Oracle v Google – Success for Oracle, Java APIs can have copyright protection

On Friday the US Court of Appeals for the Federal Circuit issued its much awaited decision in the Oracle v Google case. The case concerned copyright in APIs (Application Programming Interfaces) written by Oracle in the Java programming language. The APIs were licensed by Oracle and used by software developers in apps for smartphones, PCs and other devices.

Oracle discovered that Google was using 37 of its APIs without permission and filed a lawsuit claiming that Google’s Android mobile operating system infringed Oracle’s patents and copyrights. The jury in the original case found no patent infringement (which was not challenged on appeal) and found that Google had infringed Oracle’s copyright in the 37 Java packages but deadlocked on the issue of Google’s ‘fair use’ defence. However, the District Court denied Oracle’s motion for judgment as a matter of law (“JMOL”) and, following further consideration, ruled in favour of Google (except in respect of a specific computer routine known as “rangeCheck” and eight decompiled security files) finding that of the 37 Java API packages at issue, “97 percent of the Android lines were new from Google and the remaining…..elements replicated by Google were free for all to use under the Copyright Act.”

Both Google and Oracle appealed and at the end of last week the Court of Appeals reversed the decision of the District Court and held that the declaring code and the structure, sequence, and organisation of the 37 API packages were entitled to copyright protection. In coming to this decision, the Court considered whether the work was original (originality being a fundamental requirement for copyright protection) and whether the APIs constituted ideas or the expression of an idea. Under both US and EU law, copyright protection is not available for a mere idea but is available for the ‘expression’ of an idea.

In this case Oracle claimed copyright protection with respect to both: (1) the literal elements of its API packages (being the lines of source code); and (2) the non-literal elements (being the structure, sequence, and organization of each of the API packages). Both parties agreed that the APIs met the originality requirement. However, they disagreed upon whether they were an expression of an idea or just an idea itself. The Court found in Oracle’s favour in respect of both elements, finding that that the non-literal elements of the APIs were more than a mere idea and that Oracle had made a choice in how to express those ideas noting that “there were myriad ways in which the API packages could have been organized”.

The US decision has created an even greater divergence of US and EU copyright law. In 2012, the Court of Justice of the EU ruled that whilst source code itself can be afforded copyright protection, APIs and other functional characteristics (such as data formats and function names) cannot be. In reaching this finding the Court stated that “to accept that the functionality of a computer program can be protected by copyright would amount to making it possible to monopolise ideas, to the detriment of technological progress and industrial development”. For software businesses looking to operate on a global scale, this divide is not good news.

This isn’t the end of the story. The Court of Appeals has referred the case back to the District Court for further consideration of Google’s ‘fair use’ defence and even after the ‘fair use’ issue has been decided, it is likely that the case will be subject to further appeals.

ECJ ruling encourages copyright holders to shoot the messenger

In their decision issued last week in the case of UPC Telekabel v Constantin Film, the European Court of Justice (ECJ) confirmed that EU states have the right to issue injunctions requiring internet service providers (ISPs) to block their internet users’ access to copyright-infringing websites.

Whilst at first glance the decision may appear to be a landslide victory for rights owners, the decision also offers welcomed clarity to ISPs on the extent of their obligations to prevent infringements.

The ECJ’s decision arose out of an Austrian case involving an application by two film producers, for an injunction requiring an Austrian ISP to prevent its users accessing a website that enabled its users to stream or download films which infringed the producers’ copyright.

According to Article 8(3) of the Copyright in the Information Society Directive (2001/29) (Directive), national courts have the power to grant a blocking injunction against an ‘intermediary’ whose services are used by a third party, to infringe copyright or related rights. The ECJ’s decision addresses two key issues; firstly, what sort of intermediaries can be subject to injunctions under the Directive, and secondly, what form of injunctions can be granted against them?

Can an injunction be granted against an ISP as an intermediary?

The primary issue to be determined by the court was whether a party making infringing information available on their website ‘uses’ the services of the ISP whose customers access the website to do so, where the ISP’s customers themselves have not committed an infringement, thus providing a jurisdictional platform for courts to grant injunctions against such an ISP.

