Nordic IPT Law Bulletin - December

IT & Telecom

EU legislation - Sweden/Denmark/Norway/Finland
 

Sweden

Covert Interception of Data – Evaluation and Permanent Legislation (SOU 2023:78)
The law (2020:62) on covert interception of data (Sw. Lagen om hemlig dataavläsning) entered into force on 1 April 2020 and introduced a new covert coercive measure in the form of data scanning that the law enforcement authorities can use on suspicion of serious crime. The law allows Swedish law enforcement authorities to secretly enter by technical means e.g. computers, mobile phones or user accounts or communication services in order to read or record information contained in the physical equipment or service. The law is limited in time until the end of March 2025.

A Committee appointed by the Sweden Government evaluated the law and released its Government Official Report (Sw. Statens Offentliga Utredningar) report in November 2023 in which it is recommending that the law is made permanent and that its scope is extended in order to facilitate investigative efforts on reasonable suspicions of crime, provided that the application is balanced with control mechanisms and other legal safeguards to reduce the risks to personal integrity and information security.

Denmark

Implementation of the NIS2 Directive in the financial sector
The Danish FSA has submitted a draft bill for a public hearing regarding the NIS2 Directive, which aims to raise the standard of cybersecurity in the financial sector. 

In the financial sector, boards of directors will be responsible for cyber risk management and will therefore have to approve organizations’ cybersecurity strategies.

The FSA will have oversight powers and will be able to conduct audits and impose sanctions for non-compliance, including a ban on the continued leadership of the management team. The Act is expected to enter into force on 1 July 2024.

Norway

During the fall, the Norwegian Communications Authority (NKOM) has been receiving and reviewing a substantial amount of feedback from service providers and stakeholders regarding the establishment of regulation on broadband services
The feedback is intended to provide NKOM with a better basis for assessing which markets and areas require further analysis and assessment, before specific regulation is suggested. So far, the variety and interests shown through the feedback have illustrated the complexity of the area and that due process is required in order for the appropriate and adequate regulations may be enforced.

Intellectual Property and media

EU legislation - Sweden/Denmark/Norway/Finland

Sweden

"Work of applied art"
In 2021 the furniture company Asplund filed a lawsuit with the Swedish Patents and Market Court (the "Court") against the furniture retail chain MIO, claiming that MIO's dining table "Cord" infringed Asplund's copyright in the dining table "Palais Royal". The Court found that the Palais Royal table was a copyright protected work of applied art (Sw. brukskonst), and that the Cord table infringed that copyright.

MIO appealed the decision to the Swedish Patents and Market Court of Appeal, which in turn halted the proceeding to refer questions to the Court of Justice of the EU ("CJEU") regarding the Infosoc-directive (2001/29/EC) and work of applied art.

This is an interesting case to follow as the CJEU has been asked to clarify, among others, in assessing whether a work of applied art is copyright protected. How should the test be carried out to decide that the work reflects the author's free and creative choices? How should the similarity assessment be conducted to conclude whether a work of applied art infringes copyright protected work?

DLA Piper will provide an update once the CJEU deliver its responses.

Denmark

Bill on certain media service providers' contribution to the promotion of Danish culture (the Cultural Contribution Act)
On 3 November 2023, the Bill on the introduction of a cultural contribution requiring on-demand streaming service providers to contribute to Danish content production was introduced in the Danish Parliament. 

The cultural contribution will be introduced as a fixed contribution of 2% of the turnover of all on-demand streaming services aimed at a Danish audience. If the on-demand streaming service invests at least 5% of its turnover in Denmark in Danish content, the service will be exempted from a higher cultural contribution of 3% of its turnover in Denmark. 

The law is scheduled to come into force in 2024, while the cultural contribution will be levied for the first time in 2025, based on the media service providers' turnover in Denmark in 2024.

Norway

The Norwegian Intellectual Property Office (NIPO) and the Board of Appeal for Industrial Property Rights (KFIR) has issued several decisions, including the following:

NIPO approved application for "STRATOS" for services in classes 36, 41 and 43. Youngstorget Eiendom AS’ subsequently filed an opposition, claiming that there was a likelihood of confusion between STRATOS and their older trademark “Stratos” which had been established through use. NIPO, however, dismissed the opposition.

