Data subject access rights – have your say

Dear reader

In the second of a series of posts on recent developments in the field of data protection law, my colleague Sherif Malak highlights some important aspects concerning the rights of individuals to access their data and the consultation on a new code that is currently underway.  A number of privacy campaigns have sought to raise the public’s awareness of the increasing volumes of personal data used and collected by service providers online, so it is important to have the right processes and procedures in place when dealing with a user request for access to their personal data.

The public consultation period for a draft code of practice on the access right of data subject access published by the ICO (the UK data protection authority) is due to end next month.  The 60 page draft code contains guidance on the requirements of the Data Protection Act (DPA) as well as points of good practice that it recommends organisations adopt in respect of the rights of access data subjects have under sections 7-9A of the DPA.  Generally, within 40 days of request and for a nominal fee (max. £10), individuals are entitled to be told whether personal data are being processed and to be given a description of that data, the reasons for processing and whether data will be shared with other organisations or people.  They are also entitled to be given a copy of the personal data and, if available, details of their source. 

For many organisations and other data controllers, such subject access requests (“SARs”) are commonplace and so the guidance may have a significant impact on how they conduct their request handing procedures.  The draft code emphasises that organisations should embrace the opportunity to take a positive approach to data subject access rights by streamlining request handling through staff training and guidance and by monitoring compliance.  We recommend reading through the paper which is quite detailed and provides a number of useful examples.  In the meantime, a few points made in the draft that will no doubt be of interest include:

• Although a SAR must be made in writing, it does not need to take a prescribed form nor mention the DPA (or that it’s a SAR) and can even appear at first sight to be a Freedom of Information Act request. In fact, a request can be sent, directly or indirectly, by post, email, fax, via an organisation’s website  or even posted on its social media site or a third party website.  So make sure you’re vigilantly checking your organisation’s tweets if it has a Twitter page!

• A child’s rights may be exercised by parents/guardians but it is the child who has the right of access.  If an organisation is confident that a child is mature enough to understand his/her rights then it should respond to the child and not to the parent (regardless whether the parent or the child made the SAR). The draft code helpfully lists a number of factors to consider in borderline cases on page 13.

• The 40 day period to respond to a SAR cannot be extended because an organisation is relying on a data processor to supply the required information.  So organisations using data processors take note – you will need to put in place contractual arrangements to make sure that you can deal with SARs promptly, including when they are send to your processors directly.

• You should not ignore a SAR simply because an individual has not paid the fee, has not provided enough information or if you reasonably require more information to confirm the requester’s identity.  You should contact the individual promptly and inform them of what is needed for their request to be processed.  If you have done so, the 40 day period will not begin until you’ve obtained these things from the requester.

• The draft code clarifies that the ‘disproportionate effort’ exception applies to the supplying of the information by organisations but does not permit you to exclude information from your response just because it is difficult to access or find.  Data controllers are therefore obliged to make extensive efforts to locate data relevant to a SAR but not obliged to “leave no stone unturned”.  You cannot require the requester to narrow the scope of their request if they have asked for “all the personal information held” about them.

• You should have procedures in place to find and retrieve personal data requested that has been electronically archived or backed-up.  However, the ICO has said that it does not expect you to use expensive technical expertise to ‘undelete’ deleted information that can technically be recovered.

• The draft code also covers in detail how you should deal with requests involving 3^rd party data, special cases (such as credit and health records) and the form in which you can respond to a SAR.

The consultation period ends on 21 February 2013 and if you would like to participate and provide your feedback, you can find the submission form for your comments as well as a copy of the draft code on the ICO’s webpage here.

Have a great week,

Laurie Kaye

Hurrah…corporation tax reliefs for creative industries move a step closer…

Dear Reader,

It looks like 2013 is off to a good start for the creative industries in a year in which demand for high quality creative output continues to grow.

The Government has published its proposed legislation for new corporation tax reliefs for British high-end television production (namely dramas and documentaries), animations and video games.

I asked my colleague Mailin Bala to look at the draft legislation to see what it delivers and what impact it has on co-productions.

OK, so, what does it amount to?

