Dec 28, 2011

European Commission to increase the Data Protection burden for businesses

Recently leaked information gives details of a European proposal for a new data protection law (see Financial Times of Monday 12 December 2011). The European Commission has been debating such a law for at least 12 months and indeed sought submissions on possible changes over that period (see, for example, http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm). If the leaks are to be believed, the new law will require EU countries to adopt stringent new data protection measures. If these are breached, the law will allow companies to be fined up to 5% of annual turnover. This is in stark contrast to the present theoretical maximum fine of £500,000 (see http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#monetarypenalties).

The United Kingdom Information Commissioner’s Office (ICO) has had this power to fine companies only since 6 April 2010. However, the ICO has used this power sparingly. Indeed, in the first 20 months the ICO has fined only two businesses. Excluding one nominal fine, the only fine imposed on a commercial company was on A4E Limited, a company acting primarily as a supplier of services to the public sector. All the remaining seven fines were imposed on local authorities.

History shows that, at least in the United Kingdom, the ICO has no appetite to take on companies bigger than it is. Take, for example, the case of Google collecting Wi-Fi data unlawfully in preparation for its Street View service a few years ago.

The UK Information Commissioner took no effective action against Google, unlike his counterparts in Germany, Italy, Switzerland, Canada and the Czech Republic (see, for example, http://www.bbc.co.uk/news/technology-11684952). In more recent times, the UK Information Commissioner has similarly failed to take action against Sony in respect of the PlayStation hacking incident or against Facebook for tagging of facial features (see, for example, http://www.dailymail.co.uk/news/article-1260334/Facebook-tagging-launch-breach-privacy-EU-court-battle-looms-social-network.html).

This week has seen David Cameron throw down a gauntlet to the European Union to protect the London-based banking industry. The European Commission is proposing a radical change to the United Kingdom’s softly-softly approach to policing the data protection legislation, by proposing that a new European bureaucracy would enforce the new legislation. It remains to be seen whether the British government will continue the stance it started last week in opposing this type of legislation. If it fails to do so, British industry, and British banks in particular, will face a very significant increase in the risks associated with data loss.

The one silver lining in the cloud of the new proposals is the way in which they propose to tackle the Cloud Computing industry.  Previously this industry, based as it is to a large extent outside the European Union, has been able to ignore European data protection rules.  The European Commission is proposing to extend enforcement of the new European Union rules to all foreign companies operating in the European Union.  This would mark a significant change.  No longer would companies such as Facebook be able to hide behind a foreign veil.  Instead, the new EU rules would allow their EU subsidiaries to be fined. 

However, a company can only be fined if the proposed European data-policing authority knows that the company has breached data protection rules. Therefore the European Commission is proposing to require companies to report data protection breaches. This is consistent with EU Commissioner Viviane Reding’s remarks in a speech on 29 November 2011, when she said “Our proposal will introduce a general obligation for data controllers to notify data breaches. In concrete terms, that means notifying data protection authorities and the individuals concerned when a data breach is discovered.” (See http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/data-protection-social-media_en.pdf). What is not yet known is whether all breaches must be reported or, more likely, only those over a certain threshold of importance.

A proposal that has been debated for a while is a “right to be forgotten”. A provision to achieve this will also be included in the new legislation. This will require Facebook and other social media networks to change their sites significantly to improve the ease with which individuals can require their data to be removed. All of this is consistent with Ms Reding’s view that “The protection of personal data is a fundamental right”.

 

Dec 27, 2011

Database Protection Rights

1  DATABASES – THE LEGISLATION

In the United Kingdom, the Copyright and Rights in Databases Regulations 1997 (S.I. 1997 No. 3032) (the “Regulations”) implement Council Directive 96/9/EC of the European Union on the Legal Protection of Databases (the “Directive”).  Under this legislation, the maker of a database (i.e. the person who creates the database) has the right to prevent the extraction or re-utilisation of the whole or a substantial part of the contents of the database.  The legislation applies to databases created on or after 1 January 1998.  There are certain transition provisions. 

2  THE MAKER AND OWNER OF THE DATABASE

For the database right to be enforceable the person or organisation having the benefit of the rights must be a national of a Member State of the European Economic Area or be formed under the laws of such a state.

The maker of the database is the person who takes the initiative in obtaining, verifying or presenting the contents of the database and assumes the risk of investing in it.  Where the database is made by an employee during the course of his employment, then, unless the contrary is agreed, the employer will be regarded as the database “maker”. 

3  THE DATABASE

In the legislation, a “database” is defined as “a collection of independent works, data or other material which:
* are arranged in a systematic or methodical way, and
* are individually accessible by electronic or other means”

This definition of database will include, for example, a telephone directory, a list of spare parts or an analysis of stresses and strains in a mechanical device. The definition is also sufficient to encompass an automated employment record or even a web site.

Database rights are applicable to databases whether they are in written or electronic format. However, there are limits as to how widely the definition may be interpreted. In the case of Hit Bit Software GmbH v AOL Bertelsmann Online GmbH & Co KG it was argued in the German Court that computer MIDI files of instrumental music were capable of protection as databases. Hit Bit Software produced MIDI files of instrumental music. AOL Bertelsmann hosted a website from which various MIDI files could be downloaded. Hit Bit alleged that MIDI files contained on AOL Bertelsmann’s website breached its copyright and it also alleged that its MIDI files were capable of being protected as databases. The court held that a MIDI file was not capable of being protected as a database under the equivalent German Copyright Act.

4  THE DURATION OF THE DATABASE RIGHT

The rights created by the Regulations last for 15 years from the date of creation of the database.  The rights are infringed even by a systematic extraction or re-use of insubstantial parts of the contents of the database. 

