Intellectual Property Bulletin - Winter 2016

European Union’s General Data Protection Regulation to Usher in Sweeping Changes Affecting Data Protection and Privacy Practices of European and U.S. Companies

By Jonathan Millard and Tyler Newby


In December 2015 the European Commission published a General Data Protection Regulation to replace the Data Protection Directive, which currently regulates the collection and use of personal data within the European Union. The Data Protection Directive was enacted more than 20 years ago and was in dire need of updating to keep pace with developments in data collection and sharing practices, as well as the explosion of data security breaches. The Regulation will likely come into force in 2018, but its wide-ranging implications necessitate immediate attention from the business community not only in the EU, but on the global stage.

The key features of the Regulation are summarized below.

Territorial Reach

The “extra territorial” reach of the Regulation is a key change that all non-EU entities will need to be aware of. Previously, EU law in this area applied only to those entities that control the use of the data and have some sort of establishment or equipment in the EU. However, the Regulation applies directly to any entity that processes personal data about EU residents in connection with (i) the offer of goods or services in the EU; or (2) the monitoring of behavior in the EU. Jurisdiction will therefore be measured digitally rather than physically, paying less attention to the physical location of the entity undertaking the processing. When assessing this reach, regulators will look to a variety of factors, including how a website references EU individuals, the currencies accepted, and the languages used. Any profiling of EU individuals will fall squarely within these criteria. This is a huge shift and something that entities that were previously outside the scope of the current law, but are now likely subject to the Regulation, will need to absorb over the coming months.

Expansion of Definition of Personal Data

The Regulation expands upon the definition of “personal data” from the Data Protection Directive, the collection and processing of which is covered by the Regulation. After its effective date, personal data will include unique online identifiers, e.g., IP addresses and mobile device identifiers, as well as geo-location data about a subject. Unique biometric data such as fingerprints, retina scans, and genetic data are also included in the expanded definition of personal data.

Enhanced Individual Rights

The Regulation also requires data controllers to provide greater transparency to individuals about the data they are collecting and how that data will be used at the time of data collection. Most of this information should be described in a well-written privacy policy, and includes the identity and contact information of the controller, the purpose of data collection and processing, and third parties to whom the data will be transferred. The information provided must also identify the legal basis of transferring data outside of the EU. Those bases — whether the use of standard contractual clauses, binding corporate rules, or the new “Privacy Shield” — are likely to continue to be in flux until the Regulation comes into effect. Controllers also must inform individuals about the right to deletion and correction of data about themselves, more colloquially known as the “right to be forgotten,” the right to lodge complaints to the controller’s data privacy authority, and the right of individuals to receive data that has been collected about them in a structured and commonly used machine-readable format.

Article 4(3aa) of the Regulation also requires controllers to notify individuals if they will use personal data for “profiling,” which is defined as (a) involving automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Profiling cannot be based on certain special categories of personal data, such as racial, ethnic, or religious information without explicit consent, unless such processing is necessary for reasons of substantial public interest. Controllers will be required to use adequate procedures and implement technical and organizational safeguards to correct data inaccuracies and avoid errors, secure personal data, and minimize the risk of “discriminatory effects.” Additionally, individuals will have the right both to request the “profiling” data about themselves and to object to or demand that profiling be stopped.

Direct Liability for Processors

Data processors will now have direct obligations under the Regulation. Currently, only the data controllers are subject to direct regulatory oversight, often flowing applicable obligations to the data processor under contract, such that the data processor would be contractually liable to the data controller, but would not be subject to direct enforcement or penalties from a data protection regulator. Whether a data processor is located within the EU or overseas, this is a big movement in regulatory compliance risk. These obligations of a data processor will include implementing appropriate technical and organizational measures with respect to personal data, notifying the data controller of a data breach and potentially appointing a data protection officer. In addition, contracts appointing data processors will need to be more prescriptive, requiring audit rights for the data controller and a mechanism for the approval of the appointment of sup-processors.

Organizational Requirements

The Regulation imposes several internal administrative compliance obligations for data processors and controllers. First, both controllers and processors will be required to develop and maintain documentation describing their data protection policies. Both will also be required to keep a record of processing activities. Controllers and processors will be required to conduct data protection impact assessments where the proposed data processing is likely to result in a high risk to the rights and freedoms of individuals. An impact assessment evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk. To ensure covered companies will have internal accountability for compliance, the Regulation will require data processors and controllers to appoint a data protection officer where its core processing activities require regular and systematic monitoring of individuals on a large scale, or where its core activities consist of the processing of sensitive data on a large scale. The data protection officer will have the responsibility for overseeing the company’s compliance with the Regulation.

