CV-Online Latvia: CJEU complicates the enforcement of database rights

CV-Online Latvia owns and manages cv.lv, which provides a searchable database of job ads published by employers. The defendant, Melons, operates a specialist search engine for job ads, KurDarbs.lv, which indexes websites containing jobs ads, including those featured on cv.lv. Search results presented to users of KurDarbs.lv display information including job titles, employers, geographical location of jobs, and dates. KurDarbs.lv obtains this information in advance by indexing pages from the cv.lv website, based on metatags added to each page by cv.lv. The search results shown by KurDarbs.lv also provide hyperlinks to job ads on cv.lv.

Following a first instance finding of infringement by the Latvian courts, on appeal the Riga Regional Court asked the CJEU whether Melon’s activities in operating its specialised search engine amounted to an extraction or reutilisation of CV-Online Latvia’s database of job advertisements. We reported on Advocate-General (AG) Maciej Szpunar’s opinion and its potential implications here. The CJEU’s decision follows the AG’s opinion, holding that the activities of a specialist search engine such as Melons could only be prohibited by the maker of a publicly available database where those activities adversely affect the maker’s investment in the obtaining, verification or presentation of the content, namely that they constitute a risk to the possibility of redeeming the maker’s investment through the normal operation of the database in question.

This article reviews the CJEU’s decision and considers its potential impact on the future enforcement of database rights in the EU and UK, along with two other current issues which owners and users of protected databases need to be aware of; the impact of Brexit and the EU’s forthcoming proposal for a Data Act.

The CJEU’s reasoning

The CJEU had been asked specific questions regarding whether the activities of a specialist search engine such as Melons’ amount to an extraction or reutilisation of a database. However, rather than answer these questions directly, the CJEU followed the AG’s approach of reformulating them into the more general question of whether the maker of a database that is freely accessible on the internet is entitled to prevent the use of that database by an internet search engine that specialises in searching the contents of databases.

Having formulated this general question, the CJEU considered it necessary to examine the scope and purpose of the sui generis right. From Recitals 40 and 41 of the Database Directive and its earlier decision in Innoweb (Case C-202/12) it identified the purpose of the sui generis right as being to ensure the protection of a substantial investment in the obtaining, verification or presentation of the contents of a database and to ensure that the person who has taken the initiative and assumed the risk of making a substantial investment in terms of human, technical and/or financial resources in the setting up and operation of a database receives a return on his or her investment.

In Innoweb the CJEU had found that the provision of a meta-search engine which allowed users to search the contents of a protected online database without visiting the official homepage undermined the sui generis right of the maker of the database, since it deprived that maker of income which would enable him or her to redeem the cost of his or her investment. Looking at the extraction and reutilisation of the content of the CV-Online Latvia database required to provide Melons’ specialist search engine, the CJEU held that such acts would be prohibited by the sui generis right provided that they have the effect of depriving that person of income intended to enable him or her to redeem the cost of that investment. The CJEU therefore characterised the task of a national court when assessing infringement of the sui generis right as establishing:

1. first, whether the obtaining, verification or presentation of the contents of the database concerned attests to a substantial investment (i.e. checking whether a database right exists in the first place); and
2. second, whether the extraction or re-utilisation in question constitutes a risk to the possibility of redeeming that investment.

According to the CJEU, infringement will only arise where both conditions are met. In reaching this conclusion the CJEU referred to a need to strike a fair balance between, on the one hand, the legitimate interest of the makers of databases in being able to redeem their substantial investment and, on the other hand, that of users and competitors of those makers in having access to the information contained in those databases and the possibility of creating innovative products based on that information. In the context of specialised search engines, the CJEU noted that the purpose of the sui generis right was to stimulate the establishment of data storage and processing systems in order to contribute to the development of the information market. By offering users a unified interface enabling them to search several databases, the CJEU noted that specialised search engines allow the information on the internet to be better structured and to be searched more efficiently, and contribute to the smooth functioning of competition and to the transparency of offers and prices.

What does the decision mean for enforcement of database rights in future?

The CJEU has adopted the AG’s conclusion that an extraction or reutilisation from a protected database which is made available online is only prohibited where it constitutes a risk to the possibility of the maker redeeming their investment in the creation of the database. In doing so it has converted statements made in Innoweb regarding the consequences of a reutilisation of a substantial part of a database into a threshold test for establishing infringement. To put it another way, the CJEU has taken what previously appeared to be a sufficient condition for establishing infringement and held that it is actually a necessary condition.

While the operative part of the CJEU’s decision is limited to specialist search engines, the reasoning that an infringement only occurs where there is a risk to the possibility of the maker redeeming their investment would appear to be a general principle capable of application to any situation involving infringement of database rights. Those accused of infringing a database right will want to consider carefully whether they can argue that their activities do not prevent the maker of the database from recovering the cost of their investment in its creation. Equally, database owners will want to present any extraction or reutilisation as harming their investment. These competing views on the impact of the extraction and reutilisation on the maker's investment are most likely to come to a head where the party accessing the protected database is doing so in order to use the data for a different purpose than that which the database is currently made available for. The alleged infringer will be likely to say that the use of the data for a new purpose does not prevent the maker from recovering their investment, as the maker retains the existing market for the database. In response, the maker may say that the new use is one which they may wish to capitalise on themselves, or to license to third parties for a fee. Who will win out in any given situation will be highly fact specific. However, it is fair to say that by introducing the “possibility of redeeming investment” test the CJEU has made the enforcement of database rights more complex.

