Oracle v Google – Success for Oracle, Java APIs can have copyright protection

On Friday the US Court of Appeals for the Federal Circuit issued its much awaited decision in the Oracle v Google case. The case concerned copyright in APIs (Application Programming Interfaces) written by Oracle in the Java programming language. The APIs were licensed by Oracle and used by software developers in apps for smartphones, PCs and other devices.

Oracle discovered that Google was using 37 of its APIs without permission and filed a lawsuit claiming that Google’s Android mobile operating system infringed Oracle’s patents and copyrights. The jury in the original case found no patent infringement (which was not challenged on appeal) and found that Google had infringed Oracle’s copyright in the 37 Java packages but deadlocked on the issue of Google’s ‘fair use’ defence. However, the District Court denied Oracle’s motion for judgment as a matter of law (“JMOL”) and, following further consideration, ruled in favour of Google (except in respect of a specific computer routine known as “rangeCheck” and eight decompiled security files) finding that of the 37 Java API packages at issue, “97 percent of the Android lines were new from Google and the remaining…..elements replicated by Google were free for all to use under the Copyright Act.”

Both Google and Oracle appealed and at the end of last week the Court of Appeals reversed the decision of the District Court and held that the declaring code and the structure, sequence, and organisation of the 37 API packages were entitled to copyright protection. In coming to this decision, the Court considered whether the work was original (originality being a fundamental requirement for copyright protection) and whether the APIs constituted ideas or the expression of an idea. Under both US and EU law, copyright protection is not available for a mere idea but is available for the ‘expression’ of an idea.

In this case Oracle claimed copyright protection with respect to both: (1) the literal elements of its API packages (being the lines of source code); and (2) the non-literal elements (being the structure, sequence, and organization of each of the API packages). Both parties agreed that the APIs met the originality requirement. However, they disagreed upon whether they were an expression of an idea or just an idea itself. The Court found in Oracle’s favour in respect of both elements, finding that that the non-literal elements of the APIs were more than a mere idea and that Oracle had made a choice in how to express those ideas noting that “there were myriad ways in which the API packages could have been organized”.

The US decision has created an even greater divergence of US and EU copyright law. In 2012, the Court of Justice of the EU ruled that whilst source code itself can be afforded copyright protection, APIs and other functional characteristics (such as data formats and function names) cannot be. In reaching this finding the Court stated that “to accept that the functionality of a computer program can be protected by copyright would amount to making it possible to monopolise ideas, to the detriment of technological progress and industrial development”. For software businesses looking to operate on a global scale, this divide is not good news.

This isn’t the end of the story. The Court of Appeals has referred the case back to the District Court for further consideration of Google’s ‘fair use’ defence and even after the ‘fair use’ issue has been decided, it is likely that the case will be subject to further appeals.

EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits them when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency regarding the application of data protection legislation cross Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

Data protection: tighter rules on the way in 2011?

The European Commission last month announced plans to overhaul data protection legislation. The aim of the new legislation is to strengthen the rights of individuals and to ensure that data protection rules are more consistently enforced. However, the current proposals are likely to place an increased burden on data controllers who could face greater penalties for non-compliance.

In its discussion document, A comprehensive approach on personal data protection in the European Union (PDF), the Commission states that the revision process is intended to address a number of “specific challenges”:

  • the impact of new technologies;
  • the need for increased data protection harmonisation and legal coherence within the EU;
  • simplifying the law on international transfers of data; and
  • stronger enforcement and an enhanced role for national data protection authorities.

The overriding aim is:

to protect the fundamental rights of natural persons and in particular their right to protection of personal data.

The discussion document then sets out a number of ways in which these challenges can be addressed in order to accomplish that aim. Some of the key ones for businesses are:

  • Increasing transparency, especially in privacy policies and as regards children. This could include standard forms of privacy notice.
  • Mandatory notification of personal data breaches.
  • Increased rights for individuals to have their data deleted (the “right to be forgotten”) and to withdraw their data from a service provider’s systems (“data portability”).
  • “Clarifying and strengthening” the rules on consent to data processing, in order to ensure that truly “informed consent” is given for processing.
  • Adding new categories of “sensitive” data, such as genetic data.
  • A requirement for “Privacy by Design” covering the design, deployment, use and disposal of technologies.

Observers have pointed out a number of areas of potential difficulty. The “right to be forgotten”, for example, seems on the face of it to contain a contradiction – because companies would need to keep lists of people they were required to have “forgotten”. More pertinently, data may refer to more than one person: where you and I both feature in a group photograph on Facebook, your “right to be forgotten” may conflict with my wish for the photograph to remain available.

Similarly, it is difficult for data controllers to know they have been given “informed consent” for processing without a certain amount of information already being retained and processed about an individual. It also seems doubtful whether standard forms of privacy notice could cover the limitless variety of different ways in which personal data is used.


Current data protection law is far from ideal, and so an overhaul is to be expected. However, the track record on EU legislation in this area will leave many businesses concerned as to the impact of any changes. The Commission document refers to “the fundamental rights of natural persons”, but (apart from references to “enhancing the internal market dimension of data protection) says little or nothing about the role of data processing in encouraging business activity and economic growth. Some of the proposals floated in the document, such as requirements for “informed consent” and the “right to be forgotten”, could present considerable administrative challenges to data controllers.

From a UK perspective, moves to increase “harmonisation” and “coherence” for data protection are likely to mean a considerable tightening up of the law. To date the UK has tended to take a more relaxed view towards data protection issues than some other EU jurisdictions, for example in allowing “implied consent” for processing where others require explicit consent in writing.

The Commission is inviting responses to its discussion document in a consultation period closing on 15 January 2011, and draft legislation is then expected some time during 2011. It remains to be seen what form this will take, but companies whose business is based heavily on data processing will want to keep a close eye on developments over the next twelve months.