Software Audits Project

[Jump to jurisdiction responses] Software license audits are an important issue for IT lawyers worldwide. Large software companies have a legitimate interest to verify whether licensees are using the software in line with the applicable restrictions. Therefore, many licensing terms allow for software audits. Even if this is not the case, applicable law may afford licensors similar rights. 

At the same time, software audits are a potentially massive intrusion in the licensee’s sphere, triggering employee data protection issues (as their use of the software will be verified) and the works council may have co-determination rights.

Finally, companies holding a license may face contractual and statutory penalties up to criminal liability of the management.

Against this background, you may be interested in checking the rules applicable to (1) consequences of insufficient licenses, (2) statutory rights to conduct software audits, (3) limitations of software audit clauses under contracts law, (4) works council co-determination rights, and (5) data protection implications, all with respect to the jurisdictions listed below:

Australia      Fred Chilton – Peter Leonhard

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Where copyright is infringed, the copyright owner generally has the right to bring an action against the infringer to recover damages or an account of profits. Damages is a sum of money intended to compensate the copyright owner for money lost, or spent, in respect of the infringement. In the case of infringement by under-licensing, the starting point for calculation would be the cost of additional licences to bring the licence count up to actual usage. Special damages are seldom awarded, generally only in the case of deliberately flagrant breaches of copyright. An account of profits is the profit made by the infringer through infringement. Generally an account of profits will not be a suitable remedy in the case of under-licensing.

    A successful litigant will also generally receive an award of costs, calculated on a so-called ‘party-party’ basis and often about half of legal costs actually incurred by the litigant.

    An employee who infringes copyright is generally liable. The employer may also be liable, under he principle of vicarious liability. If the employee was acting on instructions from another staff member, that other person may also be liable for authorising the employee to infringe copyright. Authorisation liability may extend to anyone who authorises someone else to infringe copyright: that is, endorses or sanctions someone else’s infringement, for example by asking or encouraging them to infringe copyright, or by providing them with the means to do so.

    Only some infringements of copyright constitute a criminal offence. Generally, only infringements of copyright that involve commercial dealings or infringements that are on a commercial scale are criminal. For example, under the Copyright Act 1968 (C’th of Australia), it may be an offence to:

    • cause infringement on a commercial scale, even if the infringer makes no financial gain;
    • make “an article” that infringes copyright for sale or hire or to obtain a commercial advantage or profit, or to sell or otherwise deal with such an article, sometimes with the intention of obtaining a commercial advantage or profit, in specified ways;
    • possess an article that infringes copyright, for specified commercial purposes, including for distribution to obtain a commercial advantage or profit or in a way that prejudicially affects the copyright owner.

    It may also be a criminal offence to make or possess a device that is to be used to make infringing copies of a copyright work.

    Generally these criminal offences will not be relevant in cases of under-licensing within a business enterprise. Where criminal penalties apply, offenders may be liable for fines up to about AU$99,000 and/or up to five years imprisonment for individuals, and AU$495,000 and/or up to five years imprisonment for companies. In the case of an aggravated offence where the infringing copy was made by converting a copyright work from hard copy to digital, the maximum fine is AU$163,000 for individuals and AU$765,000 for corporations.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    No.

    Pre-action search and pre-trial discovery is available under Court Rules. Pre-action search is generally only available in pirating cases where there is a significant risk that relevant evidence may be destroyed.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Contractual software audit clauses are common in software licence agreements in Australia and often provide quite extensive powers for software owners to require access and cooperation of the software licensee to facilitate the conduct of a software audit.

    Contractual software audit clauses would be given effect subject to normal principles of contract law and contractual interpretation, as affected by statute law. In this regard we note the decision of Mrs Justice O’Farrell DBE handed down on 16 February 2017 in SAP UK Limited v Diego Great Britain Limited [2017] EWHC 189 (TCC). We would expect an Australian court to take a similar approach.

    Australian statute law provides some protections for Australian consumers in relation to unfair contract terms. In some cases these protections are available to small businesses, through extended operation of the definition of consumer under relevant deeming provisions. Such protections are not available for most Australian business enterprises or government agencies that may be subject to a software audit.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No.

    Australia does not have equivalent co-determination rights. Employees’ Unions perform an advocacy role within an organisation and might therefore lobby an organisation if they formed the view that a software audit would have adverse consequences for employees.

    Many Awards and Enterprise Agreements also require employers to consult with employees regarding any major workplace changes. However, a typical software audit is unlikely to trigger these provisions.

  5. What are the data protection limitations to software audits?

    The conduct of an audit, including through the use of audit tools, is subject to the operation of data protection principles under the Privacy Act 1988 (C’th of Australia), which applies to Federal government agencies and most Australian business enterprises, and State and Territory information privacy and health information privacy statutes which apply to many State and Territory government agencies and some private sector organisations such as health services providers.

    In general software audits should be able to conducted in a manner which does not cause any personally identifying information relating to any individual to be disclosed to the software owner or its nominee conducting the audit. However, the information privacy statutes do provide a number of exceptions that may be relevant to the conduct of a software audit.

    For example, most Australian business enterprises and government agencies as regulated under the Federal Privacy Act, which provides an exception from the disclosure limitations under the Australian Privacy Principles (in particular APP 6) in the case of a permitted general situation as defined in section 16A of the Federal Privacy Act. Item 4 in section 16A provides an exception where “the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim”. Different and generally more limited exceptions apply under State and State and Territory information privacy laws.

Brazil      Simone Lahorgue Nunes - Tiago Soares de Aquino

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    According to Article 2 of Law No. 9,609, of February 19, 1998 (“Software Law”), software is protected by the same legal regime applied to artistic and literary works. Therefore Law No. 9,610, of February 19, 1998 (“Copyright Law”) applies to software in a supplementary manner.

    Pursuant to Article 12 of Software Law, the infringement of copyrights related to software in Brazil is a criminal offence subject imprisonment from six (6) months to 2 (two) years or fine. Taking into account that Article 9 of Software Law sets forth that the use of software shall be object of a licensing agreement, using software without license (or without sufficient licenses) may be considered an infringement for criminal purposes. Note that the characterization of such criminal offence does not require the use for commercial purposes , i.e., the mere use without license or the underlicensing is sufficient to trigger the criminal liability.

    As a general rule, this is a legal provision to be enforced by means of a private criminal action, meaning that the aggrieved party, which is the holder of copyrights in the software, needs to files a complaint against the violator (Article 12, Third Paragraph of Software Law). The managers directly responsible for the infringement by a certain company are the ones who may be held liable in the criminal sphere.

    Using software without license in Brazil is also a tort subject to indemnification for damages by the infringing company or individual, as the case may be. The Software Law does not provide for criteria to determine the amount of damages in such cases. The assessment should be made by relevant Courts on a case-by-case-basis.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    There is no statutory law authorizing IP-holders to carry out audits, so audits require a contractual right.

    But Article 13 of Software Law states that the criminal action mentioned in item 1 above and the related preliminary service of search and seizure shall be preceded by an inspection. The right to conduct this inspection needs to be granted by a judicial order within a precautionary action, and the judge may order the seizure of the copies produced or commercialized in violation of copyrights if this is the case. Such judicial orders for inspection may be sought not only within criminal actions, but also within civil actions.

    Finally, whoever petitions for those judicial measures acting in bad faith or out of rivalry, caprice or gross error shall be held responsible for losses and damages thereof (Article 14, Fifth Paragraph of Software Law).

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    There are no specific legal provisions establishing restrictions concerning software audit clauses, so they can be freely negotiated by the parties.

    However, Article 51, IV of Law No. 8,078, of September 11, 1990 (“Brazilian Consumer Protection Code”), establishes that shall be deemed null and void the clauses that, among others, establish obligations considered unfair, abusive or that may place the consumer in an exaggeratedly disadvantageous situation or clauses incompatible with the principles of good faith and equity.

    As a result, unreasonable software audit clauses in contracts subject to the Brazilian Consumer Protection Code may be challenged before Courts.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No.

  5. What are the data protection limitations to software audits?

    There are no specific data protection limitations to software audits provided for by statutory law.

    • Article 5, X of the Brazilian Constitution states that the privacy, private life, reputation and images of persons are inviolable, and the right to compensation for pecuniary and non-pecuniary damages (moral damages) resulting from their violation is guaranteed. Also, Article 5, XII establishes the secrecy of correspondence and of telegraphic, data and telephone communications, except by court order for the pur-poses of criminal investigations.
    • Brazil lacks a general law on the protection of personal data. A Draft Bill for the Pro-tection of Personal Data has been recently subject to a public consultation proposed by the Ministry of Justice. A legal framework on this matter is expected within the next years.
    • Law No. 12,965, of April 23, 2014, known as the Brazilian Civil Rights Framework for the Internet, has data protection limitations applicable when internet connection or internet application providers carry out any act of collection, storage, guarding or processing of registry logs, personal or communications data in Brazil (article 11). It encompasses personal data, private communication content, connection and internet application access logs (Article 10).
    • Depending on how software audits are carried out (e.g., audit tools), they may be subject or not to the limitations set forth in the Brazilian Civil Rights Framework for the Internet. In summary, internet users must be provided with clear and complete information regarding the obtaining, use, storage, processing and protection of their personal data. This data can only be collected if it is necessary for the purposes of the internet application. The data collection and its purpose must be specified in the language of the terms of use (Article 7, VIII). Also, internet application providers are obliged to ensure data secrecy and obtain consent from the data owner for data storage, use and communication to third parties (Article 7, VII, VIII and IX). Protected data includes information on access to sites (Article 16, I), which must be kept in a "safe environment" by the internet application provider for at least six months (Article 15).
    • Irrespective of whether the Brazilian Civil Rights Framework for the Internet applies or not, software audits should only process data to the extent required for the IP-holder of the software to determine if there has been any infringement of its rights. Companies should avoid exposing personal data of employees and customers so as to avoid leaks and the resulting damages.

