preloader logo

The agency's legal responsibility to its client.

Riestra Abogados.

Is the agency aware of all the legal implications of the actions it proposes to its client? The client expects it to be so.

From the very conception of the idea, the legal implications must be clear.

A legal error in the campaign, in addition to losing the account, means assuming responsibility for the imposed fine, facing lawsuits, or assuming the expense of withdrawing the campaign.

Do you use your client's databases?

If so, according to Article 12 of the Organic Law on Data Protection (LOPD), it is mandatory to have a signed personal data processing contract.

But the most important thing for an agency is if we also subcontract the campaign to third-party providers, we need our client's prior authorization, and must sign another data processing contract with that provider. Remember that according to the LOPD, transferring data without consent can result in a fine of between €40,000 and €300,000.  

Do you use stock images?
The client must be informed of the scope of the license for the images used, including the territorial scope, duration, and intended uses. Otherwise, the agency could assume liability and have to pay the necessary amounts to cover the license, which can be significant sums. To avoid this, understand the terms of the licenses being acquired and communicate them to the client in writing.

Do you contract audiovisual production services with third parties?
As in the previous paragraph, the scope of the production must be defined with the client and reflected in an audiovisual production and intellectual property rights transfer contract. If actors are hired, the same applies to the transfer of their image rights.

Do you commission software development?
In this section, it is very important to clearly state who owns the source code. Without it, the software being custom-developed is useless. But it's just as important to include this in the contract as the practical way in which it's delivered to you, because it's of little use to me if the supplier is, for example, in Argentina or India.

Are you developing a website for your client?
There are two important points worth highlighting:
(i) If you use OPEN SOURCE in your programming, read the terms of use carefully, as they often limit it to commercial use (as was the case with our client's website). This contract is often governed by US law, and there, compensation of $50,000 is being paid for each open source page used without the corresponding license, i.e., multiplying the website pages by $50,000.
(ii) The client is responsible for providing the legal texts of their data protection policy on the website. If the client requests this from the agency, the agency must seek legal advice; the consequences of copying and pasting can be disastrous.

Forms of Advertising and Data Protection.

Riestra Abogados. 
Regulation (EU) 2016/679
  1. Definitions.
  2. Basic regulations.
  3. Commercial communications and data protection.
  4. Relevant aspects of telephone advertising.
  5. Relevant aspects of electronic advertising.
  6. Viral marketing.
  7. Anonymity on the Internet.
  8. Cookies.
  9. Online advertising. New online advertising methods, personalized and based on user identification, have led to the updating of data protection regulations, such as the new European Data Protection Regulation 2016/679, which in its Article 7 establishes the conditions for consent as follows:
  1. Where processing is based on the data subject's consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
  2. Where the data subject's consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a form that is clearly distinguishable from the other matters, in an intelligible and easily accessible manner, and using clear and plain language. No part of the declaration that constitutes a breach of this Regulation shall be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as easy as giving it.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that are not necessary for the performance of that contract.
This article aims to provide an overview of advertising methods and their implications for personal data protection.

Definitions  

We must keep in mind two definitions that will be the cornerstones throughout this article.
a. Advertising is understood as: "any form of communication carried out by a natural or legal person, public or private, in the exercise of a commercial, industrial, artisanal, or professional activity for the purpose of directly or indirectly promoting the contracting of movable or immovable property, services, rights, and obligations." (Art. 2 of Law 34/1988, November 11, General Advertising Law)
b. Commercial communication: "any form of communication aimed at promoting, directly or indirectly, the image or the goods or services of a company, organization, or person carrying out a commercial, industrial, artisanal, or professional activity." (Annex to Law 34/2002, of July 11, on information society services and electronic commerce)
It is interesting to note in the definition of advertising the reference "for the purpose of directly or indirectly promoting the purchase of movable or immovable property, services...", as well as in the definition of commercial communication, "any form of communication aimed at the direct or indirect promotion of the image or of the goods or services...". In other words, the term "indirect" practically covers all forms of advertising and commercial communication that we might think are not within the scope of the regulation, because the simple communication of a brand will fall within the definition of advertising or commercial communication, unless we prove otherwise. For example, sending an email asking a customer to subscribe to our newsletter is a commercial communication, and unless we have their consent, it cannot be sent.

Basic regulation

When a company decides to launch a new product and/or service, it implicitly entails making decisions regarding what type of advertising is most appropriate for the action they intend to carry out. To do this, it is necessary to know whether said advertising involves the processing of personal data or not, since this will determine whether, in the event of collecting personal data, different security measures must be established to protect the rights of users.

What type of advertising involves data protection processing?

Television advertising does NOT require data protection:
If a company decides to promote its products, promotions, etc., through television, such advertising will not involve the direct collection of users' personal data, as feedback, understood as the possibility of creating a personal database with the user or consumer, is not possible through this medium. Therefore, the basic regulations governing such advertising are:
 
o Law 7/2010, of March 31, on Audiovisual Communication.
o Law 34/1988, of November 11, on General Advertising.
o Law 3/1991, of January 10, on Unfair Competition.
o Sectoral regulations.

In any case, let's not forget that if it's a televised contest or sweepstakes, there's an obligation to provide information about data processing, including the cost of the call and the features of the service, among other obligations (Article 18 of Order PRE/361/2002, of February 14, implementing the rights of users and premium-rate services, Title IV of Royal Decree 1736/1998, of July 31, approving the Regulation implementing Title III of the General Telecommunications Law; in conjunction with Article 20 of the General Law for the Protection of Consumers and Users).

Telephone advertising DOES involve the processing of personal data:
How many times have we received a call offering us a product? Well, in those situations where the call is recorded and you are asked for certain information such as your first name, last name, email address, etc., personal data is being collected, and the relevant data protection regulations must be taken into account. Therefore, the reference regulations in these cases are:
o Royal Legislative Decree 1/2007, of November 16, approving the revised text of the General Law for the Defense of Consumers and Users and other complementary laws.
o Organic Law 15/1999, of December 13, on the Protection of Personal Data and its implementing regulations.
o General Data Protection Regulation 2016/679.

Advertising carried out electronically or through information society services DOES involve the processing of personal data:
This type of advertising refers to advertising transmitted through websites, emails, text messages, etc. For example, when advertising is carried out through websites (banners, pop-ups, etc.), we are using the user's IP address to place cookies that help us generate more accurate and tailored advertising tailored to the user's needs. Therefore, we are processing personal data, since the computer's IP address is also considered personal data because it allows us to identify the user of that device.
The regulations we must take into account are:
o Law 34/2002, of July 11, on information society services and electronic commerce.
o Organic Law 15/1999, of December 13, on the Protection of Personal Data and its implementing regulations.
or General Data Protection Regulation 2016/679.

Commercial communications and data protection
a. What should be done before sending commercial communications?
Before sending any commercial communications, we must pay attention to the following aspects:

If you are not our clients
- Common files for exclusion from the sending of commercial communications (Article 49.4 of the RLOPD); these files are also known as the Robinson List. Currently, the Robinson List of the Spanish Association of the Digital Economy is the only exclusion file existing in Spain.
- Any individual registered on this list expresses their opposition to the sending of commercial communications by digital means. In other words, all companies intending to send commercial communications must consult this list beforehand, in order to exclude from their mailings all users listed in their databases. In any case, please remember that we cannot send commercial communications electronically without the express consent of users.