Local Representative Requirement

As a mechanism to bring non-EU data processors within the regulatory oversight of EU data protection authorities, Article 25 of the Regulation requires both data controllers and processors that regularly collect or process personal data from EU citizens on a large scale to appoint local representatives within EU member states where they do business. This requirement is likely to apply to, for example, U.S.-based Software as a Service providers whose customers include companies with significant numbers of EU end users or employees.

Fortunately for companies that have few contacts with EU citizens’ personal information, there is an exception to this requirement for companies that do limited processing of EU citizens’ personal data. Companies that only engage in “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of data relating to criminal convictions and offences referred to in Article 9a, and is unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing” are not required to appoint local representatives.

Harmonization and the One Stop Shop

Under EU law, a “regulation” is law directly applicable to companies acting within the EU whereas a “directive” requires legislation to be passed at a national level implementing the general principles of the directive, inevitably resulting in a lack of uniformity throughout Member States. Therefore a key nuance which is not necessarily evident from the text of the Regulation, but which is a product of this fundamental principle of EU law, is that the Regulation will now create a uniform privacy regime across the EU, in place of the current patchwork of member state laws implementing the current directive.

Following the same theme, the Regulation will also fundamentally change the way that data protection law is supervised in the EU. A key proposal to promote this uniformity was for any given company (which may have a presence in a number of Member States) to be able to have one point of contact for supervisory purposes. This has manifested itself in detailed structure whereby a lead supervisory authority in the Member State in which a company has its main or sole establishment will have supervisory responsibility, with that lead supervisory authority having the ability to work with other concerned authorities. A centralized European Data Protection Board will be established, having the ability to issue opinions on particular decisions. It remains to be seen how this will work in practice, and whether companies will have the ability to influence which lead supervisory authority is allocated to it, along with the political and tactical maneuvering this may entail to ensure the most preferable outcome for the company.

Data Transfers

There are no major changes in this area of the Regulation and, save for the Safe Harbor uncertainties, the existing methods to transfer data internationally have broadly been retained, with some refinements. With regard to Safe Harbor, we all await clarification on the law and the details of its newly unveiled replacement, the “Privacy Shield.” There appears to be an emerging view that whatever the details of this Privacy Shield transpire to be, it is likely to be subject to challenge in the courts. Whether it will withstand such challenge remains to be seen, but in the interim, the market waits with anticipation. With regard to other methods to facilitate transfers of data, a popular alternative to the Safe Harbor regime are Model Contractual Clauses. Although these remain intact under the Regulation, in due course these may come under fire and be subject to similar challenges and calls for invalidity as the Safe Harbor regime. Binding Corporate Rules have also survived under the Regulation, remaining a valid way to transfer data, with the current rules now codified into law.


There are new provisions codifying the ways in which a data subject may provide, or be deemed to have provided, its consent to the processing of its data. Consent needs to be informed, specific, evidenced by a statement or affirmative conduct (silence or inactivity is insufficient), and in the case of sensitive personal data, be explicit. The onus is on the data controller to demonstrate this and the request for consent must be easily accessible, using clear and plain language. The consent must be freely given and revocable at any time without detriment to the data subject. The Regulation looks to the bargaining power of the parties as a factor when assessing this. For example, companies can no longer make it a condition of a contract or service that consent is provided to that company to process certain personal data, where the processing of that personal data is not necessary for the performance of that contract or delivery of that service — the “all or nothing” option is therefore likely to find little favor. In addition, in the employer/employee context, which is often the focus of much analysis regarding freely given consent, Member States will have the ability to implement specific rules to regulate this.

Data Breach Response

An aspect of the Regulation that will significantly impact U.S.-based companies’ data breach response plans is the requirement of data controllers to notify supervisory authorities — e.g., data protection authorities — of a data breach that “is likely to result in a risk for the rights and freedoms of the data subject” within 72 hours of discovery of the breach. This time period is considerably shorter than any existing U.S. state statute. Because companies affected by breaches are often still assessing what happened and identifying the scope of the compromise within the first 72 hours of a breach, companies will need to be cautious in not understating or overstating the impact of the breach.

Affected individuals must also be notified without “undue delay” if the breach presents a high risk “for the rights and freedoms” of individuals. The notification must describe the nature of the breach and its causes, if known, and recommendations on how affected individuals may mitigate risks. Although a data controller may not give notice to the supervisory authority or affected individuals if it determines that the breach is unlikely to pose a threat to the rights and freedoms of affected persons, the burden will be on the data controller to prove the absence of risk.