Canada      J. Fraser Mann

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    According to s. 42(1) of the Canadian Copyright Act (the “Act”), it is a eriminal offence to knowingly make for sale or rental an infringing copy of a copyright~protected work, or by way of trade to expose or offer for sale or rental an infringing copy of a copyright-protected work. The punishment imposed for this is imprisonment up to 5 years and/or a fine.

    Simple use of software without a sufficient licence is not in itself a criminal offence – the criminal offence requires additional factors outlined in s. 42(1) of the Act, for example makingjoffering up a copy of the software for sale or rental, or exhibiting it in public by way of trade. Key amongst these is the necessary intent for criminal infringement represented by the word ‘knowingly’.

    More broadly, any infringement of copyright is a civil (administrative) offence under s. 27 of the Act, which is the avenue typically used in Canada for software under-licensing. The pun-ishment imposed for this is a fine. Same of the factors that are considered in determining whether a work infringes the reproduction right for another work are the following:

    • Does copyright subsist in the plaintiff´s work?
    • Did the defendant have access to the plaintiff´s work?
    • Did the defendant copy the plaintiff´s work?
    • Are the defendanf´s work and the plaintiff’s work substantially similar?
    • Is the similarity due to causes other than copying?

    It is no defense to a civil copyright claim that the infringement is innocent, although the amount ofdamages awarded may be reduced in the circumstances.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Canadian law does not provide an explicit statutory right to conduct software audits. However, when pursuing allegations of copyright infringement, Canadian courts affer a range of mandatory disclosure mechanisms. The process may vary depending on the jurisdiction selected to pursue the claim. Claims for copyright infringement are typically brought in the Federal Court of Canada. Claims for contract breach, arising from an alleged violation of the terms of a software license agreement, or claims for both alleged copyright infringement and contract breach, are typically brought in provincial superior courts. Each jurisdiction has adopted certain procedural rules (e.g., in the case of claims before the Federal Court, the Federal Court Rules) to permit the discovery of documents that are relevant to the claim.

    In general, the right to document discovery in Canadian courts means that each party must provide an affidavit of documents that includes a list of any potentialty relevant materials in that party’s possession or control, or of which that party is aware. Upon request from the other party, access to and permission to reproduce any of these nonprivileged documents must generally be provided.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Individually negotiated software audit c1auses are generally valid under Canadian contracts law. Such clauses typically set out the frequency with which an audit may be carried out, the length of any notice to be provided to the customer, and the manner in which the audit may be conducted (e.g., through the right to obtain copies of any relevant records, through an “on-premises” audit conducted of the systems on which the software is installed or through the right to obtain remote access to the applicable systems). A customer will typically impose certain conditions or constraints around the rights of a software supplier to conduct an audit, such as requiring the supplier not to access or use any information other than that which is directly relevant to the customer’s level of usage of the applicable software, and to comply with the customers reasonable policies for the protection of the customers systems and confidential information.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    There is no true equivalent to workers’ councils in Canada, however any organization engag-ing in a software audit would need to ensure that the process is in compliance with any obli-gations imposed by collective bargaining agreements with relevant unions.

  5. What are the data protection limitations to software audits?

    Protection of personal electronic data in Canada is covered by the Persona/Information Proteetion and Electronic DocumenlSAct(“PIPEDA”). With regard to use of employee infor-mation by employers, however, PIPEDA only applies to federally-regulated industries, such as banks and telecommunications companies. Several Canadian provinces have privacy laws that apply to employee information, including Alberta, British Columbia, and Quebec. In provinces such as Ontario, this legislation is generally limited to the protection of employees’ health-related information.

    Schedule 1 of PIPEDA contains the principles organizations should follow for the protection of personal information on an identified or identifiable individual. These principles are: ac-countability; identifying purposes; consent; Iimiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

    Specifically, s. 6.1 of PIPEDA suggests that the consent of the individual may be obtained for the use or disclosure of the information. Alternatively, the information may be colleeted without knowledge or cansent under 5.7 of PIPEDA, for example under {l)(a} if “the collection is c1early in the interests of the individual and consent cannot be obtained in a timely way”; or, in the case of employees, under (b.2) if “it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced”.

    In general, use of any personal data for software audits would be covered by an agreement of the individual to participate in the audit, or potentially under s. 7, so long as the information collected is strictly limited to what is truly needed to evaluate copyright compliance, and the overall process is in line with the PIPEDA principles.

Denmark      Soeren Skibsted – Vagn Thorup

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Software is generally copyright protected under the Danish Copyright Act section 1, para. 3. Reproduction of a copyright protected software without the consent of the right holder is a criminal offence, punishable by fine. Under particular aggravating circumstances, the punishment imposed is imprisonment up to 1 year and 5 months.

    The right to use a software requires a valid license agreement with the right holder of the software. As such, unlicensed use of proprietary software will be classified as a criminal offence.

    Criminal liability is necessary, but not sufficient to impose a punish-ment on the infringer. According to the Danish Criminal Code, a criminal offence requires intentional conduct in order to impose punishment. Therefore, unknowing and unintentional infringement of a software's copyright will not impose punishment on the infringer. As such, a director of an infringing company's management cannot be held liable, if he or she was unaware of the infringement.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    There are no Danish statutory laws that entitles the right holder to conduct software audits. However, the Danish Civil Code section 653, schedule a-d allows the right holder to petition for a County Court ac-tion against the infringer, in order to secure evidence on an infringe-ment of the copyright. Such action may involve a forced software audit. The execution of the County Court actions requires a rendering of probability by the right holder that an infringement of the copyright is ongoing. The necessary evidence of an infringement is required to be clear, strong and convincing. If the right holder fails to render an infringement probable, the County Court will not grant the petition.

    In practical terms, the County Court rarely accommodates a petition to audit software. This is due to the right holder's inability to provide information on, what specific part of the defendants IT-structure in which the infringing software is located. This is further complicated by the inability to provide information on, where the infringing IT-structure is located. Mainly due to such lack of evidence, there are yet to be any Danish case law granting access to software audits through the County Courts.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Software audit clauses are generally valid under Danish law, whether they are based on general terms and condition or subject to individual negotiation.

    However, the right holder's ability to uphold an otherwise valid access to perform software audits are not without limitation. The Danish Con-tracts Act section 36 entitles the Courts to review, and render void, any contract or term, which may constitute an unreasonable disadvantage for the licensee. Generally, the case law in this aspect is very restrictive. The courts may base their decision on any available information, but generally the clause must be clearly unreasonable, disproportionate or extensive. Insofar, there are no case law where the Courts render a software audit clause void.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    The Danish Companies Act section 140 states that in Danish limited liability companies which have employed an average of at least 35 employees in the preceding three years, the employees are entitled to elect a number of representatives and alternate members to the company's supreme management body, equal to half the number of the other members of management. The employee elected members of the management have the same rights and obligations as any other member of the management body. Therefore, there are no specific co-determination rights of the workers' council in respect to software audits.

  5. What are the data protection limitations to software audits?

    The Danish Data Protection Act will become harmonized by the Euro-pean data protection regulation by May 2018. This does not provide material changes to the current data protection legislation in Denmark. The following will be true following the implementation of the new data protection regulation.

    By performing a software audit, the auditor will usually gain access to personal data stored within the Company's IT-structure. The Danish Data Protection Act defines personal data as any information on an identified person or information that may help identify a person. The mere potential access to personal data (e.g. social security numbers of the employees) enables data protection requirements under the Danish Data Protection Act. By conducting a software audit, the auditor will be able to access (even though he or she might not utilize such access) different types of information, which may be used to identify a certain individual. Consequentially, the auditor will be regarded as a data processor, and thus the agreement allowing the right holder to perform software audits must include appropriate data protection assurances, including how the auditor will handle any personal data as well as which necessary technical, organizational and precautionary measures are made in order to avoid leakage of data to a third party.

    The employee, whose data might be accessed, must give his or her consent to the auditor prior to him or her access to the personal data. If no consent is given, the auditor may still perform the audit, if the processing of the data is required in order to pursue a legitimate interest. The legitimate interest here being the right holder's need to determine copyright compliance. The right holder's interest must be compared to the employee's interest to keep his or her data confidential from third parties. There are currently no Danish case law regarding the issue, though the literature tends to acknowledge the right holder's need to perform software audits, if such has been agreed and strictly performed in order to check the licensee's copyright compliance.

France      Anne-Sophie Poggi

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    In France software is protected under Copyright Law provided under the French Intellectual Property Code (article L112-1 Code de la Propriété Intellectuelle). Therefore, the use of software without sufficient licenses infringes software’s copyrights and consequently results in a counterfeiting offence (article L. 335-3 Code de la Propriété Intellectuelle).

    According to French Law, a counterfeiting offence can be a criminal offence. Both a substantive and a moral element need to be established in order to constitute a counterfeiting offence. The substantive element can be found in cases of litigious facts (reproduction or communication) and/or in cases of moral or property rights infringements. The moral element (or intentional element) ought to be proven in criminal matters, taking into account whether the counterfeiter acted in bad faith. and it refers to the principle of bad faith. It is entirely up to the victims as to which route they opt for; criminal or civil.

    The French Intellectual Property Code contains sanctions for counterfeiting offences. Accordingly, any software’s counterfeiter is liable to a penalty of imprisonment of up to three years and a maximum fine of 300.000 euros (article L. 335-2). For legal entities, the fine can go up to 750.000 euros. Also, the court can pronounce the confiscation of all or part of the revenues generated by the counterfeit but also of the material aimed for the counterfeit and any counterfeit items (article L. 335-6). In addition to the aforementioned sanctions, damages can be requested by the author on the grounds of civil liability (article 1240 of the Civil Code) and/or the destruction of the counterfeit items (French Act n°2007-1544, 29 octobre 2007).