In short, qualifying companies will be able to claim an additional deduction of 100% of UK qualifying production expenditure in computing their taxable profits. Where that deduction then results in a loss, companies will be able to surrender those losses for a payable tax credit amounting to 25% of qualifying production expenditure.

To qualify for the new relief, the following criteria have to be met:

• there must be a high end TV programme (meaning the average cost of expenditure per slot
  hour must be at least £1m), animation or video game being produced which is intended for broadcast/commercial release;

• the content must be certified by the Secretary of State as being British; and at least 25% of the core production expenditure incurred by the company must relate to expenditure on goods or services used or consumed in the UK.

See here for HRMC's detailed description of each of the reliefs (including the conditions to be applied) and the proposed draft legislation. See also this document for the
Government’s response to the consultation on the reliefs.

What constitutes ‘British’?

That will be determined by scoring a minimum 16 points out of a possible 31. Points will be awarded for using British locations, language, use of UK key staff and promoting British culture. In some cases, it will be sufficient for the content to include EU elements, rather than purely British ones.

When do the reliefs come into play?

All being well, the new reliefs will apply to qualifying expenditure incurred from 1^st April 2013. This
is subject to the government obtaining State aid approval of the ‘British’ test from the European Commission.

Who can claim the relief?

UK companies that are responsible for production activities and for undertaking negotiations and contracting for rights, goods and services in respect of the content.

What about co-productions?

Only one TV production company/games developer can claim the relief per relevant content. If
there is more than one company that meets the qualifying criteria, then it is the company that is most directly engaged in the activities that can claim the relief. However, a company can elect not to be regarded as a television production company/games developer by recording its election in the company's return for an accounting period.

The election will apply to all content that commence principal photography/ or begins production in that, or any subsequent, accounting period, until the election is withdrawn.

There is however, an additional benefit for TV production, in that a co-producer can claim the
relief if:

• the programme  is made under a relevant international co-production treaty (though not
  through a partnership); and
• the co-producer makes an effective creative, technical and artistic contribution to the programme.

In an attempt to avoid over complication and abuse of the relief, the Government has purposely not legislated for other forms of co-production to be eligible for the relief.

This may in itself appear to stymie co-productions, such as cross-industry productions where for example rights holders engage production houses to conduct all or some of their production activity.

Yet, rather helpfully, the government has acknowledged that companies wishing to access the
relief that are undertaking genuine co-productions, may wish to structure their business in such a way in order to access the relief.

Whilst setting clearer boundaries would have been preferable, this appears to be an invitation for other genuine co-productions to set up special purpose vehicles to avail themselves of the
relief; potentially benefitting additional sectors in the creative industries.

 

Have a good week.

Regards

Laurie

Binding Corporate Rules - A useful new tool for data processors?

Dear reader,

Data Protection will be a recurring theme this year so I’ve asked my colleague, Sherif Malak, to look into an important recent development regarding the use of ‘Binding Corporate Rules’ by organisations processing data on behalf of others.

There is little doubt that the rise of cloud computing services is likely to continue unabated in 2013, as more online consumer services and in-house IT departments roll-out cloud based solutions and enjoy the associated flexibility and efficiency gains they bring.  However, the cloud era does bring with it the need to keep on top of data protection compliance requirements.  Considering the often bewildering complexity of cloud arrangements, this can be easier said than done!

So for organisations grappling with the legal compliance issues around cloud computing, the European data protection authorities’ decision to launch Binding Corporate Rules (BCRs) for data processors could represent a very welcome tool for the new year.   BCRs are a set of rules governing transfers of personal data between entities that form part of the same corporate group. The authorities, which assemble as the ‘Article 29 Working Party’, have announced that organisations that are data processors will be able to use BCRs from 1^st January 2013.  

There are a number of advantages that Processor BCRs will bring to customers and providers of cloud services but first a quick recap for the uninitiated:- under the data protection rules, organisations that control the purposes and methods by which personal data are processed (i.e. “data controllers”) are prohibited from transferring personal data outside the EEA (EU countries + Iceland, Liechtenstein and Norway) unless the recipient country can ensure an adequate level of protection of the rights and freedoms of the data subjects about whom those personal data relate.  BCRs are one way an organisation can comply with requirements under European data protection regime when transferring personal data to countries outside the EEA – but only between companies within its corporate group.  Other ways include transferring only to non-EEA countries declared adequate by the Commission e.g. Canada, Israel (or US but only if the organisation participates in the Safe Harbor regime) or including Commission-prescribed “model clauses” in contracts with the transferee.