KFIR concluded that the word mark "HiSecEngine" had inherent distinctiveness for certain goods in class 9. The mark was, however, considered to be descriptive and lacking distinctiveness for the rest of the applied-for goods in class 9 and all the services in class 42.

KFIR concluded that the mark "Saint Tropez" was descriptive and lacks distinctiveness for the goods and services in classes 18, 25 and 35, as the mark is considered to be perceived as an indication of the location of the goods in question.

Finland 

Finnish Supreme Court rules the case between SodaStream and MySoda, 17.11.2023
The decision KKO:2023:87 of the Finnish Supreme court (KKO) concerned trademarks and exhaustion of trademark rights. The case had previously been heard by the Finnish Market Court and the Court of Justice of the European Union.

In the case, the owner of the trademarks SODASTREAM and SODA-CLUB (Sodastream, the plaintiff) had placed on the market in Finland reusable carbon dioxide bottles for use in carbonation equipment for beverages, engraved with its trademark and with a label attached. MySoda had sold and marketed in Finland carbonators which did not include a carbon dioxide bottle and had received Sodastream carbon dioxide bottles returned by consumers and had removed the label and replaced it with its own pink or white label, leaving the earlier trade visible, and had sold the refilled bottles. The plaintiff in the case had brought an action against MySoda. In its decision, the Market Court found that the exclusive rights conferred by

Sodastream's trademarks for the carbon dioxide bottles put into circulation had been exhausted, but the question remained whether, despite the exhaustion of the trademark rights, the plaintiff had a legitimate reason to oppose the marketing and sale of the bottles. The Market Court found that the white labels did not infringe the trademark but confirmed that MySoda's pink labels infringed the trademarks. The court also prohibited the defendant from continuing or repeating this practice under penalty of a fine.

Both parties appealed the case to the KKO. The KKO decided to refer the case to the Court of Justice of the European Union for a preliminary ruling, which issued its decision in case C-197/21 on 27 October 2023. The KKO analysed whether the plaintiff, despite the exhaustion of its rights, had a legitimate ground to oppose the procedure on the grounds that the replacement of the labels by the defendant's labels was not necessary from the point of view of resale in accordance with the Bristol-Myers Squibb conditions applicable to trademarks under European Union law (the conditions being that the repackaging or marking of the goods bearing the trademark must be necessary for their sale and the legitimate interests of the trademark proprietor must be guaranteed). If the conditions were not applicable, the Supreme Court would have to assess whether the conduct gives consumers a false impression of the economic link between the parties as legitimate grounds for opposing the use of the trademark.

The KKO found that the conditions were not applicable in this case, leaving it to be assessed whether the plaintiff was entitled to oppose the procedure on the basis of a false impression of an economic link. Ultimately, the KKO held that the plaintiff had a legitimate interest in objecting to the sale and marketing of carbon dioxide cylinders bearing the trademarks SODASTREAM or SODA-CLUB engraved on the surface and with a pink label. However, as regards the white labels, the plaintiff had no legitimate reason to oppose the procedure. Therefore, the infringement occurred only in respect of the pink labels. Having reached the same conclusion as the Market Court, the KKO did not change the outcome of the interim judgment, but referred the case back to the Market Court as regards the claims for compensation for infringement and damages. The case suggests that the protection of the IPR holder remains strong, for example in relation to arguments in favour of recycling. On the other hand, it can be seen from the case that the purpose of the trademark, i.e. to serve as a means of distinction, must still be considered as the most important factor.

Marketing law

EU legislation - Sweden/Denmark/Norway/Finland
 

Sweden

Supervision on environmental claims in focus
The Swedish Consumer Agency (the "Agency") has conducted a supervision on environmental claims in the banking sector and has reviewed 15 investment firms' advertising with environmental claims and observes a clear improvement since the last supervision of the sector in 2020.

Denmark

Large insurance company sentenced for misleading marketing by the Supreme Court on 25 September 2023 
In a landmark decision on 25 September 2023, the Supreme Court sentenced the large insurance company Alka for misleading marketing practices in 2016-2017. 

Alka falsely advertised its car insurance policies on TV channels and YouTube, claiming that prices would remain fixed in the event of a claim. Despite these assurances, Alka's terms and conditions allowed it to change prices and cover with 14 days' notice after a claim was reported.