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Current French statutory law does not entitle the right for the editor to conduct software audits. However, according to article L. 122-6 of the Intellectual Property Code, software’s editors are entitled to set the conditions under which their copyright work (here, software) may be used by third parties. Therefore, this provision explains the right for editors to limit the licensed right to use the software and thus, to obtain information on the use of the licensed software. Conse-quently, it gives the right for the editor to claim a counterfeit offense when the use does not comply with the conditions of use.

    Software audits are usually specified in contracts under a software audit clause. In order to avoid any risk of conflict in their implementation, such clauses should be drafted in detail, especially regarding the notification period, the limit term, the scope and the cover of costs.

    In the two French county Courts decisions surrounding the giant, Oracle (TGI Nanterre, ord. réf., 12 juin 2014. – TGI Paris, 3e ch., 1re sect., 6 nov. 2014), it has been held that in the absence of ,an audit clause, audits cannot be imposed by the editor, save where an investigative measure is ordered by a judge.

    This is why the conclusion of the audit has to be contradictory, i.e. it has to be validated by the licensee. Furthermore, the Court of Appeal has recently pointed out that the editor can be held liable in the case of conduct that is unfair and contrary to good faith (Cour d’appel de Paris, Pôle 5, Chambre 1, 10 mai 2016).

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Audit clauses are valid per se.

    The aforementioned Oracle decisions (TGI Nanterre, ord. réf., 12 juin 2014. – TGI Paris, 3e ch., 1re sect., 6 nov. 2014 - Cour d’appel de Paris, Pôle 5, Chambre 1, 10 mai 2016) highlighted the very difficulty of implementing such audit clauses, accentuating the fact that audit clauses have to be executed in good faith and that the audit must be realized within the scope of the license. Indeed, following the new Ordonnance of 10th February 2016, the obligation of good faith is now a legal principle (article 1104 of the Civil Code).

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    There are no co-determination rights of the workers’ council with respect to software audits.

  5. What are the data protection limitations to software audits?

    A software audit is subject to restrictions under the Data Protection Act of January 6th 1978 (Loi n°78-17 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés) as far as personal data is collected, processed and saved (article 2). Therefore, according to this law, the personal data controller has to: outline the purpose of the process, limit processing to the data strictly necessary, retain the data only for the necessary period of processing, respect the right of the persons concerned by the data processing and take all necessary measures to ensure the security and the confidentiality of the data. Article 50 of this law provides that violations of these obligations are punishable by the Penal Code (articles 226-16 to 226-24).

    Also, on 25th May 2018, the European data Protection regulation 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)) will apply to any processing of personal data (Section 3 par. 1). This will harmonize the European Union personal data protection law, strengthen individuals’ rights but more importantly, sanctions will be carefully designed, graduated and reinforced.

Germany      Dr. Martin Schirmbacher - Dr. Stefan Weidert - Dr. Matthias Orthwein - Dr. Marc Hilber - Valentino Halim

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    According to Section 106 para. 1, 2 of the German Copyright Act (“UrhG”) it is a criminal offence to reproduce a copyright protected work without the consent of the right holder (e.g. author or exclusive licensee) in manners other than those permitted by law, including the attempt to do so. The punishment imposed is imprisonment up to 3 years or a fine.

    Without a license agreement, the right to perform reproductions of copyright protected software in any form is exclusively granted to the right holder of such software. Therefore, using proprietary software without sufficient licenses (i.e. underlicensing) in business operations can be classified as a criminal offence of the responsible members of management and employees.

    However, contrary to concerns frequently expressed by e.g. board members, the mere involvement in the management of a company using software without sufficient licenses is not necessarily punishable, as personal criminal liability requires intentional conduct and negligence does not suffice, see Section 15 of the German Criminal Code. Consequently, as a rulean individual may only be punished if and to the extent he or she is aware of the misconduct and intends to pursue it. In addition, criminal proceedings are subject to the right holders complaint (see Section 109 UrhG).

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Ultimately, German statutory law does not explicitly entitle the right holder to conduct software audits.

    • (a) However, under general civil law, licensors are entitled to request information on the contractual use of the licensed software subject to the good faith requirements pursuant to Section 242 German Civil Code (“BGB”). This aims at allowing the preparation of possible claims for damages arising from breaches of the license agreement.
    • (b) In addition, Section 809 BGB allows right holders which may be entitled to claims in respect to a certain object to require its possessor to present the relevant object or to permit its inspection in order to clarify as to whether such claim is justified. This also applies to the benefit of right holders of software.
      However, both claims described in (a) and (b) require a situation where the right holder has concrete grounds for suspecting some form of underlicensing.
    • (c) Moreover, there are further reaching copyright claims for information (Section 101 UrhG) and presentation or inspection (Section 101a UrhG) for the benefit of the right holder. However, these claims only arise under the strict conditions that the licensee has actually infringed the software copyright on a commercial scale (Section 101 UrhG), or with reasonable probability (Section 101a UrhG).

    Insofar, in most cases the licensor will in practice hardly be able to prove the described preconditions of these claims. Moreover, statutory inspections rights require the claimant to specify in detail what part of the defendant’s IT infrastructure holds the infringing software and where exactly such infrastructure is located. Only in rare cases will licensors be able to provide such precise and detailed instructions to the inspectors. As a result, software audits usually can not be carried out on a mere statutory basis but require a contractual right.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Individually negotiated audit clauses are valid. However, audit clauses based on general terms and conditions (which are commonly used in practice) may be held void due to an infringement of the German law on general terms and conditions (Sections 305 et seq. BGB). Until now, there is no case law on this specific question, except for one decision of the Regional Court of Cologne which implicitly stated that audit clauses in general terms and conditions can be valid. In parts of legal literature, audit clauses entitling the licensor to conduct software audits without cause are found to constitute an unreasonable disadvantage pursuant to Section 307 para. 1, 2 No. 1 BGB and therefore be void.

    However, considering the right holders legitimate interest in verifying potential underlicensing of its software, it could also be argued that audit clauses in general terms are valid under the following preconditions: The clause shall provide that the audit is announced to the licensee reasonably in advance, conducted by an independent third party committed to confidentiality, only refers to information strictly necessary and ensures adherence to applicable data protection provisions. Nevertheless, there remains a certain legal risk to include such audit clauses in general terms and conditions.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    In case software audits shall be carried out, co-determination rights of the licensee’s works council may become relevant – depending on the license management tool (“audit tool”) used. Pursuant to Section 87 para. 1 No. 6 Works Constitution Act (“BetrVG”) the works council is – if not prescribed by legislation or collective agreement – entitled to co-determination in cases of the introduction and use of technical devices designed to monitor the behavior or performance of the employees. However, according to established case law of the Federal Labor Court it is sufficient that the technical device in question could be used for monitoring purposes (the licensor does not need to intend pursuing such use). Consequently, deployed audit tools are subject to co-determination regulations once behavior- or performance-relevant data can be collected. For example, this applies where the audit tool captures the beginning and end of an employee’s use of the audited software since this allows conclusions regarding employees working time.

    Unless a collective agreement has been agreed with the works council covering software audits, the licensee is not permitted to allow the implementation of the audit tool in question without the works council’s consent. If nevertheless implemented, the works council may prohibit its use by an action for injunction to the Labor Court. Violations of an obtained injunctive relief by the licensor may result in administrative fines up to EUR 250.000.

  5. What are the data protection limitations to software audits?

    The use of audit tools is currently still subject to restrictions of the German Data Protection Act (“BDSG”) as far as personal data is collected, processed or used. By May 2018, the current German data protection regime in general will be replaced by the harmonized European data protection regulation (and its German accompanying laws). Nevertheless, the new European regime will basically not implement substantially different regulations pertaining to the issues of software audits. Personal data thus means any information on an identified or identifiable individual (Section 3 par. 1 BDSG). In consequence, data protection requirements apply if the audit tool collects data on identified or identifiable employees. This is e.g. the case as far as any identifying information such as device numbers, personnel ID numbers, or – following the recent European Court of Justice judgment in case Breyer – IP addresses are collected and recorded by the deployed audit tool.

    Section 4 para. 1 BDSG states that personal data may only be handled (including collection, processing and use) if the BDSG or another statutory law permits to do so, or if the data subject has previously consented. For various legal and practical reasons controllers cannot rely on employees consents, inter alia as these can be revoked by the employee at any time. Software audits are also not permissible with respect to employee data under Section 32 para. 1 BDSG since they are not required for carrying out the employment contract. However, licensees may carry out software audits on the basis of Section 28 para. 1 No. 2 and para. 2 No. 2 a) BDSG if the underlying processing of personal data is necessary to safeguard the legitimate interest of the licensee and the licensor and there is no reason to assume that the employees’ privacy interest prevails. As a general rule, these preconditions will be fulfilled where software audits have been agreed, and the information processed during the audit is strictly required and only used to determine copyright compliance.

    Please note that the licensee has to comply with the employees statutory rights to notification and information according to Sections 4 para. 3 (notification upon collection with the data subject's knowledge), Section 33 (notification upon collection without the data subject's knowledge) and Section 34 (information upon request) BDSG.

Ireland      

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Civil proceedings can be instituted in Ireland if software is used, copied or adapted without the consent of its owner. Under the Copyright and Related Rights Act 2000 (the "CRRA"), computer programs are included in the definition of literary works which attract copyright protection. Remedies for infringement under the CRRA includes damages, an injunction and account of profits as well as orders for delivery up and seizure of infringing copies and/or articles used to commit copyright infringement.

    Criminal offences under the CRAA including dealing in infringing copies of a copyright work. The penalties, on indictment, are up to five years imprisonment and fines of up to €127,000 or both. In addition, delivery up and search and seizure warrants can be obtained in relation to criminal offences.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    There is no statutory right under Irish law for an owner of software (usually, the licensor) to conduct a software audit. A licensor who wishes to conduct an audit should ensure that it has a contractual right of audit allowing access to the licensee's systems. Otherwise the licensor may fall foul of the Criminal Damage Act 1991.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Express audit clauses which are individually negotiated between a licensor and a business are generally recognised.

