Legal Protection of Database Security Yue Kang International School of Beijing Univeristy of Posts and Telecommunications, Beiqijia Town, Changping District, Beijing, China 2011213224@bupt.edu.cn Abstract
database.
This paper introduces the legal protection to database under Chinese, EU and US laws. China and US have similar mechanisms to protect the selection and arrangement of database under copyright law and the content of database can be protected by the other laws. Database Directive of EU protects the structure of database if it is original. At the same time, EU also provides sui generis protection for database which is substantial investment.
EU, China and US adopt different kinds of laws to protect database based on the conditions of their own countries. The legislation development is also affected by the technological development.
Keywords
Chinese Laws China gives protection to database under copyright law and other types of laws.
Database; Security; Law
Copyright Protection
Introduction
Chinese law protects database under Article 14 of PRC Copyright Law [1]. Firstly, protection is given to the selection and arrangement of the content if the selection and arrangement is original. It means that the selection and arrangement of database should constitute author’s intellectual creation. The author needs to apply some creativity though it doesn’t need huge creativity. Some mental effort must be put by the author.
There is increasing number of data breaches happening all over the world, which should draw attention of countries all over the world. On December 19 of 2014, the second‐largest discount retailer of United States Target announced a data breach due to hacking .The number of affected customers reaches 70 million and the stolen information includes names, phone numbers, emails and mailing addresses and credit card data. This incident has a negative effect on the sales and profit of Target. United States Senate holds hearings to find out the cause of this breach. This essay analyzes the reasons and consequences of this massive breach, laws involved, what laws to do to protect customers’ personal information and similar breaches in China. All countries give the same right to original selection and arrangement of the database. However, different countries have different views about the protection of non‐original database. Developing countries are very against protecting factual data because there is less money to spend on accessing factual data in developing countries. There is also less R&D in developing countries. On the contrary, developed countries want more protection for factual data if they have made substantial investment in creating, obtaining, verifying, presenting the data. However, there is no international agreement on no‐original
Secondly, the law also protects the content of the database if the content meets requirements of copyrightability. This means that the content of database has to be original, meets de minimis requirement and it must have tangible form. In this way, copyright law of China gives narrow protection to database because it only protects “creative” data, such as photos, papers, music, etc. Then the ‘factual’ data is not protected by copyright and it can be copied and re‐use freely. Other Laws to Protect the Content of Database Even if authors can’t protect the content of the database under copyright law, they can still use a variety of other laws to protect the content , such as trade secrets, contracts, trespass, unfair competition, etc. The problem is that such protection is very risky because authors can’t make sure which argument court will agree, which law will be applied. Authors of database needs to calculate the risk to protect their
38 International Journal of Engineering Practical Research, Vol. 4 No. 1‐April 2015 2326‐5914/15/01 038‐04 © 2015 DEStech Publications, Inc. doi: 10.12783/ijepr.2015.0401.08
Legal Protection of Database Security 39
database under laws. EU Law As mentioned above, there is potential problem of Chinese copyright protection of database because a lot of databases don’t show any originality in selection and arrangement. For instance, we simply put factual data in some databases and arrange it alphabetically. However, there may be considerable financial investment for finding the facts although it doesn’t cost originality and intellectual effort. Nucleotide Sequence Database – EMBL never fails to confirm this point. EU Commission Database Directive provides 2 tier protection for database to solve above problem. Database Directive Protection under Copyright On the first tier, EU law provides copyright protection, same as all other countries, if selection and arrangement of the content of database shows originality. Databases which, by reason of the selection or arrangement of their contents, constitute the author’s intellectual creation [2]. In this term, the author of the database is a legal or natural person who selects and makes arrangement of the database if it is original. Similar to Chinese law, author’s intellectual creation means that the author has to show some intellectual effort, some originality to the selection and arrangement of database. Then author enjoys all the exclusive copyrights, including rights of reproduction, distribution, communication to the public, translation, adaption, arrangement, etc. Sui Generis On the second tier, EU law wants to protect the financial investment of the database. So they has Sui generis protection for the non‐original database. Sui Generis Protection is aimed at protecting database which owns substantial investment in obtaining, verification or presentation of contents of the database. However, database right is of lesser duration than copyright. Copyright lasts 70 years, but database right only lasts 15 years. Sui Generis protects database from two aspects: the temporary or permanent extraction and re‐utilization of the whole or of substantial part of the content of the database. It should be noted that EU law also protects the data temporarily stored, which is different from laws of many countries. Normally in most countries, it doesn’t infringe the law if it is temporarily