The Supreme Court ruled that Alka's marketing statements misled consumers into believing that claims wouldn't affect prices. This was in direct breach of Section 5 of the Danish Marketing Practices Act. The Court emphasized that Alka's option to increase premiums after a claim made the advertising misleading, regardless of whether Alka exercised this option.

The penalty imposed was a fine of DKK 16 900 000, double the marketing costs of DKK 8 450 000. This decision was based on the “old” rules, where the fine for a first offence could be twice the marketing costs. If the new rules had been applied, taking into account the company's turnover, the fine could have been higher, reflecting the seriousness of the offence.

Norway

The Consumer Authority (CA) has launched new educational tools for children in elementary school (grades 5-7)
The tools are intended to enlighten and educate children on how to recognize advertisements, the influential powers of marketing and what means may be utilized in order to increase the level of influence.  

The Council dealing with unfair marketing practices (NKU), which issues non-binding statements regarding traders’ compliance with chapter six of the Marketing Control Act (Protection of the interests of traders), has issued a number of statements, including:

• Pharmacy chain, Apotek 1, had violated good business practice amongst traders (Section 25 of the MCA) in case NKU-07-2023;
• Interstil’s bar stool AKITA was an illegal imitation of HAY’s ApS’ bar stool, AAS 32, violating Scetion 30 of the MCA;
• Synnøve Finden’s packaging for cheese was not an illegal imitation of Tine’s packaging.

Finland

Statement of the Finnish Council of Ethics in Advertising, 30.11.2023
As a means of attracting attention to the advertisement, a sound similar to the "SOS" signal used by the authority, was used on television in connection with a hazard announcement. The Council of Ethics in Advertising has received a request for an opinion from an individual on a television advertisement by Eckerö Line Ab Oy. In the opinion of the petitioner, the publication is contrary to good practice because the advertisement contains a warning beep throughout. This is normally heard when the public is warned of a danger nearby. According to the applicant, the alarm sound is unnecessarily frightening. In the advertisement, mermaids find a beeping telegraph device in a bag. One of the mermaids says: "What a good offer."

According to the marketer, in the advertisement, the mermaids are lying on a reef and wonder at the bag, which emits an electric noise known as morse code. The mermaids examine the bag and find a telegraph, a device that transmits and receives morse code. The frequency of the sound heard in the advertisement differs from the warning sound used on television by about four steps. Electroshock, or morse code, is not the sound of danger, but a communication technology.

According to the view of the media, it is clear from the advertisement that it is an advertisement and does not contain any unfair content. The advertisement speaks over a faint murmur in the background. Electrotyping is not the voice of danger, but a communication technology and a universal language. The frequency of the sound is different from the warning sound used by the authorities. The message spoken over the morse code is clearly commercial in content. The Rescue Department of the Finnish Ministry of the Interior argued that the signal sound of the advertisement can be confused with the same SOS sound that is used when a danger message appears on the television screen. The use of the signal tone in the advertisement may cause confusion and the viewer may look at the television without thinking that it is a danger message. However, the sound is quite muffled in the background.

The Council of Ethics in Advertising noted that the sound used to attract attention in the advertisement is the same as that used by the authority in a television warning. The Council of Ethics in Advertising stated that fear should not be exploited in marketing without justifiable cause. For these reasons, the Council of Ethics in Advertising considered that the marketer had acted in violation of ICC's marketing rules. The advertisement was contrary to good practice.

Consumer law

EU legislation - Sweden/Denmark/Norway/Finland
 

Sweden

"30-day price rule"
The Swedish Consumer Agency (the "Agency") has released a guidance statement regarding the disclosure of the 30-day price. In summary, the statement entails the following:

• The 30-day price must be indicated if the retailer use a marketing claim such as 'final sale', "realization", or other expressions which give the impression that the price has been reduced,
• The price reduction indicated by a percentage or an amount may not be calculated on any other price than the 30-day price,
• The 30-day price should be displayed in the immediate vicinity of the discounted price in a style and size that is easy to read, and
• It is typically not allowed to display an additional reference in addition to the 30-day price.