Notably, the trigger for a breach notification under the Regulation is both broader and vaguer than under the laws of the more than 47 U.S. states and territories that have data breach notification statutes. Under these statutes, an obligation to notify arises following the breach of relatively well-defined categories of information, typically including a combination of the first name or initial and last name, plus some other unique identifier, such as a social security number, driver’s license number, financial account and passcode, unique biometric identifiers, or health insurance or medical treatment information. The Regulation imposes a much vaguer standard, requiring notification where the breach could lead to identity theft, discrimination, loss of confidentiality of information that could result in economic loss, or social disadvantage. The end result is likely to be an increase in global notifications of data breaches.

Penalties for Non-Compliance

The Regulation, once in effect, is not a paper tiger. Data controllers will face penalties of up to 4% global “turnover” — gross revenue — for non-compliance. For large U.S. companies — the kind that are likely to be controllers, rather than mere data processors — these fines could be substantial. Data protection authorities will also be able to enforce penalties against the local representative of a non-EU data processor or controller, effectively giving those authorities indirect jurisdiction over non-EU data processors. The Regulation has no means of enforcing penalties against non-EU processors who fail to appoint a local representative, which may lead some U.S. data processors to consider whether appointing a local representative simply invites more risk.

The Department of Commerce Internet Policy Task Force White Paper on Remixes, First Sale, and Statutory Damages

By Ronnie Solomon

In January 2016, the U.S. Department of Commerce’s Internet Policy Task Force issued its “White Paper on Remixes, First Sale, and Statutory Damages.” Spearheaded by the U.S. Patent and Trademark Office and the National Telecommunications and Information Administration, the Task Force received public comments on and examined key topics in copyright law, including the application of statutory damages in the context of individual file-sharers and secondary liability for large-scale online infringement. This article focuses on the Task Force’s analysis of statutory damages under the Copyright Act and its recommendations for amending the statute.

Criticisms of the Current Regime for Statutory Damages

The Task Force highlights several concerns about the current statutory damages framework in § 504(c) of the Copyright Act. These include: the potential “chilling effect” that the prospect of a massive damages award has on innovations and new technologies, especially for Internet service providers, technology companies, and others that face secondary liability for the directly infringing acts of their customers and users; copyright “trolls” who leverage the threat of maximum statutory damages per work to coerce settlements from individuals they accuse of file-sharing; copyright plaintiffs who use statutory damages to obtain windfall profits; and inconsistencies in the application of statutory damages, leading to disparate and unpredictable awards in similar cases. And although service providers do not control the number of works individual users may directly infringe, they are nonetheless still held liable for damages on a per-work basis. In cases where tens of thousands of works are at issue, even a minimum of $750 per work leads to a massive award that is disproportionate to the service provider’s conduct.

Section 504(c) also lacks specificity. Unlike other federal laws, which provide specific factors to guide a statutory damages award (i.e., the Truth in Lending Act, 15 U.S.C. § 1640(a)), the Copyright Act offers no statutory factors or guidelines for courts and juries to consider in reaching a statutory damages award.

The Task Force’s Recommendations for Amending the Copyright Act

The Task Force recommends three amendments to statutory damages provisions of the Copyright Act, noting that “effective enforcement tools” against online piracy must be reconciled with “excessive and inconsistent awards” that chill innovation and incentivize litigation abuse.

The first recommendation is to amend § 504 to add nine specific, non-exclusive factors that courts and juries must consider in determining a statutory damages award:

  1. The plaintiff’s revenues lost and the difficulty of proving damages;
  2. The defendant’s expenses saved, profits reaped, and other benefits from the infringement;
  3. The need to deter future infringements;
  4. The defendant’s financial situation;
  5. The value or nature of the work infringed;
  6. The circumstances, duration, and scope of the infringement, including whether it was commercial in nature;
  7. In cases involving infringement of multiple works, whether the total sum of damages, taking into account the number of works infringed and the number of awards made, is commensurate with the overall harm caused by the infringement;
  8. The defendant’s state of mind, including whether the defendant was a willful or innocent infringer;
  9. In the case of willful infringement, whether it is appropriate to punish the defendant and if so, the amount of damages that would result in an appropriate punishment.

Drawn from model jury instructions and case law, the Task Force does not intend these factors to be exclusive, allowing consideration of other factors relevant to a particular case.