The introduction of Processor BCRs brings with it a number of advantages including:

1. By using data processors that have BCRs approved by regulators, data controllers do not need to negotiate the safeguards and conditions each and every time a contract is entered into.  Processor BCRs permit controllers to demonstrate compliance with the ‘adequacy’ rules for all data processed by that processor’s group.  Processor BCRs also go some way to solve the problem of the current gap in the model clauses system which does not provide a set of clauses for controllers to use with EEA processors that have non-EEA sub-processors (albeit the solution only applies to sub-processors in the same group).
2. Under the BCRs, data processors can transfer the data controller’s data within their corporate group (including any members in non-EEA, ‘non-approved’ countries) without having to manage a matrix of contracts between the data controller and individual group companies to ensure that such data are adequately protected.  Also, if the group expands, there is no need for data protection authorities to approve updates to the BCRs once they’re operational (e.g. if a new entity is established or if there’s some other change to the corporate structure), although periodic notification of new members and in some jurisdictions, notification of transfers, is required. So for instance, a UK processor can pass data to its established Indian or Brazilian subsidiaries or a new subsidiary in China – the BCRs will bind them all without requiring an approval process each time. 
3. Processors with BCRs can use them as a selling point not only to appeal new controller clients but also to existing clients as the take up of new processing services that may be carried out by sub-processors in the group outside the EEA will automatically be covered by the BCRs.

Of course Processor BCRs do suffer from the same issues as those for data controllers: BCRs raise the compliance bar in jurisdictions which might not require such an onerous level of data protection compliance, they only apply to intra-group transfers, the approval process is not straightforward and can be lengthy and they allow data subjects to enforce the rules directly against the organisation.  Nonetheless, until the much anticipated Data Protection Regulation shakes up the approach to BCRs in light of the fast-moving transition to the cloud, Processor BCRs will be a welcome addition to the toolkit for both customers and providers of cloud services when tackling the issue of transfers of personal data outside the EEA in their contracts.

So much food for thought!

Have a great week.

Laurie Kaye

UK Copyright - exceptions which prove the rule?

Dear Reader

So the Government's decided to fill Christmas stockings with its response to its consultation on copyright exceptions. It would herald major changes to UK copyright law. Copyright has always been about the balance between rights and exceptions. But the big question is whether these proposals have got it right or do they threaten to undermine some emerging digital content business models?

That's a question I'll try and answer in upcoming posts. But, in the meanwhile, here's a quote from the IPO's Response, published yesterday. It also needs to be read in conjunction with its Impact Assessments on these proposed measures.

In the meanwhile, enjoy the festive break and let me wish you and my other readers a very happy holiday season and a healthy, prosperous and creative year ahead. It's going to be a busy one.

So here's the Government's own summary - their words, not mine:

Permitted act	What will the Government do?
Private copying	Introduce a narrow private copying exception, allowing  copying of content lawfully owned by an individual (such as a CD) to another  medium or device owned by that individual (such as a mobile phone, MP3 player or private online storage), strictly for their own personal use.
Education	Introduce a fair dealing exception for non-commercial  use of copyright materials in teaching. Expand the type and extent of copyright works that can be copied by educational establishments. Expand the exceptions to enable distance learners to access educational materials over secure networks. Retain existing licensing arrangements for recording broadcasts and photocopying.
Quotation	Introduce an exception permitting fair dealing with quotations, as long as sources are identified.
Text and Data mining	Create a copyright exception to cover text and data  analytics for non-commercial research within certain restricted limits, which  will protect publishers from large-scale copyright infringement.
Parody	Introduce a fair dealing exception to allow limited copying for parody, caricature and pastiche, while maintaining current system of moral rights.
Research and private study	Change the scope of copyright law to allow copying of  all types of copyright works for non-commercial research purposes and private  study. Introduce an exception to allow educational institutions, libraries, archives and museums to offer access to all types of copyright works on the premises by electronic means at dedicated terminals for research and private   study.
Disabilities	Broaden the scope of the current disability copyright exceptions to include all relevant types of disability and copyright work, and simplifying the processes and procedures related to these exceptions.
Preservation	Enable libraries, archives, museums and galleries to make preservation copies of all classes of work.
Public Admin. and reporting	Amend the current copyright exception for public administration and reporting to permit the publication of relevant third-party documents   online.
Other permitted acts	Current position to be maintained.