New fee in relation to consumer disputes
An amendment to the Act (2015:671) on alternative dispute resolution in consumer relationships, is proposed, which would authorize the Government to issue regulations on application fees in cases of alternative dispute resolution at the National Board for Consumer Disputes. Anyone who initiates such a case may therefore have to pay a fee. The legislative amendment is proposed to enter into force on 1 July 2024.

Denmark

Consumers must not be silenced
A company that rents out selfie cameras for parties included a confidentiality clause in its sales and rental conditions. The Consumer Ombudsman found that this violated both the Danish Marketing Practices Act and the Danish Contracts Act. 

The terms and conditions stated that the consumer waived the right to write negative or critical reviews and mentions about the company in the event of certain incidents, such as improper use. 

Although the company never enforced the confidentiality clause against consumers, the Consumer Ombudsman found that the condition was contrary to good marketing practice, as companies must tolerate consumers' subjective statements and reviews. 

The company has now removed the clause from its terms and conditions.

Norway

There have been several amendments to Norwegian consumer, marketing and e-commerce law entered into force this fall
The amendments follow the implementation of directive (EU) 2019/2161, which imposes stricter and more extensive obligations on traders (especially those involved in e-commerce). The amendments include a new obligation for traders to ensure that any customer reviews featured or otherwise utilized in their marketing are in fact real. Other important changes worth mentioning are the new rules on price reduction practices.

The CA and Consumer Council has also started looking into the legality of certain invoice fees, particularly those of telecom companies and electricity suppliers. Electricity suppliers have been found to charge up to 74 NOK for issuing physical paper invoices by mail to customers while a survey conducted by Norges Bank indicates that the actual for issuing a paper invoice and sending it by mail is around 6 NOK.

Finland

The Finnish Consumer Ombudsman has appealed to the Supreme Administrative Court against the decision to impose a penalty payment on Masku (a major Finnish furniture shop chain) - Notice of the Finnish Competition and Consumer Authority 1 November 2023
The Finnish Consumer Ombudsman is seeking a decision from the Supreme Administrative Court to increase the amount of the penalty payment imposed by the Finnish Market Court on Masku Kalustetalo Oy to one million euros.

In September, the Market Court ordered Masku Kalustetalo Oy to pay a penalty of EUR 300 000 for misleading discount marketing. The Consumer Ombudsman proposed a higher penalty of €1 million. According to the Consumer Ombudsman, the EUR 300 000 fine imposed does not have sufficient specific and general effect. The amount of the fine imposed on Masku is not such that the infringement would not continue to be profitable for Masku. Since 2020, the Consumer Ombudsman has been able to propose to the Market Court that it impose a penalty payment on a trader who acts to the detriment of consumers intentionally or negligently and infringes or neglects essential consumer rights. This is the first time that the Consumer Ombudsman has used this means.

The Masku proceedings concerned repeated infringements of consumer protection legislation, for which the company has been subject to injunctions and periodic penalty payments imposed by the Market Court. The injunctions and periodic penalty payments previously imposed on Masku by the Market Court have not acted as a deterrent for Masku to refrain from the marketing activities in 2020-2021 that are the subject of the contested proposal.

Masku's conduct, which consisted in the repeated use of a discounted price in the form of a campaign and a significant number of discounts, was liable to obscure consumers' perception of the normal level of prices charged by Masku and, consequently, of the actual advantage derived from the discount.

Data Privacy

EU legislation - Sweden/Denmark/Norway/Finland
 

Sweden

Decisions by the Swedish Authority for Privacy Protection ("IMY") not to investigate a complaint further or to close a supervision related to a data subject's complaint without action may be appealed
The Supreme Administrative Court has in two judgements found that IMY's decisions to not investigate a complaint and to close a supervision case related to a data subject's complaint, where the outcome of the supervisory negatively affected the complaining data subject, are appealable under GDPR Art. 78.1.

The IMY issued a fine of SEK 58 M (approx. EUR 5.1 million) against a streaming company for deficiencies in the fulfilment of data subjects' right to access (GDPR Art. 15)
The IMY found that the streaming company did not provide data subjects with information regarding e.g. the purpose of the processing of personal data, the categories of personal data undergoing processing and the relevant retention period, when data subjects exercised their right to access. The IMY found that the communication provided to data subjects under GDPR Art. 15 did not fulfil the requirements of being clear and intelligible (GDPR Art. 12.1).

