
Wednesday, December 16, 2015

Software license audits challenged in French court


Software vendors (licensors) have increased the number of software license audits over the past few years to chase intellectual property infringement through illegal use of software. Infringing users (licensees) are required to pay additional licensing fees or else they will be sued. Even if the user is duly licensed to use the software, only limited rights are granted by the licensors. The purpose of license audits is to ensure that the licensee complies with the rights granted by contract.

However, licensees are challenging software license audits more and more often. Their claims are often legitimate: increased complexity of the license agreements, difficulty for the licensees to keep track of the licensing rights actually used, or even bad faith by certain vendors who threaten to launch an audit in order to pressure the client at the time of contract renewal.

The amounts at stake are usually quite high for both parties, vendors and licensees.

Two recent French cases, both involving Oracle Corporation, illustrate the tension between vendors and licensees, especially at the time of renewing - or not - the existing licenses. (1) These cases raise the issue of the purpose, scope and limitations of a software license audit, and of the legal grounds on which a case may be brought when challenging the non-compliance between the rights granted and actual software use.


1. Purpose, scope and limitations of a software license audit

Software is protected by intellectual property law. (2) The author, or software publisher, enjoys exclusive rights over his/its work and is free to decide how to distribute it, including the scope of the rights granted and the licensing fees charged.

The rights granted to the licensees are set out in the software license agreement. The scope of the rights granted varies from one vendor to another. The licensing rights can be limited according to the type or number of terminals or servers, the number of named users or of CPUs, user volume, etc. Limitations can also be territorial: per location, facility, country or region.

Each vendor is also free to set its own fee system: through the payment of a one-time licensing fee, through a recurring subscription assessed according to the number of terminals or user volume, or through fees evolving with the software (upgrades), etc.

To ensure that the software is used in accordance with the rights granted, software vendors usually include software license audit clauses in their contracts.

However, one of the fundamental principles of civil law is that contracts must be performed in good faith (art. 1134 of the French civil code). Under this principle, software audits must not be carried out for a purpose other than their original objective, nor be used as a threat against the licensee at the time of renewing the contract in order to put financial and operational pressure on the licensee, or to overreach and access the licensee’s proprietary confidential data.

Both of these issues were raised in the cases examined here.

- The Oracle vs. Carrefour judgment of 12 June 2014 (Summary judgment)
In this first case, Oracle sued Carrefour after the latter had resisted Oracle’s request to run its data collection scripts on Carrefour’s systems during the software audit process.

Two Carrefour affiliates, Carrefour SA and Carrefour Organisation et Systèmes Groupe, had entered into a framework license agreement to use the Oracle Database Management software. On 27 January 2012, after the agreement had expired, Oracle France notified Carrefour of its decision to conduct a software license audit to check the compliance of the software used with the rights granted under the license agreement. The notification included a request to run scripts to assess the number of licenses used and to check the documents provided by Carrefour regarding the use of the software.

Carrefour didn’t resist the audit but refused the process imposed by Oracle, i.e. running Oracle’s auditing tools. Carrefour considered that the scripts used by Oracle gave Oracle access to Carrefour’s confidential information, which was unnecessary for the purpose of the audit and which posed a security risk to its IT systems.

In a summary judgment rendered on 12 June 2014, the Civil court of Nanterre (Tribunal de grande instance de Nanterre) held that Oracle could not compel Carrefour to run Oracle’s scripts to collect data for the audit since this process was not imposed by the agreement nor by law.

The judges held that Oracle did, however, have a legitimate reason to be granted an expert assessment in order to establish evidence of potential contractual breaches and intellectual property violations by the defendants. Carrefour was therefore not compelled to run Oracle’s data collection scripts, but the judges confirmed that Oracle could use all necessary data collected during the expert assessment to check that Carrefour’s use of the software programs complied with the licenses granted.

- The Oracle vs. AFPA decision of 6 November 2014

In a second case opposing Oracle and the AFPA (Adult professional training association) before the Civil court of Paris (Tribunal de grande instance de Paris), the AFPA claimed that Oracle had overreached its software auditing right to put pressure on the AFPA at the time of its license renewal, with the intent to limit competition, and had abused its right to bring legal action against the AFPA when the AFPA didn’t renew the licenses.

The AFPA claimed that Oracle was using its audit right abusively “by distorting its purpose” to put pressure on the AFPA and deter it from migrating to a competitor’s software at the time of the license renewal. This method allegedly resulted in limiting competition (per art. L.420-2 of the commercial code) on the SGF and RDBMS solutions markets.