If you are our clients: 
- Review of the company's own exclusion list. That is, the list of users in the database of the company in question who have expressed their opposition to data processing. Users on this list must be excluded from receiving commercial communications; however, it is permitted to retain the data truly essential to identify the user and not send them commercial information.
- We must also verify that the user has been given the right to object to receiving commercial communications or that express consent has been obtained to send commercial communications (Article 15 of the Regulations for the Development of the Organic Law on Data Protection).
b. After sending commercial communications
- After sending commercial communications, the company must keep track of the objection requests received and proceed to delete said data. Diligence must be exercised in managing ARCO rights and developing and designing a simple and free procedure for exercising them. We must strictly comply with the regulations, thus maintaining an up-to-date file. Relevant Aspects of Telephone Advertising
The reform of consumer and user regulations has resulted in the limitation of telephone advertising. For this purpose, we must adhere to Articles 96 et seq. of the General Law for the Protection of Consumers and Users, which establish the following:
- Under no circumstances may telephone calls be made to consumers before 9:00 a.m. or later than 9:00 p.m., nor may they be made on holidays or weekends.
- If communication techniques involving an automated call system without human intervention, or faxes, are to be used, the consumer's prior express consent is essential.
- Telephone calls must be made from an identifiable telephone number; that is, a hidden number may not be used.
- The identity of the company and the commercial purpose of the call must be clearly communicated at the beginning of any conversation. Likewise, the identity of the person making the call and their relationship with the company they are calling on behalf of must be disclosed.
- It is very important to know that when a consumer contacts the company regarding any incident or complaint, they should not be offered new services or products during the call.

Relevant aspects of electronic advertising

We must also keep in mind the formal aspects established in the Law on Information Society Services and Electronic Commerce (LSSI) regarding the content and format that commercial communications must comply with via this medium, among which we highlight the following:
- Commercial communications must be clearly identifiable; for this purpose, the words "Advertising," "Publi," "Newsletter," etc. must be used (Article 20.1 LSSI).
- The legal or natural person sending the message must also be clearly identifiable in the message (Article 20.1 LSSI).
- It is advisable to include direct access to the website's terms of use and privacy policy (Article 20.1 LSSI).
- The possibility of exercising ARCO rights easily and free of charge must be included in each message (Article 21.2 LSSI).

Viral marketing

It's becoming increasingly common to hear the term viral marketing, videos that become viral content, etc., all because they spread very quickly. Therefore, we can define the concept of "viral marketing" as: that which manages to generate interest and the willingness to make potential purchases of a brand or product through messages that spread like a virus; it is carried out easily and quickly from person to person; hence, social media is the ideal medium for such advertising.
Taking "Refer a Friend" as a reference, we can observe:
i. Problems: The Spanish Data Protection Agency (AEPD) has sanctioned this activity on several occasions, based on the fact that the company provides the "sender" with a system for sending data to the "receivers," considering that this involves processing personal data without the latter's consent. (Sanctioning Procedure/00183/2009 and Sanctioning Procedure/00323/2007).
ii. Solutions: The website owner must not process personal data (neither of the sender nor of the recipient), and the user must send the commercial communication at their own risk. For example, technically, a form-mail provided by a third party that does not collect personal data must be provided.
However, this practice, sanctioned by the Spanish Data Protection Agency, a consequence of abuse in certain online sweepstakes, is still inconsistent with one of the reasons why the Internet exists: to share news.

Anonymity on the Internet

The goal of anonymity is more ambitious than simply hiding the name of the person or user by whom they are identified. Rather, what is sought is confidentiality in the activities we carry out online and, above all, what is intended to be protected is, on the one hand, the protection of anonymous speech (freedom of expression) and the protection of personal data. However, the reality is somewhat more complicated if we consider that most of the time, the transactions we carry out are recorded.
For example, if you send an email to another person through a provider like Google or Yahoo, it reveals that you are both in contact and contains a series of metadata such as the location where you were when the email was sent, the time, the software used, etc.
The same would happen when we visit a website, as it usually has cookies installed through which the website can know where you were when you visited the page, the time, and whether you previously used the same device to access the website. Therefore, when you access any website, you will almost certainly have provided this information, among other things, to the internet service provider, the search engine, and third parties that enable our daily internet use.
Therefore, it is important for users (individuals or legal entities) to be aware that IP addresses identify the device from which they are carrying out transactions and are therefore considered personal data (AEPD Report 327/2003).
Finally, to generate greater trust in service providers and intermediaries, they must be encouraged to exercise due diligence regarding the personal data they handle to safeguard user rights.

Cookies

First, we must define what cookies mean: "They are files that allow the storage of amounts of data ranging from a few kilobytes to several megabytes on the user's device" (definition given by the AEPD Cookie Guide, accessible in this guide).
In other words, they are files containing small amounts of information that are downloaded to the user's device when they visit a website. Their main purpose is to recognize the user each time they access the website.
a. Type of cookies
1. Technical cookies. These are those that allow the user to navigate through a website, platform, or application and use the different options or services available therein.
2. Personalization cookies. These are those that allow the user to access the service with some predefined general characteristics based on a series of criteria on the user's device.
3. Analysis cookies. These cookies allow the data controller to track and analyze the behavior of users on the websites to which they are linked.
4. Advertising and behavioral advertising cookies. These manage advertising space, and the latter also analyze information on user behavior obtained through continuous monitoring of their browsing habits.
b. Legal regulation
Article 22.2 of the Law on Information Society Services and Electronic Commerce (LSSI) (transposition of Directive 2009/136/EC) must be applied in accordance with the Cookie Guide of the Spanish Data Protection Agency (AEPD). In summary, the following must be reported via a first layer (via a pop-up window, etc.):
- The use of cookies and whether they are first-party or third-party cookies. Only those cookies that are not exempt need to be reported, as provided in Article 22.2 of the LSSI (technical cookies).
- First-party cookies: those sent to the user's terminal from a computer or domain managed by the website owner and from which the service requested by the user is provided.
- Third-party cookies: those sent to the user's terminal from a computer or domain not managed by the website owner, but by another entity that processes the data obtained through the cookies. Similarly, cookies installed from a computer or domain managed by the website owner, but the information collected through them is managed by a third party, are not considered first-party cookies.
- Where applicable, a warning that if a certain action is performed, the user will be deemed to have accepted the use of cookies (e.g., by browsing, you accept the Cookie Policy).
- A link to a second information layer containing more detailed information.

Online advertising

a. Types of Online Advertising:
- Paid Search: sponsored links such as Google AdWords.
- Contextual advertising (keywords).
- Personalized advertising: e.g., registered user.
- Geotargeting (IP).
- Social advertising: Facebook, LinkedIn, Instagram, etc.
- Retargeting or remarketing.
- Behavioral advertising.
b. Behavioral advertising:
i. Definition
“Advertising that is based on the continuous observation of individuals' (online) behavior” (Opinion 2/2010 of the Article 29 Working Party on Online Behavioral Advertising, June 22, 2010).
ii. Characteristics
- Browsing tracking (tracking cookies);
- The creation, by companies, of browsing profiles based on certain criteria;
- The sending of a specific advertisement to a specific browser so that it appears during the user's browsing.
iii. Participants:
• Advertisers.
• Web publishers: On-site advertising (first party) or through an intermediary (third party).
• Ad networks: intermediaries between advertisers and publishers (e.g., DoubleClick).
• Ad servers: send the advertisements.
iv. Guidelines to keep in mind for profiling (Art. 22 of the General Data Protection Regulation 2016/679):
- The website must inform you about the possibility of user profiling for segmentation, the tools that will be used, and the purpose.
- Obtain consent clearly and explicitly.
- Offer the right to exercise ARCO rights.
c. Codes of conduct: a set of rules not imposed by law or regulation, which define certain behaviors or commercial practices to which companies that decide to adhere to them are subject.

- EASA Best Practice Recommendation on Online Behavioral Advertising
Information obligations according to the codes of conduct:
- On your own website:
- Who is responsible for the cookies
- What data they collect
- What is the purpose of using the data
- In or around advertising:
- A universal informational icon that provides access to a tool to opt out of this type of advertising.

Posts relacionados

Data protection clauses are changing with the new European regulation.