Denmark

Bill to raise the age of consent for the processing of personal data 
On 14 November 2023, a bill was introduced in the Danish Parliament to raise the age limit for children to consent to the processing of personal data in connection with the provision of information society services from 13 to 15 years. The change is intended to help protect children online.  

The Act is expected to enter into force in 2024. Consent given before the Act enters into force will be subject to the current rules.

Norway

The Norwegian Data Protection Authority (NDPA) has actively been pursuing Meta since summer, due to their conclusion that the companies’ practices for behavioral advertising have not been legal under the GDPR
In August, the NDPA issued a temporary ban on the companies’ behavioral advertising, and a compulsory fine of MNOK 1 per day has since been running. Meta has brought the case to court twice, challenging the legality of the NDPA’s ban and fine, but has thus far not been heard with their claim. The NDPA on the other hand has also brought the case to the European level, and in late October, the European Data Protection Board (EDPB) confirmed that it agreed with the assessment and ban issued by the NDPA.

The NDPA has also issued a notice to the Norwegian Labor and Welfare Administration (NAV), including both notice of an infringement fine of NOK 20 million, as well as several orders.

The Norwegian Privacy Appeals Board (Personvernnemda) has upheld the 65MNOK record fine for Grindr due to Grindr's sharing personal data, to service targeted surveillance-based advertising, without a legal basis.

Finland

Charges filed in the Vastaamo data breach case
The prosecutor has filed charges of aggravated data breach, aggravated attempted extortion, 9,598 aggravated dissemination of information that violates private life, 21,316 attempted aggravated extortion, and 20 aggravated extortion. The aggravated data breach has been committed between 25 and 26 November 2018 and other crimes between September and October 2020.

The Psychotherapy Centre Vastaamo's data breach case is a data breach that took place in 2018 and 2019 and became public on 21 October 2020, in which personal and patient data of a total of 33,086 clients of the Psychotherapy Centre Vastaamo were stolen and at least partially published on the Tor network. The operator who appeared under the username ransom_man tried to extort money by publishing the information initially from Vastaamo and later from individual customers, but failed to do so.

Office of the Data Protection Ombudsman recalls: an organisation must assess the seriousness of the breach for the data subjects, 8 November 2023
The Office of the Data Protection Ombudsman has added instructions on how to report a personal data breach to its website. The guidance for organisations covers how to assess the seriousness of the impact on the data subject, how to inform data subjects, how to complete the notification and how to meet the deadlines. Data controllers must notify a personal data breach to the office of the Data Protection Ombudsman if the breach may pose a risk to the rights and freedoms of natural persons.

Organisations can submit a security breach notification using the online form of the Office of the Data Protection Ombudsman on the Security Form service of the Government ICT Centre Valtori. If the organisation uses its own platform, it must ensure that the notification contains the information required by the GDPR.

Supplementary guidance from the Office of the Data Protection Ombudsman on the issues to be considered in a security breach notification:

1. Assess the severity of the impact of the breach on the data subject.The controller must carefully assess the severity of the potential impact on the data subjects affected by the breach. The purpose is to specifically assess the severity of the impact on the data subjects, not the consequences for the controller. Data subjects must be informed of a high risk situation without undue delay. Where appropriate, the Office of the Data Protection Ombudsman may order the organisation to inform the victims of a breach.
2. Always notify the data subject in the event of a high risk, even if the high risk is eliminated by the measures taken after the discovery of the breach.
   The actions taken by the controller after a breach has been detected may eliminate the high risk posed to the data subject by the breach, at least for the period after the actions have been taken. Even if the high risk is removed, the data subject may have been at high risk before the measures were taken. In such cases, the data subject must in principle be informed of the personal data breach.
3. Make a preliminary notification to the Office of the Data Protection Ombudsman, if necessary, and complete it on your own initiative.
   The data controller may submit a preliminary notification to the Office of the Data Protection Ombudsman if only limited information on the breach is still available. The notification shall be completed at a later stage on its own initiative.
4. Submit a breach notification within 72 hours, providing a reasoned explanation if necessary.
   A breach notification should be submitted without undue delay, even if not all the details of the incident are yet fully known. If the notification is not made within 72 hours, the controller must provide the Office of the Data Protection Ombudsman with a reasoned explanation for the delay.