The judges were not convinced by the AFPA’s claim regarding an abuse of dominant position by Oracle, as they considered that in this case, Oracle’s dominant position on the RDBMS market was not ascertained.

Regarding the abuse to bring legal action, the judges recalled that engaging legal proceedings is a right. If this right is used abusively, then the claimants must prove that a fault was committed, under article 1382 of the civil code (fault, damages and causality between the fault and the damages suffered).

However, although Oracle had threatened the AFPA with an audit at the time of license renewal, in the present case the AFPA didn’t demonstrate having suffered any specific damage other than the cost incurred in this legal procedure.


2. Characterizing an alleged non-compliance with the license: intellectual property infringement or contractual breach?

The case opposing Oracle and the AFPA raised a second interesting legal issue regarding the characterization of the dispute over the alleged non-compliance with the software license.

- The facts
Oracle distributes an ERP solution called Oracle E-Business Suite, comprising over 70 software application programs dedicated to enterprise management and clustered into “suites” (“Financials” for accounting and finance software, “Procurement” for purchasing management and suppliers).

Unlike most enterprise software, the E-Business Suite licensing system doesn’t work with activation keys used to manage licenses (blocking and unblocking access to the software, managing the license term, etc.), but instead is delivered on a CD which includes all the programs. The client or its service consultant is then responsible for the installation of the licensed programs on the client’s systems.

Following an RFP launched in September 2001, the AFPA executed an agreement with Sopra Group (an Oracle distributor and consulting company) for the provision of the Oracle E-Business Suite - Finance, for an initial group of 475 users.

In July 2008, Oracle France notified the AFPA of its decision to carry out a software audit. The audit was actually conducted in May/June 2009, when the AFPA launched a new RFP to roll out the Procurement solution. According to the audit results, the AFPA was using 885 Purchasing software licenses. This software program was part of the Procurement suite, which was not included in the license granted.

After failing to settle the matter amicably, Oracle decided to bring an action against the AFPA on the grounds of counterfeiting based on the unauthorized use of the Purchasing software suite. To this effect, Oracle demanded that the AFPA (and Sopra Group, under the contractual indemnification terms) pay 3,920,550 euros as lump sum indemnification for the unauthorized copy and use of the Purchasing software for 885 named users, plus 9,487,731 euros as indemnification for the unauthorized use of the technical support services and Purchasing software upgrades, i.e. a total of 13,408,281 euros.

The defendants claimed that Oracle knew that the Purchasing software suite was part of the solution proposed by Sopra to the AFPA under the contract, the solution having been approved with the purchase order issued by Oracle. Indeed, Sopra had invoiced the AFPA for the installation, use and support services for the Purchasing program. The AFPA also claimed that they had been using Purchasing in good faith since the beginning of the contract term and that they had committed no breach.

- Disagreement over the legal qualification of the audit conclusions
In this case, the parties’ claims were based on conflicting legal characterizations resulting in distinct legal consequences: intellectual property infringement vs. breach of contract.

Oracle claimed that since the AFPA wasn’t authorized to use the software under dispute, they were infringing (counterfeiting) Oracle’s intellectual property rights. Counterfeiting is a continuing offense, not subject to prescription, and the counterfeiter cannot claim good faith.

Contrary to Oracle, the AFPA claimed that this was a contractual issue. According to the AFPA, the Purchasing suite was included in Oracle’s licensed software programs. If not, the AFPA claimed that they had performed the contract in good faith since the software programs had been installed by Sopra. Contractual claims are prescribed after 5 years (art. 2224 of the French civil code). Indemnification is governed by the rules regarding contract performance set forth in the Civil code.

- The Court decision

To characterize the dispute, the judges recalled that the only existing issue between the parties was whether the license included the Purchasing suite. Oracle never claimed that the AFPA had used counterfeit software or rolled out software not supplied by Sopra, or that the number of licenses did not correspond to the number of users. The judges therefore held that the dispute focused only on the scope and performance of the contract and not on a counterfeiting issue. Consequently, the 5-year statute of limitations and the contractual indemnification rules for the damage suffered, as set forth in the French civil code, were applicable.

Regarding the performance of the contract, Oracle had delivered four CDs, including one containing the Oracle Applications/E Business Suite II i solution, with the Financial and Purchasing suites. Oracle’s position was that although the Purchasing software was on the CD, it was not included in the license.

