As data privacy laws evolve, businesses must strike the right balance between protecting proprietary databases and respecting personal data. Here’s how copyright enforcement is adapting in India and the UK.
In the digital economy, curated databases are often a company’s most valuable asset driving business decisions, customer engagement, and competitive advantage. There are many categories of data such as Customer profiles, corporate knowledge systems, supplier information, algorithmic training sets and more. However, the legal protection for such valuable information is not known or unclear to many. Furthermore, at the centre of complexity lies a convergence of copyright legislation, which is recognized for safeguarding architectural works and innovations, and data privacy regulations, which oversee the gathering and utilization of personal information.
It is pertinent to note that with the increasing awareness around Data Protection and with the introduction of India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the UK's evolving GDPR regime, businesses now face a legal quandary. Complexity arises when, even if the database is original and copyrighted, it may still be legally indefensible if it contains personal data obtained in violation of data protection laws. This article therefore aims for businesses to understand what may be protected by copyright in a database, how data protection obligations affect enforcement and how to avoid the pitfalls of unlawful data compilation.
Copyright in Databases: What is protected - India vs UK?
Copyright laws in both India and the UK do not protect raw data in fact it protects the original arrangement of data. In India, the Copyright Act, 1957 classifies databases as “literary works” when there is sufficient originality in the selection, coordination, or arrangement of content. The Supreme Court of India, in the case of Eastern Book Company v. D.B. Modak, explored whether copyright might exist in copy-edited versions of Supreme Court decisions. Based on the Canadian Supreme Court's decision in CCH Canadian Ltd. v. Law Society of Upper Canada, the Court rejected the "sweat of the brow" approach, declaring that labor and investment are insufficient for copyright. Instead, it embraced the "skill and judgment" requirement, which requires intellectual effort beyond mechanical input.
While judgments are in the public domain and excluded from protection under Section 52(1)(q)(iv) of the Copyright Act, 1957, the Court held that certain editorial inputs such as paragraphing, internal references, and identifying judicial opinions could attract copyright if they show a minimum level of creativity. In contrast, additions like correcting typos or inserting citations were too trivial. The decision clarified that copyright in compilations demands distinctive intellectual contribution, not just effort.
In V. Govindan v. E.M. Gopalakrishna Kone[1], the Madras High Court held that reproducing the sequence, meanings, and structure of a dictionary even where the words themselves are in the public domain amounted to copyright infringement. In the above-mentioned case, defendants had slavishly copied the plaintiff’s earlier work, including errors, with minimal changes. The case emphasizes that originality lies in intellectual contribution, not mere effort, and that unstructured compilations of facts lack copyright protection.
Whereas, in the UK, databases can obtain copyright protection according to the Copyright, Designs and Patents Act 1988 (CDPA) if there is enough intellectual creativity involved. Additionally, UK legislation offers extra protection through a special database right under the Copyright and Rights in Databases Regulations 1997, which is based on the EU Database Directive. This right applies basically to protect databases where there is substantial investment made in obtaining, verifying, or presenting the contents of the database.
In British Horseracing Board Ltd v. William Hill Organisation Ltd, the CJEU considered the possibility of a sui generis database right for a collection of horse racing schedules and associated information created by the British Horseracing Board (BHB). The court determined that while the data itself was not creative, the BHB had invested significantly in acquiring, verifying, and showcasing this data. This substantial investment warranted protection under the Database Directive, despite the absence of originality often needed for copyright. The ruling emphasized that the sui generis right's protection relies more on the financial and human efforts involved in compiling the data rather than its structural creativity.
The level of database protection, whether via copyright or sui generis rights, is evaluated individually, depending on factors like originality, creative input and financial commitment. Businesses ought to focus on organizing their data effectively. Simply holding raw data is insufficient. Copyright protection would also rely on the manner in which the data has been developed, organized and curated.
Ownership and Licensing: Who Holds the Right to the Database?
To maintain copyright protection, it is crucial to clearly define ownership in contracts. Both Indian and UK laws state that the original owner of the copyright is the creator of the work, meaning the individual responsible for selecting and organizing the data, unless another agreement specifies otherwise. However, if a database is created by an employee as part of their job duties, the employer is regarded as the owner again unless an alternative arrangement has been established.
It is wise for companies to include clear copyright assignments and work-for-hire clauses in their agreements to avoid possible disputes in the future. Businesses should set out explicit terms regarding the ownership and scope of use of the database, as well as the responsibilities after termination, such as the return or deletion of data once licensing agreements conclude, while also complying with applicable data protection laws. Without clear ownership, enforcing copyright becomes challenging if a disagreement arises. It is imperative to document authorship and licensing in written form.
