Internet entrepreneurs are often people with initiative, creativity, and the courage to turn their ideas into real, viable projects, but they do not necessarily have to be familiar with the many legal issues that arise when setting up a digital business. To resolve any doubts that may arise in this regard, it is best to consult with a lawyer specializing in digital law. However, with the intention of providing help and guidance to anyone who decides to take the plunge into entrepreneurship, below we will refer to a series of Basic legal issues that arise when starting a business in the digital sphere.
In this post, we do not intend to review each and every one of these legal issues exhaustively, but rather to provide a general, practical, and illustrative overview of The main legal aspects to consider when starting a digital business.
Legal form
The first legal issue that entrepreneurs must address is deciding what legal form their company should take. There are many options, but here we will refer to those that are by far the most common: the individual entrepreneur as a natural person (the self-employed) and the limited liability company.
To decide between one option or the other, entrepreneurs must weigh the pros and cons of each, mainly from two perspectives: tax and the extent of personal liability to which the entrepreneur is exposed. The complexity of the procedures for starting a business under one legal form or another must also be considered.
The sole proprietor or self-employed individual is personally liable, with all their present and future assets, for the obligations they incur in the course of their business. There is no difference between their business and personal assets: liability for their business debts extends equally to both. Furthermore, if the self-employed person is married under the community property regime, liability for debts incurred extends to their spouse's assets.
The scope of liability to which individual entrepreneurs or self-employed workers are exposed is, as we have seen, very broad. So, it is worth asking what advantages this legal form offers.
Firstly, the procedures for setting up as a sole trader are very simple. They basically boil down to register with the tax authorities y in Social Security (within the Special Regime for Self-Employed Workers). Furthermore, since no company is being formed, No minimum share capital is required to start the business..
On the other hand, in certain cases, self-employment may be the most attractive option from a tax perspective. Sole proprietors are taxed on the Personal Income Tax (PIT). Income tax is a progressive tax, In other words, as the tax base increases, so does the tax rate. Conversely, when the tax base decreases, so does the tax rate. Therefore, paying this tax may be of interest to entrepreneurs who expect their business to generate little profit in its initial phase (which is usually the case at first). If the business subsequently prospers and generates greater profits, it will always be possible to set up a company and pay corporate income tax.
The limited liability companies (SL) are taxed on the Corporate Income Tax (CIT). This tax establishes a fixed type of the 25%, although there are exceptional cases for which a lower rate is provided. For example, the Corporate Income Tax Law provides that during the first two tax periods from the one in which the tax base is positive for the first time, the tax rate will be 15%.
Therefore, it may be the case that, initially, corporate income tax may be more expensive for the entrepreneur than personal income tax (although each case must be analyzed individually). However, as turnover and profits increase, corporate income tax may result in greater tax savings than personal income tax (which, it should be remembered, is a progressive tax).
On the other hand, in a limited liability company, as its name suggests, the liability of the partners for the obligations incurred in the course of business is limited to the value of their contributions. That is, in this case, unlike what happens in SLs, the partner is not liable with his or her personal assets.
Setting up a limited liability company is relatively straightforward, although more complex than setting up as a sole trader. First, limited liability companies must have a minimum share capital of 3,000 euros. This capital may be contributed in cash or in kind (computer equipment, software, furniture, etc.).
However, in the event that this amount cannot be provided initially, the Corporation Law contemplates the figure of the limited liability company of successive formation. This figure allows for the incorporation of a limited liability company even when the required capital is not available, but the company thus incorporated is subject to significant restrictions on its operations. Specifically, there are limits on the amounts that can be distributed as profits and on the remuneration of partners and administrators, and at least 20% of the profits obtained must be allocated to reserves.
In addition to having the minimum capital, The incorporation of an SL (limited liability company) entails compliance with a series of requirements and procedures.: drafting and signing before a notary public of the deed of incorporation and the company's articles of association, obtaining a Tax Identification Number (NIF) from the tax authorities, paying the Transfer Tax and Stamp Duty to the regional tax authorities, and registering the company in the Commercial Register. If the company intends to hire employees, it will also be necessary to obtain an employer number from Social Security.
It is up to each entrepreneur to assess, bearing in mind their business model, which option is most beneficial to them. To do this, it is highly advisable to seek the advice of specialists in the field.
Brand (…and domain name?)
