Intellectual property and data protectioni Data protection
In the Netherlands, client data is protected under various data protection rules. This includes the GDPR and the Dutch GDPR Implementation Act, the Protection of Business Secrets Act (PBSA) and the Law to Protect Networks and Information Systems (LPNIS), as further described below.
Client data that relates to an identified or identifiable natural person (e.g., bank account details but also owners and representatives of a company) qualifies as personal data and is protected under these laws. Data relating to legal entities and deceased individuals do not fall within the scope of the GDPR or the GDPR Implementation Act.
Companies falling under the scope of the GDPR and the GDPR Implementation Act are accountable for processing personal data with a lawful basis and with transparency integrity and confidentiality. For instance, customer due diligence activities must be based on a statutory data processing ground and must be proportionate to its aim. In addition, data subjects (meaning the individuals to whom the personal data relates to) must be informed on the data processing activities carried out. There are no special rules that apply to digital profiling of clients under the GDPR. However, the GDPR does apply to automated processing of personal data that evaluates certain things about an individual (profiling) and sets out certain rules for such processing activities. For instance, such processing may require an individual's explicit consent.
The PBSA provides companies with a tool to protect their confidential know how and other business information. This can include any type of information, including client data. However, the information must be secret, must have a commercial value and must be adequately protected in order to qualify as a business secret, thereby falling under the scope of this Act.
The LPNIS requires providers of essential services and of digital services to implement measures that decrease the likelihood of cyber-incidents occurring. These measures should also ensure minimum negative consequences in the event that such incidents occur. This law also requires companies to report serious incidents to the Ministry of Justice and Safety, which is the incidents response team in the Netherlands.ii Intellectual property rights
Several types of intellectual property rights may play a role when it comes to protecting fintech business models and related software. The most relevant type is copyright protection. In extraordinary cases, patent protection may be available as well. When a business model is not eligible for copyright protection or copyright protection, the PBSA may still provide protection of such a business model.
When it comes to copyright protection, the Dutch Copyright Act (DCA) requires that a work has an 'original character' and 'bears the personal mark of the author'. This is, in essence, the same criterion as the criterion developed by the European Court of Justice in the Infopaq judgment (16 July 2009): a work must be one's 'own intellectual creation'. A basic principle under the DCA is that mere 'ideas' do not qualify for copyright protection as such. Ideas need to be worked out in detail to become copyright protected. If a certain work has sufficient originality, it is automatically protected by the DCA. There are no registration formalities in the Netherlands.
With respect to software, the DCA explicitly provides that software and material to prepare software is eligible for copyright protection. The copyright protection of software programs applies to the expression (in any form) of a computer program. Equal to the aforementioned basic principle, ideas and principles that underlie elements of a computer program, or ideas that underlie interfaces, are not copyright protected. This means that financial company A and financial company B can have, in essence, the same software solution in place, while both solutions have been programmed in a different manner (have a different source code), by different persons (but with the same underlying ideas).
While it is relatively easy to qualify for copyright protection, qualifying for patent protection is a different – and complex – story. Software as such (the program 'stand-alone' or 'as such') cannot be protected by a patent in the Netherlands (nor in the European Union). If the software has a certain 'technical effect' – when it is for instance implemented in hardware and directs or determines a certain movement of such hardware – it may be eligible for patent protection included in the technical solution as a whole. The threshold for obtaining patent protection is, however, still rather high and process of obtaining patent protection is time consuming. During the application process, it will be assessed whether the technical solution is sufficiently 'new' as compared to existing solutions to the same problem. The technical solution may not be incorporated in prior art.
The copyrights to a certain software program, are automatically attributed to the employer if an employee develops the software in the course of his or her employment. The same more or less applies to patentable inventions made by an employee in the course of his or her employment. In case of the latter, the Dutch Patent Act explicitly provides that the employee should be paid a reasonable compensation for the invention based on the financial interest of the invention. With respect to copyrights, the DCA does not require a reasonable compensation for the employee.
Financial companies that hire independent contractors for developing fintech business models or software, should arrange for the transfer of the copyrights that come into existence during or after the development by written contract. Otherwise, the independent contractor will be the owner of the copyrights. Patent protection will only be obtained after application and subsequent registration, but it is advisable to agree with an independent contractor in writing that only the client (in this case the financial company) shall be allowed to apply for patent protection.