Second, the Task Force recommends an amendment to the notice provisions of the Copyright Act, embodied in §§ 401 (d) and 402 (d). Under the current statute, the presence of a notice of copyright protection prevents a defendant from asserting an innocent infringement defense. The proposed amendment would permit an infringer to still assert the innocent infringer “defense,” making the appearance of a copyright notice relevant, but not a bar to, an innocent infringement defense.

The third and final recommendation is arguably the most important. In cases involving non-willful secondary liability by “online services” involving large numbers of infringed works, courts should have discretion to fashion an award other than through a strict “per-work multiplier” calculation. In other words, courts would not be bound to the minimum statutory per-work amounts. As the Task Force notes, the “per-work multiplier” makes less sense where secondary liability is concerned, because there is an attenuated connection between the service provider’s actions and the direct infringement by customers and users. Without this change, “[w]hen a court must multiply this minimum by a very large number of copyrighted works, it may not be possible to avoid an excessive outcome.”

Benefits of the Task Force’s Recommendations: Taking Facts into Account

The recommendations are an improvement over the current statute, providing guidance, specificity, and greater predictability. The statutory damage factors help tie awards to the “facts on the ground.” The first, fifth, and seventh factors codify the rule recognized by several courts that statutory damages should bear a relationship to actual damages plaintiff suffered. New Line Cinema Corp. v. Russ Berrie & Co., 161 F. Supp. 2d 293 (S.D.N.Y. 2001) (“New Line’s statutory damages should be commensurate with the actual damages incurred”); Dae Han Video Prod., Inc. v. Chun, No. 1:89-01470, 1990 WL 265976 (E.D. Va., June 18, 1990) (“When awarded, statutory damages should bear some relation to the actual damages suffered.”); Bait Prods. Pty Ltd. v. Murray, No. 8:13-CV-0169-T-33AEP, 2013 WL 4506408 (M.D. Fla. Aug. 23, 2013) (“‘Statutory damages are not intended to provide a plaintiff with a windfall recovery’; they should bear some relationship to the actual damages suffered.”). This prevents windfalls for copyright plaintiffs, and provides an incentive for parties to use civil discovery tools to calculate actual harm. And a claim that damages are difficult or impossible to demonstrate is less likely to go unchallenged.

The sixth factor also ties awards to the “facts on the ground” by making the circumstances, duration, and scope of the infringements relevant considerations. For instance, “when the infringed work is of minimal commercial value, a lower award may be appropriate.” And where a large number of works are at issue, courts can take a “holistic” approach and adjust awards for each work so that the overall award is commensurate to harm, rather than engage in a mechanical exercise of multiplying a random amount by the number of works at issue. This will nudge courts and juries to consider the value of works at issue and to recognize that works should not be treated the same as a default.

Finally, permitting courts in their discretion to depart from the per-work calculus in cases of non-willful infringement is a crucial, common sense amendment. While courts would still retain discretion to revert to the ”per-work multiplier” approach, this change could in some instances help prevent the exorbitant awards that otherwise would inevitably result.

Drawbacks of the Task Force’s Recommendations

A step in the right direction, the recommendations nonetheless may promote confusion and inconsistency. The addition of certain mandatory factors suggests that other factors are less important. Missing from the proposed statutory factors is consideration of a plaintiff’s own conduct. Courts have held that the “conduct of the parties,” including that of the plaintiff, is a relevant consideration in crafting an award. Warner Bros. Inc. v. Dae Rim Trading, Inc., 877 F.2d 1120 (2d Cir. 1989) (holding that a court may take into account the attitude and conduct of the parties, and finding that district court did not abuse its discretion in awarding low amount of statutory damages where plaintiff’s own conduct was “vexatious [and] oppressive.”); Bryant v. Media Right Prods., Inc., 603 F.3d 135 (2d Cir. 2010) (courts should consider the conduct and attitude of the parties in determining the amount of statutory damages to award for copyright infringement); Oppenheimer v. Holt, No. 1:14-CV-000208-MR, 2015 WL 2062189 (W.D.N.C. May 4, 2015) (same). Consideration of plaintiff or its agent’s own conduct would help to address abusive tactics by copyright trolls. Also missing from the proposed statutory factors is consideration of a plaintiff’s failure to mitigate its actual damages. Though this factor may be limited to assertion of a failure to mitigate defense, some courts have held this is a relevant consideration, even where a plaintiff seeks statutory damages. See, e.g., Malibu Media, LLC v. Julien, No. 1:12-CV-01730-TWP, 2013 WL 5274262 (S.D. Ind. Sept. 17, 2013) (“current law allows the court to consider actual damages [in making determination of statutory damages], and failure to mitigate is relevant in considering actual damages… ”); Malibu Media, LLC v. Guastaferro, No. 1:14-CV-1544, 2015 WL 4603065 (E.D. Va. July 28, 2015) (“Although typically only applied to claims for actual damages, the defense may be relevant to claim requesting statutory damages because ‘one purpose of statutory damages is to approximate actual damages that are difficult to prove.’”).