    When dealing with consumers, audit clauses contained in general terms and conditions may be held void under the provisions of the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995 and 2000. These Regulations apply to any term in a contract between a licensor and a consumer. A “consumer” for the purposes of the Act means “a natural person who is acting for purposes which are outside his business”. For the purposes of these Regulations, a contractual term shall be regarded as unfair, and consequently unenforceable, if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer. The nature of the goods or services for which the contract was concluded, all circumstances concerning the conclusion of the contract and all other terms of the contract are taken into account when considering this.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    There is no equivalent in Ireland.

  5. What are the data protection limitations to software audits?

    A software audit may involve the licensor or auditor having access to and processing personal data. The processing of personal data is currently governed by the Data Protection Acts 1988 and 2003 ("DPA"). The obligations under the DPA apply to a data controller namely a person who (either alone or with others) controls the contents and use of personal data. Under the DPA, “personal data” is defined as data relating to a living individual who can be identified either from the data or from the data in conjunction with other information that is in or likely to come into, the possession of the data controller.

    Section 2 of the Act sets out the obligations which a data controller must comply with in respect of personal data under their control. The data must have been fairly obtained and processed fairly. The data must be accurate and kept up to date where necessary. The data should be kept only for one or more specified and lawful purposes; should not be used or disclosed in any manner incompatible with that purposes or purposes; should be adequate, relevant and not excessive in relation to that purpose or those purposes; and should not be kept for longer than is necessary for that purpose or those purposes. Appropriate security measures must be taken by the data controller against unauthorised access to, or alteration, disclosure or destruction of, the data and against all unlawful forms of processing.

    Section 2A and 2B of the DPA lay down the pre-conditions that must be met before personal data can be lawfully processed. Section 2A sets out a series of pre-conditions and at least one of these pre-conditions must be satisfied. One of these pre-conditions is where the processing is necessary for the purposes of the legitimate interests pursued by a data controller or a third party which may be invoked in the current instance. The licensor and licensee must also comply with the other obligations under the DPA relating to security and transfer of personal data outside the EEA.

    As the DPA will be replaced by the General Data Protection Regulation ("GDPR") when it comes into force on 25 May 2018, the licensor and licensee will need to comply the GDPR.

Israel      Yuval Horn

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Under Israeli law, copyright confers the exclusive right to perform certain acts, such as copying, publishing, publically performing, broadcasting, distributing, displaying, creating derivative works, and renting, with respect to a protected work, and to prevent others from doing so.

    Notwithstanding the existence of copyright, the law permits certain uses of a protected work. For example, copying software or making a derivative work thereof for certain prescribed purposes, such as back up, maintenance or interoperability, is permitted for a person who possesses an authorized copy of the software.

    A copyright owner (or exclusive licensee) whose rights were infringed is entitled to file a civil claim against the infringer. Such claims usually involve a claim for both injunctive and monetary relief.

    That said, where a copyright or a moral right has been infringed, but the infringer did not know or could not have known at the time of the infringement that copyright subsists in the work, he or she is not obligated to pay compensation in respect of the infringement.

    Some aspects of copyright infringement also constitute a criminal offence. Specifically, it is a criminal offence to make or import into Israel an infringing copy of a protected work for purposes of trading therein, to sell, let for hire or distribute an infringing copy, to possess infringing copies of a work for purposes of trading therein or to make or possess an object designed for the making of infringing copies of a protected work.

    A person who infringes the criminal provisions may be imprisoned or fined. The fine is doubled in the event that an offence is carried out by a corporate entity. Furthermore, a senior officer (an active director, a partner (but not a limited partner) or an officer) of a corporate entity is obligated to supervise and take any action necessary to prevent the commission of such criminal offence by the corporate body or any of its employees, and a failure to do so will attract a fine.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    The Israeli Copyright Act 2007 does not explicitly entitle the right holder to conduct software audits.

    The law does explicitly provide, however, that in a claim for the infringement of copyright or moral right, the court may order the defendant to give the claimant a detailed report of the infringement.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    An assignment or exclusive license of a copyright protected work must be in writing.

    The foregoing requirement being an exception, the Israeli legislature and courts have shown little inclination to intervene in the contracts between authors and their assignees or licensees.

    Except to the extent that they breach privacy law (detailed below), software audit clauses provided by agreement between the relevant parties will thus typically be upheld by Israeli courts.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    Israel does have, in some industries, collective agreements which govern the relationship between an employer or an employers’ organization and an employees’ organization, which govern, inter alia, the terms of employment, labor relations, and the rights and obligations of the parties to the agreement. Co Determination does not exist in the sense it does in Germany. Agreements relating to the participation of employees in management do not necessarily impact software audits.

  5. What are the data protection limitations to software audits?

    Israel’s Basic Law: Human Dignity and Liberty provides that “every person is entitled to privacy and to the confidentiality of his life.” This Basic Law further provides that no entry shall be made into a person’s private premises without the person’s consent, no search shall be conducted on the private premises or personal effects of a person, and there shall be no violation of the confidentiality of conversation or of the writing or records of a person. The right to privacy conferred by this quasi-constitutional Basic Law may be violated only if and to the extent that it is permitted in a law befitting the values of the State of Israel, for an appropriate purpose, and to an extent no greater than required.

    Under Israel’s Protection of Privacy Law 1981, certain activities which constitute an in-fringement of privacy are specifically prohibited if they are performed without consent, a number of which are relevant to data protection. For example, copying an electronic mes-sage not intended for publication or using its contents without permission, and using or passing on information on a person’s private affairs other than for the purpose for which it was given, are prohibited. This law also prohibits spying on or trailing a person in a manner likely to harass him, or any other harassment. This prohibition may be particularly relevant in cases of online behavioral monitoring or use of location data.

    In a 2011 decision, the National Labor Court, imposed further restrictions on an employer’s ability to monitor employees’ use of workplace computer systems. Monitoring must be in the interest of a legitimate business purpose. Data collected by monitoring may not be used in a manner different from the pre-defined legitimate purpose. The employer must use surveillance technologies which involve the lowest degree of violation of employee privacy. The employer must implement a policy regarding computer usage and surveillance activities, which policy must be incorporated in the employment agreement. The employee must consent in writing to the violation of his privacy (certain mandatory language is required to appear in the consent) and this consent must be part of the employment contract. Third parties must be notified of surveillance activities.

    In addition, certain sector-specific laws provide additional protection for the types of information referenced in such laws. These include laws regulating inter alia, patients’ data, genetic data, communications data, wiretapping, biometric IDs, credit reports and search and seizure.

Italy      Daniela de Pasquale – Marco Dalla Vedova

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    The use of software without sufficient licenses constitutes a criminal offence. According to Section 171-bis of the Law No. 633/1941 (“Italian Copyright Act”), (i) the unauthorized duplication of computer programs, (ii) the commercial brokering of (i.e. importing, distributing, selling, holding for commercial purposes or renting with gainful intent) computer programs contained in a medium not bearing the Italian copyright collecting society SIAE’s duty stamp and (iii) the commercial brokering of any means the sole intended purpose of which is to allow or to facilitate the unauthorized removal or circumvention of any technical device applied to protect a computer program, constitute a criminal offence. Such conduct shall be liable of imprisonment between six months and three years and to a fine between 2,582 euros and 15,493 euros.

    These criminal sanctions apply only if the duplication of the copyright protected software is unlawful (e.g. without a specific license) and occurred outside the scope of application of Sections 64-ter and 64-quarter which provide third-party exceptions to the use of copyright protected. Moreover, the illicit conduct shall be performed voluntarily.

    Furthermore, according to Section 174-bis, without prejudice to the criminal sanctions applicable, an administrative pecuniary penalty can be levied, equivalent to the double of the market price of the work or medium . The minimum amount of such penalty is 103,00 euros. When the market price is hard to be determined, the infringement shall be punished by an administrative sanction amounting to a sum from 103,00 up to 1,032.00 euros for each conduct or infringing item. Moreover, under the Italian Copyright Act, even the private use of copyright protected software without sufficient licenses can be classified as a criminal offence.

    The application of such sanctions is quite frequent in Italy, with BSA (Software Alliance) being quite active in policing the market and a specific body of Guardia di Finanza (a branch of Italian Army) devoted to such offences.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Italian statutory law does not expressly provide rules which enable the licensor to conduct software audits.

    However, it is worth mentioning that:

    • (a) license agreement between the right holder and the licensee can include software audit provisions ruling their relationship;
    • (b) according to Section 156-bis of the Italian Copyright Act, the right holder avails of a specific injunctive relief remedy. Indeed, the party showing reasonable grounds and availing of sufficient elements may request, also ex parte, that the court orders the other party to give access to any relevant source of information and documents, including - with reference to software infringements - the possibility of making copies, snapshots or creating the imaging of servers or parts thereof or directories. Such activity is finalized to freeze the evidences required to bring an action for damages. Finally, the judge may order the other party to provide the elements for the identification of persons involved in the production and distribution of products or services that constitute violation of the rights;
    • (c) according to Section 64-bis of the Italian Copyright Law, the right holder has the right to control further rental of the program or of a copy thereof.
  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Contractual audit clauses are not subject to restrictions according to the Italian contract law. In general, individually negotiated audit clauses are valid. However, audit clauses based on general terms and conditions shall comply with the requirement set forth under Section 1341 of the Civil Code.

    In particular, general conditions drafted by one of the parties, are binding on the other party only if known by the latter at the time when the contract was concluded or if that party might have known them by using ordinary diligence.