After deciding what form the company will take, the next step is to distinguish your products and services from those of other competing companies in the sector. To do so, the new company must acquire one (or several) brands.
This is a fundamental step, which should not be taken lightly, but rather respond to a in-depth strategic analysis. A brand must be designed that is not only distinctive, i.e., that clearly identifies the company's products and services, but also capable of conveying the values and ideas that are expected to remain linked in the consumer's mind to the company's products and services. This aspect, brand positioning, should be studied by marketing specialists.
Likewise, A trademark should be chosen that does not resemble other existing registered trademarks. and thus avoid coming into conflict with their owners. We published this post about using the free tool TMView; where you can get a first impression of whether or not your trademark has been previously registered, or if it resembles any previously registered trademarks. In any case, it is advisable to seek the help of a specialist to develop a brand feasibility report, and know in advance the chances of success of the new registration.
But, in addition, the brand strategy must respond to two questions: where the company will carry out its activities and what products or services it will market.
First, you must consider the geographical scope of the business activity. Depending on the answer to this question, you can choose between registration of a national trademark, a European Union trademark, or a international brand.
It should be noted that the international trademark, rather than a trademark per se, is an administrative procedure established by two international treaties (the Arrangement of Madrid and the Madrid Protocol) which allows registration as a national trademark in member countries of the Madrid System (the contracting states of the aforementioned treaties) with greatly simplified procedures.
Specifically, thanks to the Madrid System, it is not necessary to apply for the trademark in each country, in its own language, and carry out the necessary procedures for its granting in all of them. Instead, it is sufficient to apply for the trademark once, indicating the countries or international organizations (such as the EU or the African Intellectual Property Organization) that are members of the Madrid Union in which you wish to register. Currently, The Madrid Union has 106 members representing 122 countries..
In addition, trademark management is also much simpler and more economical. It should be noted that international trademarks (like Spanish national trademarks and European Union trademarks) are valid for 10 years, after which they must be renewed. Renewing an international trademark, with a single procedure, is much easier than renewing several national trademarks in several countries, with different deadlines and fees. The same applies to other actions that may be required in the management of the trademark, such as a change of owner or representative.
Now then, In order to enjoy the advantages of the Madrid System, it is necessary to have previously registered or applied for a trademark in one of the contracting countries of the aforementioned treaties. (or in one of the international organizations that are party to the Madrid Protocol; therefore, an EU trademark is a valid basis for applying for an international trademark).
Secondly, after deciding on the type of trademark to register based on the territorial scope of protection required, it will be necessary to determine for which products and services the trademark is registered. Trademarks are not registered for all products and services in general, but for one or more categories of products or services provided for in the Nice Classification.
Now, one might think that it is best to register each trademark covering the largest possible territorial scope (for all member countries of the Madrid Union or, at least, registration of a European Union trademark) and for all products and services included in the Nice Classification. However, there are two circumstances that make this approach inadvisable.
First, that The fees payable increase the larger the territorial scope covered by the trademark and the more products and services are designated.. The registration fee for a European Union trademark is significantly higher than the fees for registering a national trademark. Similarly, the more countries designated in an international trademark, the higher the fee to be paid. Likewise, fees for all types of trademarks are set according to the number of classes of goods and services in the Nice Classification that are designated: the more classes, the higher the fee.
On the other hand, it should be noted that defensive trademark registrations are not permitted. A trademark cannot be registered for the sole purpose of preventing others from using it. Therefore Trademarks must be effectively used in commerce to distinguish the goods and services for which they were registered.. If such use cannot be proven, the trademark could be canceled, so it is absurd to register trademarks in territories and for products and services for which they will not be used. We already discussed this topic in this post.
Once you have decided on the type of trademark and the products and services it will cover, you can proceed with its registration. This registration generally entitles the owner to: prevent any third party from using an identical or similar trademark for identical or similar products or services in the market of the territory in which it has been registered; as well as opposing applications for trademarks identical to yours and also the registration of similar trademarks, provided that there is a risk of confusion or association between the products or services of one company and another. In any case, it will be the owner who must oppose, in a timely manner, the application for trademarks that are identical or similar to the point of confusion or association with their own; the Spanish Patent and Trademark Office (OEPM), the European Union Intellectual Property Office (EUIPO) and, in general, the main registry offices do not refuse registrations ex officio for this reason.