Riestra Abogados. The current Organic Law 15/1999, of December 13, on the Protection of Personal Data establishes the obligation to include an information clause when collecting personal data. Consider the clauses we currently use in web forms, digital media, paper forms, or those communicated over the telephone.The European Data Protection Regulation includes new obligations in addition to those currently in place, although it should be noted that it will be applicable as of May 25, 2018. However, it is important to be familiar with it because significant reviews and changes will be required to companies' data protection policies.Needless to say, fines for data protection violations, already considerable under our Organic Law on Data Protection, will skyrocket with the new Regulation.For example, Article 83.5 of the European Regulation provides:5. (…) administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher.What's new?Regarding the new features, which are not few, regarding the information we must indicate in data protection clauses when we collect data directly from users and according to Article 13, these are:a) The contact information of the data protection officer, where appropriate.b) The legal basis for the processing.c) The recipients or categories of recipients of the personal data.d) The intention of the controller to transfer personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers, reference to the appropriate safeguards and the means to obtain a copy of these or the fact that they have been provided.e) The period during which the personal data will be retained or, where this is not possible, the criteria used to determine this period.f) The right to data portability.g) The right to lodge a complaint with a supervisory authority.h) If the provision of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and if the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data.i) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.How extensive will the data protection clauses be then?If the current obligations already create extensive clauses, let's consider what they will be like under the new Regulation.The Spanish Data Protection Agency proposes the idea of ​​two layers or two levels, which is currently being developed for cookie information, and provides the following example.Where would the first layer be?It must be clearly identified with a title such as "Basic Information on Data Protection."• For example, on an application form, the table with the basic information should be located in the same field of vision as the place where consent is to be expressed (the signature, if it is on paper, or the "submit" button, if it is an electronic form), and should be part of the copy made available to the interested party.• If, due to design restrictions, this is not feasible, a note or callout should be included in the signature field of vision, informing the interested party about the location of the table with the data protection information. Example: "Before signing the application, you must read the basic information on data protection presented on (...the back, at the bottom, etc.)."As indicated by the Spanish Data Protection Agency, the legal text of the information must be clearly visible.Example:And the second layer?You must complete the information in the first layer in full, as well as add any additional information required by the regulations that was not included in the first layer.Where could the second layer be displayed?• On a paper form, it could be on the back of the form.• On an online form, via a hyperlink.• On a telephone call, in the call itself by selecting an option, or by offering the option to receive it electronically or by mail.Summary table of the two layers:

Codification in the new European Data Protection Regulation.

Riestra Abogados. Today, more than ever, companies need to robustly protect their information against potential attacks or intrusions into their IT systems, given the risks that a potential security breach would pose to both the company and its customers or potential clients. Hence, encryption and two-factor authentication (also known as 2FA) are considered the basic pillars of security.However, the preconceived idea that systems are complex to manage and implement is now obsolete. To this end, we refer to the statement made by Arturo Ribagorda, Professor of Computer Science at UC3M, who states the following: "The idea that implementing data protection security measures is difficult is a misconception and fallacy."Importance of encryptionToday, no company, no matter how small or large, can guarantee that it has not suffered or will not suffer an attack on its assets, meaning the computer files it holds.Therefore, the AGPD, in its report No. 494/2009, highlights the importance of adequate data protection: "The security of the exchange of personal information, for which high-level security measures must be adopted, particularly data encryption requirements, is not a trivial matter, nor a mere administrative procedure, nor a matter of convenience. It is the technical means by which the protection of a fundamental right is guaranteed, and the time and resources necessary for its proper implementation must be dedicated to it."What encryption options do we have?The encryption options applicable in Spain are based on both the provisions of European regulations on this matter and Article 104 of the Regulation implementing the Organic Law on Data Protection (RDLOPD). Therefore, companies that are required to adopt encryption measures due to the volume of assets, etc., may choose between:- Robust professional encryption system.- Any other system that guarantees that the information will not be intelligible or tampered with by persons outside the company.Article 104 of the LOPD Regulation:“When, in accordance with Article 81.3, high-level security measures must be implemented, the transmission of personal data through public networks or wireless electronic communications networks shall be carried out by encrypting said data or using any other mechanism that guarantees that the information is not intelligible or tampered with by third parties.”Therefore, companies must adhere to these encryption systems and omit those that do not guarantee adequate security, such as various tools for personal use or file compression. The AGPD has issued a statement on the matter, stating the following: "Products that generate PDF files, or the one generated by WinZip, have known vulnerabilities, and freely distributed tools are available that exploit these vulnerabilities. More specifically, not only are utilities that break the protections of PDF or ZIP files easily available on the Internet, but the very algorithm that encrypts PDF documents, the RC4 algorithm, is clearly vulnerable" (Report 494/2009).New features introduced by the new Data Protection RegulationDue to the entry into force of the new General Data Protection Regulation (EU), there are three "levels" of encryption:Mandatory encryption:- This is mandated by the state; that is, in Spain, all companies or organizations that process particularly sensitive data (ethnic or racial origin, political opinions, religious beliefs, etc.) and therefore must apply high-level security measures will be required to adopt encryption systems to protect their files.- All companies that have adhered to a code of conduct must adopt an encryption system, provided that such code so requires.- Companies that process biometric data or systematically monitor publicly accessible areas must encrypt the data they collect.- If there is a definite risk, the company or organization in question must adopt an encryption system to mitigate it, regardless of the importance of the data handled.Recommended Encryption:- All companies, regardless of the volume or importance of the personal data they process, should implement an encryption system to safeguard their computer files and provide greater security for their users.Voluntary Encryption:- The encryption system will be an optional measure for companies that process disassociated data, since it would not be possible to identify a natural person through it.Obligations for the controller and the processorPursuant to Article 32 of the GDPR (EU), both the controller and the processor must implement appropriate technical and organizational measures, such as:- Pseudonymization and encryption of personal data;- The ability to guarantee the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;- The ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;- A process for regularly verifying, evaluating, and assessing the effectiveness of technical and organizational measures to ensure the security of processing.What obligations exist in the event of a security breach?According to the GDPR (EU), ALL companies are required to notify any security breach, no matter how small, and communicate it to the data subjects. Therefore, immediately upon the company becoming aware of such a vulnerability in its security system, it must notify the General Data Protection Agency (GDPR) or the competent supervisory authority.This notification must be made as quickly as possible and, whenever possible, within 72 hours of becoming aware of the security breach.As can be seen from the above, the encryption system is a somewhat mandatory security measure in certain cases and is always recommended by the European institutions. The General Data Protection Agency (GDPR) has adopted it as its own, given that millions of attacks are carried out daily against any type of company or organization to access personal data. Therefore, the ultimate objective of encryption is to protect the rights and freedoms of individuals.Therefore, sanctions could range from administrative fines of up to €10 million or an amount equivalent to 2% of the total annual global turnover of the previous financial year, whichever is higher (Article 83 GDPR (EU).

Consent and data processing under the new European Data Protection Regulation.