reproduction. Only permanent reproduction is unlawful. However, the Database Directive of EU even doesn’t allow the temporary transfer of data. This means that there is a complete ban on extracting the data. On top of preventing anyone from taking the content of other’s database, reutilizing by any means to make database available to the public is not allowed by EU law. Besides , the degree of ‘substantial’ should be evaluated qualitatively and quantitatively. For example, taking eighty percent of non‐core data should be equivalently severe as taking twenty percent of data which is the heart of the database. In brief summary, what Sui Generis prevents is that an individual can’t take substantial part of the database and can’t keep repeatedly extracting from database which owns substantial investment. At the same time, there are some exceptions to above provisions. If a user extracts insubstantial part of the database or what his/her behavior doesn’t conflict with three Berne test, this is allowed by the Database Directive. Besides, the use of the extracted or reutilized data should be taken into consideration. Extraction of data for the teaching, scientific research, public security or of administrative procedure is lawful in EU. Influence of EU Law EU law tends to stimulate the investment to database by protecting the content of the database. However, there is considerable controversy about the Directive. Some argue against it because it may cause monopolies of information, further restricting the competition in some fields. For example, the news and factual data may be grasped by some leading journals. The Directive makes it difficult to compete for small business. Same problem exists in the area where single source data is monopolized by producer such as telephone directories, programmes listings or event data[3]. But on the other hand, others are in favor of the Directive which fosters competition, reduces costs related to protection of database and facilities the marketing of database by giving license of content of database, especially the European publishing industry. Rulings of ECJ To mitigate the negative effects and narrow the protection of Directive, four decisions made by ECJ offer more guidance and clarify the key issues of Directive. BHB’s activities and fixture lists don’t need independent substantial investment to obtain and
40 Yue Kang
verify the content of the database. What they do is just a “spun‐off” database. This decision clarifies that the purpose of Directive is to encourage the investment of database, not the material as side‐effect of other activities. But at the same time, ECJ’s decision seems to make it intricate to differentiate the creation of data and obtain or verify the content of the database. US Law Similar to Chinese law, US law protects the selection and arrangement under copyright law and it protects the content under other laws. Though US doesn’t have sui generis, it doesn’t mean they don’t have content protection. It only means they don’t have copyright protection for content. But court will always look at some other laws to protect the content of the database, such as misappropriation laws, trade secret laws, contract laws , etc. Database Protection Under Copyright Law Database can be treated as compilations to be protected in US. Similar to Chinese law, the selection and arrangement of the database ought to be original to be copyrighted. After Feist decision, copyright law of US doesn’t protect the factual data of database. In this way, authors of database tend to implement legal and business strategies to be qualified to be protected under copyright law. One solution is to change the structure or content of the database to make the arrangement original. Alternative way is that they include some copyrightable contents in the database. Database with copyrightable information is more likely to be protected than that of purely factual data. Databases which take either of two strategies are referred as “value‐added databases”. In particularly, US law allows data aggregation as long as the author can express the content of the database in a new type of way. Basically, US law supports electronic website services to aggregate data as long as something new is created, as long as author adds value or creates services which are novel. Protection under Laws Other Than Copyright Laws 1) Misappropriation Laws Because of the value of time‐sensitive data, US protects such information under misappropriation laws. If individuals copy precious time‐sensitive information, such as stock quotes, statics for games, etc, they will be held misappropriated use in US.