However, in order to oppose the application for a trademark that is identical or similar to the point of confusion or association with one's own, the first step is to detect it, to know of its existence. And this is not always so easy. The Spanish Patent and Trademark Office (OEPM) has a system that notifies owners of applications for trademarks that are identical or similar to those they have registered, but this system is not always reliable and, furthermore, is not binding on the Office. It is therefore highly advisable to use the services of intellectual property specialists, like us, who, thanks to our specialized software and technical expertise, are equipped to screen applications and detect those that conflict with our clients' trademarks. This enables us to provide effective defense of our clients' trademarks.
You should also bear in mind that domain name registration (for example, a .com through one of the registrars authorized by ICANN; or a .es through any of the registrars authorized by Red.es) does not equate to trademark registration. As we explained in our Frequently Asked Questions, the legal regime governing trademarks and domain names is different, and A domain name does not provide the same protection as a trademark.. A domain name grants the right to use certain terms or words for a specific period of time, which replace, through the DNS system (Domain Name System), the numbers of an IP address, where the content of a website is hosted, so that it is easier for users to remember. A domain name does not grant an exclusive and exclusive right to a sign, as trademarks do. Furthermore, the use of a domain name whose name constitutes a trademark right of a third party may constitute an infringement of that trademark right.
On the other hand, we discuss the following legal issues:
Data protection
Once registered with the tax authorities and social security, the company has been set up (if we have opted for this legal form) and the trademark has been registered, we are ready to start trading. However, it is very likely that during its development the company will have to make some kind of processing of personal data, whether from customers, from workers, from suppliers, or all of them. In this case, the company is subject to the obligations imposed by the relevant legislation, primarily the General Data Protection Regulation (Regulation 2016/679 of April 27, GDPR) and the Organic Law on Personal Data Protection and Guarantee of Digital Rights (Organic Law 3/2018, of December 5, LOPDGDD).
The obligations set forth in these regulations cannot be taken lightly, as penalties are provided for in the event of non-compliance. administrative penalties of up to 20 million euros. And in the case of companies, the penalty may amount to an equivalent of 41% of the previous year's turnover, provided that this amount exceeds the aforementioned €20 million. Furthermore, it should be noted that, in accordance with current legislation, it is up to the employer to prove that they have fulfilled all their obligations..
That being the case, we must refer to the main data protection obligations that employers must fulfill.
Firstly, the GDPR states that every controller and processor must keep a recording of processing activities. The data controller is the natural or legal person who decides why and how personal data will be processed. The data processor is the natural or legal person who processes personal data on behalf of the data controller, for example, the advertising agency that processes the company's customer data when carrying out a marketing campaign aimed at them, or the agency that processes employee data when preparing payroll. The relationship between the controller and the processor must be governed by a data processor agreement, with the content provided for in the GDPR.
The record of processing activities will contain various information relating to the data processing carried out within the company (the types of processing carried out, its purpose, the measures adopted for data security, etc.), and must be available upon request by the Spanish Data Protection Agency (AEPD).
Not all companies are required to keep a record of processing activities, only those that employ 250 or more workers. However, companies with fewer than 250 employees will also be required to keep a record of processing activities when certain types of data belonging to so-called special categories (race, ideology, religion, trade union membership, health, sex life or sexual orientation, or health, genetic or biometric data) are processed, or when data relating to criminal convictions and offenses are processed, or, in the most common case, when the processing of personal data is not occasional but part of the company's regular business.
Another obligation to which those responsible for and in charge of personal data processing may be subject is the appointment of a data protection officer (DPO). Specifically, companies must appoint a DPO when the processing to be carried out requires regular, systematic, and large-scale monitoring of personal data. Similarly, a DPO will be required when the processing of data, although not regular and systematic, is large-scale and relates to the special categories of data mentioned above, or to data relating to criminal convictions and offenses.
The DPO is the person responsible for advising the company on all matters relating to data protection and to ensure that legal obligations in this area are met. In addition, it acts as channel of communication with the AEPD and, frequently, with the interested parties whose data is processed by the company.
The DPO may be a natural or legal person, a worker of the company or a external contractor. In any case, it is very important to ensure that independence y autonomy in the exercise of their duties, protecting them from any possible conflict of interest.
The DPO you do not need to hold a specific qualification to perform this role, although specialized technical knowledge of data protection law and experience in this field are recommended.