Riestra Abogados. Regulation (EU) 2016/679There is an important new feature in the new European Data Protection Regulation regarding marketing activities, and that is the obligation to obtain express consent when collecting data.Let's look at the definition in Article 4.11:"consent of the data subject": any freely given, specific, informed, and unequivocal expression of will by which the data subject accepts, either by a declaration or a clear affirmative action, the processing of personal data concerning them;The inclusion of "a declaration or a clear affirmative action," that is, an "action," is compelling. This is defined in the RAE dictionary, second meaning, as the "result of doing something," which means that express consent, also known as opt-in, such as checking a box, is required, and tacit consent or opt-out is no longer valid.Let's look at recital (32) of the Regulation: “Consent must be given through a clear affirmative act reflecting a freely given, specific, informed, and unequivocal expression of the data subject's willingness to accept the processing of personal data concerning them, such as a written declaration, including by electronic means, or a verbal declaration. This could include checking a box on a website, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the data subject accepts the proposed processing of their personal data. Therefore, silence, pre-checked boxes, or inaction should not constitute consent.”Additionally, it should be added that consent must be given for each of the intended purposes, and remember that when we collect data, we have purposes such as commercial prospecting, transfer to third parties, profiling, etc.“Consent must be given for all processing activities carried out for the same purpose or purposes. When processing has multiple purposes, consent must be given for all of them. If the data subject's consent is to be given following a request made by electronic means, the request must be clear, concise, and not unnecessarily disrupt the use of the service for which it is provided.”Recall that the definition of consent includes the following terms: free, specific, informed, and unequivocal, which have been defined so many times by the Spanish Data Protection Agency. For example, in recital (43), consent is presumed not to have been freely given:“when it does not allow for separate authorization of the different processing operations of personal data, even though it would be appropriate in the specific case, or when the performance of a contract, including the provision of a service, is dependent on consent, even if consent is not necessary for such performance.”Article 7 of the European Regulation establishes the conditions for consent:“1. Where processing is based on the data subject's consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.2. Where the data subject's consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a way that is clearly distinguishable from the other matters, in an intelligible and easily accessible manner, and using clear and plain language.3. The data subject shall have the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as easy as giving it.4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that are not necessary for the performance of that contract.”And regarding minors, in Royal Decree 1720/2007 of the Organic Law on Data Protection, we currently maintain the age limit of 14 for collecting data directly from minors. We will have to pay attention to the planned reform of our law and see how we adapt it to the European Regulation, because regardless of age (13 or 14), the important thing is to consider how we will obtain the express online consent of the parents or guardians of minors under 14 years of age. Article 8 of the European Regulation establishes the conditions applicable to a child's consent in relation to information society services:“1. Where Article 6(1)(a) applies to the direct offer of information society services to children, the processing of a child's personal data shall be lawful when the child is at least 16 years of age. If the child is under 16 years of age, such processing shall only be lawful if, and only to the extent that, consent has been given or authorized by the holder of parental responsibility or guardianship over the child. Member States may by law provide for a lower age for such purposes, provided that it is not lower than 13 years.2. The controller shall make reasonable efforts to verify in such cases that consent has been given or authorized by the holder of parental responsibility or guardianship over the child, taking into account available technology.3. Paragraph 1 shall not affect the general provisions of Member States' contract law, such as rules relating to the validity, formation, or effects of contracts relating to a child."And as for sensitive data, such as ideological, racial, sexual orientation, or health data, they remain more or less as regulated in our Law regarding the need to obtain express consent.Article 9 of the European Regulation, Processing of special categories of personal data:"1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning a natural person's health, or data concerning a natural person's sex life or sexual orientation, shall be prohibited.""2. Paragraph 1 shall not apply where one of the following circumstances applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;ConclusionThis is an important change, establishing express consent as the basis for obtaining consent. In any case, we will be monitoring updates to our Organic Law on Data Protection (15/1999) and its implementing regulations, and to the Law on Information Society Services and Electronic Commerce (34/2002). However, it is undoubtedly true that this affects everyone, as data protection clauses will have to be adapted and provided with the necessary checkboxes. However, it particularly affects companies that market online databases, as they will have to change their data collection strategies and will undoubtedly lose in quantity, though not in quality.

Contracts with freelancers: the importance of intellectual property rights assignment clauses.

Riestra Abogados.A few days ago, we reported on the news that the owner of the firm Kukuxumusu had filed a lawsuit against five former artists of the brand, urging them not to use 15,000 drawings because they had been assigned to the firm.The question arises when differentiating between the artist's style and the 15,000 completed drawings, as it appears the style used could be so identifiable with the former that it could be confused.In this scenario, it is prudent to keep in mind that when hiring an illustrator, draftsman, photographer, etc. to perform services, it is important to consider the implications related to intellectual property.We're going to focus this article on a situation we see very often: an advertiser or an advertising agency hires the services of a professional to create illustrations, photographs, or videos, which will be used to promote a specific brand, product, or service.From a very general perspective, we're talking about a service provision contract, the purpose of which is the creation of a design, drawing, or photograph. At this point, we should clarify that the material commissioned, whether by an advertising client or their advertising agency, is protected by the Intellectual Property Law (Royal Legislative Decree 1/1996, of April 12, approving the revised text of the Intellectual Property Law), which states that the intellectual property of a literary, artistic, or scientific work belongs to the author by the sole fact of its creation. Intellectual property is comprised of personal and property rights, which grant the author full control and the exclusive right to exploit the work, with no limitations other than those established by law.Therefore, from the moment a person creates a creation (literary, artistic, or scientific work), that creation is protected by intellectual property rights. The author, as the creator of the work, may freely dispose of the exploitation rights and is therefore entitled to assign these rights to a third party.Having addressed the legal basis of the matter, when commissioning a specific work, we must specify it in a contract. In this contract, we will detail the scope and characteristics we want the work to have, as well as the scope of the assignment of intellectual property rights.Clauses on the transfer of rightsWhen determining the scope of the assignment of rights, we must first keep in mind that this is not a mere license to use the work or the commissioned material. We are talking about a custom commission, a specific drawing, a design, a photograph. The advertiser needs to have the work to use for their own benefit. Below we describe the elements that must be considered when considering an assignment of intellectual property rights:- Originality. To avoid surprises and to ensure that the commissioned work is completely original and innovative, we must expressly require this characteristic of the work. The author must agree to be original and creative, and not to imitate other possible works owned by third parties. In this way, the assignee will be covered against possible third-party claims.- Exclusivity. Whether or not this term is included will determine whether the work may be used by the author or by third parties outside the commercial relationship. If we include this term, the transfer of intellectual property rights will be limited exclusively to the transferee entity. That is, neither the author nor other entities may exercise the exploitation rights of the work. The LPI determines exclusivity as follows: The exclusive transfer must be expressly granted for this purpose and will grant the transferee, within its scope, the power to exploit the work to the exclusion of any other person, including the transferor, and, unless otherwise agreed, the right to grant non-exclusive authorizations to third parties. It also grants the transferee legal standing, independent of that of the transferring owner, to pursue infringements that affect the rights granted to it.- Power to transfer to third parties. In cases where an advertising agency contracts with the supplier, the agency must ensure that the transfer of exploitation rights does not expire with the agency itself, but that the agency must also be empowered to transfer them to its client, the advertiser.- Exploitation rights. We must be clear at all times about what we want to do with the assignment. We may simply want to use it as is, without modifications. We may need to modify it slightly and adapt it to the advertiser's needs. We may want to incorporate the work into other audiovisual material or offer it for sale, rental, or simply publish it. The LPI lists the exploitation rights in Article 17: The author has the exclusive right to exploit his or her work in any form, and in particular, the rights of reproduction, distribution, public communication, and transformation, which may not be carried out without his or her authorization, except in the cases provided for in this Law. Furthermore, if the exploitation rights are not specified, the transfer will be limited to those necessarily deduced from the contract itself and essential to fulfill its purpose.- Duration and territorial scope: It is important to determine a period for the transfer of exploitation rights, as well as to agree on a sphere of influence. This is crucial if we want to distribute the work for a specific event in a specific territory, such as an advertising spot. The LPI establishes that the exploitation rights of a work may be transferred by "inter vivos" acts, with the transfer being limited to the right or rights transferred, the exploitation modalities expressly provided for, and the time and territorial scope determined. The lack of a time limit limits the transfer to five years, and the territorial scope to the country in which the transfer is made.And what would happen to the employees?Although this article has focused on contracts with freelancers, how would the transfer of rights be regulated in the case of an in-house illustrator?According to the LPI (Spanish Industrial Property Law), the relationship between the company and the author, and therefore the transfer of rights, must be set out in a written contract. In the absence of a written contract, it is presumed that the rights are transferred exclusively and to the extent necessary according to the employer's activity:1. The transfer to the employer of the exploitation rights of the work created by virtue of an employment relationship will be governed by the terms of the contract, which must be in writing.2. In the absence of a written agreement, it will be presumed that the exploitation rights have been transferred exclusively and to the extent necessary for the exercise of the employer's usual activity at the time of delivery of the work produced under said employment relationship.3. Under no circumstances may the employer use the work or dispose of it for any purpose other than those established in the two previous sections.Therefore, regardless of the approach, whether freelance or salaried, we must be very clear in advance about the purposes for which the work will be used. Before starting work, if possible, we must specify all aspects related to the transfer of intellectual property rights in a contract. We must not waste time without firmly establishing the obligations and responsibilities of each party through the corresponding contract.