    In other words, as for all general terms and condition which are set by one party only, the licensor shall have to ensure that the provisions related to software audit be known or cognisable by the licensee according to the criteria of ordinary diligence.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    According to the Italian labor law, there are no specific legal rules dealing with software audits, but it might prove cautious to specifically agree on audit proceedings potentially involving work force of a company.

    Indeed, according to Section 4 of the Italian Statute of Workers (Law No. 300/1970), those instruments and equipment which are potentially able to monitor employees are admitted only to the extent they are required to satisfy organizational, production-related, security of the work and the protection of business assets, and provided that their use is agreed with the trade union representations established in the company (RSA/RSU).

    In case of a lack of this agreement, the same instruments can be implemented after having obtained the authorization by the competent office of national labor inspectorate.

    Finally, with reference to those instruments and equipment which are used to perform the employees’ duties (i.e. personal computer, laptop, tablet,…), audits can be carried out by the employer if the employees have been previously advised on the instruments and equipment’s allowed uses (i.e. IT Policy and/or guidelines).

  5. What are the data protection limitations to software audits?

    Software audits are subject to restrictions pursuant to the Italian Data Protection Code as far as third-party personal data might be processed by the licensor. As a general rule, personal data can be processed only if the data subject has expressed its prior consent or the processing does not require consent pursuant to statutory law, in particular Section 24 of the Italian Data Protection Code.

    However, data protection rules apply only in the case in which the audit involves data which can identify or make identifiable an individual.

    In particular, according to Section 8 of the Italian Statute of Workers, the employer, prior to hiring and during the employment relationship, may not carry out any checks or investigations, even through third parties, regarding the employees’ political opinions, religious beliefs, union membership, or on any matters which do not strictly relate to the employee s professional skills.

    According to Sections 113 and 114 of the Italian Data Protection Code, the provisions laid down under Sections 4 and 8 of the Italian Statute of Workers shall be left unprejudiced. Accordingly the employer shall not carry out any checks or investigations, even through third parties, regarding the employees’ believes (Section 4) and audit tools shall be subject to the consent of the trade union representations established in the company or, in the case of lack of this agreement, by the territorial office of national labour inspectorate (Section 8).

    Moreover, even for home-based work and telework, according to Section 115 employers shall be required to ensure that the employees’ personality and moral freedom are respected, ensuring confidentiality as necessary with regard to all family-related matters.

Korea      Doil Son - Samuel Sungmok Lee - Kee Jeong Kim, Esq.

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    First, in Korea, the use of software without sufficient licenses would not result in an administrative offence. There is no government entity that keeps track of software licenses and proper use within those licenses.

    Second, in regard to criminal liability, the intentional use and reproduction of software that is outside the scope of the license, i.e., without sufficient licenses, would be considered copyright infringement and can result in criminal liability. Software is protected as a work of authorship under the Korean Copyright Act (hereinafter “Copyright Act”). Copyright infringement is subject not only to injunctions and damages (Article 123 and 125 of the Copyright Act), but also to criminal liabilities when committed with knowledge of the infringement, including imprisonment up to five years and/or a fine of 50 million KRW (approx. 45,000 USD) (Article 136(1) of the Copyright Act). In the event the infringement is committed by an employee, the employer may also be fined up to 50 million KRW, unless the employer can show that it used commercially reasonable efforts to prevent such an infringement (Article 141 of the Copyright Act).

    Regarding the preconditions, criminal liability for copyright infringement requires intentional conduct and a complaint filed within six months of actual knowledge of the complaint. Please note, however, that the Copyright Act also includes an exception, where the prosecutor may independently pursue a criminal investigation (i.e., without a complaint filed by a victim) if the infringing acts are committed for profit. The question is how to draw the line between for profit and non-profit. This exact question is currently at issue in a case that is currently pending before the Korean Supreme Court (case number omitted for confidentiality issues)

    The defendant in the above-referenced pending Supreme Court case, an importer and distributor of food products, applied for marketing approval of the products as a health food at the Korea Ministry of Food & Drug Safety, attaching an allegedly pirated academic paper as supporting material. An importer of a competing product and the author of the paper filed criminal complaints for unauthorized copying of the paper, but only after the six month period expired. Since there was no valid criminal complaint due to failure to meet the six month requirement, it was questioned whether the defendant copied and submitted the paper for profit.

    The District Court ruled that a sufficient nexus is required between the infringing act and the profit therefrom, and that the exception would not apply when the only nexus found is that the defendant is an enterprise which by its nature pursues profit. The District Court dismissed the case without looking into the merits for lack of a valid complaint. The appellate court vacated the district court decision and found the defendant guilty. The defendant appealed and the case is currently pending before the Supreme Court.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    In Korea, there are no statutes specifically related to software audits. Software audits are conducted pursuant to the agreements entered into by the parties.

    It should be noted that, even when there is no audit clause agreed in advance, the licensor may obtain a search warrant from the court, if the licensor proves a reasonable possibility of infringement. Because the evidence of infringement is normally held only by the licensee, and enforcing a search warrant for finding the evidence is normally not viewed as seriously disruptive to a licensee’s business, courts seem to be relatively generous in issuing search warrants. Unreasonable and repeated refusal to cooperate to proposed audits may sometimes be the basis for the court to find infringement.

    Moreover, copyright owners often incorporate technical means to detect potential infringement, e.g., IP addresses of the PCs running unauthorized copies, which often lead to physical addresses. Many End User License Agreements (EULAs) include a provision that allows the licensor to collect information from licensees’ devices.

    Therefore, licensees should not disregard audit proposals lightly merely because they were not previously agreed to in advance.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    The Korean contract law does not provide any restrictions on software audit clauses in contracts.

    Under the Korean Act on Regulation of Standardized Contracts (hereinafter the “Standardized Contracts Act”), the party, who prepares a form contract for use on multiple occasions and proposes an agreement by such a form contract, is required to explain important clauses therein to the opposing party (Article 3(3) of the Standardized Contracts Act). Failure to provide the explanation would make the clause unenforceable, unless it is significantly difficult to do so considering the nature of the contract.

    However, in most cases, audit clauses are not likely to be ‘important’ enough under Article 3(3) of the Standardized Contracts Act, because the courts have taking the position that most licensees would have entered into the license agreement even if they were aware of the audit clause. Further, under circumstances where software is distributed over the Internet without a face-to-face negotiation, providing a separate explanation of the audit clause would be implausible for the licensor.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No.

  5. What are the data protection limitations to software audits?

    Generally speaking, as long as software audits include access to employees’ computer, the Personal Information Protection Act (the “PIPA”) is the primary governing law among others.

    Under Article 2, personal information means information that pertains to a living person, including the full name, resident registration number, images, etc., by which the individual can be identified. Personal information also includes information by which the individual can be identified through a combination with other information. For example, device numbers, IP addresses can also be deemed as personal information depending on circumstances.

    Therefore, if the software audits collect and/or use personal information, consent from the people who will be the subject of the data audit should be obtained for each device before the audit. However, if the audit tool doesn’t have any access to the personal information and only focuses on figuring out whether the software is installed and used or not used, the tool will not be subject to PIPA and no consent will be required.

The Netherlands      Joost Linnemann – Bart van Reeken

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Pursuant to article 31 of the Dutch Copyright Act, copyright infringement is a criminal offence. The punishment imposed is imprisonment of up to 6 months or a fine.

    According to article 10 under 12, ‘computer programs’ are a copyright protected work, which means it falls within the scope of the Dutch Copyright Act. Therefore, the use of software without a sufficient license is a criminal offence (article 33 Dutch Copyright Act).

    Personal criminal liability – because of the use of a copyright protected work without the consent of the right holder – requires intentional conduct. This means that the infringement has to be made knowingly and wilfully.

    As stated above, the use of software without a sufficient license is a criminal offence under Dutch law. However, the criminal prosecution of such offences is very unusual in the Netherlands. In practice, copyright infringements is enforced through civil action by the right holder, rather than through criminal enforcement by the state.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Under Dutch law, a specific statutory right to conduct software audits does not exist. Pursuant to article 1019c of the Code of Civil Procedure (“Rv’’), however, a party can make a copyright attachment for the purpose of preserving evidence. The purpose of this provision is to help the copyright owner to preserve the evidence of the infringement on his rights.

    For the execution of copyright attachment for the purpose of preserving evidence, the right holder has to file an application with the judge in preliminary relief proceedings. In the appli-cation, the software licensor has to describe exactly what evidence he wants to secure. A bailiff will execute the attachment. According to article 1019c Rv section 1 in conjunction with article 702 section 1, third parties are obliged to cooperate.

    Of course, the right to conduct software audits can also be included in a contract. The right to include a software audit clause in a license agreement is based on the freedom of contract. Pursuant to article 217 of Book 6 of the Dutch Civil Code (“BW’’), an agreement is established by an offer and the acceptance of that offer. Therefore, if both parties have agreed to the terms of the contract, the software audit clause can be lawfully included in the license contract. However, please note that sometimes restrictions might apply to the freedom of contract.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    In general, contractual clauses can be restricted by:

    • (a) Mandatory law
      Pursuant to article 40 of Book 3 BW, any legal act that is a violation of a statutory provision, can be held void. The same applies to contractual software audit clauses.
    • (b) Requirements of reasonableness and fairness
      Article 248 section 2 of Book 6 BW states that any clause in a contract can be held void due to an infringement of the requirements of reasonableness and fairness. However, the reliance on the article 248 section 2 of Book 6 BW is not easily accepted. The derogatory (restrictive) effect of the requirements of reasonableness and fairness can only be invoked if a clause in a contract is unacceptable according to the standards of reasonableness and fairness. As said before, this is hardly ever the case. A clause in a contract between two professional parties is especially hard to be held void. Besides, software audits are never really incriminating for the employer or employee, which makes it even harder to rely on article 248 lid 2 of Book 6 BW.