Where there is a substantial change to the contents of a database, so that it can be considered as a “substantial new investment”, the database will then qualify for a new term of protection beyond the original 15 year period. In this way, database protection can conceivably last for a long time, provided that “substantial new investments” are regularly made to the database. This will invariably be the case for commercial databases which are continuously being updated, as for example a telephone directory or a spare parts list.

Database owners are strongly recommended to maintain records of the investments of time or money in their databases to assist in arguing that they are making a “substantial new investment” and thereby extending the period of database right protection.  Database owners are also advised to ensure that the correct name of the (European) owner appears as the database creator on any copy of the database. 

5  INFRINGEMENT OF THE DATABASE RIGHT

Database rights are infringed if any person extracts or re-utilises a substantial part of the contents of the database.  However, the rights may also be infringed by a systematic extraction or re-use of a series of insubstantial parts of the contents of the database. 

There are exceptions to this.  For example, extraction of a substantial part of the contents of a database is permissible in circumstances where the database has been made available to the public or  where the extraction is by a lawful user for the purpose of teaching or research.  In order for this exception to apply, the source must be indicated and the teaching or research must not be for any commercial purpose.

The UK Regulations define “extraction”, in relation to any contents of a database, as “the permanent or temporary transfer of those contents to another medium by any means or in any form”. 

6  DATABASE SUBSTANTIALITY

The UK Regulations state that “substantial” means “in relation to any investment, extraction or re-utilisation, substantial in terms of quantity or quality or a combination of both”.

In the William Hill case, discussed in detail below, the Court concluded that there was both a qualitative and quantitative element to the substantiality test. 

7  DATABASE LICENSING

The UK Regulations do not contain any compulsory licensing provision for the contents of a database which cannot be obtained through any other source. 

8  DATABASE RIGHTS – LEADING CASES

The English case of British Horseracing Board Ltd v William Hill Organisation Ltd (Case C-203/02 – (1) The British Horseracing Board Limited (2) The Jockey Club (3) Weatherbys Group Limited -v- William Hill Organization Limited (2004)) has provoked much debate about the investment required in order for a database to be protectable under the legislation. The brief facts of this case are as follows. British Horseracing Board maintained a comprehensive electronic database providing up to date statistics relating to horse racing. Some of the information on the database was supplied to a firm, SIS, by a licence agreement. William Hill used information and services supplied by SIS in order to provide up to date information to customers in its betting shops. This information was later incorporated into William Hill’s online betting website. British Horseracing Board argued that William Hill was using the information without its permission and this constituted an infringement of British Horseracing Board’s database right: i.e. William Hill was extracting and re-utilising a substantial part of the database or was making repeated extractions of insubstantial parts. William Hill argued that the material was available from other sources and consequently it was not infringing British Horseracing Board’s rights.

William Hill further argued that the information it had used or extracted from the database was not a part of the database, since what had been extracted was the information from the database (rather than the database itself). 

Other jurisdictions have also struggled with the definition of a database contained in the Directive and there had previously been a series of conflicting decisions within the EU. The William Hill case came before the European Court of Justice at the same time as a number of other cases, collectively known as the “Football Fixtures” cases, namely:
* Case C-46/02 – Fixtures Marketing Ltd -v- Oy Veikkaus AB (2004) ECJ 9/11/2004
* Case C-338/02 – Fixtures Marketing Ltd -v- AB Svenska Spel (2004) ECJ 9/11/2004
* Case C-444/02 – Fixtures Marketing Ltd -v- Organismos Prognostikon Agonon Podosphairou AE (OPAP) (2004) ECJ 9/11/2004

These three cases in, respectively, Finland, Sweden and Greece concerned lists of football fixtures created by the English and Scottish football leagues. The claimant had been given exclusive rights to use the database rights. The defendants ran the football pools and in doing so extracted information from the claimant’s fixture lists. The claimant sued for infringement of its database right. The defendants argued that the claimant’s database was merely a by-product of the leagues’ investment and was not protectable as a database.

The decision given by the European Court of Justice on the 9th November 2004 in all these cases was somewhat surprising.  The European Court distinguished between the investment made in obtaining the contents of the database on the one hand and the investment concerning the verification and presentation of those contents on the other.  The European Court said that in order to be protected under database rights, there must have been a substantial investment in the verification or presentation of the data rather than the (mere) collection of the data.  Thus, it is the organisation of the data rather than the value of the data itself which requires a substantial investment. 

Although the European Court is not authorised to determine facts, in reality, it held that this test had not been satisfied either for the British Horseracing Board’s database or for the English and Scottish Football Leagues’ database. In these cases, the European Court said that the value of the investment was in the original collection of the data and not the verification or presentation of the data within the database.

The European Court also considered the issue of “substantiality” under the database rights legislation. This was of relevance in the William Hill case. The European Court held that the extraction and re-utilisation carried out by William Hill, even though it was carried out in a repeated and systematic manner, concerned only insubstantial parts of the database. Furthermore, the cumulative effect of William Hill’s actions did not amount to the making available to the public of the whole or a substantial part of the contents of the British Horseracing Board’s database. There was therefore no infringement of the British Horseracing Board’s database rights.

This rather narrow view of the legislation came as something of a surprise.  What it does mean in practice is that companies that wish to protect their database must ensure that they record not only the investment in making the underlying data (which will not afford protection to the database) but the investment they make in the verification and presentation of the data which will potentially afford protection to the database. 

9  DATABASE – CONCLUSIONS

Following these cases, it is not enough to show that the data itself is valuable.  What is more important, in order to be sure of database rights, is to show that there has been a valuable investment in the verification or presentation of the data within the database.  Further the owner of the database must be a citizen of or a company established within the European Economic Area. 

 
