联系我们 | 加入收藏 今天是:2024-06-26
当前位置: 首页 》2021年 》China Legal Science 目录与摘要 》02期
CHINA LEGAL SCIENCE 2021年第2期|《网络安全法》中知识产权条款评释
日期:21-06-04 来源: 作者:zzs
IN-DEPTH INTERPRETATION OF INTELLECTUAL PROPERTY PROVISIONS IN CHINESE CYBERSECURITY LAW


Li Zonghui

I. INTRODUCTION

There are two articles in the Cybersecurity Law of China that explicitly mention ‘intellectual property’. The first is paragraph 2 of article 12: ‘Any individual or organization using the Internet should abide by the Constitution and laws, abide by public order, respect social morality, and must not endanger network security, use the network to engage in activities ... disturbing economic and social order, and infringing upon others’ reputation, privacy, intellectual property, and other legitimate rights and interests.’ The second is article 16: ‘The State Council and the people’s governments of provinces, autonomous regions, and municipalities directly under the Central Government should make overall plans, increase investment ... to protect the intellectual property of network technology, and support enterprises, research institutions and universities to participate in national cybersecurity technology innovation projects.’ These two articles indicate that maintaining cybersecurity must include the protection of intellectual property rights, and protecting intellectual property in network technology has a role in promoting and supporting cybersecurity. However, they are still thin declarative clauses, which can neither reveal how intellectual property is protected under the framework of the Cybersecurity Law, nor explain how intellectual property protection plays a role in promoting and maintaining cybersecurity. 

Before the formulation of the Cybersecurity Law, domestic research on the relationship between cyber security and intellectual property rights focused on two aspects: First, the impact of intellectual property legal systems and industrial policies on cyber security maintenance. The main point is that in the era of big data, China’s information security industry has fewer core technologies and a lower number of patent applications, which requires more reasonable intellectual property strategic planning and implementation. In addition, while fully mobilizing the enthusiasm of the private sector, it is necessary to avoid legal requirements that go beyond WTO rules and international practices. Second, empirical analysis and strategy research on intellectual property and cyber security in a specific technology or industrial fields. For example, the construction of a digital library should rely on the construction of technology with independent intellectual property to optimize information services while ensuring information security; the organization of information security and intellectual property in the application process of the Internet of things is closely related to the construction of a complete legal system; the Guiding Opinions on Intellectual Property and Information Security of Service Outsourcing and the Guidelines for Intellectual Property and Information Security of Service Outsourcing Enterprises should be formulated and implemented. After the formulation of the Cybersecurity Law, relatively few studies have been conducted on the relationship between the implementation of the Cybersecurity Law and intellectual property protection. Researchers mainly emphasized that intellectual property governance is a part of Internet content governance, and it is even necessary to formulate a special Internet intellectual property protection law. A coordination protection mechanism between cyber security and network intellectual property should be established. It is necessary to strengthen patent protection in the field of cyber security, such as trusted computing, and to clarify the principle of prioritizing cyber security through judicial interpretation in conflicts between cyber security and intellectual property. Generally speaking, the existing research is basically a macro discussion of the relationship between cyber security and intellectual property from theory and policy. Although the overall framework and direction are correct, it lacks a normative analysis starting from legal provisions and an empirical analysis starting from specific law enforcement practices, so it is not systematic and in-depth.

Chapter 1 of this paper starts from the Internet environment and international background in the new era, combined with General Secretary Xi Jinping’s important exposition on internet governance, discusses cyber sovereignty, legal independence, and cyber autonomy under legal governance, and two common principles that China must abide by when maintaining network security and protecting internet intellectual property. Chapter 2 analyzes the role of the Cybersecurity Law and related administrative regulations and departmental rules on the security obligations of network operators, cyber security technology administration systems, and comprehensive network law enforcement mechanisms on the protection of intellectual property. Chapter 3 discusses the macroscopic incentive function of the intellectual property law to the cyber security industry, as well as the microscopic cyber security maintenance functions of specific systems such as its protection objects, rights content, and protection measures. Chapter 4 elaborates the principle of priority of cyber security and the principle of proportionality of restrictions on intellectual property in the case of cyber security and intellectual property conflicts.