Additionally, the first factor references the “difficulty of proving damages,” but there is no mention of whether plaintiff has the burden of proof, what steps, if any, a plaintiff must take to meet this burden, or the consequences of failing to do so. Moreover, the fourth factor concerning a defendant’s financial situation is vague and open-ended. Though intended to address the reality that the amount needed to deter an infringer depends on the circumstances, such as whether the infringer is an individual or a corporation, the factor as phrased does not make this clear. Indeed, profitable corporations may unfairly become the target of higher awards simply because the company is seen as profitable and able to afford paying large awards.

The amendment allowing courts to depart from the “per-work multiplier” calculus also has limited benefit in the secondary liability context, because it would not apply in cases of willful infringement. But even where the infringement is willful, the acts of the service provider are likely to be so attenuated from and not related to the number of works infringed, and calculation of damages on a per-work basis may nonetheless remain overkill.

Finally, the Task Force does not address litigation abuse by copyright trolls, and rejects recalibrating the range of damages available in the case of awards against individual defendants. Such a step could address the use of threats of maximum statutory damages by trolls to extract settlements from unwitting consumers. Instead, the Task Force notes that “courts are well-positioned” to evaluate abusive enforcement activities. But this misses the point; indeed, the issue is that copyright trolls use threats to extract settlements outside the purview of the court.


The Task Force’s recommendations for amending the statutory damages provision of the Copyright Act are a mixed bag. While a step in the right direction because they offer greater clarity and recognize the different nature of secondary liability, there are some serious drawbacks and glaring omissions in the proposed amendments. If the Copyright Act is to be amended, it should be done in a comprehensive manner and should dispel as much confusion and inconsistency as possible.

Quick Updates

Prevailing Party: Defendant Awarded Attorney Fees Despite Plaintiff’s Voluntary Dismissal of California Trade Secrets Action

By Stefan Szpajda

Cypress Semiconductor Corp. v. Maxim Integrated Products
In Cypress Semiconductor Corp. v. Maxim Integrated Products, 236 Cal. App. 4th 243 (6th Dist. 2015), the California Court of Appeal, Sixth Appellate District found that a defendant in a trade secrets suit can be deemed a “prevailing party” entitled to attorney fees under California Civil Code § 3426.4 when a plaintiff voluntarily dismisses its lawsuit to avoid an adverse determination on the merits. Although attorney fees provisions in contracts are governed by California Civil Code § 1717 — which defines “prevailing party” in a manner that excludes voluntary dismissal without prejudice as a basis for finding prevailing party status — attorney fees awarded per statute are not subject to § 1717. Cypress clarified that, at least under § 3426.4, prevailing party status can be found following a voluntary dismissal without prejudice.

Plaintiff Cypress sued defendant Maxim, alleging that Maxim had misappropriated a trade secret, or was in the process of doing so, by seeking to hire away specialists in touchscreen technology. Cypress and Maxim compete in the field of touchscreen technology. Maxim responded that it was entitled to solicit prospective candidates from Cypress’ workforce and that there was no evidence it acquired, or sought to acquire, any trade secret. Cypress tried and failed to secure temporary injunctive relief, and failed to obtain an order placing under seal evidence derived by Maxim from public sources. Cypress then dismissed the action. The trial court awarded Maxim attorney fees pursuant to § 3426.4, which authorizes such an award to the prevailing party where a claim for misappropriation of trade secrets is found to have been made in bad faith.

On appeal, Cypress argued that the trial court erred because it could not properly find that Maxim was the prevailing party, or that Cypress brought the action in bad faith. The court found that (1) the trial court’s findings are free of procedural error; (2) the finding of bad faith is supported by evidence that defendants merely attempted to recruit a competitor’s employees, which Maxim was entitled to do under California law; and (3) Maxim prevailed when, as the trial court implicitly found on substantial evidence, Cypress dismissed the suit to avoid an adverse determination on the merits.

A more detailed treatment of this case and its implications is available here.

How much Discretion does the Patent Trial and Appeal Board have in Instituting Inter Partes Reviews?