One of the obligations of the employer, in the fulfillment of which the DPO can advise, is the implementation of risk analysis. It is the responsibility of the employer, as the data controller or processor, to adopt the necessary technical and organizational measures to ensure the security of the data being processed. However, in order to adopt these measures, it is first necessary to identify the risks arising from the processing, i.e., the impact that potential threats to the integrity, confidentiality, and availability of the data would have if they were to materialize, and the likelihood that they would actually materialize.
All companies, without exception, are required to analyze the risks of the treatments they perform and adopt appropriate safety measures.
There are two types of risk analysis that can be performed. On the one hand, there is the basic risk analysis, more general and simplified, and on the other hand, the impact assessment, which is more in-depth and performed for each treatment. Which analysis is performed will depend on the level of risk involved in the treatment. To determine this, a prior analysis. If the level of risk detected is low, a basic analysis should be carried out; if, on the other hand, it is high, an impact assessment should be carried out.
In the basic risk analysis, The processing activities, grouped by common processes, are described indicating what the processing consists of, what data is processed and by whom, as well as the technology used to carry it out. Each set or category of processing is then assigned a risk level and, depending on its function, certain security measures are adopted. To assist in the risk analysis, the AEPD has made the tool available to data controllers and processors. FACILITATE, intended for companies that process personal data that, a priori, appear to carry a low level of risk (such as the processing of customer or supplier contact details).
However, as noted above, when data processing involves a high level of risk, a basic analysis will not suffice; rather, a data protection impact assessment. An impact assessment is always necessary when personal data is to be processed automatically for profiling (data mining), when special categories of data are processed on a large scale, and when the data comes from large-scale observation of public access areas (video surveillance).
Furthermore, beyond these three cases we have just mentioned, impact assessments will be mandatory whenever the processing involves a high level of risk to the rights and freedoms of those affected. In this regard, the AEPD has published a treatment list that require an impact assessment to be carried out.
The impact assessment must describe the processing activities to be carried out and their purpose. Next, the actual need to carry out these activities in order to achieve the proposed purposes must be assessed, as well as the risks inherent in doing so. Finally, the necessary security measures to prevent these risks must be proposed.
However, even though all appropriate security measures have been taken, a security breach may still occur. In this case, the GDPR requires controllers to notification requirement the security breach to the supervisory authority (the AEPD) within a maximum period of 72 hours. In addition, if the security breach entails a high risk to the data subjects concerned, you must also communicate to these interested parties.
This is one of the many information obligations set forth in data protection legislation in favor of data subjects. Another of these obligations is to inform data subjects of their rights, which will be discussed in the section of this article entitled “Legal texts.”.
In any case, we always recommend that you put yourself in the hands of lawyers specializing in data protection so that they can advise you on any questions you may have.
Information society
The Law on Information Society Services and Electronic Commerce (Law 34/2002 of July 11, LSSICE) contains a broad concept of information society services that encompasses all services provided remotely, electronically, and at the individual request of the recipient, even when they are services not remunerated by their recipient, provided that they constitute a economic activity of the service provider (For example, when a website that is free for users to access is monetized by placing advertisements on it).
In view of this broad concept of information society services, An entrepreneur who carries out their activity (of an economic nature) on the Internet must be considered an information society service provider and, therefore, is subject to the obligations set forth in the LSSICE..
The LSSICE states that service providers are subject to civil, criminal, and administrative liability that may arise in the course of their activities. In other words, the fact that they carry out their activities on the Internet does not serve as an excuse for failing to comply with the obligations imposed on us all by law. However, current legislation also stipulates that when service providers provide brokerage services, and provided that certain conditions are met, they shall be exempt from liability for third-party content that they transmit, host, or provide access to.
Intermediation activities are those related to the transmission, copying, hosting, and location of third-party data on the Internet. The service provider shall be exempt from liability for the content it intermediates, provided that a series of conditions are met, which, broadly speaking, consist of: (1) that it is unaware that the information it intermediates is unlawful, and (2) that, as soon as it becomes aware of the illegality of the information or content it is intermediating, it acts quickly to remove it or make it inaccessible.
However, if the service provider's activity consists of storing protected works of all kinds (films, photographs, songs, plastic arts, etc.) uploaded to its website by third parties and providing access to them (a YouTube-type business model, for example), then the following must be borne in mind: Directive 2019/790 of April 17.
