Driven by the rise of e-commerce, social media, cloud services and now the Internet of Things (IoT), application programming interfaces (APIs) have become pivotal to our economy and personal Internet use. Following the recent decision in Google v. Oracle in the US, we take a look at the intellectual property (IP) and contractual protection of APIs in the EU.
Article written by Lindsay Korytko, Senior Associate, IP & Tech Law at NautaDutilh / Credits © NautaDutilh
What are APIs?
An API is a set of functions, procedures, definitions and protocols for machine-to-machine communication and the seamless exchange of data. Simply put, APIs are requirements that allow two applications to communicate and interact with each other. They let developers interact with third-party services through simple instructions. For instance, a news website can plug into an API to obtain third-party weather information, a camera app can plug into a social media application to share images, a taxi-hailing app can use the Google Maps API to extract location data, and the APIs of companies like Stripe can simplify the acceptance of payments and their integration with client billing systems.
APIs and IP rights
A key legal debate is whether APIs can be made subject to copyright protection (as they rarely qualify for patent protection). A ten-year legal battle between Google and Oracle (the owner of the Java software platform) ended on April 5 of this year, with the US Supreme Court arguably dodging the question of copyright protection but nonetheless holding that Google’s reimplementation of the Java API declaring code in Android OS constituted lawful fair use. Fair use is a limitation to copyright that releases the user of a protected work from liability for infringement where the use is considered fair.
In the EU, API source codes, logos and manuals are protected by copyright provided they are original, meaning they reflect their author’s own intellectual creation (for more information on copyright protection in the EU, please see our previous article). The fact that the US fair use limitation is not recognised as such under EU law means that the permission of the copyright holder is needed in order to use copyright-protected APIs. Such permission can take various forms.
The contractual framework applicable to open APIs
Permission can be easily obtained in the context of so-called open or public APIs, i.e. those that anyone may use subject to compliance with the API provider’s terms and conditions. APIs can of course also be made available in open-source (as opposed to proprietary) mode, which provides users with a great deal of freedom.
The European directive on open data and the re-use of public sector information (Directive (EU) 2019/1024), also known as the Open Data Directive, recommends that public sector bodies offer open APIs as part of their obligation to make available certain high-value datasets to third parties for re-use by the latter for their own (even commercial) purposes. These datasets – which will undoubtedly present new business opportunities – comprise data relating to, amongst other things, statistics, company ownership and mobility.
IP licensing and beyond with partner APIs
In other cases, the API provider may wish to restrict, either for business reasons or due to the sensitivity of the data exchanged, the use of its API to specific organisations.
A so-called partner API is one that is not generally available to the public and only accessible to a predefined group of users via an authentication and authorisation mechanism. A specific contract, either in the form of a licensing agreement or a broader agreement often containing an IP licence, will be concluded. The contractual terms may cover issues such as the number of calls the user’s application can make to interact with the provider’s application over a given period, fees, the number of individual users, access to the API keys, systems and security provisions, and if and how the user can use the provider’s trademarks and logo in its own offering.
Other clauses will be necessary if the data to which the API provides access are regulated or subject to restrictions. For instance, the GDPR applies where the data concerned qualify as personal data. Likewise, banking secrecy rules apply to client data of Luxembourg financial institutions. Additional provisions will thus be important to limit how the retrieved data may be used and shared, the ultimate aims being to avoid liability and to protect and, as the case may be, correctly monetise the API provider’s IP.
This article is brought to you by NautaDutilh and reflects only the opinion of the author.