    General terms and conditions
    Software audit clauses included in general terms and conditions are subject to more re-strictions. Pursuant to article 233 section 1 of Book 6 BW, a contractual clause based on gen-eral terms and condition can be held void when it is unreasonably onerous. However, according to article 235 of Book 6 BW, larger companies cannot rely on this provision. To contractual software audit clauses effected by companies with more than 50 employees, the ‘general restrictions’ (mandatory law and requirements of reasonableness and fairness) apply.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    Generally, the interference of the workers’ council with respect to software audits is unusual. There are no specific statutory provisions that state the co-determination rights of the workers’ council in case a software audit shall be carried out.

    The involvement of the workers’ council with respect to software audits depends on the audit tool used. Pursuant to article 27 para. 1 under l of the Works Councils Act (‘’WOR’’), the works council has a right of co-determination in cases where devices are introduced that can be used to monitor the appearance, behaviour and performance of the employees. For example, the introduction of a personnel tracking system for the purposes of a software license compliance, can only be done with the consent of the workers’ council. If, however, the software audit is carried out in such a way that the appearance, behaviour and performance of the employees can not be monitored, the co-determination rights of the workers’ council do not apply.

  5. What are the data protection limitations to software audits?

    Article 1 under a of the Personal Data Protection Act (‘’Wbp’’) states that personal data is any information on an identified or identifiable individual. Consequently, if the audit tool collects data on identified or identifiable employees, data protection limitations apply.

    Personal data must be processed in accordance with statutory law (article 6 Wbp), and may only be collected for specified, explicit and legitimate purposes (article 7 Wbp). The conduct of a software audit can be seen as a legitimate purpose within the meaning of article 7 Wbp. Pursuant to article 8 Wbp, the processing of personal data may only be based on a limited number of statutory ground. A relevant ground in this context could be unambiguous consent of the data subject (which, in case of a corporate licensee, would be the person or persons using the software). Besides the practical problems related to obtaining consent from potentially numerous users, it is also problematic that the consent can be withdrawn at any time. The most relevant ground is found in article 8 under c Wbp: this permits processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. One could argue that license compliance constitutes a legitimate interest of the licensor, which is not overridden by the privacy interests of the user(s).

New Zealand      Ken Moon

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Under the criminal provisions (section 131) of the New Zealand Copyright Act 1994 as amended in 2008 it is likely not to be an offence to use software without a licence or beyond the terms of a licence. The Act’s criminal provisions only make business dealing with ‘objects which are infringing copies a criminal offence. Further, the term ‘object’ is likely to be interpreted by the courts as meaning a tangible item and not intangible software files

    The use of software without a licence or beyond the scope of a licence may well constitute a copyright infringement restrainable by the copyright owner in civil proceedings with civil remedies such as injunctions and damages so far as such use involves reproduction of the software code. This is because the permitted act of transient reproduction is limited to enabling ‘lawful use’

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    New Zealand Copyright Act does not provide a statutory right for licensors of copyright works, including software, to conduct audits of their licensees’ use of software and other copyright products. The right to conduct such audits can only be created contractually as a term in the software licence or sub-licence.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    To be valid and effective, licence terms providing for audits must set out the audit procedure with considerable clarity. Any ambiguities will be construed against the licensor.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    There are no rights or rules under New Zealand’s labour laws relevant to software audits. Em-ployment agreements could conceivably contain terms which may be relevant to a software audit.

  5. What are the data protection limitations to software audits?

    The New Zealand Privacy Act is considered a ‘light-handed’ privacy law compared to Europe and provided employees are informed that personal information may be collected as part of an audit process and are informed of the purpose of the collection privacy law would not restrict software audits. The means of collection must be fair and the situation would certainly be different if the collected information was used for a different purpose to that disclosed.

Sweden      Jorgen Axelsson - Bjorn Gustavsson – Joacim Johannesson

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    According to Section 2 of the Swedish Copyright Act (1960:729) (SCA) (Sw. lag om upphovsrätt till litterära och konstnärliga verk (1960:729)), copyright gives the rights holder an exclusive right to exploit the software by making copies of it. Thus, a copyright infringement is committed when copies are made without proper rights.

    Under Swedish copyright law, the use of software without sufficient licenses is a criminal offence, according to Section 53 of the SCA. However, it is only punisha-ble in case of intent or gross negligence. These prerequisites entail that only the person who has committed the infringement with intent or gross negligence is liable. If however, an employee or such is ordered to make copies of the software by a superior, the latter is the person liable.

    Further, the crime is punishable with imprisonment for up to two years or with a fine. What has been said applies in case of attempt or preparation to commit such crimes.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Under Swedish law, there is no general statutory right to conduct a software audit. The basis is purely contractual.

    However, if it can be reasonably suspected that someone has committed a copyright infringement in a case regarding a possible copyright infringement, the courts may or-der for an inspection to be undertaken in respect of that party, according to Section 56 a of the SCA. This can be made for the purpose of preserving evidence relating to the infringement. Further, the inspection is undertaken to search after objects and docu-ments that can be presumed have significance for an investigation of the infringement. As already stated, the investigation takes aim at preserving evidence. By this precondi-tion, the investigation can be undertaken for the search of documents or other objects that can be assumed to be of value for the question of whether or not an infringement has taken place. The information that is sought after can be of digital or physical nature.

    An inspection may however only be ordered if it is deemed a proportional measure, where the reasons for the investigation outweigh the inconvenience or other disad-vantages that it may cause the party subject to the investigation. In this respect, the right to privacy must be taken into consideration when ordering such an investigation, and more so for private individuals. Also, in the assessment of proportionality, the risk for disclosure of know-how and trade secrets must also be taken into consideration.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    There are no restrictions under Swedish contract law. However, in cases where a clause in an agreement can be considered to be unreasonable, an adjustment or disregarding of the term may occur, according to Section 36 of the Swedish Contracts Act (1915:218). A clause can be deemed unreasonable having regard to the contents of the contract, and also the circumstances connected with the entering into contract as well as subsequent events. The mentioned section of the Swedish Contracts Act is however applied restrictively, even more so in business-to-business relations. Thus, a general rule cannot be laid out for when these clauses may be deemed unreasonable. In fact, the possibility of adjusting or disregarding a term will very much depend on the individual case.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    N/A - Under Swedish law, there are no co-determination rights for workers’ coun-cils with respect to software audits.

  5. What are the data protection limitations to software audits?

    The data protection limitations regarding software audits are those that generally apply regarding processing of personal data. Thus, all personal data, i.e. data that may be referable to a person, must be processed with that person’s consent, or if the processing can be made with other legal grounds. Such a legal ground is if it is necessary for a purpose concerning a legitimate interest of the data controller or a relevant third party, according to Section 10 of the Swedish Personal Data Act (1998:204). The interest of processing the data must be of greater weight than the interest of the registered person’s interest of privacy. In cases of software audits, the data pertaining to individuals could be argued to be of smaller importance as the purpose of the audit is to review the software used in relation to the licenses in place. This however depends on the nature of the audit and what kinds of data are processed. Lastly, it should be noted that if the employee opposes processing, it is generally much harder for a processing to be deemed legal.

Switzerland      Roland Mathys - Clara-Ann Gordon - Dr. Samuel Klaus

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Under the Swiss Copyright Act ("CopA"), the willful use of software without sufficient licenses (i.e. without proper permission to use) is a criminal offence (copyright infringement).

    According to Art. 67, para. 1, lit. e CopA, it is a criminal offence to "produce copies of a work in any manner", which includes the unauthorized installation as well as the unauthorized use of software. The unauthorized use of software would lead to at least a temporary copy of the software. The making of temporary copies is only permitted by law if (inter alia) such copies "have no independent economic significance" (Art. 24a lit. d CopA). Since use of software in excess of the licensed amount of instances would have "economic significance", the making of temporary copies in such case would not fall within the scope of the exemption.

    According to Art. 67, para. 1, lit. gbis CopA, it is a criminal offence to "make a work available through any kind of medium in such a way that persons may access it from a place and at a time individually chosen by them", which includes the making available of software through remote access (e.g. by use of thin-clients, in a SaaS-setup or similar). In such case, both the making available (on the server) and the making of temporary copies (on the client) constitute criminal offences, the former according to Art. 67, para. 1, lit. e CopA, the latter according to Art.67, para. 1, lit. gbis CopA.

    In order to be punishable, the acts must be unlawful and committed willfully (Art. 67, para.1 CopA). Use of a copyrighted work is unlawful if it is neither permitted (i.e. licensed) nor based on a statutory exemption (e.g. for archival purposes, Art. 24 CopA). Willfulness requires knowledge and intent (negligence is not punishable under the CopA).

    Copyright infringement as per Art. 67 para. 1 CopA is punishable by custodial sentence (imprison-ment) of up to one year or a monetary penalty (fine) of up to CHF 1'080'000 (Art. 34, para. 1 and 2 Swiss Criminal Code). If an infringement is committed for commercial gain, more severe criminal charges will apply (Art. 67 para. 2 CopA).

    If offences are committed "in business activities", then Art. 71 CopA in connection with Art. 6 and 7 of the Swiss Act on Administrative Criminal Law provides that the employer (or principal in general) may be punishable under the same provisions as the offender if he wilfully fails to prevent the offence or to remedy its consequences.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    No, there is no statutory right to conduct software audits under Swiss copyright law.

    Art. 62, para. 1, lit. c CopA does, however, provide the rightholder with a specific information right: In civil proceedings related to copyright infringement, the rightholder may demand from the defendant to provide information on the "quantity of items in his possession that have been unlawfully manufactured". If the (alleged) infringer refuses to provide such information, then he is punishable according to Art. 67 para.1 lit. k CopA by custodial sentence (imprisonment) of up to one year or a monetary penalty (fine) of up to CHF 1'080'000 (Art. 34, para. 1 and 2 Swiss Criminal Code).