UPC argued that they had no contractual business relationship with the website operators, having neither made internet access or storage space available to them. Since it could not be established that their direct customers acted unlawfully (although, as the Advocate General Cruz Villalon pointed out in his preceding opinion delivered back in November, it could be assumed with near certainty that they took advantage of the services on offer on the offending website), they maintained that it could not be considered that their services had been used to infringe a copyright or related rights. UPC also emphasised that, in any event, the various blocking measures available were excessively costly, especially as for the most part they could be easily circumvented with minimal technical expertise.

Contrary to the assertions of UPC, the ECJ found that where an ISP’s service users access infringing content on a website, that ISP is in fact an intermediary whose services are used to infringe copyright within the scope of the Directive, and as a result they can be subject to injunctions forcing them to block access to the offending sites. They cited the rationale that the ISP “is an inevitable actor in any transmission of an infringement over the internet between one of its customers and a third party, since in granting access to the network it makes the transmission possible.”

In their decision, the ECJ recognised that, on a practical level, as the services of intermediaries are increasingly used to infringe copyrights, such intermediaries are often ideally placed to take preventative action. The ECJ emphasised that in order to fulfil the key objective of the Directive, which is to guarantee right holders a high level of protection as outlined at Recital 9 of the Directive, ISPs must be included within the parameters of Article 8(3), because to rule otherwise would substantially diminish the protection afforded to such right holders.

This means that in future it will not be necessary to show a specific relationship between a person infringing copyright and the intermediary against whom an injunction may be issued, nor will it be necessary to prove that the customers of the ISP in question actually access the protected subject matter on the known infringing website, as the ECJ reiterated that that spirit of the Directive required Member States to not only take action to bring existing infringements to an end, but also to prevent further infringements, or at least make them more difficult to commit.

Can an injunction be granted without specifying the means of implementing it?

Having decided that an injunction could be granted against an ISP in the circumstances outlined, the ECJ then proceeded to consider the nature of the injunction to be granted, and in particular whether the Austrian court’s approach in leaving the ISP to decide the means to be used in blocking the website was acceptable, or whether the court should be required to specify any prescribed block should be implemented.

In reaching their decision, the ECJ recognised the tension between the ISP’s freedom to conduct a business, the internet users’ freedom of information, and the right holders’ copyright, and emphasised the need to achieve a “fair balance” between these fundamental rights. In assessing whether such a balance had been struck, the ECJ found that by giving the ISP a wide discretion to determine the appropriate measures to implement a block of the website, the Austrian Court’s ‘results’ form of injunction had in fact ensured the optimum business freedom of the ISP, as they could choose to put in place measures best adapted to their available resources and the challenges of carrying on their particular business activities. Furthermore, provided the ISP had taken all measures “capable of being considered reasonable”, they could rest assured that they would not be held liable for breach of the injunction, thus ensuring that an ISP cannot be expected to make unbearable sacrifices in order to protect the conflicting interests of a rights-holder.

In this regard the ECJ judgment differed from the opinion of the Advocate General, where he expressed the view that it would be “incompatible with the weighing of the fundamental rights of the parties to prohibit an ISP generally [from accessing an infringing website] and without ordering specific measures”.

The Advocate General did, however, acknowledge that a specific blocking measure imposed on an ISP relating to a specific website would not automatically be disproportionate simply because it entailed not inconsiderable costs and could be easily circumvented without any special technical knowledge.

The ECJ imposed two conditions on the granting of a general injunction such as that proposed by the Austrian court in order to ensure a fair balance is struck between the fundamental rights of the parties:

(i)            Firstly, measures must not unnecessarily deprive users of the possibility of lawfully accessing the information available, so in other words measures must be strictly targeted to ensure that internet users’ right to freedom of information is not be curtailed more than is necessary; and

(ii)           Secondly, those measures must have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging users accessing the infringing subject-matter. This means that courts will not decline to grant an injunction just because there is no fool-proof solution available. As the English High Court has acknowledged “a blocking order may be justified even if it only prevents access by a minority of users”.

The ECJ declined to elaborate further on how best to balance and protect the competing rights of parties in such a case, leaving the ultimate decision as to “fair balance” in the domain of national courts.

In order to ensure that the fundamental rights of internet users are afforded adequate protection, and are not diminished in the wake of an insurgence of applications for injunctions by rights-holders, the ECJ also introduced the concept that internet users can assert their rights before national courts, ensuring that they have a forum for redress where they believe measures imposed by an ISP are unduly restrictive.