By Lauren Whittemore

2016 promises to bring clarity to issues that have confounded a country in the throes of change. No, we do not mean the presidential election. Instead, we are looking forward to the Federal Circuit’s review of a number of decisions by the Patent Trial and Appeal Board. This guidance will provide increased clarity for practitioners as the Federal Circuit weighs in on matters both procedural and substantive. Two recent decisions address the scope of the Board’s discretion in instituting inter partes reviews and conducting trials.

Synopsys v. Mentor Graphics
The Board may grant IPR if “there is a reasonable likelihood that the petitioner would prevail with respect to at least one of the claims challenged in the petition.” 35 U.S.C. § 314(a); 37 C.F.R. § 42.4(a). The Board has discretion to review only certain claims in a petition, or only certain grounds raised by the petitioner. The Board’s institution decision is not appealable. 35 U.S.C. § 314(d).

In Synopsys, Inc. v. Mentor Graphics Corp., No. 2014-1516, 2014-1530, 2016 U.S. App. Lexis 2250 (Fed. Cir. Feb. 10, 2016), Synopsys sought review of claims 1-15 and claims 20-33 of Mentor’s patent as anticipated or obvious in light of various prior art references. The Board instituted review of only claims 1-9, 11, and 28-29 based on a single prior art reference, denying review of the remaining claims. After a hearing, the Board issued a written decision invalidating claims 5, 8, and 9. Synopsys appealed the decision, arguing the Board should have found claims 1 and 28 invalid and that the Board erred in issuing a final written decision that did not address the validity of all claims raised in the petition. Because an institution decision is not appealable, Synopsys instead challenged the scope of the final decision itself, arguing that “because § 318(a) directs the Board to issue a final written decision with respect to ‘any patent claim challenged by the petitioner,’ the Board’s final decision must address every claim raised in the petition.”

The Federal Circuit looked at the language of the statute to determine that Congress used different language to refer to claims challenged in a petition and claims adjudicated in the final written decision and rejected the argument that Congress intended the IPR proceeding to be a complete substitute for invalidity determinations in district court. Instead, the Federal Circuit affirmed that the validity of claims for which the Board did not institute review could still be litigated in district court.

Redline Detection LLC v. Star Envirotech
At the other end of the process, the Federal Circuit has confirmed that the Board has discretion to decline review of timely filed “supplemental” information from a petitioner. 37 C.F.R. § 42.123 provides that a party may file a motion to submit supplemental information after an IPR is instituted. Subsections (b) and (c) of the Rule, addressing late submission of supplemental information and other supplemental information, require Board authorization to file and a showing of good cause. Subsection (a) does not include those requirements — it simply requires that the motion be timely filed and that the supplemental information is relevant to an instituted claim.

Redline submitted an IPR petition seeking review on twelve grounds based on combinations of four prior art references. Redline planned to timely supplement its petition under 37 C.F.R. § 42.123(a) to include expert declarations after the Board issued its institution decision. Because Redline’s obviousness arguments could not be supported without the supplemental information — including a 60-page expert declaration — Redline believed it met the requirement of relevance. The Board denied Redline’s motion, stating that Redline did not provide any justification for submitting the information after institution beyond a desire to reduce costs. The Board then upheld the challenged patent. Redline Detection, LLC v. Star Envirotech, Inc., No. 2015-1047, 2015 U.S. App. LEXIS 22897 (Fed. Cir. Dec. 31, 2015).

On appeal Redline pointed to the language of the statute, noting the lack of requirement for good cause in subsection (a), and argued that the Board’s decision was arbitrary and capricious because the Board has permitted other petitioners to timely submit supplemental information. The Federal Circuit held that the Board was entitled to deference in interpreting its own rules and that its interpretation of 37 C.F.R. § 42.123(a) was not plainly erroneous. Requiring the Board to accept all timely, relevant supplemental information would read out other portions of the regulations governing IPR and trial proceedings and would remove the Board’s discretion to grant or deny motions under 37 C.F.R. § 42.5(a) and (b).

These decisions continue a trend of the Federal Circuit confirming the Board’s discretion in interpreting the statues and regulations governing IPRs. We will continue to follow the Federal Circuit’s jurisprudence in this area while we wait for the Supreme Court’s decision in Cuozzo Speed Techs. v. Lee. The Supreme Court granted certiorari on January 15 of this year. Cuozzo Speed Techs. v. Lee, 193 L. Ed. 2d 783 (2016). In the meantime, put all your supporting evidence in the petition, and think carefully before trying to appeal institution decisions.

