% of worldwide revenue). 145. Cynthia O’Donoghue & Karen Lee Lust, Danish DPA Issues its
First GDPR Fine for Late Deletion of Customer Telephone Numbers, Lexology, Apr. 18, 2019, https:// www.lexology.com/library/detail. aspx?g=13e6d9c1-1c7d-410ca583-7776062d41d9 [https:// perma.cc/V6SB-VW9V]. 146. Id.; Regulation 2016/679, supra note 104, at 35–36 (recalling Article 5 obligations and responsibilities imposed on all controllers and processors). 147. 2018 Cal. Stat. 1807 (2017-2018 Regular Session) § 1798.120 (to be codified at Cal. Civ. Proc. §§ 1798.100–1798.198, eff. Jan. 1, 2020) [hereinafter CCPA]. 148. Id. § 1798.140(c)(1). 149. Regulation 2016/679, supra note 104, at 33 (providing for Article 4(7) & (8); both are defined as people or entities that determine how data will be processed, with “processors” being third parties that process data on behalf of “controllers”); see Directive 2019/790 at note 10, at 113 (providing for Article 2 which states that an online contentsharing Service Provider means a “provider of an information society service of which the main or one of the main purposes is to store and give public access to a large amount of copyright-protected works or other protected subject matter uploaded by its users, which is organises and promotes for profit-making purposes.”). 150. Press Release, U.S. Chamber Releases Model Privacy Legislation, Urges Congress to Pass a Fed. Privacy Law (Feb. 13, 2019, 9:15 AM), https://www. uschamber.com/press-release/uschamber-releases-model-privacylegislation-urges-congress-passfederal-privacy-law [https:// perma.cc/T6WV-EGAL]. 151. Rachel F. Fefer, Cong. Research Serv., R45584, Data Flows, Online Privacy, and Trade Policy 18 (2019). 152. Schwartz, supra note 128, at 2110. 153. Schwartz, supra note 128, at 2111. 154. See Directive 2019/790, supra note 10, at 122-23. 155. Directive 2019/790, supra note 10, at 122-23. 156. Directive 2019/790, supra note 10, at 113-14 (providing for Article 7 prohibitions on contract: “[a] ny contractual provision contrary to the exceptions provided for in Articles 3, 5 and 6 shall be unenforceable,” where these Articles, respectively, provide for use of online content for text and data mining for the purposes of scientific research, use of content for cross-border teaching activities, and use of content for preservation of cultural heritage). 157. See Directive 2019/790, supra note 10, at 107, 120. 158. Directive 2019/790, supra note 10, at 120. 159. Directive 2019/790, supra note 10, at 120. 160. Schwartz, supra note 128, at 2098. 161. Schwartz, supra note 128, at 2109. 162. Schwartz, supra note 128, at 2098. 163. Recall that the transparency obligation cannot be negotiated out of the license, the Service Provider can negotiate what data it hands over so long as the information adequately passes Directive muster. See Directive 2019/790, supra note 10, at 123. 164. See Directive 2016/943, supra note 91, at 1 (“Businesses, irrespective of their size, value trade secrets . . . [and] use confidentiality as a business competitiveness and research innovation management tool . . . that extends beyond technological knowledge to commercial data such as information on customers and suppliers, business plans, and market research and strategies.”). 165. See Directive 2016/943, supra note 91, at 2. 166. Directive 2016/943, supra note 91, at 2. 167. Directive 2016/943, supra note 91, at 2. 168. See Directive 2019/790, supra note 10, at 124. 169. See Dust, https://watchdust. com (last visited Nov. 16, 2019) (example of a niche online-content sharing Service Provider).