It is also important to keep in mind that CJEU’s decision in CV-Online Latvia is only one piece of the puzzle regarding access to online information. A further complexity which was not the subject of the CJEU’s decision is the interplay between database rights and website terms and conditions of use. Under the decision, extractions or re-utilisations of a database accessible via a public website which do not constitute a risk to the possibility of redeeming a maker’s investment are not prohibited by the sui generis right. These acts may however be in breach of website terms of use, which commonly prohibit the use of automated data collection (or “web scraping”) techniques or the use of the data present on the website for anything other than personal, non-commercial purposes. Could a website owner therefore skip over database rights and enforce their website terms and conditions against the party obtaining the data? The answer to this question will ultimately depend on the law governing the contract and its formation, whether expressly defined by a choice of law provision or determined by a court by applying conflict of law rules (such as the Rome I within the EU). Equally, could the website owner argue that the party accessing the site is not authorised to do so (or has exceeded their authorisation) and has therefore committed some form of offence for computer misuse? Again, the answer will depend on the relevant national laws regarding computer misuse. In each case, a general rule of thumb is that the legal risk will increase once the party accessing the website is put on notice that the website owner objects to their activities.

Will CV-Online Latvia apply in the UK?

Following its departure from the EU, the UK has retained its national implementation of the Database Directive. However, the CJEU’s decision in CV-Online Latvia has no binding effect on the courts in the UK. This is not to say the decision will be ignored entirely. Under section 6(2) of the European Union (Withdrawal) Act 2018 UK courts may take regard of CJEU decisions made after 31 December 2020 “so far as they are relevant to a matter before them”. How far the UK courts will in practice follow CJEU decisions on previously harmonised IP rights remains to be seen. As the decision in CV-Online Latvia involves the CJEU starting a new line of thought regarding the sui generis right, rather than following an existing direction of travel, it is likely that there will be everything to play for when the scope of protection of the sui generis right next comes before the UK courts.

Looking ahead for database rights

After almost a decade of relative tranquillity for database rights, the CJEU’s decision in CV-Online Latvia is the second in a trio of changes to database rights in Europe.

Brexit

The first change is the impact of Brexit on the ability of organisations to obtain database rights in the UK and EEA. Created by the Database Directive and implemented in the national law of Member States, the EU sui generis database right has always been a bundle of national rights, e.g. an Italian database right protected the maker of a protected database against extraction or reutilisation of their database in Italy, their German database right protected them in Germany and so on. However, Article 11 of the Database Directive imposed a fundamental limitation on the beneficiaries of the protection under the sui generis right. In order for a right to arise, the maker of the database must either be a natural person resident or domiciled in the EEA, or an EEA company with its central administration or principle place of business in the EEA, or a registered office with a genuine economic link to an EEA member state.

While the UK-EU Withdrawal Agreement provided for reciprocal recognition of pre-existing database rights, no further agreement on forward looking reciprocal recognition was reached in the UK-EU Trade Cooperation Agreement. From 1 January 2021, database makers in the UK will therefore no longer be able to obtain new database rights in EEA member states. The UK has also amended its national implementation of the Database Directive, such that from 1 January 2021 only UK citizens, residents and businesses can obtain new database rights in the UK. This loss of the ability for UK businesses to obtain new rights in the EEA and vice versa is already starting to have an impact on real world business decisions. For example, it was recently reported that this issue is one of a number of factors which prompted OpenStreetMap to consider relocating its operations to the EU. Through the use of UK and EU subsidiaries it is possible for most organisations to work round these limitations and continue to generate rights in both the UK and EEA. However, these schemes will often require careful structuring and legal input on IP, corporate, taxation and employment issues, making them feasible only for those organisations where database rights are crucial to their business model and who have the time and resources to make the necessary arrangements. The optimal outcome for many would be a further agreement between the UK and EU, permitting UK and EEA businesses, nationals and citizens to enjoy reciprocal recognition of their database rights.

The Data Act

Back in February 2020, the European Commission’s Data Strategy stated that it intended to evaluate the EU IPR framework with a view to further enhance data access and use. This was said to include a possible revision of the Database Directive and a possible clarification of the application of the Trade Secrets Directive as an enabling framework. This intention was repeated in November 2020 in the Commission’s IP Strategy (read our summary here), which added that the Commission was particularly interested in the role of the Database Directive and Trade Secrets Directive in facilitating the sharing of, and trading in, machine generated data and other IoT data.

More recently, in June 2021 an Inception Impact Assessment for a proposed Data Act highlighted the Commission’s concern that there was legal uncertainty surrounding the application of the Database Directive to machine-generated data and data generated in the context of IoT devices, which may pose an obstacle to access and use of that data (read our summary and analysis of the Inception Impact Assessment here). One specific policy initiative currently under consideration is clarifying the scope of application of the sui generis right to machine generated data, which could either involve expressly including or excluding machine generated data from the scope of the right. A study is currently underway to gather evidence which will inform the Commission’s proposed approach and views can be submitted by way of an online questionnaire (available here).

The Commission has also indicated that it is considering a specific access regime to facilitate trading in and access to databases in a balanced manner and other additional elements to modernise the Database Directive, particularly the sui generis right, e.g. by aligning the exceptions to more recent EU copyright instruments. What exactly this may entail is not yet clear, although the draft Data Act is expected to be published in Q4 2021 so we may not have that long to wait to find out.