Federal Circuit Court of Appeals Says That Excluding Disparaging Trademarks from Registration Is Unconstitutional

By Moira Lion

On December 22, 2015, the Federal Circuit Court of Appeals, sitting en banc, held that the Lanham Act’s exclusion of “disparaging” trademarks from registration violated the First Amendment and is unconstitutional. In re Simon Shiao Tam, 808 F.3d 1321 (Fed. Cir. 2015).

Simon Shiao Tam, a founding member of the band The Slants, sought registration of THE SLANTS as a trademark in 2011 for use in connection with his band’s live music performances. Tam chose The Slants as his band’s name in an effort “to ‘reclaim’ and ‘take ownership’ of Asian stereotypes.” The Trademark Office rejected the application on the grounds that the mark “‘deride[s] and mock[s] a physical feature’ of people of Asian descent.” This determination that THE SLANTS was disparaging was affirmed on appeal by the Trademark Trial and Appeal Board and then again on appeal by the Federal Circuit Court of Appeals; however, THE SLANTS case was reheard by the Federal Circuit en banc, which held that the disparaging trademark exclusion was unconstitutional.

Section 2(a) of the Lanham Act precludes scandalous, immoral, or disparaging marks from being registered, and this has prevented the registration of numerous applications for marks containing racial slurs, swear words, and arguably vulgar designs over the last several decades. The 9-3 majority in In re Tam determined that excluding these types of marks from registration is a viewpoint-based denial of protection of speech by private speakers that cannot be reconciled with the First Amendment.

The most significant conclusions that the majority drew were: (1) the disparagement exclusion is viewpoint based, rather than content based, because it precludes registration of marks that describe groups in a negative way but allows registration of marks that refer to groups in a positive way; (2) although the government can discriminate against speech based on viewpoint when the speech is considered to be that of the government itself, federal trademark registration is not government speech and is a regulatory activity; and (3) even if registering a trademark is considered a subsidy or benefit, the denial of an available benefit based on the viewpoint of speech is still unconstitutional. The dissenting judges disagreed with a number of the majority’s conclusions, namely, whether trademark registration is government speech and whether the government has a sufficiently justifiable interest in restricting subsidies.

We are starting to see the fallout from the In re Tam decision in other cases. In In re Brunetti, No. 85310960, 2014 WL 3976439 (T.T.A.B. Aug. 1, 2014), the TTAB affirmed the Trademark Examiner’s refusal to register the mark FUCT based on the Lanham Act’s scandalous and immoral exclusions. On appeal to the Federal Circuit, the USPTO and Brunetti submitted separate letters to the Federal Circuit addressing In re Tam in light of their case. The USPTO interestingly conceded that the scandalous and immoral exclusions violate the First Amendment if it is true that the disparagement exclusion does, so the case should be remanded. Despite this concession, the USPTO did stipulate that it believes these exclusions to be constitutional, so this approach was likely a strategy to avoid giving the Federal Circuit another chance to look at the disparagement exclusion before In re Tam could perhaps reach the Supreme Court.

The 2(a) exclusion has become a particularly hot topic in the last few years, especially in light of the media attention that the REDSKINS case has garnered. Pro-Football, Inc. v. Blackhorse, 112 F. Supp. 3d 439 (E.D.Va. 2015), appeal docketed, No. 15-1874 (4th Cir. Aug. 6, 2015). As discussed in the IP Bulletin Quick Update in Summer 2014, several registrations of the REDSKINS mark were canceled by the TTAB on the grounds that REDSKINS was disparaging of people of Native American descent. Currently this case is being appealed to the Fourth Circuit Court of Appeals, and the parties recently submitted their opening briefs. Not surprisingly, THE SLANTS decision in the Federal Circuit will play a large role in bolstering Pro-Football’s First Amendment arguments. Although Federal Circuit decisions are not binding on the Fourth Circuit, they certainly are influential, particularly because the Federal Circuit hears many trademark cases that originate from TTAB decisions. If the Fourth Circuit’s decision does not align with the Federal Circuit, however, there is a higher likelihood that the Supreme Court will consider these cases.

Kirtsaeng II: Back to the High Court

By Kathleen Lu and Jennifer Stanley

Kirtsaeng v. John Wiley & Sons, Inc. will be one of those rare cases heard by the Supreme Court more than once.

Supap Kirtsaeng was a Thai graduate student studying in the U.S. While in school, he sold foreign edition English-language textbooks to fellow students that his friends and family had purchased in Thai bookstores. Because many publishers including John Wiley & Sons sold textbooks containing virtually identical content at high prices in the U.S. and low prices abroad, Kirtsaeng was able to reap a profit from his re-sales.