The aforementioned Directive stipulates that entrepreneurs who carry out this type of activity (known as online content-sharing service providers) must inform the public of the works to which they provide access on their website, even if these have been uploaded by third parties. This means that if such works have been uploaded to the platform without the consent of their authors or the holders of the rights to them, the service provider will be liable, without the exemption from liability provided for in the LSSICE (Law on Information Society Services and Electronic Commerce) that we have just seen being applicable.
The only way to avoid liability in this case is to have authorization from the rights holders or, failing that, to meet three conditions: (1) demonstrate that serious efforts have been made to obtain such authorization, (2) demonstrate that diligence has been exercised to prevent access to the protected works, provided that the rights holders have identified them, and (3) immediately remove the protected works when the rights holders notify you that they have been uploaded to the web platform without their consent.
As of the date of publication of this post, Directive 2019/790 is pending transposition (a period of two years is expected for this) and, therefore, its provisions are not yet applicable. But they soon will be. Therefore, entrepreneurs who aspire to develop an Internet business must keep them in mind when planning their business. For more information on Directive 2019/790, please consult this post.
In addition to the above, if in the course of our business we plan to send a newsletter, of the LSSICE, we must particularly bear in mind that the Sending advertising or promotional communications by electronic means is prohibited. unless: 1) it has been previously requested or authorized by the recipient (i.e., there is a list of newsletter subscribers whose data has been validly obtained for that purpose); or 2) there is a prior contractual relationship with the recipient and the newsletter is related to the products or services contracted. In any case, the business owner must provide the recipient with the option to unsubscribe from the newsletter in each mailing, and to object to the processing of their data for this purpose at the time of data collection (which normally translates into a box on the contact form indicating that they do not wish to receive commercial communications).
This provision of the LSSICE aims to prevent the annoying spam, as this is conduct that is not permitted by law. Therefore, our recommendation is that you do not promote your products and services by sending emails to individuals or companies that you do not know and who have not authorized the receipt of such emails; instead, call them by phone and ask, for example, to schedule a meeting.
Legal texts
Business owners are subject to multiple reporting obligations imposed by both the LSSICE and data protection regulations. The way for online entrepreneurs to comply with these obligations is to draft various legal texts that will be readily available for consultation on their website.
One of these texts is the legal notice, through which the information obligations imposed by the LSSICE are fulfilled. First, it must include the identification and contact details of the service provider responsible for the website. This includes the name or company name, email address, telephone number, and tax identification number. If a legal entity, such as a limited liability company, was chosen, its registration details in the Commercial Registry must also be included.
Furthermore, if the activity carried out on the website is subject to prior administrative authorization (energy, transportation, metal production and processing, chemicals, food and tobacco industry, waste management, private security, bars and restaurants, gambling and betting, etc.), the details of such authorization and the competent supervisory body must be indicated.
On the other hand, if the service provider exercises a regulated profession, they must state their membership number, academic or professional title and country of issue, and the code of ethics governing the exercise of that profession. Regulated professions are those whose access is conditional on obtaining a specific qualification, passing special exams (e.g., state exams), and/or registering with a professional body (such as a professional association) in order to practice. Examples of this type of professional include lawyers, solicitors, doctors, architects, auditors, private investigators, nurses, sports coaches, pharmacists, and engineers, among others.
If the service provider adheres to a code of conduct, this circumstance must be indicated, specifying how it can be consulted online.
The LSSICE requires that all this information be clearly visible and identifiable. However, provided that website users can always find it easily, it can be placed wherever you prefer (in the footer, on a page reserved for this purpose).
However, if personal data is going to be collected in the course of the activity (which is very common), it will also be necessary for the website to provide the information required by Article 13 of the GDPR, through another legal text, the privacy policy.
This information may be offered to interested parties in two “layers”, i.e., basic information must appear directly on the website (at the bottom or on a page designated for that purpose), while the rest of the information may be consulted by means of a link or other method that allows easy and immediate access.
The basic information that must be provided in the first layer includes (at a minimum): the identity of the data controller, the purpose of the data processing (marketing activities, order management, etc.), the legitimacy of the processing (i.e., the legal basis, as provided for in Article 6 of the GDPR, which justifies it), the recipients to whom the data will be communicated, and the possibility of exercising the rights recognized in Articles 15 to 22 of the Regulation (access, rectification, erasure, restriction of processing, portability, objection, and the right not to be subject to automated individual decision-making). In addition, a link to the second-layer information must be included.