    Furthermore, the Swiss Code of Civil Procedure contains a provision regarding the "precautionary taking of evidence", intended to protect a claimant's position in cases where evidence might be at risk. According to Art. 158 of the Swiss Code of Civil Procedure "the court shall take evidence at any time if [...] the applicant shows credibly that the evidence is at risk or that it has a legitimate interest". In case a software audit could not take place, e.g. due to the lack of a contractual soft-ware audit clause and the licensee's refusing to cooperate, the court might grant a licensor's re-quest for such precautionary taking of evidence in preparation of a corresponding claim.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    No, there are no specific restrictions under contract law regarding contractual software audit claus-es in general.

    However, Art. 27 of the Swiss Civil Code states that no person may surrender his or her freedom or restrict the use of it to a degree which violates the law or public morals. The courts have used this provision to limit the extent to which one may commit oneself by contract. For example, an unlimited contractual audit right that may be exercised at any time without prior notice and with an unlimited scope might be held void and unenforceable in court.

    With the exception of such extreme cases, individually negotiated audit clauses will not be subject to restrictions under contract law. Clauses contained in general terms and conditions may, howev-er, be subject to restrictions based on general contract law principles and case law:

    • In B2C relationships, the use of general terms which, in contradiction to the principle of good faith, provide for a substantial and unjustified disproportion between the contractual rights and obligations to the detriment of the consumer, may constitute an act of unfair competition (Art. 8 Swiss Unfair Competition Act).
    • In B2B relationships, the application and interpretation of general terms and conditions clauses are governed by general legal principles only, providing, for example, that a con-tract party must have had the opportunity to notice the terms and conditions and that certain clauses which could not be expected by the counterparty in good faith would not become part of the agreement.
  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No, the Swiss Act on Co-Determination does not provide for any such co-determination rights.

  5. What are the data protection limitations to software audits?

    The Swiss Data Protection Act ("DPA") is applicable to "personal data", i.e. "all information relating to an identified or identifiable person" (Art. 3 lit. a DPA). It has to be emphasized that the DPA is applicable to personal data of both natural persons (individuals) as well as legal persons (legal entities), Art. 3 lit. b DPA.

    Most data collected during a software audit will relate to the licensee and is as such subject to the provisions of the DPA. In addition, if a software audit also leads to the collection of personal data pertaining to third parties (e.g. employees, contractors, clients, providers or other business partners of the licensee), such personal data will also be subject to the provisions of the DPA.

    The processing (i.e. collection, storage, use, revision, deletion, etc.) of data must, inter alia, be lawful, carried out in good faith (including proper and transparent information regarding the pro-cessing), and be proportionate (Art. 4 para. 1 and 2 DPA). Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law (Art. 4 para. 3 DPA). The collection of personal data and in particular the purpose of its processing must be evident to the data subject (Art. 4 para. 4 DPA). Deviations from those principles are possible in certain circumstances, e.g. if justified by an overriding private interest (Art. 13 para. 1 DPA), which, inter alia, is the case if the processing person processes personal data "in direct connection with the performance of a contract and the personal data is that of a contractual party" (Art. 13 para. 2 lit. a DPA). The processing of personal data pertaining to the licensee might thus, and depending on the actual circumstances, be justified.

    However, regarding personal data pertaining to third parties (in particular the employees), such justification would not be applicable. Furthermore, the principle of proportionality requires that only such data is collected that is required for the intended (and properly disclosed) purpose. As long as it cannot be shown that a software audit requires collection of personal data pertaining to third parties (which might be rather difficult to assert), such would not be permitted under the DPA at all.

    Finally, a cross-border transfer of the data collected from within Switzerland to another country might lead to additional issues, due to the fact that most other countries do not, from a Swiss data protection regulation perspective, provide for adequate protection of data pertaining to legal entities.

Turkey      Ceylin Beyli

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Software is generally copyright protected under the Turkish Copyright Law. Reproduction of a copyright protected software without the consent of the right holder is a criminal offence, punishable by imprisonment from 3 months to 1 years or by administrative fine. Under particular aggravating circumstances, the imposed imprisonment punishment may be up to 2 years.

    The right to use a software requires a valid license agreement with the right holder of the software. As such, unlicensed use of proprietary software will be classified as a criminal offence.

    Criminal liability is necessary, but may not be sufficient to impose a punishment on the infringer. According to the Turkish Criminal Law, a criminal offence requires intentional conduct in order to impose punishment. Therefore, unknowing and unintentional infringement of a software's copyright will not impose punishment on the infringer. As such, a director of an infringing company's management may be held liable, if he or she was unaware of the infringement. Nevertheless, the said act being an unfair act, the infringing party may be liable with severe indemnity.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    There are no Turkish statutory laws that entitles the right holder to conduct software audits. However, the Turkish Copyright Law foresees and enables software copyright holders to file complaints before Public Prosecutors, who in their turn may engage police and relevant administrative bodies for determination of use of unlicensed software or for conducting software audits in that regard, which can be followed by a seizure order from Criminal Court and then filing of a criminal action along with confiscation of illegal goods.

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Software audit clauses are generally valid under Turkish law, whether they are based on general terms and condition or subject to individual negotiation.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No.

  5. What are the data protection limitations to software audits?

    The Turkish Data Protection Law was enacted and entered into force back in 2016. The said Law is somewhat a reflection of the Directive 95/46/EC. In this respect, the Law does not include any specific limitations to software audits, but require its clauses to be respected when it comes to protection of data within a software.

Ukraine      Nazar Chernyavsky

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Depending on the amount of pecuniary damages caused by the use of software without appropriate licensing, such usage may be classified as criminal or administrative offence.

    Article 176 of the Criminal Code of Ukraine stipulates that illegal reproduction, distribution, and other infringements of copyright resulting in considerable damage (from about EUR 560 up to about EUR 5,600 in UAH equivalent) shall be classified as a criminal offence. This criminal offence is punishable with a fine (up to EUR 590 in UAH equivalent) or correc-tive labour for up to two years, or imprisonment for the same term.

    If the same actions are committed repeatedly or upon prior conspiracy by a group of per-sons, or if these action result in extensive damage (from about EUR 5,600 to up to about EUR 28,000 in UAH equivalent), it is punishable with a fine (ranging from about EUR 590 up to about EUR 1,180 in UAH currency equivalent), or corrective labour for up to two years, or imprisonment from two to five years.

    If the above illegal acts are committed by an official through abuse of office or committed by an organized group of persons leading to particularly extensive damage (more than UAH equivalent of about EUR 28,000), it is punishable with a fine (ranging from about EUR 1,180 to about EUR 1,790 in UAH equivalent) or imprisonment from three to six years, to-gether with a possible additional ban on occupying certain positions or conducting certain activities.

    The form of guilt is only direct intent. Moreover, IP rights infringement cases belong to pri-vate prosecution cases. This means that a criminal case can only be initiated based on an application from a legal entity or individual that has information about the criminal offense or by a victim.

    The above criminal liability is central in cases of copyright infringement. However, depend-ing on the peculiarities of the individual crime, it can be combined with other crimes (cumu-lative crime). By way of example, Article 203-1 of the Criminal Code of Ukraine provides for liability for illicit disc circulation for laser reading systems, matrices, equipment and raw materials for their production. The punishment for the latter actions is a fine.

    Where pecuniary damage is less than UAH equivalent of about EUR 560, then such of-fences with respect to use of the software without license will be classified as an adminis-trative offense. The punishment imposed is a fine (from EUR 6 to EUR 590 in UAH equiva-lent) with confiscation and destruction of the infringing goods, equipment, and materials used for any illegal production. The form of guilt for these infringements can only be direct intent.

    Finally, as in the case with criminal law, the Code of Ukraine on Administrative Offences contains provisions on the illegal production, export, and import of discs for laser reading systems, and on illegal export and import of equipment and raw materials for their produc-tion (Article 164-13). The punishment for these actions is a fine.

    Because discs are no longer the main means of committing piracy, both criminal and ad-ministrative liability for illegal production, export and import of discs for laser reading sys-tems and on illegal export and import of equipment and raw materials for their production are less relevant for business.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    Ukrainian statutory law does not explicitly entitle the rights holder to conduct software au-dits.

    However, Article 52 of the Law of Ukraine “On Copyright and Neighboring Rights” ("Copy-right Law") allows for the application of the following means of protection of rights:

    • (i) Take part in inspection of production facilities, warehouses, and techno-logical processes and commercial operations related to the manufacture of the copies of the copyrighted works suspected of infringing or threatening to infringe the rights.
      The rights holder can be engaged in inspection in accordance with the procedure approved by the Cabinet of Ministers of Ukraine. According to Item 20 of the Regulation on Intellectual Property State Inspector of the Intellectual Property Service of Ukraine approved by Resolution No. 674 of the Cabinet of Ministers of Ukraine dated 17 May 2002 (as amended) ("Inspection Procedure"), the Intellectual Property State Inspector may decide to engage the rights holder upon the request of the latter. Notably, Inspection procedure permits the rights holder to engage consultants and other experts for inspections.
    • (ii) Demand information about third parties engaged in production and distri-bution of counterfeit copies of copyrighted works from the infringer.
      This right is not straightforward. In order to exercise it, the rights holder must apply for an appropriate order from the court.

    In addition, in order to protect copyright, Article 53 of the Copyright Law grants the courts the authority to apply the following temporary measures to preserve evidence of an in-fringement:

    • (i) Inspection of those premises where acts associated with the infringement of copy-right are believed to be occurring;
    • (ii) Arrest and seizure of documents that can serve as evidence of the infringement or possibility to infringe copyright.

    These measures can be applied at the rights holder’s request before filing a lawsuit, or if the infringer does not provide access to the premises or information. Such requests must be considered within two days after filing with the court. The temporary measure order is subject to immediate enforcement by state enforcement agencies with participation of the rights holder.