Based on the documents disclosed during the proceedings, the judges held that Oracle maintained doubt and confusion on what was really included in the software solution licensed: either the Purchasing software program wasn’t included in the scope of the AFPA license, and then it shouldn’t have been delivered to them, or it was included in the license since it was actually delivered in execution of the purchase order.

The judges decided that the AFPA used the Purchasing software suite without fault since this program had been included in the CDs prepared by Oracle. Oracle must have always understood and admitted that the license included the use of that software suite.

As a consequence of this legal characterization, the judges held that the AFPA didn’t infringe Oracle’s intellectual property rights since the software was presumably included within the contractual scope of the license. The judges therefore decided that Oracle’s claims against the AFPA were prescribed and Oracle’s claims of 13,408,281 euros were unfounded. In addition, Oracle had to pay procedural fees to the AFPA and to Sopra amounting to 100,000 euros (art. 700 of the procedural code). This decision is pending appeal.


Based on this case law, software license audits are indeed legitimate tools for vendors to check that the licenses are performed within the contractual boundaries. However, audits should not be used outside and beyond their original purpose. As shown by these two cases, given the amounts claimed by the vendors, users no longer hesitate to challenge such practices, claiming bad faith or abuse by the vendors (although such claims must be proved legally). Another potentially valid claim could be the complexity of certain types of licensing rights, which can be extremely difficult for licensees to manage effectively.

Although these cases didn’t raise the issue of license complexities, and were brought essentially because of misunderstandings and communication issues between the parties, we recommend that software vendors ensure that licensing rights are set forth in clear terms and that licensees can easily keep track of the rights used.


                                                        * * * * * * * * * * *

(1) Nanterre civil court of first instance (Tribunal de grande instance de Nanterre), summary judgment, 12 June 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Carrefour, Carrefour Organisation et Systèmes Groupe ; Paris civil court of first instance (Tribunal de grande instance de Paris) 6 November 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Association Nationale pour la Formation Professionnelle des Adultes (AFPA) & Sopra Group

(2) Article L.112-2 of the Intellectual property code

 
Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015

Friday, December 11, 2015

Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU



In a landmark decision on 6 October 2015, the Court of Justice of the European Union (CJEU) held that the Safe Harbor principles, in effect between the EU and the US since 2000, were invalid. All European companies working with US commercial organizations adhering to Safe Harbor must reassess the conditions under which they are transferring personal data to these entities. (1)

The purpose of this article is to review the main rules governing cross-border personal data transfers and to provide a few answers and solutions following this landmark decision.


1. Personal data transfers outside of the European Union and the cancellation of the Safe Harbor principles

Although the 1995 Data Protection Directive lifted all restrictions on cross-border personal data transfers within the EU, transfers outside of the Union remain prohibited in principle, except in limited cases. (2)

    1.1 Rules governing personal data transfers outside of the European Union

With the globalization of the economy, and even more so with the digital economy, most companies transfer data to third countries, either to their headquarters or affiliates, to subcontractors, or to service providers. While personal data transfers outside of the European Union are prohibited in principle, there are a few exceptions to this principle. The following cross-border personal data transfers are allowed:

    - data transfers to a country acknowledged by the European Commission as providing a sufficient, or “adequate” level of protection. Only a handful of countries outside of the EU are deemed to have enacted laws providing a level of protection equivalent to those in effect in Europe; (3)
    - data transfers between two entities (exporting and importing data) having signed the EU Standard contractual clauses (SCC) adopted by the European Commission. This contractual solution is applicable either between two data controllers or between a data controller and a subcontractor;
    - data transfers between two or more affiliates within a multinational corporation, subject to that multinational corporation having implemented Binding Corporate Rules (BCRs), applicable among all the affiliates and approved by one of the national data protection authorities (“national supervisory authorities”) such as the CNIL in France or the ICO in the UK;
    - data transferred in exceptional situations, if the data subject has given his consent to such transfer;
    - and until the 6 October 2015 decision, data transfers to the United States, subject to the importing company adhering to Safe Harbor.

The Safe Harbor principles include a set of personal data protection rules, negotiated between the US authorities (US Commerce Department) and the European Commission in 2000, and approved by a Commission decision dated 26 July 2000. (4)

The Safe Harbor principles include rules concerning the protection of personal data, modelled on the principles of the 1995 Data Protection Directive. The Safe Harbor framework only applies to those US companies that have voluntarily declared their adherence to the principles. The US Federal Trade Commission (FTC) is in charge of administering the Safe Harbor principles, including publishing the list of companies adhering to the system.