Legal recommendations on the use of AI in advertising campaigns

We discussed in our previous article, "Who Owns AI Creation?", that the use of these types of AI platforms is not without risks. No one doubts their potential and the wide range of opportunities, but after analyzing some of these platforms, such as ChatGPT, Tome, Midjourney, Runway, and EssayGenius, the first conclusion, common to all of them, is that the responsibility for the generated content rests exclusively with the user, that is, with the person who handles and enters the data (inputs), and in no case with the platform, regardless of this firm's opinion on these types of maximalist clauses.In any case, what concerns and occupies us at this moment is that a marketing and advertising campaign can be affected, with serious economic and legal consequences, if a series of basic precautions are not taken into account.Let's not forget that, if the campaign is designed by an advertising agency, the client understands that what is presented to them is in accordance with the law; otherwise, the agency will assume responsibility for it. No agency wants to have a campaign withdrawn, assume the costs, pay the corresponding compensation, and lose the client in the process.Let's look at a series of examples using GPT chat, regardless of whether the agency or the client designs the campaign.We ask GPT chat for something simple, without further details:Usuario: “Give me a claim for an advertising campaign for a beef and cheeseburger.”. ChatGPT: "The burger that makes you melt with pleasure: delicious juicy meat with the creamiest cheese, try it now!"Usuario: “shorter”. ChatGPT: "The best cheeseburger, savor the flavor!"User: “Give me more claims like savor the flavor!"    Sure, here are some examples.:- "The flavor that makes you say 'mmm' with every bite".- "The explosion of flavor you were looking for".- "The authentic flavor that transports you to paradise".- "Unparalleled flavor that will leave you wanting more".- "The taste you will never forget".User: “that the claim goes to a young audience”. Perfect! Here are some claim options for a young audience:- "Awaken your senses with the bold flavor of our cheeseburger."- "The funniest burger you've ever tried".- "The burger that ignites your passion for flavor".- "The cheeseburger that gives you the power to enjoy".- "Discover the vibrant flavor of our cheeseburger".Now we ask you for ideas for an automotive campaign: Usuario: “Give me a claim for an advertising campaign for a vehicle for young people who feel free and travel.”,ChatGPT: "Explore the world your way with our vehicle: the perfect companion for your adventures full of freedom and excitement.".ChatGPT: "Freedom has no limits when you're behind the wheel of our vehicle: venture down every road and discover your wanderlust.".We see that with zero intellectual effort we have a proposal for slogans such as: "The burger that makes you melt with pleasure", savor the flavor!, "The flavor that makes you say 'mmm' with every bite", "the authentic flavor that transports you to paradise", "unparalleled flavor that will leave you wanting more", "the flavor you will never forget", "awaken your senses", "the most fun burger", "the burger that ignites your passion for flavor", "the burger that gives you power", and in automotive, "explore the world your way with our vehicle", "the perfect companion for your adventures full of freedom and excitement", "freedom has no limits when you are behind the wheel of our vehicle", "venture down every road and discover your wanderlust".In these results, where is the user's authorship? In the question "Give me a claim for a beef and cheeseburger advertising campaign?" Where is the creativity? The originality? The author's personality? The intellectual effort?Recall, as we already mentioned in our cited article, that in our legal field, intellectual property is governed by Royal Legislative Decree 1/1996, which establishes "original creations" as the object of its protection. That said, not much more is known about what a creation is, and even less about what can be classified as original. The Provincial Court of Navarre attempted to clarify what could be understood by "creative" and "original" to determine whether or not a production will be protected by intellectual property. It gave two criteria for verifying originality: that it did not exist before and that it reflects the author's personality. Regarding creativity, the Court equates it with an "intellectual effort" that allows us to move from a simple act to an "artistic or intellectual creation." The jurisprudence of the Court of Justice of the European Union follows a similar path, more simply put. The CJEU dismissed the relevance of any consideration of the means used by the individual to protect a production, sufficing that it "reflects their personality and expresses their free and creative choices." The important thing is that human intervention exists, even if minimal, but this idea can be distorted in the examples we have presented. In any case, this debate matters little to the marketing and advertising departments, who are the ones designing the campaigns. What they want, and quite rightly, is to use generative AI for their campaigns with the lowest risk. That is why the trend toward using generative AI platforms like ChatGPT will be widespread.We asked the latter:User: Can you give the same result to multiple users?ChatGPT: “As a language model, my answer to a specific question may be the same for multiple users, as long as the question is the same and the input is the same. However, answers may vary slightly due to the inherent randomness of natural language generation in models like mine. Additionally, my answers may depend on the context and prior information I have about a specific user, such as their language or interests.”.The system recognizes that results may coincide, although we believe the likelihood of matches between users will decrease with greater intellectual intervention by the user in fine-tuning the results. In any case, the risk of a mass-market platform exists. Matches can occur. Therefore, the AI ​​platform Midjourney, which creates new images with a brief description, monetizes the risk. If you have a "Pro" account and subscribe to the "Stealth" option, Midjourney will commit to self-limiting the distribution of the result to avoid matches with third parties. This is a hint of how this business model may evolve.Below, we will outline a series of basic legal tips that we should keep in mind when designing advertising campaigns with generative AI.Tips: Industrial Property. Once we have the list of selected slogans, we must conduct a search for identical or similar names or trademarks. We may find that the name we want to use is already registered, and remember that it doesn't have to be exactly the same to infringe a third party's industrial property rights. This is a task that legal departments typically perform when developing campaigns. It's important to keep in mind that an error in this regard will force you to withdraw the campaign and assume any applicable damages. Ideally, and we always repeat this, to be 100% covered, you should request registration of the claim you're interested in and not use it until you have received approval from the Registry Office. However, in practice, this seems illusory due to the speed and timeliness of advertising campaigns. We recommend at least checking that there is nothing that could cause a conflict at the time of launching the campaign.Industrial Property. When we ask the AI ​​platform for results, be careful not to make references to third-party brands, such as, "Give me a claim for an advertising campaign like [renowned trademark]," because it can give us results similar to those already registered trademarks of that renowned trademark. This must be taken into account.Intellectual property. We will address this issue in future articles because it is a highly controversial topic. The important thing when designing advertising campaigns with generative AI is that our results do not coincide with those of a third party, so it would be wise to somehow document the creation process of the result on the AI ​​platform. We would at least try to prove that there was no plagiarism if the two campaigns coincide in time.Personal data protection. Pay special attention to the personal data provided to the AI ​​platform. Remember that many of these platforms are in the sights of European data protection authorities because their headquarters are in the US and there is no information about the processing of this personal data. GDPR fines can be significant. Personal databases should never be entered under any circumstances.Confidential information. Keep in mind that the information we provide to the AI ​​platform to fine-tune the algorithm may be classified as confidential. For example, a client requests a campaign proposal from an agency. Both sign a non-disclosure agreement (NDA) where the client transmits sensitive information to the agency. Let's suppose the agency uses an AI platform and uploads the information submitted by the client to it. This would be a breach of confidentiality, given that this third party (the AI ​​platform) does not owe the agency a duty of confidentiality, especially considering that this information will remain in the system to continue improving the algorithm.Image rights. If we use results that include the name or obvious allusion to a public figure, we will likely be infringing their image rights.Review the terms and conditions of the AI ​​platform, as they will gradually change. Where rights previously belonged to the user, an updated terms and conditions may reveal that they can be shared when there is a commercial purpose.Generative AI is undoubtedly an unpredictable tool, although we sense its great potential. It's like when, in the late 1990s, the great potential of the internet was sensed, but no one realized what would come next with social media. In the short term, there will be many legal conflicts due to the clash of legislation that doesn't fit and contradicts a new AI-based mentality. In any case, our obligation is to advise our clients so they don't violate current regulations, or at least be aware of them.Riestra Abogados. 2023

Smart contracts. Blockchain technology.