The Data Protection Overlay & Impact on Copyright Enforcement
In India, the current data protection regime the Digital Personal Data Protection Act, 2023 stipulates that personal data can be processed only with the data principal's consent or for legitimate purposes specified in the Act. This law maintains that personal data must be processed solely for legitimate reasons, used for the intended purpose, and not retained for longer than necessary. Furthermore, the Act establishes criteria for valid consent, requiring it to be free, specific, informed, and clear. Although the Digital Personal Data Protection Act (DPDP Act) of 2023 has been enacted, it is not yet fully functional, as the rules and guidelines needed for its implementation are yet to be finalized.
The UK has strict regulations concerning data protection. The Data Protection Act 2018, in conjunction with the UK GDPR, imposes stringent rules on how personal data is collected, stored, and shared. Consent must be obtained freely, must be specific, informed, and clear. Organizations are obligated to demonstrate accountability and to implement security measures from the very beginning. A database, regardless of its unique design, may face legal issues if the personal data it contains was collected without proper consent or used for purposes other than those for which it was initially gathered. Individuals in the UK have the right to contact the Information Commissioner’s Office (ICO) to lodge complaints or express grievances.
Intellectual Property (IP) rights may not shield businesses where the underlying data was unlawfully obtained. In the Golden Eye litigation, the UK High Court acknowledged that even if copyright enforcement was legitimate, the court must consider whether privacy and data protection rights of individuals were being disproportionately impacted. In Golden Eye (International) Ltd v. Telefonica UK Ltd[2]the claimants sought a Norwich Pharmacal Order[3] compelling Telefonica to disclose the names and addresses of thousands of broadband users alleged to have infringed copyright via peer-to-peer file sharing.
The High Court initially accepted that copyright owners have the right to seek information to pursue infringers, but Justice Arnold emphasized that granting such disclosure would intrude on individuals’ privacy and data protection rights under the UK GDPR and Article 8 of the European Convention on Human Rights. The Court assessed whether disclosure was proportionate, necessary and justified and then refused the order in part where it found the claimants’ motives were commercial and exploitative such as sending speculative “pay-or-else” letters to users.
In the Peppermint Jam v. Telecom Italia[4] dispute (2007), the German record label Peppermint Jam obtained a court order compelling Telecom Italia to hand over the names and addresses of more than 3,000 individuals suspected of illegally sharing music files using peer-to-peer networks. The interim injunction was granted ex parte and allowed Peppermint to initiate potential legal action against alleged infringers.
However, this large-scale data acquisition triggered significant backlash. The Italian Data Protection Authority ruled that the collection and processing of this personal data violated Italian data protection law. It held that:
- The request was disproportionate to the alleged harm;
- The individuals were not properly notified; and
- The data was processed without valid consent or lawful justification.
The Authority further ordered destruction of the data and issued a strong warning against using privacy-invasive tactics for mass copyright enforcement. This case is often cited as an example of data protection overriding IP enforcement when due process and safeguards are not followed.
A business’s copyright cannot cure illegal data practices. Copyright enforceability hinges not just on originality but also on lawful collection.
Legal Risks to Non-Personal Databases:
Databases without personal data also remain vulnerable to scraping, copying, or misuse. In India, such databases can also be protected through copyright in original selection or arrangement, contract law and breach of confidence, though there is no standalone database right.
The UK sui generis database right also offers collections with substantial investment, even if they lack creativity. Businesses should classify valuable datasets as confidential, use clear licensing terms, and document effort or structure to assert IP and contractual claims.
Copyright Enforcement: Legal Risks and Strategic Alternatives
Infringement of database copyright typically occurs when a substantial part of the structure, arrangement, or creative compilation is copied. This includes duplicating curated information, search filters or customized tables. However, enforcing copyright over databases that contain personal data presents unique legal challenges in India and the UK.
Balancing Disclosure and Data Privacy:
During litigation, courts in both India and the UK may compel disclosure of database details to establish copyright ownership or infringement. However, businesses must carefully navigate privacy obligations if the database contains personally identifiable information. Disclosure orders, such as Norwich Pharmacal Orders in the UK, require a balancing test: courts weigh the legitimate interests of IP owners against individuals' data protection and privacy rights. Even where enforcement is justified, excessive exposure of personal data can be blocked or limited to protect fundamental rights.