The battle is won, but the war has just begun…

Whilst the International Federation of the Phonographic Industry (IFPI) has issued a positive statement in support of the ECJ ruling, which undoubtedly represents a string to their bow in fighting online piracy, the decision is unlikely to have a notable impact on the approach of the UK courts to website blocking. The High Court had already been persuaded to grant specific injunctions against a number of ISPs under domestic intellectual property legislation before the recent judgment came to light, and is likely to continue to grant such orders without hesitation in the future, particularly with the reinforcement of an ECJ decision behind them. Other EU member states are now likely to follow suit, adopting an approach more consistent with that already prescribed by English law.

Whilst those campaigning for better protection of intellectual property rights are celebrating their apparent victory, they may stop to consider that whilst in principle the ECJ ruling is a step in the right direction, in practice the operators of illegal websites, and the ISPs making them available online, are often based outside of Europe or conceal their identity, which means that in reality it is very difficult to pursue them before the courts. Let the historic examples of the difficulty encountered in shutting down notorious copyright-infringing sites such as Pirate Bay serve as a cautionary warning not to celebrate too soon – the road ahead for rights-holder’s crusading against piracy in the internet age is a treacherous one; and for every website you successfully shut down you can all but guarantee the same will resurface under a different address or hosting provider!

Are you missing out on some potentially lucrative ICT contracts?

An estimated £13.8 billion was spent in 2011/2012 by the public sector on ICT. Have you been put off trying to win a slice of this because you think the procurement process is too complex and will require you to invest too much time and cost to get the necessary security clearances without a good chance of success because the incumbent supplier will most likely win? You are not alone.   The OFT Market Study has found that these are real barriers to competing which prevent suppliers from tendering. But it also found that suppliers themselves are hindering competition in this market by complex pricing and a lack of transparency. Things are changing though and the process of tendering for government and local authority ICT contracts may get easier.

In January the European Parliament voted to introduce new directives to help simplify the process, which may make tendering a simpler and more attractive process for small and medium sized suppliers.  In particular, the reduction in the documentation required from bidders will mean suppliers can submit self-declarations through a standardised document. Only the winning bidder will now have to submit formal evidence.   The introduction of a mandatory requirement for electronic communication in public procurement could increase accessibility to SME’s and the division of contracts into lots is also being encouraged with turnover requirements being limited to a maximum of twice the estimated value of the contract, except in justified cases.  Although the government has 2 years to implement the directives, it has pledged to get the rules onto the UK statute books quickly (which means we might see them by the end of this year). So ICT suppliers not currently involved in procurement may want to start considering whether tendering could now be a viable option for them.

The Impact of the New Consumer Contracts Regulations

Background

If you sell goods, services or digital content to consumers, the recently published Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) (the “Regulations”) are likely to affect the way you carry out your business.

The Regulations will apply to consumer contracts concluded on or after 13 June 2014, revoking the current ‘distance selling’ and ‘doorstep selling’ regulations.

Various categories of goods and services, including contracts dealing with gambling and package holidays, are excluded from the scope of the Regulations. Other categories, such as prescription items and passenger transport are partially exempt.  Otherwise, the Regulations will apply to and distinguish between “On-premises contracts” (concluded at the seller’s business premises e.g. in a shop), “Off-premises contracts” (concluded away from the seller’s business premises where both parties are present e.g. when visiting homes), and “Distance contracts” (concluded where the parties are not physically together e.g. online) as outlined below.

Information

Sellers will be required to bring certain “pre-contract information”, such as delivery charges and the seller’s complaints policy, to a consumer’s attention before a contract is entered into. This obligation will be more onerous for off-premises and distance contracts, where the consumer must also be given a copy of the contract or confirmation in a “durable medium” allowing them to store and reproduce the information, such as paper or email, within a reasonable time and not later than the delivery of goods or commencement of services.

Order Process

In relation to distance contracts, it must be made clear to the consumer that an order confirmation will result in an obligation to pay.  For online sales, this will mean that any button the consumer clicks to show that they wish to enter into a contract must be labelled unambiguously to the effect of “order with an obligation to pay” or “pay now”; “continue” or “confirm” is unlikely to be sufficient.

Additional Payments

Consumers cannot be required to make payments in addition to the price agreed without “express consent”.  Pre-ticked boxes which bolt-on costs during the online order process, such as for an extended warranty, will be prohibited.  A pre-ticked box will still be allowed for free products and services, such as a newsletter.