The second layer must provide the contact details of the data controller, the identification details of the data protection officer, if any, the purpose of the processing (in greater detail), the data retention period, whether or not international data transfers will be carried out, how the rights of data subjects can be exercised in practice, the right of data subjects to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that their rights have been violated, and, finally, information must also be provided on whether the data collected will be processed automatically for profiling purposes.
On the other hand, it is most common for digital entrepreneurs to install on their websites cookies for various purposes (technical, personalization, analysis, advertising). Cookies collect information about users' browsing habits on the website, including personal data, and therefore must also comply with data protection legislation requirements.
To this end, the website must include another legal text, the cookie policy, informing users of the cookies installed on the website, the data they collect and why they collect it, the data retention period, the legal basis for processing personal data, any data transfers that may be made, and users' rights regarding their data. In other words, all the information that, according to the GDPR, must be communicated to data subjects regarding the processing of their data, but this time specifically referring to personal data collected through cookies.
In addition, the cookie policy must explain how to disable or block cookies. This is particularly important when the legal basis for processing is the consent of the data subject (a very common scenario), as Article 7.3 of the GDPR states that “the data subject shall have the right to withdraw consent at any time.”.
Finally, if the purchase of products or services is permitted through the website, the following must also be drafted: general terms and conditions of purchase, which will govern the relationship between the company and its customers for the products or services contracted. This contract must be drafted taking into account the provisions of the Law 7/1998, of April 13, on general contracting conditions (LCGC). Likewise, as required by the LSSICE, the prices of products and services must be clearly and accurately stated, indicating whether taxes and shipping costs are included or not.
In addition to the above, if the digital company is going to sell its products or provide its services to consumers (and not to other companies), the following must also be taken into consideration: General Law for the Protection of Consumers and Users (1/2007, dated November 16, TRLGDCU), which establishes a series of consumer rights and business obligations. In particular, with regard to the drafting of terms and conditions, Article 102 of the aforementioned law must be taken into account. This article establishes the right of consumers to withdraw from the contract entered into, within 14 days from the date of conclusion, without having to give any reason for doing so. The terms and conditions must state the existence of this right, how it can be exercised, and also the exceptions in which the consumer may not exercise it.
At this point, after the company has adopted the most appropriate legal form, obtained and registered the trademark or trademarks necessary to distinguish its products in commercial traffic, registered its domain name, prepared to comply with legal requirements regarding data protection and the information society, and having drafted the necessary legal texts taking into account all the legal requirements imposed by the applicable regulations (GDPR, LSSICE, LCGC, TRLGDCU), we can say that the new digital company meets the basic legal requirements to carry out its activity with peace of mind and security. However, it should be noted that if the activity to be started is subject to administrative authorization (such as gaming, healthcare, private security, etc.), there are specific legal requirements that must be met.
Compliance with the legal obligations outlined in these two articles is an essential condition for the peaceful and satisfactory development of the business activities to be undertaken. It is therefore of the utmost importance to seek appropriate expert advice in order to avoid risks and ensure that digital businesses can continue to thrive without disruption.
One important issue remains to be addressed: legal protection of software. Many digital businesses are built around applications that can be downloaded by users. These programs, whose development requires considerable investment, are often one of the company's main assets. Hence the need to provide them with adequate legal protection.
But this is when the question arises as to which legal instruments are valid and most effective in achieving this protection: the patent? the copyright? the trade secret?
We will begin by pointing out that The legal protection of computer programs should, in principle, be achieved through copyright., not through the patent. In this sense, both the Patent Law Spanish (Article 4.4) as well as the Convention on the Grant of European Patents (Art. 52.2) expressly exclude computer programs from patentability. On the contrary, the Intellectual Property Law regulates the protection of computer programs by copyright in Articles 95 et seq.
However, section 5 of the aforementioned article 4 of the Patent Law states: “The provisions of the preceding paragraph exclude the patentability of the subjects or activities mentioned therein. only to the extent that the patent application or patent relates exclusively to one of them considered as such”Paragraph 3 of Article 52 of the Convention on the Grant of European Patents establishes a similar provision.