The origin: blockchain technologyBefore starting to talk about smart contracts and the opportunity they represent for 21st-century businesses, it's worth explaining the technology on which they are based: blockchain. Simply put, a blockchain is a record of data (blocks) shared among different users of the same network (nodes). Like any physical record, it can be modified, with the difference that this is done simultaneously for users without a centralizing entity; in other words, it is a decentralized system. In a blockchain, authorized users share direct access to this record to create, modify, and view that data. Any action taken on it is stored as a "block," which is irreversibly added to the chain formed by all past actions. Therefore, blockchain technology offers several significant benefits for pursuing an essential purpose for business: trust. For example, through a blockchain network, real estate sales could be certified with the same guarantee as a notary, as they would be recorded on the network, preventing any third party from intervening in the modification of the registry. The same would apply to attesting any property rights, since this registry is immutable.The parties granted, therefore, enjoy absolute equality with the same rights of direct access and modification without having to resort to a centralized authority. Each new block created is made public and, to be integrated into the chain, must be validated by the other parties; if they do not accept it, the attempt is recorded as such, but not the act. If the parties accept this new block, it is automatically integrated into the chain, which will be recorded in each party's shared registry. There is no turning back. Any modification, addition, or deletion of information is transparent and is recorded as information in itself. Think of it like a book whose pages cannot be separated: if the author dislikes a chapter already written, they can only indicate to their co-authors that they decided to continue the subsequent narrative without taking it into account, but they cannot tear out the corresponding pages. Hence the security this type of technology provides: even if someone were to unilaterally modify the blockchain, the disappearance of a few links would make the manipulation visible due to the lack of continuity in the chain. This technology opens up a wide range of opportunities, as in our case, smart contracts.Advantages of smart contractsSecurity in the fulfillment of agreements because it acts automatically. Speed ​​in the execution of the contract, because, for example, payment is automatic. Cost reduction, since, if properly articulated, it avoids lawsuits for misinterpretation of the contract.Smart contracts use this technology to limit discrepancies that may arise in the execution of a contract. The parties agree on each aspect of a contract, which will take the form of negotiated computer code, accepted by all, and uploaded to a blockchain network. This code is immutable and encloses each agreed clause following a model of "if/then" chained conditions whose execution is carried out using blockchain technology. In other words, the parties foresee a series of events, and if/then they occur, a series of consequences are triggered. The mechanics are the same as those currently used when drafting a contract, anticipating and regulating the circumstances. However, in smart contracts, the effect is the automation of contract execution: if the information necessary for fulfilling a clause is entered into the registry, the program will directly trigger the previously established consequences. Both the uploaded information and the result generated by the code are added to the chain as new blocks, preventing rollback. Transactions are public, but their initiation can be restricted to certain users through a public/private key system to ensure the legitimacy of the action. The private key allows the user to create a block of data (such as receipt of goods, condition, number of products, etc.) and add their "signature," whose authenticity is verified with the public key communicated to everyone.A priori, the scope of application of smart contracts is the same as a normal contract; however, their usefulness is more prominent in certain sectors. The internationalization of the financial and banking sector, whose regulation requires verification of the origin of capital movements, can be automated, lowering the cost of transactions and their control. For an insurer, creating a network with its insured allows for the collection of data and expert reports on a claim to automate the payment of compensation. In logistics, blockchain technology enables transparent product tracking, ensuring full traceability from production to delivery. Regarding this example, one can imagine a food supply chain from the producer to the receiving supermarket. That is, from the moment the seeds and agricultural materials necessary for production are purchased, to the harvesting, processing, processing, distribution, and purchase of the product by the consumer, everything is perfectly traced, with the blockchain providing information on how it was produced, by whom, where, who distributed it, how, and where. For example, supermarkets would upload their order to the blockchain, which would be automatically communicated to suppliers. Once delivered to the carriers, the GPS would report the real-time location of the products, as well as compliance with the cold chain through automatic temperature measurement. If this hygiene requirement is not met, supermarkets would be immediately informed of the affected goods and the corresponding compensation would be granted through the clauses established in the smart contract. Automatic executions. The same applies to agreed delivery periods. If the date and time uploaded by the carrier meet the deadline established in the code, the bank transfer of payment from the supermarket's account will be automatically granted. In the event of a delay, the code would detect it and execute a compensation clause, if one exists.In theory, anyone can create a smart contract as long as they have the necessary computer programming skills, although there are already some that offer this possibility without being a technical expert. They are developed on freely accessible platforms that allow blockchain execution. The most widely used is Ethereum, but Hyperledger, Polkadot, and Tron can also be mentioned. Given the skills required to manage blockchain, some companies, such as Santander, with the help of the we.trade platform (IBM blockchain), developed a smart contract service for businesses.Future and limitsDespite the numerous uses that can be (and already exist) for smart contracts, Spanish and European legislators are only just beginning to show interest. Currently, there are no national regulations for smart contracts, nor are there any EU or international lex cryptographia whose scope of application would be more appropriate to the characteristics of current commerce. Hence the current legal status quo for smart contracts. They continue to be governed by the Civil Code and EU legislation, which separate the binding force of the contract from its form (provided the validity criteria are met) and allow for remote execution.The main problem with smart contracts stems from their greatest advantage: security, as the contract is enclosed within immutable code. On the one hand, all possible scenarios and the necessary response must be anticipated, since subsequent modification of the code is impossible. Therefore, there is no room for maneuver in the event of a legislative change, or any