We at DLA Piper are happy to assist you with Data Privacy matters. We have experience in providing advice, assistance and support to our clients in relation to the following:

• Audits, GAP-analysis and data mapping under the General Data Protection Regulation (GDPR)
• Privacy compliance programs and policies
• Data retention analysis
• Data security, data loss prevention and data breaches
• Online and mobile tracking and consumer protection regulation
• E-discovery and investigations management
• Incident Response Planning and Execution
• Supervisory authority relations (notifications, authorisations, DPO appointments as a service)
• Whistle-blowing hotlines, employee monitoring and suspect persons screening
• Data subject access and opposition rights
• Global data transfer management (transfer agreements, BCRs, etc.)

Other relevant legal topics

Denmark

Text and data mining - the exception as the new starting point?
On 1 June 2023, the Danish Parliament passed a bill implementing parts of the DSM Directive. The amending act came into force on 7 June 2023 and included, among other things, the new Section 11b on text and data mining (TDM) in the Danish Copyright Act.

The effect of Section 11b is to permit the making of copies of copyrighted works through text and data mining if the person performing the text and data mining has lawful access to the works and the author has not expressly and reasonably reserved his or her rights.

The rule is thus an exception that results in a deviation from the general rule that authors must give prior permission for their works to be used.

This rule is likely to have a major impact on the future of AI models.

Norway

Strict legal regulation and supervisory actions have led to the adverting of foreign gambling services becoming practically non-existent on Norwegian tv-screens
Gambling is strictly regulated under Norwegian law and few providers have been granted the license required in order to legally provide such services in Norway. Currently, no foreign providers hold such a license, meaning they are also not allowed to market their services towards Norwegian consumers. The Gambling Authority and Media Authority have for the past year(s) been actively monitoring the marketing activities of various foreign gambling and betting service providers and issuing strict fines where direct marketing actions have been found. As a result, such advertisements have been significantly reduced on Norwegian tv-screens and is currently virtually non-existent.

Finland

Private copying continues to fall in Finland, according to study
The Ministry of Education and Culture commissioned a study from the Finnish market research company, Taloustutkimus, the main aim of which was to find out how much private copying took place in Finland this year. Among other things, the study showed that copying among 15-79 year olds continues to fall and has even halved since 2015. The study shows that 137,000 music and 649,000 video material copies were made by 15-79 year olds covered by legal private copying, with a total of 755,000 copiers. In 2022, for example, there were 851,000 copiers, a significant drop even in a single year.

The number of private copying copies, including both music and video files, is estimated at 188-210 million files. Overall, this is lower than in 2022, but music files have been copied more this year and videos less than in the previous year. This compares with previous years: 197-213 million files in 2022 and around 260 million in 2017, compared with an estimated 725 million files in 2013.

Music was most often stored on mobile phones and computers, videos also on mobile phones and online storage services for TV programmes. The most common sources for music were streaming services, free online storage and original CDs, and for video recordings TV programmes. In terms of graphic material, the study found that 80% of people living in Finland have printed, recorded, photocopied or scanned material for private use. Printing and recording were the most commonly used media, especially for copying photographs, government forms, food instructions/recipes, educational materials or articles. The material was usually published by a private person (website or blog), a company or a public administration.

(News release of the Finnish IPR University Center, 8 November 2023, available in Finnish at: https://iprinfo.fi/uutiset/tutkimuksen-mukaan-yksityinen-kopiointi-laskee-edelleen-suomessa/)

Further emphasis on Finnish corporate security - A leading Finnish business organization develops a business security model
Business security means ensuring and developing the security of all company operations. The company's security measures aim to protect important assets such as people, information, reputation, property and the environment from various risks. The key role of corporate security is to promote the competitiveness of the company and improve productivity. Security is part of the company's quality system and also provides added value to customers. It is therefore worthwhile for a company to commit itself to continuous improvement of its safety performance.

The Confederation of Finnish Industries has developed a model for business security, the various components of which help to outline and examine the security area of a company.

The model is available here (in Finnish): https://ek.fi/hyotytietoa-yrityksille/yritysturvallisuus/