However, the Safe Harbor principles were declared invalid by the European Court of Justice on October 6.

    1.2 The Schrems decision


In its decision issued on 6 October 2015, the Court of Justice of the European Union invalidated the Safe Harbor framework, deciding that a national supervisory authority could suspend personal data transfers from the EU to the United States.

The case concerns an Austrian citizen, Maximillian Schrems, a Facebook user since 2008.

The data provided by European Facebook users are stored by Facebook’s subsidiary located in Ireland, before some of it is then transferred to the United States. Mr Schrems lodged a claim before the Irish Data Protection Commissioner, considering that, following Edward Snowden’s disclosures regarding the activities of the US intelligence services (including the NSA and the FBI), the United States didn’t properly protect the personal data provided by European citizens and residents against surveillance activities. The Irish data protection authority dismissed the claim, arguing that in its 26 July 2000 decision, the European Commission had considered that the United States provided an adequate level of protection for personal data transferred under the Safe Harbor framework.

Mr Schrems then brought an action before the High Court of Ireland, which decided to refer two questions to the CJEU for a preliminary ruling. The Irish judges wanted to know whether the 2000 European Commission decision prevented the national data protection authorities from investigating when a data subject claims that a non-EU country doesn’t provide an adequate level of protection for the personal data transferred. Is the plaintiff irrevocably bound by the European Commission decision, without any possible legal recourse?

In its 6 October 2015 decision, the CJEU decided that the European Commission should have assessed whether the United States did provide adequate protection, through their legislation or through their international commitments, and at least, “a level of protection that is essentially equivalent to that guaranteed within the European Union by virtue of the European directive, read in the light of the Charter of Fundamental Rights of the European Union.”

The Court noted that the US authorities practiced massive and indiscriminate surveillance over the data transferred without granting effective legal protection to the data subjects.

US companies are subject to mandatory US laws and regulations which supersede the Safe Harbor principles. According to the Court, the European Commission did not examine whether the United States actually provided an adequate level of protection for personal data, and the US authorities, through their massive surveillance program, overreached their powers and circumvented the privacy principles. The Court therefore decided that the 2000 Commission decision was invalid.

According to the CJEU, even though the European Commission did acknowledge that the United States granted adequate protection to personal data, the national data protection authorities must be able to control whether data transfers of a data subject to a non-EU country comply with the requirements of the 1995 Data Protection Directive.

The Court concluded that if a national data protection authority had doubts about the adequacy decision of the Commission, that authority must be able to bring an action before the national courts so that they may then send the case to the European Court of Justice. The 2000 decision of the European Commission cannot prevent data subjects and the national data protection authorities from such legal recourse.


2. The consequences of the Schrems case: legal insecurity requiring action

Personal data transfers to the United States made under the Safe Harbor principles are therefore no longer valid. This implies that data transfers which were previously valid are no longer legal, but also that it is no longer possible to initiate new personal data transfers under the Safe Harbor principles.

    2.1 Consequences of the Schrems case

- The article 29 working party (art. 29 WP): the French data authority (CNIL) is currently reviewing, together with its colleagues of the art. 29 WP (representatives of the national data protection authorities of the Member States), the legal and operational consequences of the CJEU decision.

In the meantime, the art. 29 WP has requested the national data protection authorities to implement a solution to overcome the current legal insecurity caused by the CJEU decision. In a declaration made on 15 October, the art. 29 WP invited the European institutions to initiate discussions with their American counterparts to find a new system allowing the transfer of personal data in compliance with the European fundamental rights, such decision to be reached by 31 January 2016. (5)

If the parties fail to reach an agreement by this deadline, the national data protection authorities may then “launch any action necessary, including coordinated punitive actions.”

- The national supervisory authorities: further to the CJEU decision, several national authorities have already taken “preventative” measures.

The data protection authorities from the German Länder and the national German supervisory authority have announced that they would no longer authorize new data transfers to the United States, including under the EU Standard contractual clauses or BCR schemes.

The Spanish data protection authority (Agencia Española de Protección de Datos - AEPD) announced that they would send a message to the entities that had declared transferring personal data under the Safe Harbor principles, enquiring about the alternative solutions that they plan to implement.