'FutureBook 2012' - so what were the 'big themes'?

Dear reader

I spent last Monday at The Bookseller's 'FutureBook' conference (#fb12) and came away more with a sense of affirmation than radical new insight. As one presenter put it, "the future's now". The market is real. Sales of ereaders, tablets and ebook are all rising fast. The mist surrounding forecasts a few years ago is being dispelled by a strong blast of 'on the ground' activity. And it's just the beginning, as the possibilities for the "book" and reading continue to expand.

All of which requires hard graft and a strong reality check.

OK, so what were the 'big themes' and the big lessons? Amazingly, I have boiled them down to my 'Top 10' and many of which feature in my White Paper - plug - which I wrote earlier this year on 'the 4C's: The Building Blocks of a Future Business Model for Publishers' (click here).

1. The world is is reader/consumer/community centric 

"The world is being re-defined from the viewpoint of the customer rather than the industrial process." (Rebecca Smart, Osprey Publishing). For instance, Osprey have used crowdsourcing to identify potential new series. Generally, books are becoming more social, personal and interactive. The shift is from the product to the reader - As Dominique Raccah of sourcebooks put it, the key question is to ask is "what creates the best immersive experience."

But is this really new? Hasn't publishing always been about the reader? I think this is a radical shift which is changing the internal organisation and skills within publishers and in the way that they engage with readers.

2. Author Power

Self-publishing platforms provide authors with direct access to their readers, giving them the opportunity to build readership communities and their brand. They also strengthen author's negotiating position with agents and publishers if they're already self-published.

Authors are the creators of the narratives that can be expressed across different multiple formats.

Authors, and their brands, are at the heart of the creative, digital world. Everyone else in the chain between author and reader has to find their added value in order to secure their place.

3. Owning creativity

Charlie Redmayne, Pottermore's CEO, exhorted publishers to own creativity and innovation and to exploit the huge opportunities to build their own brand (referring to Lonely Planet as an examplar) and to harness fan bases. In Charlie's words: "It's about the monetisation of content on every digital platform that makes sense."

From physical to digital book, from plain text to rich media, from online and mobile to augmented reality, the possibilities are huge.

4. IP Centric

'Format free, IP centric' is my new mantra. There's great scope for creative and innovative new business models and to use core and derivative copyrights and other intellectual property rights to power creativity.
Personally, I think we're still in the very early days of what I'd call 'business model innovation'. But we need to remember, and remind others, that copyright is the enabler for that innovation.

5. Collaboration

Collaboration was one of my '4C's in my White Paper on 21st century publishing.Collaboration across industry sectors, not segmentation and keeping rights in silos. It was repeatedly mentioned at 'FutureBook'. But it isn't all 'peace and love'. Collaborations have to manage conflicting and competing interests. That takes skill! (Add that to the next point as a core skill!).

6. New skills,new organisations

This isn't news to publishers but it may not be apparent to those outside the industry how fast things are changing. The new "digital skillsets" include product development, marketing, consumer insight and data analytics. Consumer focus groups, common in consumer products industries, are now an increasing feature of product development for publishers.

7. New organisations

And it's not just the skills. Creating "books" across a range of mobile devices with rich media requires a team-based, collaborative approach that breaks down silos that may exist within organisations.

8. Agile and iterative

"Books" are now software, as much as editorial, projects. So  project management techniques for developing new products are closer to software development. For instance the use of 'agile'  is becoming increasingly common, involving an iterative approach in which the "book" is developed in short sprints at the outset of which the client and developer (in-house or external) agree what is going to be developed in each phase. This needs close client involvement in the project and testing on a phased basis.