Alternative Remedies: Contractual and Confidentiality Breaches:
When enforcing copyright risks breaching data protection laws or exposing personal data unnecessarily, businesses may find it more strategic to pursue contractual remedies instead. By enforcing well-drafted contractual and confidentiality rights, businesses can avoid the complexities and risks associated with copyright litigation over databases involving personal data.
While copyright law remains a tool for protecting database structures, businesses must adopt a dual strategy. They should not only structure their databases creatively but also embed strong contractual safeguards to mitigate the challenges arising from modern privacy regulations.
Cross-Border Enforcement and Legal Remedies
Cross-border enforcement and legal solutions present significant challenges regarding the transfer of databases due to the difference in laws around the world. Nonetheless, here are some potential approaches. Upholding database copyright or sui generis database rights between India and the UK involves managing reciprocal judgment systems and international regulations. Both nations permit mutual enforcement of civil judgments: Indian courts can carry out UK decrees under Section 44A of the Code of Civil Procedure, 1908, while English courts have the authority to register Indian judgments under the UK’s Foreign Judgments (Reciprocal Enforcement) Act 1933. In practice, a rights-holder may pursue legal action in the foreign jurisdiction for injunctions or damages or enforce a domestic judgment abroad if it satisfies the legal requirements.
Moreover, the Berne Convention guarantees that member countries provide “national treatment” to foreign authors, ensuring that database creators from other nations receive the same protections as those from the host country. As members of the WTO, both countries adhere to the TRIPS Agreement, which stipulates the provision of effective legal remedies (including access to evidence, injunctions, damages, etc.) to address intellectual property infringements.
Best Practices for Businesses: Copyright and Compliance
To protect databases without falling afoul of data laws, businesses should follow these core steps:
- Curate, filter, and structure your data intentionally. Keep internal records of the creative process.
- Document authorship and ownership especially in outsourced work. Use assignment clauses and NDAs.
- Consent should be clear and documented while collecting, processing and sharing the data.
- Restrict and clearly lay out how the shared data is supposed to be used in your agreements. Include data protection and copyright warranties.
- Align copyright audits with data processing inventories.
Conclusion:
In today’s privacy-first legal environment, whether in India or the UK, enforcing copyright in business-critical databases is no longer just a matter of demonstrating originality, it is equally a matter of demonstrating compliance. A business may invest significant time, resources, and creativity into structuring a protectable database, but if the underlying personal data was collected without valid consent or lawful basis, the entire legal foundation collapses.
To safeguard their rights, businesses must prioritize regular internal audits. At a minimum, quarterly compliance checks should be conducted to detect any violations early. Both the Intellectual Property (IP) and Data Protection teams must work closely to monitor the lifecycle of data from collection to storage to sharing. Even where appointing a Data Protection Officer (DPO) is not legally mandatory, having one in place is a wise move, offering businesses a strategic layer of protection against evolving risks.
Those that structure data lawfully, collect it ethically, document ownership thoroughly, and uphold data protection standards will not only defend their rights more effectively they will also future-proof their operations in the emerging data economy.
Whether you are a startup, small business, or large corporation, the same foundational questions must be asked:
- What data are you collecting?
- How are you using and storing it?
- Are your practices fully compliant with applicable Data Protection laws?
When building a database, it is crucial to go beyond mere accumulation. Introduce unique structures that showcase intellectual creativity. Moreover, when sharing databases with marketing agencies, technology partners, or during mergers and acquisitions, ensure that ownership rights, usage limits, confidentiality, and data protection obligations are clearly established in formal agreements.
Additionally, when transferring databases across borders whether during international expansion, outsourcing or licensing, businesses must assess both intellectual property protection and data transfer compliance. This includes:
- Setting jurisdiction and governing law clauses;
- Using Standard Contractual Clauses (SCCs) or equivalent mechanisms for personal data;
- Establishing ownership, permitted use and obligations upon termination; and
- Having dispute resolution clauses if a dispute arises.
Where disputes arise between companies based in different jurisdictions for instance, UK and India, arbitration can offer a neutral, enforceable forum. In this evolving landscape, protecting databases means thinking beyond copyright it requires building compliance, ownership clarity, and enforceability into the very architecture of your data assets.
[1] Govindan v. Gopalakrishna, AIR 1955 Mad 391
[2] Golden Eye (International) Ltd v. Telefonica UK Ltd, [2012] EWHC 723
[3] Norwich Pharmacal Co. v. Customs & Excise Comm’rs, [1974] A.C. 133 (H.L.).
[4] Peppermint Jam v. Telecom Italia, Italian Data Protection Authority (2007)
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Authors:
Mohit Porwal, Associate Partner
Krupa Vyas, Associate