The Schrems decision has also spread beyond the boundaries of the European Union, including to those non-EU countries providing an adequate level of protection, regarding their data transfers to the US.

The Israeli data protection authority (Israeli Law, Information and Technology Agency - ILITA) has decided to suspend personal data transfers to the United States.

And the Swiss authority announced that as long as a new agreement with the US government hadn’t been reached, the “U.S.-Swiss Safe Harbor Framework” would no longer be considered a legal basis for transfers of personal data to the US in compliance with the Swiss law on data protection.

Other third countries are also reconsidering the conditions of cross-border data transfers to the United States and other countries.

- The EU Commission: on 6 November 2015, the Commission issued guidance on transatlantic data transfers which will remain effective until a new system is implemented.

The Commission analyzed the repercussions of the Schrems case and proposed alternatives to transfer personal data legally to the United States (including the EU Standard contractual clauses or BCR). (6)

- Toward Safe Harbor 2.0?: the EU Commission had already decided to review the Safe Harbor framework following Edward Snowden’s 2013 disclosures about the NSA surveillance program, conducted under the American security laws that came into effect after the 9/11 terrorist attacks. In November 2013, the Commission issued 13 recommendations to improve the then current Safe Harbor rules.

Since the Schrems decision of 6 October 2015, the EU Commission has been accelerating negotiations with its US counterparts to set up a new framework improving the legal protection for transfers of European personal data to the United States. The goal is to reach a new framework agreement by the end of January 2016.

    2.2 Data transfers during the interim period


The cancellation of the Safe Harbor principles creates uncertainty for companies that were transferring data cross-border under the Safe Harbor framework.

Can organizations transferring personal data to the United States pursue their operations without switching to a new legal framework until new Safe Harbor rules are issued by the EU Commission? Should they plan for the longer term and implement alternative solutions?

Should all data transfers to the United States be suspended, or should they be confined to Europe, or transferred to a country providing an adequate level of protection?

For data transferred under a cloud computing service agreement, what should the client do if the US service provider refuses to amend the transfer terms?

The three-month deadline to reach agreement on a new Safe Harbor framework may seem “aggressive”, and nothing guarantees that this deadline will be met by the authorities.

Until the authorities and institutions find a solution and a new 2.0 Safe Harbor framework comes to life, corporations must find legal and technical solutions to limit legal risks and work around transfer restrictions. Penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison.

- Legal and technical compliance audits: as a first step, entities exporting personal data to be processed in the United States should conduct a legal and technical audit of current data transfers as well as a risk analysis. The data processes, the types of data transferred and the legal regime under which the data are transferred must be clearly identified and characterized. Once a map of the data transfers has been drawn up, the impact of the cancellation of Safe Harbor can be assessed on a case by case basis, with a short and a medium term evaluation.

- Compliance solutions: further to the compliance audit, alternative compliance solutions may have to be adopted. Three options can be considered: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs) within a multinational group of companies.

The EU Standard contractual clauses (SCC) may appear as the easier short term option. It is however necessary to identify the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended, the document will have to be approved by a national data protection authority.

Unless an agreement is reached with its US service providers to operate under the EU Standard contractual clauses, the European client entity may have no other solution than terminating the current agreement with its American service provider and selecting an alternative European provider, or a company located in a country providing an adequate level of protection.

The ad hoc contractual option, i.e. a contract drafted by the parties and adapted to the data process under consideration, could be the best option. An ad hoc contract is indeed more flexible and better adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays involved in receiving an authorization from the national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Binding Corporate Rules (BCRs) can only be used within a multinational group of companies and are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted, then get approval from a national authority prior to being rolled out within the group of affiliated companies.

The benefit of these alternative solutions to Safe Harbor is their stability and the fact that they can remain the preferred solution after a new Safe Harbor framework is launched. If the authorities reach an agreement on a 2.0 Safe Harbor framework, the Schrems decision recalls that in case of alleged breach of their legal obligations, data subjects have a legal recourse against US companies adhering to the Safe Harbor principles.

                                                        * * * * * * * * * * * *


(1) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(2) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(3) The countries providing an adequate level of protection, and to which personal data may be transferred without additional formalities or authorizations are: Argentina, Canada, Iceland, Israel, Liechtenstein, Norway, New Zealand, Switzerland, Uruguay

(4) EU Commission Decision 2000/520 dated 26 July 2000

(5) Brussels, 15 October 2015: “Statement of the Article 29 Working Party”.

(6) EU Commission press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015