These legal provisions mean that computer programs as such cannot be patented, but such programs they can be patented as part of an invention that solves a specific technical problem. These are the so-called computer-implemented inventions.
Computer programs that cannot be patented are those that are abstract creations without a specific technical purpose. However, in general terms, When a specific technical problem can be identified that is solved by the program, then it can be patented.. And that regardless of the medium on which the program is stored, whether it is physical media (for example, a program that improves the efficiency of a car engine and is installed on the vehicle's hardware) or intangible media, such as applications that we download from the Internet. What matters is that the program solves a specific technical problem, not its medium.
It should be clear, however, that Not all computer programs have the technical character necessary to be patentable.. The technical nature of a computer program can be found “in the additional effects derived from the execution (by the hardware) of the instructions given by the computer program” (Decision of July 1, 1998, of the Board of Appeal of the European Patent Office). When these effects resulting from the execution of the program solve a specific problem, then the software will be patentable. Thus, when considering whether or not a computer program is patentable It is of the utmost importance to accurately determine the technical problem being solved., as this will determine whether or not it can ultimately be patented.
Now that we know when it is possible to patent a computer program, we must ask ourselves whether it is advisable to do so. In other words, we must weigh up the advantages and disadvantages of legal protection for software through patents against the advantages and disadvantages of protection through copyright and trade secrets.
The copyright protection has some benefits very noteworthy. First, it stands out for its simplicity. Unlike patents, copyright protection does not depend on any formal act. It is not necessary to register the program in order to be the owner of all the rights that the Intellectual Property Law grants to its author.; on the contrary, by the mere fact of its creation, it already enjoys this protection.
In relation to this, it should be clarified that the Intellectual Property Law considers the author of a computer program, when it is created on the initiative and under the coordination of a natural or legal person (normally the case for programs developed within companies), to be the natural or legal person who publishes and distributes it under their name. Therefore,, the author under the law of a computer program developed and marketed by a company is the company itself., and as such has all the rights granted by the Intellectual Property Law, from the moment the program was created, without being subject to any other formal requirements.
In addition, The protection afforded by copyright is almost universal, as it is recognized in widely ratified international conventions. (for example, 105 countries are part of the WIPO Copyright Treaty). Thus, copyright automatically provides legal protection for the program in most countries around the world, rather than having to register the patent in each one (a more complex and expensive process).
Copyright protection for software in different countries is simpler, even when compared to the system created by the Patent Cooperation Treaty, which allows you to present a single application patent that will be valid in all contracting states, although each state will assess whether or not the patent applied for will ultimately be granted in accordance with the criteria established in its own legislation. In short, it is a system similar to that provided for trademarks in the Madrid Agreement and Protocol, which we analyzed in the first part of this article.
Another advantage of copyright is the durability of protection. In Spain, the duration of protection afforded by the Intellectual Property Law (LPI) to program owners is 70 years from January 1 of the year following its disclosure (or its creation, if the program has not yet been disclosed). In contrast, the maximum duration of a patent in our country is 20 years from the date of filing of the application. And bear in mind that the protection afforded by the IPL extends to successive versions of the original program.
Finally, patented inventions are subject to publication, which is not always in the interests of software development companies. However, it should be clarified that None of the articles of the Patent Law or the Convention on the Grant of European Patents require the source code of the program to be provided., and the Spanish Patent and Trademark Office does not require this. It is sufficient for the concept of the invention to be described in the patent application with sufficient precision for an expert in the field to be able to carry out the invention.
Now, the copyright protection also presents some disadvantages important. In particular, This form of protection applies to the way in which the program is expressed, but not to its underlying ideas.. In other words, copyright prevents the program from being copied verbatim, but it does not prevent potential competitors from developing their own software in parallel based on the ideas that inspired the original. In fact, Article 100 of the Intellectual Property Law allows legitimate users of a copy of a computer program to “observe, study, or verify its operation, without prior authorization from the owner, in order to determine the ideas and principles implicit in any element of the program”, that is, the program may be decompiled (albeit with certain limitations). Conversely, The protection afforded by the patent is much stronger because it does cover these ideas..
Furthermore, it should be noted that the patent grants its owner the right to prohibit any third party from exploiting the invention patented by him. This means that, Unlike copyright, it is not necessary to copy the program for there to be a patent infringement.. This is particularly relevant in a sector such as information technology, where different companies, acting independently and without copying their competitors, may develop programs inspired by similar ideas that solve the same technical problems.