other event that would require modifying the contract, even if all parties agree. The rebus sic stantibus principle cannot even be conceived in a blockchain network. On the other hand, a computer code does not allow for the parties to renegotiate certain aspects with greater or lesser flexibility depending on the level of trust they have between them (something common in dealings with regular suppliers). The contract is either fulfilled as planned, or it is not: it does not consider the adaptability that commercial relationships may require. The design of the code precludes any stipulation that does not take the form of "if/then." This type of contract does not so much eliminate conflict due to its absolute predictability, but rather excludes any type of more subjective clause. Like any emerging technology, it will have to consolidate itself through know-how.In 2019, the European Commission asked the European Blockchain Observatory for a report to clarify the challenges of this new technology and the role the European Union could play in its development and regulation. He highlighted several legal issues, almost all related to liability. To communicate with the offline world, the online blockchain requires a program capable of exchanging information: called the "oracle." How is it chosen? And, above all, who is responsible in the event of a computer error? The same applies to the code itself: who bears the consequences of an unforeseen bug? It is also unclear whether the automatically executing program should be considered a party or a representative. Furthermore, risks of violating the digital rights contained in the General Data Protection Regulation (GDPR) were identified. On the one hand, the encryption that protects access to the blockchain or even anonymizes its users makes it impossible to identify precisely who controls the data circulating on the network. On the other hand, the immutability of the blocks that enclose the data neutralizes each individual's right to be forgotten.As expected, the Observatory's conclusions rule out regulation by individual countries, preferring the creation of a more efficient European legal framework. Without proposing a specific option, he makes it clear that the status quo cannot continue and that, at the very least, current legislation on contracts and obligations must be reformed. He recommends prioritizing regulation of sectors in which blockchain is well implemented and whose use could pose a risk to European interests: specifically, the financial sector and transaction control. In other cases, current legislation is sufficient to protect the still limited use of smart contracts, despite the need to build an appropriate legal framework. He invites us to observe how practices develop in each sector to avoid hasty regulation that would nip the use of this promising technology in the bud.How to apply to an advertising agencyFor the Client, the most important thing is to receive payment in a timely manner, and not at the Client's discretion, even if there is an obligation to pay within 60 days. In other words, the Agency should be paid automatically as the phases of a project are executed. And the phases are approved through the blockchain. Many of the conflicts between Agency and Client stem either from the lack of a contract, which operated, at best, with a purchase order, or from insufficiently documented delivery acceptances. Within this new framework, the Agency should begin to design its own smart contracts and anticipate potential scenarios. In any case, these types of contracts are much simpler than those required by the Client, since, as we mentioned, the most important thing for the Agency is to have guaranteed payment, the duration of the contract, and the intellectual property rights being transferred.Regarding its suppliers, the Agency must focus primarily on the approval of project phases, delivery schedules, and the transfer of intellectual property rights. It is essential to be aligned with the Client's needs, and agencies are aware of this, because changes of mind or sudden decisions by the Client impose obligations on the Agency toward its suppliers. Therefore, and to the extent the Agency deems appropriate for the type of project, it would be very useful for all three parties—Client, Agency, and Supplier—to jointly participate in a smart contract.ConclusionsSmart contracts are undoubtedly another blockchain-derived application with enormous opportunities. We are entering a new era of automation, and contractual obligations, as the backbone of our socioeconomic relations, cannot be excluded from this. The slowdowns and delays resulting from our bureaucratic systems, the collapse and saturation of many public agencies, which depend on human intervention to validate processes, can be carried out automatically, eliminating the need, for example, to wait months or years to collect compensation. Ultimately, this is all about automation, and that means speed, savings, security, transparency, and efficiency.Riestra Abogados 2023Campus Blockchain, ¿Qué son los Smart Contracts? ¿Para qué sirven? [https://www.campusblockchain.es/que-son-los-smart-contracts-para-que-sirven]LÓPEZ RODRÍGUEZ, Ana Mercedes. “Ley aplicable a los smart contracts y Lex Cryptographia” en Cuadernos de Derecho Transnacional, vol.13, nº1, marzo 2021, pp.441-442 [https://doi.org/10.20318/cdt.2021.5966]FETSYAK, Ihor. “Contratos inteligentes: análisis jurídico desde el marco legal español” en REDUR, nº18, diciembre 2020, pp.202-203 [https://doi.org/10.18172/redur.4898]Ana Mercedes LÓPEZ RODRÍGUEZ, “Ley aplicable a los smart contracts y Lex Cryptographia” en Cuadernos de Derecho Transnacional, vol.13, nº1, Marzo 2021, p.446 [https://doi.org/10.20318/cdt.2021.5966]Real Decreto de 24 de julio de 1889 por el que se publica el Código Civil, última actualización publicada el 06/03/2022, Artículo 1278 [https://www.boe.es/eli/es/rd/1889/07/24/(1)/con]Ibid. Artículo 1262THE EUROPEAN UNION BLOCKCHAIN OBSERVATORY AND FORUM. Informe temático iniciado por la Comisión Europea, “Legal and regulatory framework of blockchains and smart contracts”, 27 de septiembre 2019 [https://www.eublockchainforum.eu/sites/default/files/reports/report_legal_v1.0.pdf?width=1024&height=800&iframe=true]Ibid. pp.23-25Ibid. pp.33-35Real Decreto Legislativo 1/1996, de 12 de abril, por el que se aprueba el texto refundido de la Ley de Propiedad Intelectual, regularizando, aclarando y armonizando las disposiciones legales vigentes sobre la materia. https://www.boe.es/buscar/act.php?id=BOE-A-1996-8930 SAP Navarra, nº201/2014, FJ 2Ibid. FJ 4CJEU, 1 December 2011, C-145/10, Painer. Ruling §2Ley 17/2001, de 7 de diciembre, de Marcas. Artículo 6. Marcas anteriores.
1. No podrán registrarse como marcas los signos: a) Que sean idénticos a una marca anterior que designe productos o servicios idénticos. b) Que, por ser idénticos o semejantes a una marca anterior y por ser idénticos o similares los productos o servicios que designan, exista un riesgo de confusión en el público; el riesgo de confusión incluye el riesgo de asociación con la marca anterior.Italia bloquea el uso de ChatGPT por incumplir la normativa de protección de datos. https://elpais.com/tecnologia/2023-03-31/italia-bloquea-el-uso-de-chatgpt-por-incumplir-la-normativa-de-proteccion-de-datos.html Ley Orgánica 1/1982, de 5 de mayo. Artículo séptimo. Tendrán la consideración de intromisiones ilegítimas en el ámbito de protección delimitado por el artículo segundo de esta Ley: Artículo 7.6. La utilización del nombre, de la voz o de la imagen de una persona para fines publicitarios, comerciales o de naturaleza análoga