In 2008, John Wiley & Sons sued, alleging copyright infringement. It won at the district court and in the Second Circuit, but in 2013, the Supreme Court ruled for Kirtsaeng, holding that the first sale doctrine, which explicitly allows the resale and distribution of lawfully made copies on the secondhand market without running afoul of copyright law, applies to works first distributed overseas. Kirtsaeng v. John Wiley & Sons, Inc., 133 S. Ct. 1351 (2013). The decision was a momentous one, settling a hotly debated question that had ended in a 4-4 tie only three years earlier, in Costco Wholesale Corp. v. Omega, S.A., 562 U.S. 40 (2010). After the Supreme Court’s decision, Kirtsaeng’s attorneys asked the District Court for attorney fees. Section 505 of the Copyright Act allows judges to award attorney fees to the prevailing party at their discretion. The prospect of attorney fees can influence decisions to defend or settle a case, since attorney fees through trial and appeals can often exceed potential damages.

Past Supreme Court precedent on the topic is vague. In Fogerty v. Fantasy, Inc., 510 U.S. 517 (1994), the Supreme Court stated that copyright defendants are equally eligible for attorney fees as copyright plaintiffs, and should be treated alike. The Fogerty court emphasized that requiring prevailing defendants to show that the plaintiffs’ claim was frivolous or in bad faith — essentially treating an award of attorney fees to defendants as a punishment — was too narrow a view of the purposes of the Copyright Act and the attorney fees provision. Instead, the “primary objective of copyright is… to promote the Progress of Science and useful Arts,” and “defendants who seek to advance a variety of meritorious copyright defenses should be encouraged to litigate them to the same extent that plaintiffs are encouraged to litigate meritorious claims of infringement.”

Nevertheless, any award of fees is still at the discretion of the district court. In a footnote, the Supreme Court accepted, without explicitly endorsing, the use of non-exclusive factors such as “frivolousness, motivation, objective unreasonableness (both in the factual and in the legal components of the case) and the need in particular circumstances to advance considerations of compensation and deterrence…. [s]o long as such factors are faithful to the purposes of the Copyright Act and are applied to prevailing plaintiffs and defendants in an evenhanded manner.”

The various Circuits have applied the Fogerty factors in varying ways, setting the stage for Kirtsaeng II. At one end, the Seventh Circuit applies a presumption in favor of attorney fees to prevailing parties in all cases. On the other end, the Second Circuit emphasizes that the objective unreasonableness factor should receive substantial weight such that the other factors must outweigh it for a fees award to be issued. The rest of the Circuits lie somewhere in between, with some applying the Fogerty factors, either primarily or nonexclusively, some stating that awards should be “routine,” some emphasizing the question of whether fees would further the interests of the Copyright Act, or some combination, though all at the discretion of the district court.

The district court denied Kirtsaeng his fees, finding that the publisher’s suit was not “objectively unreasonable.” It weighed the novelty of the issues against Kirtsaeng because the plaintiff also took a risk in pressing an unsettled theory. It discounted consideration of compensation because Kirtsaeng had pro bono representation at the Supreme Court. It also held that Kirtsaeng’s degree of success and the financial disparity between the parties were issues relevant to the amount that would constitute reasonable fees, not whether fees should be awarded at all. The Second Circuit affirmed, though it disapproved of the district court’s discounting of potential compensation for pro bono versus paid representation.

Kirtsaeng has appealed to the Supreme Court, arguing that the Second Circuit’s focus on objective unreasonableness improperly mirrors the “exceptional case” standard of patent and trademark law because, unlike the patent and trademark statutes, there is no exceptional case requirement under the Copyright Act. Furthermore, he argued that the Second Circuit applies its standard in an uneven manner by favoring copyright plaintiffs unless their claims are unreasonable, under the theory that the imposition of a fee award against a copyright holder with an objectively reasonable litigation position will generally not promote the purposes of the Copyright Act, but awarding fees against defendants who employ reasonable defenses to deter violations. Essentially, Kirtsaeng’s critique is the Second Circuit improperly views the purpose of the Copyright Act as stopping infringement instead of promoting the progress of science and useful arts, as the constitutional preamble states.

In January, the Supreme Court granted Kirtsaeng’s petition for certiorari a second time. Briefing on the merits has not yet begun, so a decision will likely not come until the fall, but copyright practitioners, litigants, and potential litigants will be watching closely.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising

Written by:

Fenwick & West LLP

Fenwick & West LLP on:

Readers' Choice 2017
Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.