Along with this, have a patent, that is, with an official title that certifies the holder as the owner of the rights granted by the Patent Law, can make the difference between getting investors or not. Patents are therefore an essential asset for innovative companies, especially startups.
As things stand, it turns out that both copyright and patent protection offer advantages and disadvantages. The good news is that one and the other are not incompatible among themselves. Indeed, Article 96 of the Intellectual Property Law provides that “When computer programs form part of a patent or utility model shall enjoy, without prejudice to the provisions of this Law, the protection to which they may be entitled under the legal regime governing industrial property.”.
Therefore, in each case First, it must be assessed whether it is possible to patent the computer program, which depends on the criteria established in the legislation of each country (in Europe, as we have seen, the program is required to solve a technical problem). Next, if the patent is possible, a cost/benefit analysis must be performed to decide in which countries it is advisable to apply for a patent and in which cases the legal protection of the program will be entrusted solely to copyright.
On the other hand, if you prefer to opt for protection through trade secret, this cannot be combined with the patent because they are inherently incompatible: patents are public, while trade secrets must obviously be kept secret.
In Spain, trade secrets are regulated in the Law 1/2019, of February 20, on Trade Secrets (LSSEE), which sets out the requirements that information must meet in order to be considered a trade secret. First, must be confidential, that is, that the information in question is not generally known in the field to which it refers (the field of computer science when we talk about computer programs), nor easily accessible.
This last clarification is of great importance to the issue at hand because, as mentioned above, if the Intellectual Property Law allows software to be decompiled, even in a limited way, it will be difficult to argue that it is not easily accessible. Therefore, When referring to programs that are free and easily downloadable from the Internet, trade secrets do not seem to be the best option for protection.. However, there are other programs that can be kept secret.. Let's imagine that a company develops, for example, database management software. This program will be used by the developer company itself or licensed to other customers (companies, institutions, etc.), but it will not be easily accessible on the Internet; access to it is restricted. Thus, the database management software in our example could meet the requirement of being secret information. Furthermore, beyond the protection of the software that makes them work, databases themselves are also protected by copyright, in Articles 12 and 133 to 137 of the Intellectual Property Law.
However, it is not enough for information to be inaccessible for it to be protected by the Trade Secrets Act. It must also it is necessary that the holder of the information has taken reasonable measures to preserve confidentiality. These measures may be technical (user and password access control to databases where information is stored, video surveillance in sensitive areas, etc.), contractual (confidentiality agreements or Non-Disclosure Agreements (NDA) with customers and employees, etc.), or organizational (limiting the information accessible to employees based on their roles, returning confidential information at the end of the employment relationship, etc.).
As a final requirement, the information covered by trade secrets it must be valuable from a business perspective. This value does not necessarily have to be current, but can be potential, as it is a secret and may refer to a product that has not yet been marketed. For example, a computer program in the development phase does not have a current economic value, as it is unfinished, is not marketed, and does not generate any income, but it does have a potential value, as there is an expectation that, in the future, when its development is complete and it is offered on the market, it will be able to generate income for the company.
If the three requirements indicated (secrecy, reasonable measures to preserve it, business value) are met, the computer program can be considered a secret protected by the LSSEE. This protection offers significant benefitsFirstly, as with copyright and unlike patents, consideration as a trade secret is not subject to compliance with formal requirements and the protection it provides is not restricted to a territory.
Furthermore, trade secrets have the unique characteristic that its duration is indefinite. Unlike copyright and patents, the protection afforded by trade secrets is not subject to any legal time limit, but rather will continue for as long as the secret can be kept.
However, the latter is also its main disadvantage, since once the secret is revealed, the protection is lost provided by the LSSEE.
As we have seen throughout this article, when it comes to protecting software, copyright, patents, and trade secrets each have their own scope of application, advantages, and disadvantages. Therefore, when seeking legal protection for computer programs, it is necessary to devise a strategy that weighs the pros and cons of each of the options indicated, considering the scope of protection to be given to these assets and weighing the cost/benefit ratio. Consequently, when designing this strategy, it is highly recommended to seek the advice and support of experts in the field.
At Bamboo, we are specialists in patents and trademarks, and we can help you with any of the procedures mentioned above.
[Article written by Luis Mª Benito Cerezo]