9. Role of data

As Kobo's presentation showed, syncing to the cloud provides publishers with huge (anonymised, aggregated) data and insight into what readers read and, as important, what they finish and what they don't.  Data analytics is another core skill in 21st century publishing. And, yes, ensuring privacy and data protection compliance is equally essential.

10. Just the beginning, carpe diem

Mike Sabinas of Kobo described a 25 year transformation from physical to digital and encouraged everyone to "play the long game." So if let's look beyond today's zero sum game of cuts and low/no investment to the huge opportunities which everyone in the industry can grasp, including authors, agents, publishers, retailers, developers, platform and service providers and, why not, even lawyers!

Have a good week.

Laurie Kaye

 

Reconciling national laws and legal jurisdictions in a borderless, networked word.

Dear reader

In my last post, I said I'd look at more detail at this issue. If you were an Internet pioneer, you'll remember the adventure book language of 'Cyberspace' and the Wild West in the early 1990's, in which the Net/Web was seen as a parallel universe beyond legal and other norms. But there's been a slow but steady theme emerging that, at least in legal terms, 'online =offline' is a more accurate starting point for cyberlaw analysis, a point hammered home by the recent slew of libel claims arising from tweets on Twitter.

The issue of jurisdiction

Sure, the debate about the enforceability and acceptability of certain aspects of intellectual property and other legal rights as they apply online rages on. But an issue of equal importance is the location of the legal jurisdiction where rights can be enforced. In the online world, there is a cross-border, continuous chain of transmission. Content is copied and distributed across multiple legal jurisdictions on its journey from the browser request, across multiple servers until it's served up to the user's device.

So if that content is illegal or infringing content, where does the rights owner go to enforce those rights? And for rights clearance purposes, which national rights need to be cleared?

In short, the hunt for legal jurisdiction over content online has travelled from "it's nowhere" >"its everywhere" > to "its somewhere". In this post, I examine the rules which determine where that "somewhere" is. As we'll see, under European law it's the country where the recipient computer/device is located assuming there's some targeting of the public there.

The legal framework about jurisdiction is the so-called Brussels Regulation which says that the general rule is that you sue someone where they are domiciled. (So, in the case of a company, it would be where that company was established). But there's an exception for 'torts, including intellectual property rights. In that case, you can sue "where the harmful event" occurs. So with creative content which is travelling from server to server across legal jurisdictions, where does the "harm" take place?

The case

That was the point examined in detail by the European Court of Justice (ECJ) in Football Dataco and others v Sportradar GmbH and another, Case C-173/11, 18 October 2012. The legal right in question was the often misunderstood and often overlooked database right (aka sui generis right), which was created by European law in the Database Directive. The Directive harmonised the rules in Europe about copyright protection for databases but also introduced a new right - the database right - to protect investment in database content. (You can read a guide I wrote about the Directive here).

In short, the database right gives the owner of that right - the database producer or their successor - the right to prevent others from "extracting" or "re-utilising" substantial parts of database without a licence.

Case details

Football Dataco Ltd (Dataco), a UK company, gathered and exploited data about English Premier League football matches through its 'Football Live' database available via the Web. Sportradar GmbH has a competitor service - 'Sport Live Data' - available via its betradar.com website which was hosted on servers in Germany and Austria. UK-based customers were using online betting services provided to them by UK companies who were taking a data feed from Betradar. Dataco alleged that Sportrader had 'extracted' data from its 'Football Live' database without permission.

So the question for the ECJ was this: where was the infringement of the database right taking place? In Germany and Austria where the servers were located, in the UK where the UK customers were using the data or both? (To be precise, the question was whether Sportradar was jointly liable for acts of infringement of the database right by users in the UK who accessed the data).

ECJ's decision

The ECJ decided two things about the Database Directive. First, that sending data that has previously been uploaded from a database protected by the sui generis/database right from a web server to the computer of another person for the purpose of storage in that computer's memory and display on screen, is an act of re-utilisation by the sender (Sportradar in this case).