Cancellation

For consumers entering into off-premises and distance contracts, their right to no-fault cancellation  (the “cooling-off period”) will be extended from seven to 14 calendar days from the date they received the goods or, for contracts for services or digital content, from the date the contract is concluded.  Cancelling the main contract will automatically terminate any supplemental agreements, such as insurance.

Under the Regulations, a seller can only start to provide services or digital content during the cooling-off period if a consumer makes an express request, and acknowledges that they will lose their right to cancel if the contract is fully performed, or once the supply of digital content has begun.

The Regulations include a model cancellation form which must be provided to consumers, and they also set out model instructions for cancellation, the insertion of which would ensure a contract complies with the cancellation provisions.

Failure to inform a consumer of their cancellation rights could result in the cooling-off period being extended by up to 12 months, during which time the consumer would not be obliged to pay for any services provided.

Refunds

Where a consumer elects to withdraw from the contract during the cooling-off period, they are entitled to be reimbursed for all payments including the costs of delivery.  The seller must also pay the costs of returning the goods unless otherwise specified in the contract.  Once goods have been returned, or proof of return provided, the seller will have 14 days (rather than 30) to reimburse the consumer.  Sellers are entitled to make a reduction for use beyond what is needed to check that goods are as the consumer expected.

Delivery

Where a contract is silent as to the time for delivery, the Regulations imply that delivery must occur without undue delay, and in any event within 30 days.  This is more stringent than the current requirement of delivery within a “reasonable time”.

Telephone Lines

Telephone helplines operated for use by consumers with contract queries must not be charged at more than basic rate.

Conclusion

All sellers dealing with consumers are likely to need to update their terms and conditions and ordering processes in order to implement the Regulations, and failure to do so by the 13 June 2014 deadline could result exposure to significant costs.

EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits them when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency regarding the application of data protection legislation cross Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

Data Protection Reform Update

In January 2012, the European Commission proposed a major reform of the EU legislation regarding the protection of personal data. The aim of the new proposals was to update the current Data Protection Directive (95/46/EU) passed in 1995 in order to provide a higher level of protection over EU citizens’ personal data. It is also meant to consolidate and harmonise data protection laws across all EU member states. Another key objective of the proposals is to ensure that the revised law addresses the recent developments in technology to cover progressions in e-commerce, social networking, and cloud computing. In terms of compliance, the new regulation is set to be stricter than the previous law with harsher enforcement and penalties. As the draft regulation will be directly effective in member states, there will not be a need for local legislation to implement it.

 Key provisions of the Regulation 

  • Most businesses (including public sector bodies, private sector businesses with over 250 employees, and businesses that demand regular data monitoring) will be required to appoint or designate a data protection officer to ensure that data controllers and processors fulfil their duties, and monitor the implementation of policies. 
  • Companies will have to be more transparent about what they require data for. They can only collect the minimum amount of data that they require for a specified intention. 
  • Data subjects should have the right to ‘erase’ their personal data through a ‘right to be forgotten’. 
  • The activities of data processors will also be brought within the scope of the draft regulation. Previously, the Directive applied only to the data processing activities of data controllers. Furthermore, the regulation will also apply to data controllers who offer goods or services to data subjects in the EU, but who are not themselves established in the EU. 
  • Both data processors and data controllers will be required to implement security measures to strengthen online privacy. 
  • Data controllers will be obliged to inform the relevant national data protection authority of a data security breach within 24 hours of becoming aware of the breach.

 Although the regulation cannot enforce criminal sanctions, there will be more significant consequences of breaching the draft regulation. This will include fines of up to 2% of a business’ annual turnover for intentional or negligent breaches.

 According to the current timescales, the draft regulation is to be implemented before the European Parliament elections in May 2014, but is not likely to apply to the UK until 2016 at the earliest. Despite this, businesses should continue to keep informed about the proposed changes to ensure they are in a position to fulfil the requirements and comply with the key provisions when the time comes.

Twitter launch ‘report tweet’ function

Twitter has introduced a new ‘report tweet’ function across all of its platforms to enable users to report abusive tweets.

The move has been hailed by campaigners who called for social network websites to take action against threatening and abusive users. As noted in our earlier blog post, ‘report abuse’ buttons and similar functions can have limited effect in stopping internet trolls. But this is a step forward in terms of social network websites taking some responsibility for preventing their platforms being used for abusive purposes.