Website Law

Website content theft is an extremely common problem. Quality content can take a lot of time and effort (or money) to create – and it can be stolen in seconds by a child with a computer and a internet connection.

Legal proceedings are the ultimate weapon, the nuclear option, in your armoury against website content theft. But before issuing proceedings, you should consider in detail the other options open to you.

I should say that the title to this post is misleading (at least to an English lawyer). Theft is a criminal offence. Whilst the unauthorised copying of website content will usually constitute a civil infringement of copyright, it will not usually constitute a criminal infringement of copyright. So, it’s unlikely that the police or trading standards officers will assist you if someone copies material from your website. There are, however, a number of things you may be able to do on your own, without incurring the expense of a lawyer.

First, you should consider contacting the person responsible for the website asking for the material to be removed. If the website in question does not have a contact email address or HTML form, you can perform a WHOIS search (e.g. at Domain Tools) and write to the email address(es) given.

If that does not work, you should consider writing to the ISP hosting the website. You will usually be able to identify the servers hosting the site (and the relevant ISP) from the WHOIS search.

If the ISP is in the USA, you should make your notice to the ISP compliant with the requirements of the Digital Millenium Copyright Act (see Wikipedia). A list of designated agents for the service of DMCA notices is available on the US Copyright Offices website.

If the ISP is in the EU, you should point out in your notice that, as a result of your notice, the ISP will lose any protection under the Ecommerce Directive that it may have had against proceedings relating to the infringing contract.

In any case, your communications with the website owner and ISP should make it clear: (i) what the infringing material is; (ii) where the infringing material can be found; (iii) your full name and contact details; and (iv) details of your rights in respect of the material (e.g. that you the author or an exclusive licensee of the material). The appropriate degrees of politeness, aggression, etc will depend upon the circumstances.

If neither the website owner or the ISP responds – or if neither responds helpfully – that is usually the time to consider legal proceedings.

Database right is similar to copyright, but distinct. Both database right and copyright may subsist in a single database quite independently. However, this note is concerned exclusively with the protection afforded to websites by database right, not copyright.

In the UK, the key piece of legislation is the Copyright and Rights in Databases Regulations 1997. Many of the questions you may have about database right can be answered by reading the Regulations.

A “database” is defined in the legislation as “a collection of independent works, data or other materials which- (a) are arranged in a systematic or methodical way, and (b) are individually accessible by electronic or other means”. In some industries this might be called a “dataset” rather than a database. Nonetheless, it is databases so defined that are the subject of the 1997 Regulations.

Database right will subsist in a database if there has been a substantial investment in obtaining, verifying or presenting the contents of the database. The leading case on the meaning of this is British Horseracing Board v. William Hill. In that case the court ruled that BHB’s database of runners and riders fell outside the scope of protection because the resources used to create the database did not constitute an investment in the obtaining and verification or presentation of the contents of the database.

If your website has an integrated database that can overcome the limits on protection set out in the Regulations and in the BHB case, then any person who extracts or re-utilises a substantial part of your database without your consent will likely infringe the database right. For example, data mining and scraping activities often infringe.

As the owner of the database right, you may be entitled to damages and an injunction against any infringer.

One general exception to protection is this: individuals who are not EEA nationals, or habitually resident in an EEA state, and companies that are not incorporated in an EEA state, do not usually get the protection of the database right.

The centrepiece of UK data protection law is the Data Protection Act 1998 (the “DPA”). This legislation was enacted pursuant to a European Directive.

Data protection law governs the “processing” of “personal data”. “Processing” is defined in the Act to mean:

“… obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.”

In other words, almost anything you do with data will constitute “processing”.

“Personal data” is broadly defined to mean:

“… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

So, for example, a list of names and addresses of customers will be personal data, as will an email address containing a person’s name.

Most of the key obligations in the DPA are placed upon “data controllers”. A data controller is defined as:

“… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”

In respect of personal data collected and processed through your website, you (or the company or other person who operates the website) will be the data controller.

The main consequences of this status are as follows.

First, the DPA requires “notification” from data controllers, unless an exemption is available (unlikely in your case). You can find out more about notification (which costs £35 per year) on the Information Commissioner’s website.

Second, individuals have certain rights under the DPA in relation to their personal data – for example, the well known subject access right – with which data controllers must comply.

Third, in the processing of personal data, data controllers must comply with the data protection principles.

In practice, a large number of UK websites operate in breach of data protection laws. Nonetheless, it is important that data protection compliance issues be addressed. Breaches of data protection legislation can lead to criminal as well as civil liability.