On the issue of jurisdiction, the ECJ decided that that act of re-utilisation takes place at least in the member state where the receiving computer is located - in this case the UK - as long as there is evidence that the sending discloses an intention to target members of the public in that member state. That evidence about "targetting" must be considered by the national court. Relevant factors in this case might include the fact that Sportrader made agreements with companies which offered betting services to the UK public; the fact that betting companies' websites were in the English language.

In fact, this decision of locating "harm", and therefore jurisdiction, in the "targeted" country is narrower that other intrepretations. The Attorney General had previously given an opinion that infringement proceedings can be brought in any country where an act in the chain of re-utilisation takes place.

Conclusion

This case will not be the last case on the issue. But it does demonstrate that, at least in legal terms, there is growing proximity between the online and offline worlds. In both the physical and digital worlds, "stuff" happens somewhere. And you just have to deal with it.

Have a great week,

Laurie Kaye

 

More on digital media and automated rights clearances

Dear reader

I know that 2 blog posts one day nearly constitutes spam - "Blam?" - but I wanted to share this press release with you, just received from the Linked Content Coalition. It's another stream of work on automating rights clearance - theme 1 in my earlier post -  which has EC support behind it.

If not quite here, the future for rights automation is definitely coming.

Regards

Laurie Kaye

3 recurring digital media law themes

Dear Reader

It's a digital media lawyer's natural instinct - OK, mine at least - to want to try and distill ever growing complexity and multi-factorial change into a few [10] golden rules, [8] key points etc. If only life was that simple.

But I can't resist. So here are 3 recurring digital media themes:-

1. Liberating the digital content market by moving content licences from filing cabinets and emails to 'machine to machine' communicated permissions.
2. Getting contracts right in an IP-driven, format neutral world.
3. Reconciling national laws and legal jurisdictions in a borderless, networked word.

On the first theme, the UK has a vested interest in getting this right. We have a global language, vibrant creative industries and a global market place. So it's worth taking note of the work being done by the Copyright Licensing Steering Group (CLSG), a cross creative industries group, to implement Richard Hooper’s recommendations in his report, Copyright works: Streamlining copyright licensing for the digital age. Here, you can Download Copyright Hub  Press Release.

In my next two posts, I'll look at the 2nd and 3rd themes by reference to a few recent cases. In my next post, I'll deal a  copyright transfer which didn't clearly deal with copyright in pre-existing works.

Following that, I'll look at the recent decisions in Football Dataco and others v. Sportradar GmbH amd SMI Group v.Levy and others which addressed the question of how to work out in which country the database right was infringed in a situation where the operators of the database, their servers and the users were all in different countries.

Have a good week

Laurie Kaye

'We're all in the technology business now' - 'agile', 'waterfall' and 'agi-fall'

Dear reader

As someone from the publishing industry observed recently, "we're all in the technology business now." So delivering successful projects for new technology platforms and applications is now as important a skill for the industry as is commissioning great content.

If that responsibility is part of your remit, I'm sure you'll be familiar with the first meeting with the developer for, say, a new App when the question of project management methodology is discussed. "Let's use 'Agile' says the developer. Everyone nods sagely. Unlike the classic 'Waterfall' approach to software development which is based on pre-defined funtional specifications, 'Agile' is designed for a more iterative approach which is more 'friendly' to web and mobile based applications.

The topic of 'Agile' was discussed at a recent excellent 'Society for Computers & Law' seminar.

The starting point for an 'Agile' development is the 'user stories' which express the business outcomes that the client wants to achieve. Selected 'user stories' are then developed on an incremental approach in short - typically 30 day - sprints, with testing on a sprint by sprint basis.

So is this right for you? This is not a yes/no question. But bear these golden rules in mind:

1. It isn't right for all developments. If the development can be fully defined at the outset, taking a 'Waterfall' approach may be safer in achieving the outcome you want within a pre-set budget.
2. 'Agile' needs clients and developers who have 'hands on' experience of working in this way. So don't try this at home!
3. 'Agile' needs a genuinely collaborative approach between client and developer. Not everyone can work in this way.
4. The client's 'Product Owner' must fully and actively integrate him or herself into the develper's team.
5. The Developer's 'Scrum Master' must act as the Client's advocate within the developer as the Client's advocate. That's a tough role.
6. In its pure form, 'Agile' is a time and materials contract for services with no fixed price. That's risky in inexperienced hands. That said, I recently heard a developer saying that they work in 'Agile' but to fixed prices! Definitely, a point for upfront negotiations.
7. There is no 'one size fits all' solution for Agile. Fori nstance, there are lots of 'hybrid' pricing solutions to manage the pricing risk.
8. Contracts for 'agile' need to create clear processes for communication between the client and developer teams.

