At GOTO 2016 I want to cover the issues that will affect you as developers, along with your organizations. I’ve studied both law and computer science, and I’m both a practitioner and an academic.
As an academic, I’ve worked on several cloud law projects, including being the lead author of eight chapters of a cloud computing law book. As a practitioner, I advised clients who are both cloud providers and customers on legal issues having to do with cloud computing.
As a disclaimer, the following is just general information, and not legal advice. What I say represents my own opinions and not necessarily any organization with whom I’m associated.
Intellectual Property Rights
Laws are simply rules that the state will enforce. They can come from legislation, Acts of Parliament, and what judges say.
A contract is just an agreement between parties detailing who will do what, and what happens if they don’t. It’s a legally enforceable promise, enforceable by the state. Contracts can be invalid however, because certain terms in it may be invalid.
Intellectual property is intangible property, and it’s state backed. IP is the right to control or monopolize the use of information. Examples include copyright, as in source code, patents, and inventions, which is possible for some kinds of software.
Ownership of data
Ownership, like any other law, is a state-backed concept. If the state passes a law saying they’re going to expropriate your house, then they will own your house and you won’t. In contrast, with data, it’s about control.
Get more development news like this
You can control data through intellectual property rights like copyright, based on the limits of the law, but there are also other laws concerning data protection, which enable control of data - which is not the same as ownership. Legal control is not the same as practical control.
The key issues with intellectual property rights
Some questions about intellectual property rights:
- How do we get them?
- Do you have to register or file to get a right?
- When will the right expire, and how can you transfer or license them?
Different jurisdictions have different laws. Some may be broadly similar because of international treaties, but with many, the details are different.
It’s actually difficult to reconcile all the laws and to work out which ones apply. So the main thing I want to focus on is the implications when creating software, such as the rights attached to your source code and content.
The ownership rights that apply to source code is typically a copyright or patent, or inventions that apply.
When you write code, who actually owns the copyright depends on a variety of factors.
Are you an employee or a contractor? In most countries, if you’re an employee then the code you create in the course of your employment belongs to your employer in terms of copyright, including in your spare time. On the other hand, if you’re a contractor, you own the code. Even if somebody paid you lots of money to write the code for them, you own it unless the contract says that they own it and assigns the copyright to them.
If you’re going to start a new job, check the contract before you sign and start work. Similarly, if you’re a company that’s hiring a contractor, make sure you have the contract correct before performance takes place.
The risks of creating software
Open source code
What if you are using code where someone else owns the copyright?
You might be using open-source code but there are complications when combining open source code with your own. An interesting example where some companies took open-source code and modified it, then offered it as a service in the cloud. By claiming they’re not distributing it, they argued they did not have to contribute their additional modifications.
APIs can be copyrighted
There was a case in the EU, though not directly on APIs, is interpreted as meaning APIs cannot be copyrighted. In the US, this is different.
The case was about Google’s use of Java APIs in Android. The appellate court reversed the lower court’s decision, and ruled that APIs can be copyrighted, and because the Supreme Court refused to hear the case, the latest decision stands.
Google’s argument in the case was that despite the copyright, what it did fell into fair use, and Oracle - who owns Java - tied Google up in the appeals process.
When it comes to exploitation - that is getting money out of the software that you’ve created, an answer that’s important to know is how it’s being supplied, and the terms/conditions attached to the use of it.
For example, with online terms and conditions, they may not be enforceable depending on the situation, and your delivery model will be important, as it legally makes a difference to the contractual exclusions of liability.
Many developers offer their software through SAAS (software as a service). If you aren’t self-hosting, you’ll use a cloud service with which you have a contractual agreement. If you have mismatching contracts, this will be a liability risk.
For example, often the ultimate cloud provider will disclaim liability for data integrity. If you’re using a cloud service for content, storing content, or generating content, this is a risk.
I would emphasis you should involve your in-house or external lawyers early. In the long run, it’s cheaper to involve lawyers earlier rather than later. There are also related practical issues which you can address through measures like backups, failovers, encryption, if your contract does not cover those.
Location is really important because laws are pre-digital. The internet and cloud is often location independent.
In the law, location makes a big difference. If you are writing a novel and storing it in the cloud, or you’re hosting it on a server somewhere, the location of the server will be important because that’s where the recording is taking place.
This can also make a difference as to which country’s laws apply.
In the EU there’s a database right when you collect data, but not when you create it. If you do this and you store your database in the US, which doesn’t recognize the database right, you may not have a database right at all.
Currently, we have the data protection directive that regulates the processing of personal data of data subjects, individuals, by data controllers. It’s important to note that the same words can mean different things in the ordinary, technical, and the legal sense.
To a lot people, the phrase processing data sounds like computation, as in doing something to the data. But in the legal sense, processing includes storing. If you’re holding data or transmitting data, you’re processing it.
The data protection directive is implemented nationally by legislation from each country. For example, in the UK there is the Data Protection Act. The liabilities and obligations are on the controller, who controls the purposes and means of processing personal data. The controller has to comply with certain rules when it processes personal data, like fair processing security measures.
The relevance of cloud here is that if you’re using a cloud provider to process, store or otherwise work on your data, then the cloud provider is considered your processor, and you have to comply with the rules.
The General Data Protection Regulation will replace current directive on May 2018. Processors are directly liable under the GDPR, including cloud providers. If you are providing your software as a service via SAAS, then you are a cloud provider and a processor for the purposes of data protection law.
Fines and Accountability
Failing to prove that you’re compliant with the law can result in big fines. There are two tiers:
- The lower tier: 10 million Euros, or two percent of annual turnover if higher
- Higher tier: 20 million Euros and four percent of annual turnover if higher.
Start preparing for this regulations now because it’s less than two years before it comes into effect.
From a developers viewpoint, if your software is dealing with personal data, accountability, evidence, privacy by design apply to controllers. Whereas security obligations apply to both controllers and processors.
This means that secure coding will be more important. This can mean taking action against SQL injection, having secure architecture in general, in addition to encrypting what you can, and not collecting as much data.
Because of this accountability and evidence emphasis, it’s important to have logging. If you’re producing software that’s meant to handle personal data, your customers will be demanding more logging and audit trails.
The delivery model offered in the cloud will be more difficult, with the terms and obligations more detailed, resulting in having much of the agreement flowing down to your end users.
Privacy by design and privacy engineering is going to be a lot more important. Before you start a new project, your risk assessment must include data protection, and it’s a good idea to include legal counsel early on.
For legal news affecting technology, I personally believe Out-Law is the best resource.
About the content
This talk was delivered live in October 2016 at goto; London. The video was transcribed by Realm and is published here with the permission of the conference organizers.