Who owns AI creation?

Artificial intelligence and intellectual property.Artificial intelligence (AI)-assisted creation poses a real challenge to our intellectual property law system at the national, European, and international levels. In the absence of specific regulations, this new world is governed a priori by the different Terms and Conditions established by the AI ​​companies themselves, which are diverse but have some common features.Property of the input.In general, input refers to the data provided by the user to the AI ​​so it can generate the result, and output refers to the result of the work performed by the AI ​​itself.The terms of use of each platform analyzed establish the same intellectual property regime for the information provided by the user (input). Logically, it is required that the data or information we provide to generate a result cannot infringe third-party intellectual property rights, image rights, personal data protection rights, or violate any other regulations. If the ownership of the data provided belongs to the user, they are obligated to share with the platform unlimited and international rights to use, copy, and modify said data for the achievement of the purposes of said platform. So far, so predictable. If the ownership of the resulting content remains in the hands of the user, they are equally obligated to share with the platform unlimited rights to use, copy, and modify the content for the achievement of the purposes of said platform. Typically, such purposes are related to internal purposes, such as self-promotion and algorithm training.Runway Gen-1, which produces new videos based on user-uploaded content, makes it clear that it has no rights to this original content. Since these are audiovisual inputs, their appropriation would have been difficult to justify. Let's not forget that in their early days, social media, especially Facebook in 2009, attempted to acquire all rights to user-uploaded content through their terms and conditions, but they reversed themselves after the controversy surrounding them.Ownership of output.Regarding the output created with AI, some companies are more generous than others. Open AI, the creator of ChatGPT, grants full intellectual property rights to the user with the only requirement being to clearly indicate co-authorship with the AI ​​in the event of content publication. It is also the only platform that considers the possible appearance of identical results due to the same algorithm. In this case, no one has any rights to the creation.This means that there is no full guarantee regarding the generated result, but I believe this does not imply that third parties, without authorization, could freely use such generated content, because the status of author is not granted to you by an AI platform but by the law. It is somewhat similar to how when two uncopied works coincide in that they are identical or very similar, both would maintain originality or authorship vis-à-vis third parties, but the difficult part is proving that the second work that appeared did not copy the first. Before the internet, it was simpler; it was necessary to demonstrate that, due to context, both authors had difficult access to the other's work. However, currently, there's no need to prove anything; the works match. Consider, for example, a script for an advertisement resulting from a public platform's algorithm that is very similar to that of another agency, and which is also on the red line for plagiarism. Wouldn't the second agency, which coincided with the first when fine-tuning the algorithm, then have any problem? Common sense would suggest that if the first agency aired the advertisement before, the second agency could be considered plagiarism, even if it's the result of the algorithm. In this sense, I think the judges wouldn't be too troubled. And if no agency has aired it before, and both agencies produce it in parallel and independently without any connection, it certainly wouldn't be considered plagiarism. The controversy is there.Runway Gen-1 also grants ownership of the result to the user on the condition that they share the property rights to the content with the company.Taking advantage of the lack of regulation in this regard, Midjourney, which creates new images with a brief description, monetized these different intellectual property regimes. In any case, the company requires users to share the exploitation and distribution rights with the company. If the user uses the platform without an account, they will only be entitled to free distribution of the result. If they have a "Pro" (paid) account, they will retain the intellectual property rights of the result (with the aforementioned requirement). If, in addition to the "Pro" account, they subscribe to the "Stealth" option, Midjourney will agree to self-limit the distribution of the result to avoid overlaps with third parties. This example may give us clues as to where this business model may evolve.More restrictively, the specialized text generator Essay Genius makes it clear that the generated outputs may only be used in the personal context that motivated the use of the platform, for example, in an academic essay.On the other hand, the Tome platform, which allows users to create interesting professional presentations, simply states that the content provided by the platform will always remain its property.Regarding possible infringements of third-party intellectual property, that is, if the results violate such rights, the AI ​​platforms make it very clear that they cannot be held liable under any circumstances. Therefore, they add to their terms that they have no obligation to verify the legality of user-uploaded content, as any criminal use of their services or infringement of third-party rights is prohibited. Regarding generated content, all these platforms use an "as is" clause: what is created by the AI ​​and the user is provided "as is." That is, it is the user who has the obligation to verify that they can use the new content without violating anyone's intellectual property.Summary table, ownership, and exploitation rights. (Own elaboration)In summary, the general trend regarding rights over AI-assisted creations seems to be, on the one hand, to leave moral rights to the user and, on the other, to share exploitation rights. At this point, it would be interesting to see what each platform means by sharing exploitation rights: those of the agency when it sells the Work to the advertiser (ad, designs, texts, etc.), or those of the advertiser when it markets such Works.It is, therefore, the user who will have to verify that they can use the new content without violating the intellectual property of any third party. And this includes intellectual property generated by other AI rights.This "filter" responsibility that falls on the user makes sense when it comes to a creation forged by their own and exclusive will. On the contrary, holding them solely responsible for the production of someone else's will may be excessive.This "filter" responsibility placed on the user makes sense when it comes to a creation forged by their own will. On the contrary, holding them 100% responsible for the production of someone else's will may be ethically and legally questionable. Making AI companies jointly responsible could make such businesses economically unviable due to the high risk of conflict and unpredictability. Of course, in many cases, these AI companies also want to charge for exploitation rights. In other words, the profits are shared, but the risk is for the user.We are at the dawn of this type of creative cooperation between machine and human beings, which will be regulated on a case-by-case basis.And what does the law say?The main reference is the private regulation that each AI company establishes with its users. Nor does current legislation offer many answers when it comes to determining what belongs to whom. As previously explained, no law covers AI-assisted intellectual production. The current framework is limited, but case law has provided us with clues that can serve as a starting point.And the jurisprudence?In Spain, intellectual property is governed by Royal Legislative Decree 1/1996, which establishes "original creations" as the object of protection. That said, not much more is known about what a creation is, and even less about what can be classified as original. Purely digital works are largely left out of the list of types of works. In this area, only databases are explicitly protected by "the selection or arrangement of their contents," which constitute an intellectual creation.The Provincial Court of Navarre attempted to clarify what could be understood by "creative" and "original" to determine whether a production will be protected by intellectual property. It provides two criteria for verifying originality: that it did not previously exist and that it embodies the author's personality. Regarding creativity, the Court equates it with an "intellectual effort" that allows one to move from a simple object to an "artistic or intellectual creation." What's interesting about this ruling is that the work in question was obtained through the use of technological means (a camera), and the existence of copyright does not seem to depend at all on the technique used to obtain the result.The case law of the Court of Justice of the European Union follows, more simply, the same line. In a similar case (another photograph), the CJEU ruled out the relevance of any consideration of the medium used by the person to protect a production, sufficing that it "reflects their personality and expresses their free and creative choices." In short, point the lens and shoot. If the camera takes a photo on its own, for whatever reason, it would not be considered an original work as there was no human intervention. The important thing is that human intervention exists, even if minimal, and this idea can be distorted in the case of AI assistants, because the disproportion between human intervention and the generated result can be abysmal. Thus, if we assume intellectual production generated by AI that does not infringe pre-existing copyright, two possibilities would arise. In the first, the individual's choice of inputs, the selection of outputs, and the manner of presenting them would be considered to reflect the author's effort and subjectivity: AI would be nothing more than a technical means, and humans would be the sole holders of intellectual property. In the second, the final result would be due almost solely to the algorithm within the AI, with the individual being unable to claim anything other than having given it minimal information for it to function. In this case, the production may have an owner who remains to be defined, but it cannot be regulated by intellectual property as we currently understand it, because the algorithm's output has been fed by the prior contributions of thousands or millions of users.Conclusions. More and more could be extrapolated from existing laws and rulings, but these will only be hypotheses. Regulations on this matter are needed, because while the current ones can temporarily make up for the absence of more specific ones, the rapid development of AI will create increasingly more legal gray areas and many controversies. The idea of ​​giving personality to AI does not seem to be, for the moment, the European Parliament's. Furthermore, it would mean recognizing, if not the intelligence of something non-human in the proper and defining sense of the human race, then a creative capacity, which we are not yet ready to assume. In any case, the European Parliament is in favor of a community regulation of the matter that would assign ownership of each work to an author, which is what is understood by author under current regulations. However, the fundamental question remains unresolved: whether 20th-century intellectual property laws are useful for 21st-century AI.Although specific regulation of the matter is desirable, it will not mean the end of conflicts regarding the matter due to the international dimension of the world of AI. On each of the aforementioned companies' websites, the Terms and Conditions clearly state that any dispute related to the use of AI must be resolved by arbitration and, if that fails, by the courts of the state where the company is headquartered, generally California. Therefore, even if there is a desire to regionally regulate AI-assisted intellectual production, its presence and that of the user in different legal systems will lead to further doubts about where and under what law conflicts should be resolved. A real solution would be a new international agreement promoted by the World Intellectual Property Organization to establish basic rules for co-creation with AI without discouraging it. But there is still a long way to go.This article has sought to provide some general guidelines for understanding the legal logic in this type of AI-assisted creation systems. The information provided by the user (input), the result of the system (output), and the liability regime, which generally falls on the user. For this reason, in the next article, we will discuss a series of practical legal tips for using these AI systems in campaign design.Riestra Abogados 2023 Términos y condiciones de las empresas Propiedad de los inputs Propiedad de los outputs Derecho de explotación de los inputs Derecho de explotación de los outputs Open AI (ChatGPT) Usuario Usuario Si respuestas idénticas: nadie Usuario Usuario (con mención “hecho con ChatGPT”) Tome Usuario (impreciso) Usuario y empresa Usuario y empresa Midjourney Usuario Gratis: empresa Usuario Gratis: usuario (sólo distribución) y empresa Pro: usuario Pro: usuario y empresa (limitable) Runway Usuario Usuario Usuario Usuario y empresa EssayGenius Usuario Usuario Usuario Usuario (únicamente para un uso particular

    Programa Kit Digital, iniciativa del Gobierno de España. Cofinanciado por los Fondos Next Generation EU del Mecanismo de Recuperación y Resiliencia. Kit Digital

    Cookie settings

    We use cookies to provide you with the best possible experience. They also allow us to analyze user behavior in order to constantly improve the website for you.