So get all this right, and 'Agile' can work really well. My personal view? Based on my experience, I'm an advocate of an approach which I call 'Agifall'. This takes the key elements of 'Agile's' iterative and flexible approach to software developments but 'encases' it within certain 'hard' outcomes in terms of minimum requirements, price etc.

I'm happy to tell you more about that if you're interested.

 Have a great week

Laurie Kaye

When is a sale not a sale, and vice versa?

Dear reader

Imagine going into a car showroom, signing the paperwork to buy a car and driving away, with neither you nor the dealer being exactly sure what the deal was.  You thought you had bought the car and were therefore free to either keep it or sell it.  The dealer, on the other hand, thought that you didn’t own the car outright and couldn’t sell it on without his permission.

This never happens – right? Well, in “the real” world probably not, but in the world of creative content and software, it does happen.

Take the recent controversy surrounding Bruce Willis where he was allegedly upset that he was unable to bequeath his iTunes library to his children.  Although press reports of Bruce’s threats to exercise serious courtroom muscle against Apple turned out to be unfounded, the story did highlight a very important issue – when it comes to purchases in the digital world, be it software, mp3s, e-books or anything else, are we all making purchases without knowing exactly what the deal is?

3 key lessons

A recent ruling by the European Court of Justice (ECJ) involving software publisher Oracle and UsedSoft, a  vendor of pre-owned software licences, has highlighted that in the case of software downloads there really is widespread confusion on both sides of these transactions regarding what rights a buyer walks away with after purchasing software.  As we’ll see, the case demonstrates three things. First, if the economic substance of the transaction is a sale, then this doesn’t change if the language talks about a limited licence, meaning that the buyer is generally free to re-sell. Second, even if it is a sale, there is a big caveat: the owner can still control rental of the software. Put another way, business models (e.g. ‘software as a service’) built on rental do not result in loss of control over re-distribution of the software. Third, although the case related to computer software, there are some important lessons for other forms of creative content.

It’s all about control

So what was the case all about? Oracle claimed that UsedSoft had infringed its copyright in the software on the basis that Oracle’s customers (and subsequently any reseller such as UsedSoft) had no right to distribute purchased copies of its software by re-selling them.   UsedSoft’s position was that, as with cars and other “real world” purchases, once a customer buys software for lifetime use, including via download, they have the right to sell it on without requiring any permission from the seller. 

Oracle disagreed.  It pointed to its licence terms, particularly the words “non-transferable”, to argue that real world rules did not apply to software downloads.  As far as it was concerned, the software had been ‘licensed’, not ‘sold’, so it could still control what the buyer could do with its software, even after sale. 

The case was referred by the German courts to the ECJ for clarification on certain aspects of the Copyright and Software EU Directives.  We’ll examine the case in a moment and see whether it applies to other forms of digital content and not just software.  But what is the nub of the problem? For the software and creative content industries, new business models are built on licences but, as these cases show, there is a lack of clarity about exactly what constitutes a “licence”. 

So what exactly is a “licence”? What does the consumer or business customer get? A typical provision in a consumer service talks about a: “….limited, non-exclusive, non-transferable, non-sublicensable license to access and make personal and non-commercial use of the [content]”.  This isn’t an academic legal debate buried in impenetrable online terms and conditions. If a licence is in fact, a sale, then the consumer is free to give away or sell the content like 2^nd hand goods on eBay. Similarly, if the licensee is a trade customer, it can re-sell or deal with the digital content without requiring any further permission from, or payment to, the content provider.