    Notably, before applying temporary measures, the court is entitled to require the posting of a bond by the rights holder. The bond value should not be less than the UAH equivalent of about EUR 60 and must be more than the amount of the claimed damages.

    It also worth mentioning that the same measures can generally be applied according to the Commercial Procedural Code of Ukraine and the Civil Procedural Code of Ukraine without regard to the provisions of the Copyright Law.

    In practice, requesting temporary measures by the rights holders is extremely rare due to difficulties with substantiation of the need for taking such measures before the court (irre-spective of whether provisions of the Copyright Law are applied or the rights holder relies on the provisions of the respective Procedural Code only).

  3. Are contractual software audit clauses subject to restrictions under contracts law?

    Based on the freedom of contracts principle stipulated by the Civil Code of Ukraine, we believe that software audit clauses are valid if individually negotiated by the parties to a li-cense agreement. The rights, remedies, and procedures stipulated in Articles 52 and 53 of the Copyright Law generally support this position.

    However, it is important to note whether said audit clauses comply with general principles and requirements of the Ukrainian contract law. In particular, to avoid any potential claims of abuse of IP rights and, thus, increasing the risks of audit clause invalidation, we believe that it is important to balance the audit procedure within such clauses (e.g., prior audit no-tice, limitation of the audit to premises, documents and information that directly relate to the possible infringement).

    At present, we are not aware of any jurisprudence declaring such audit clauses to be valid or void.

  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    No.

  5. What are the data protection limitations to software audits?

    Personal data processing during the course of software audits is subject to limitations pre-scribed by the Law of Ukraine “On Personal Data Protection” (“PDP Law”). The PDP Law defines personal data as information or data relating to an individual, who is identified or identifiable. Notably, while the PDP Law does not contain any express provisions on its territorial effect, it can be argued that it also applies to processing of personal data that relates to Ukrainian citizens or residents regardless of where the data operator is established, server is located, or personal data are processed.

    It seems that the parties would need to comply with the above requirements when a par-ticular natural person is specifically and intentionally identified for some legitimate rea-son(s). An IP address per se is usually not sufficient to qualify as personal data.

    Pursuant to Article 6 (5) of the PDP Law, personal data may only be processed for expressly described and justifiable purposes. Licensor and licensee should comply with this requirement irrespective of legitimate reason of personal data processing.

    The PDP Law requires that the data subject must consent, not only to processing its per-sonal data for a specific purpose, but also to the (i) scope (categories) of personal data subject to processing; (ii) information on how personal data will be used; (iii) information about dissemination of personal data; and (iv) information about access of third parties to personal data.

    However, as is the case in other jurisdictions, it may be impractical for the controllers to rely on employee consent as for example, this consent may be revoked by the employees at any time.

    It worth mentioning that obtaining consent is not the only legitimate reason of personal data processing. In addition and as an alternative to obtaining consent, the following legitimate reasons may be the most relevant for software audits:

    • (i) Protection of legal interests of a data controller or a third party to which personal data is transferred. The PDP Law also stipulates that the need for protection of the discussed legal interests should outweigh the need for personal data protection. The latter should be discussed and decided on a case-by-case basis.
    • (ii) Processing is necessary for the establishment, exercise or defense of legal claims. This legitimate reason is applicable only to processing of sensitive personal data (Article 7 of the PDP Law) and cross-border transfer of personal data to jurisdictions which do not ensure an adequate level of protection of personal data (Article 29 of the PDP Law).

    There is also a general legal requirement to notify the data subject in relation to personal data collection on the day of collection (if collected from individual) or within 30 business days after such collection (in all other cases). The PDP Law sets specific requirements to the content of the notification (e.g., purpose of personal data collection, third parties to whom its personal data can be transferred).

    In addition, the data subject must be notified within 10 business days about each modifica-tion, deletion, or the destruction of its personal data. In practice, many Ukrainian data con-trollers choose to take a risk-based approach in relation to this requirement, on the basis that as of now, the likelihood of enforcement for non-compliance with this PDP Law re-quirement is relatively low.

    Finally, once so-called extreme risk data (e.g., any pre-trial procedures applied to the per-son, any investigative procedures against the person, location and travel routes) are going to be collected and processed, it is important to notify the Ukrainian DPA about such pro-cessing. The Ukrainian DPA should be notified within 30 days of commencing any extreme risk data processing.

United Kingdom      Julian Hamblin – Chris Holder – James Harper – Christopher Millard – Sarah Pearce – Clive Thorne

  1. Is the use of software without sufficient licenses a criminal or administrative offence? What are the preconditions and consequences of such an offence?

    Unauthorised use of software may be a criminal or civil offence under the UK Copyright, Designs and Patents Act 1988 (CDPA). The CDPA includes a "computer program" within the definition of literary works which attract copyright protection under section 1(1)(a). Without an appropriate licence, it is an infringement of copyright to copy (i.e. reproduce) or adapt software in which copyright subsists (sections 17 and 21, CDPA).

    Civil
    Copyright is a property right, and therefore the possible civil remedies for infringement include damages or account of profits, order for delivery up, and/or interim injunctions, freezing orders or search orders. (Chapter VI, CDPA). If a software licence contains additional restrictions which are not complied with or other protections, the licensor will have remedies (including under a breach of contract claim).

    Criminal
    Under section 107, CDPA it is a criminal offence to make or deal with an infringing copy of software. This covers activities such as making the copy available for sale, hire or import into the UK (not for domestic use), or other acts which prejudicially affect the copyright owner, whilst knowing or believing that the copy is an infringing copy. The maximum sentence for this offence is 10 years imprisonment and/or an unlimited fine.

    Currently, where a section 107 offence is committed by a corporate body, the officers of that company will be liable where they consented (or conspired) to the unlawful activity (section 110 of the CDPA). In the future, company officers may have greater exposure to potential liability. The direction of travel of UK public policy is to hold company officers personally criminally liable where the corporate body has committed the offence and the officers "failed to prevent" the commission of the offence. The Ministry of Justice is currently consulting on whether this should be the approach for all economic crimes including for copyright infringement.

  2. Does a statutory right to conduct software audits exist under your jurisdiction’s (copyright) law?

    There is no statutory right under English law for an owner of rights in software (usually the licensor) to conduct a software audit.

    A software licensor who wishes to conduct an audit should take particular care to ensure that it has the benefit of a sufficiently robust express contractual right of audit allowing access to the licensee's systems. Without this right, the licensor runs the risk of falling foul of Section 1 of the Computer Misuse Act 1990, which creates a statutory offence of unauthorised access to a computer. This carries a maximum sentence of 2 years imprisonment and/or a fine.

  3. Are contractual software audit clauses subject to restrictions under contracts law?
    • (a) Freedom of Contract
      Where a software licence contains a clear right of audit, generally this will be valid, as English common law recognises the doctrine of freedom of contract, subject to statutory or public policy limits. Recent case law including Globe Motors v TRW Lucas Varity [2016] EWCA Civ 396 and MWB v Rock Advertising Ltd [2016] EWCA Civ 553 support the proposition that 'the parties have freedom to agree whatever terms they choose to undertake, and can do so in a document, by word of mouth, or by conduct.'

       

      Where a business-to-business software licence contains an onerous or unreasonable audit provision, even in a standard form contract that the licensee has little opportunity to negotiate, it is still likely to be enforceable. The Unfair Contract Terms Act 1977 is not likely to apply, as it only applies to clauses that unreasonably limit or exclude liability, directly or indirectly.

      If there is no express audit right, courts will not imply such a right into a commercial contract, unless the contract would lack commercial or practical coherence without the audit right being an implied contract term (Marks and Spencer v BNP Paribas [2015] UKSC 72).

    • (b) Contractual Construction
      Where there is an express contractual right of audit, the scope of the audit right granted is a question of contractual construction. In the case of 118 Data Resource Ltd v IDS Data Services Ltd [2014] EWHC 3629 (Ch) there was a broadly worded right of audit in respect of a data licence. 118 applied to the High Court for an order for specific performance to enforce this audit right. There was disagreement as to whether the audit right would allow 118 to see commercially sensitive material. The contractual clause was not clear and the court therefore refused to grant the discretionary remedy.
  4. Are there any co-determination rights of the workers’ council with respect to software audits?

    Co-determination and the worker's council are German legal concepts; there is no equivalent in England and Wales.

  5. What are the data protection limitations to software audits?

    A software audit may involve the licensor (or auditor) having access to and processing personal data. Processing of personal data is regulated by the Data Protection Act 1998 (DPA). The obligations under the DPA apply to a data controller, the party that (either alone or in common with other parties) determines the purposes for which and the manner in which personal data are processed.

    The licensee will want to ensure that any access and processing of personal data on its systems complies with the DPA. If the licensor processes personal data in connection with the audit as a data controller it will also need to comply with the DPA.

    The DPA requires that any personal data is processed fairly and lawfully. This includes satisfying at least one "condition for processing" set out in the DPA and providing transparency to data subjects. The most relevant condition that is likely to be relied on in practice is the "legitimate interests" condition.

    Issues to be considered in complying with the legitimate interests condition and the DPA generally include: (i) whether and to what extent access to personal data is required and documenting any restrictions or prohibitions on access within any audit contract clauses; (ii) anonymising or pseudonymising personal data where appropriate; (iii) limiting access to that which is strictly necessary; (iv) including in audit contractual clauses obligations to keep personal data confidential and secure and to use it only as strictly required for the purpose of the audit; and (v) giving transparency to data subjects in fair processing notices and privacy policies that personal data may be accessed and processed by software licensors.

    The licensor and licensee will also need to comply with other requirements of the DPA (e.g. relating to security and transfer of personal data outside the EEA). From May 2018, the licensor and licensee will need to comply with the new EU General Data Protection Regulation (GDPR) which will replace the DPA.