Court makes decisions based on following five principles: (1)It costs financial investment or effort to create the database. (2) Information has high sensitivity to time. (3) Defendant shouldn’t make use of the author’s effort for his interest. (4) Illegal use of defendant constitutes competition to the creator. (5) Products or services of database’s author are influenced by the illegal use of data. Therefore, this so‐called “hot news” doctrine guarantees the fair competition in the marketplace[4]. 2) Electronic Trespass US laws are against trespassing to restrict the illegal extracting and copying of the content of database. According to NY CLS Penal § 156.10, computer trespass means individual knowingly uses, accesses a computer, service or network without authorization. An individual will be held guilty if he/she intentionally means to commit crime by illegal access or he/she intends to get material by gaining access [5]. In some cases, users still collect the content of other’s database when they are explicitly notified that illegal use of the information from database is forbidden. Such behavior may be held trespassing or breach of contract[5]. 3) Trade Secret Database owners may use trade secrecy laws to protect their own works. However, not any database can be protected as trade secret. There are three elements to be considered. Firstly, the protected database should be non‐public, which means it should be maintained internally by the company and it is not available to the public. Secondly, the database needs to be kept as trade secret by the company, which means the database owner needs to take reasonable measures to protect its security, such as password‐protected computer system to limit access to database. Finally, the protected database ought to provide business advantage. If a database contains information that is generally known or easy to obtain in the industry, the database is unlikely to be treated as trade secret for protection. Though the information in the database doesn’t need to too novel or unique, it needs to be non‐obvious to the individuals who may make profit from the disclosure of data[6]. 4) Contract Laws For many database creators, contracts functions as
Legal Protection of Database Security 41
a main source of protection. Owners strengthen the protection of contract in recent years by fitting the terms of using to the organization and users. Although specific terms may be different based on the products or companies, the core coverage of the terms of user is generally the same: limited access, permitted conditions of use, enforcement and remedy. Contractual protection effectively complements copyright law to protect database.
introducing specified laws similar to EU, to protect database. REFERENCES
ʺComputer Trespass Law &legal Definition.ʺ USLEGAL. N.p.,
n.d.
Web.
25
May
<http://definitions.uslegal.com/c/computer‐trespass/>. ʺCopyright Law of Peopleʹs Republic of China.ʺ Npc. N.p.,
5) Pending Laws
n.d.
US has the tendency of introducing specified database laws to protect the database: HR 354 and HR 1858. This action means that US wants to regulate the protection of database by specified laws, similar to EU. Though the existing laws of US is similar to China, US tends to adopt similar legislative system like EU to protect the database. That’s where it is different from China.
<http://www.npc.gov.cn/englishnpc/Law/2007‐
Conclusions EU, China and US protect intellectual creativity of author under copyright law. They grants copyright protection to the original selection and arrangement of the database. However, only EU provides Sui Generis protection to the content of database which is substantial investment. Though there are some potential problems of such protection, ECJ rulings narrow the interpretations. China and US treat database as compilation for copyright protection. The content of database can be protected by other laws. But there are potential risks for author to choose qualified legal arguments and laws under such mechanism. Therefore, US is under the way of
2014.
Web.
25
May
2014.
12/12/content_1383888.htm>. ʺDatabase and Collections of Information Misappropriation Act of 2003.ʺ Copyright. United States House of Representatives, 23 Sept. 2003. Web. 25 May 2014. <http://www.copyright.gov/docs/regstat092303.html>. ʺDirective 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the Legal Protection of Databases.ʺ EUR‐lex. N.p., 27 Mar. 1996. Web. 25 May 2014. <http://eur‐ lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:319 96L0009:EN:HTML>. Fishmen, Stephen. ʺProtecting Databases Without Copyright Law.ʺ NOLO. N.p., n.d. Web. 25 May 2014. <http://www.nolo.com/legal‐encyclopedia/protecting‐ databases‐without‐copyright‐law.html>. Seville, Catherine. ʺCopyright and Related Rights.ʺ EU Intellectual Property Law and Privacy. Cheltenham: Edward Elgar Limited, 2009. 45‐48. Print.