The real moral of the story is that the creative content industries should not leave it to the courts to “retro-design” business models.  If the substance of the transaction is a sale then that‘s how it should be described based on the economic business model.  If, on the other hand, it’s a form of exploitation such as rental then that should be reflected clearly as well.  That was the lesson in the UsedSoft v. Oracle case where the bottom line of the ruling was that if a business charges a licensing fee for software that represents the entire economic value of that copy’s useful life, whether downloaded or sold on physical media, the transaction will be treated as a “sale” even if the licence terms state that the licence is “non-transferable”.  It can therefore be lawfully resold in the same way that a car or any physical product containing copyright material can be resold as long as the seller first deletes or makes his copy unusable.

Case background

The ECJ ruling in UsedSoft v. Oracle clarified two main points on the interpretation of the Software Directive, namely that:

1. under Article 4(2) of the EU Software Directive Oracle couldn’t prevent subsequent sales of a copy of its downloadable software, including any updates, after it had charged a fee “corresponding to the economic value of the copy of the work” on its first sale.  The ECJ ruled that by charging fee reflective of the economic value of the software Oracle had effectively transferred the ownership of its rights in that copy to the purchaser and therefore had ‘exhausted’ its rights to further distribute, and be further remunerated for, that copy.  So the ECJ agreed with UsedSoft that the ‘exhaustion of rights’ principle applied.  Similar to the ‘first sale’ doctrine in the US, this principle in EU law restricts the ability of a rightsholder to control a physical copy of an item containing their work, say a book, by causing that control to be ‘exhausted’ after the first sale of that copy.  It is by virtue of this principle that a number of traders have lawfully created a secondary market for a variety of second hand goods, including books, CDs, computer games, computer software, DVDs etc.  However, the court held that the seller must render his copy of the software unusable (e.g. by deleting that copy) for the resale to be lawful.  Referring back to our example, it would hardly be fair to the car manufacturer if you could sell your car and somehow retained the benefit of it.
2. Oracle couldn’t prevent a purchaser to whom a copy had been resold (such as UsedSoft or its customers) from copying the software in order to use that copy because, although the exhaustion principle does not apply to Oracle’s reproduction right, under Article 5(1) of the Software Directive a “lawful acquirer” can reproduce the software to make use of it for its “intended purpose”.

The court did however point out a caveat: volume licences must be sold as a whole as the partial resale of a multi-user licence would involve the seller continuing to use a usable copy.

Case analysis

The ECJ ruling marks a considerable shift as to where the courts draw the distinction between a “licence” and a “sale” by applying an “economic value” test.  By doing so the case clarifies, at least where software is concerned, that a transaction where a customer is charged a ‘one time’ fee which represents the economic value of the software will be treated like a real world sale and not a time-limited licence or rental. And just as with the sale of a car, this means a buyer is free to sell the software on to whomever he or she chooses.

But the impact of this ruling may not only be limited to software publishers.  Publishers of music, e-books or any other digital content sold by download should also take note: although the ruling specifically concerned the resale of software under the Software Directive, the reasoning applied by the court to the exhaustion of rights principle is likely to apply in the same way under the Copyright Directive.  Whilst there is no equivalent reproduction exception for such works as there is for software under Article 5(1) of the Software Directive, the Copyright Directive does allow for temporary copying, which would allow for lawful uses of many formats of work e.g. mp3, e-book etc. once such files were resold.  For more information on this, barrister Tom St Quintin of IP specialists Hogarth Chambers discusses the various legal issues involved in his post here.

Practical pointers

• All businesses in the creative industries should carefully consider how the test used by the court might affect their pricing and business models. 
• In particular they should think about whether the ‘one-time’ licence fees they currently charge reflect the value of, in effect, what are now transferable licences, at least in the case of software.  If not, they may wish to explore rental, hire-purchase models or models based on offering “Software as a Service” (SaaS), to which the exhaustion of rights principle does not apply.This ruling will have an immediate impact on businesses that sell perpetual licenses for a one-time fee, especially to the consumer market where single-user licences are common.  Such software publishers, are likely to have new competition from the used software market which can now expand to include used licences for digital downloads comprising up-to-date, fully patched versions of their software products.

If you’d like any help in applying these lessons to your own business models, we’d be delighted to help. And, just to encourage you, for a limited time only we’re offering 30 minutes free phone consultation.

Have a great week

Laurie