II. COMMON PRINCIPLES OF CYBERSECURITY LAW AND INTELLECTUAL PROPERTY LAW

In 2015, General Secretary Xi Jinping’s Speech at the Opening Ceremony of the Second World Internet Conference creatively proposed four principles and five-point propositions for cyberspace governance. The four principles are to respect network sovereignty, maintain peace and security, promote open cooperation and build a good order. The five-point proposal is to accelerate the construction of global network infrastructure, promote interconnection, create an online cultural exchange and sharing platform, promote exchanges and mutual learning, and promote the network economy. Innovate and develop, promote common prosperity, ensure cyber security, promote orderly development, and build an internet governance system to promote fairness and justice. These basic concepts are implemented in the intersection of China’s Cybersecurity Law and Intellectual Property Law, and there are two common principles that require special attention.

A. The Principle of Cyber Sovereignty and Legal Independence

In the early days of the Internet, information dissemination, knowledge sharing, and exchange of ideas were the initial goals and main operating status. Therefore, intellectual property law, especially copyright law, which also takes creative information protection as its object, became the first field of law to perceive the challenges brought by the network. Internet copyright legislation such as WCT and WPPT in 1996, the Digital Millennium Copyright Act of the United States of 1998 and the European Union’s Information Society Copyright Directive of 2001 all came into being. The advantages of developed countries in the formulation of international protection rules for intellectual property and their advantages in network technology and application have provided them with great convenience in implementing uniform high standards for the protection of network intellectual property, and have put a lot of pressure on developing countries. For example, at the 2003 APEC ministerial meeting, the United States even unreasonably set a timetable for China to join the WCT and WPPT. Since the 21st Century, multilateral trade conventions related to the protection of intellectual property in the network environment led by developed countries, such as ACTA and TPP, have all tried to popularize higher intellectual property protection standards. In the domestic judicial procedures, supported by their strong economic and technological strength, the developed countries and regions such as the United States also expand their ‘long-arm jurisdiction’, especially in online intellectual property cases.

With the combination of the Internet and communication technology, and the closer connection with social development and personal life, cyberspace security, which has a broader meaning than the protection of intellectual property, has become a legally more pressing practical issue. China’s Cybersecurity Law was enacted and implemented in the context of this great era. In terms of cybersecurity legal governance, developed countries such as the United States have advocated cyberspace as the global ‘public domain’ and have vigorously advocated ‘de-sovereignty’, and then use their monopoly on network infrastructure and technical conditions to exercise cyber hegemony. In 2005, the United States’ Strategy for Homeland Defense and Civil Support stated that ‘the global commons consist of space and cyberspace.’ Based on this, the United States believes that freedom of information dissemination, technology applications, and other activities in cyberspace should take precedence over the jurisdiction of a government. But in fact, the United States has used its mastery and management of internet domain name root servers to control the operation of the entire Internet. The Prism Door incident in 2013 exposed the United States network monitoring of many countries in the world, and brought more awareness of the importance of cyber security for national security.

Whether in the field of cyber intellectual property or cyber security, there should be no universal legal norms that transcend national sovereignty under the cover of hegemonism or idealism. The subject of cyberspace is also the subject of the real world at the same time. Most of their behaviors and relationships are nothing more than cyber projections of real-world wishes and social relationships, only making use of the convenience of information dissemination and technology applications. Because of the virtuality and anonymity of cyberspace, more freedom of behavior can be obtained than in the real world, but if anyone harms the rights and interests of others or public interests as stipulated by the laws of a country, he/she still needs to bear corresponding legal responsibilities. In the field of intellectual property, from the creation of intellectual achievements, the acquisition, trading, management and protection of intellectual property, and even the gain of benefits, it is almost impossible to just rely on cyberspace. Rights holders are bound to be affected by a country’s existing knowledge resources, cultural consuming markets, rights management mechanisms, and judicial procedures. Therefore, regardless of whether we use the name of ‘the internet without borders’, we should not implement a global unified intellectual property law. In the field of cyber security, respect for national sovereignty and law is even more important. On the one hand, the Internet has now become an indispensable thing in people’s daily life. The control or attack on network facilities and technologies will seriously affect people’s normal use of the network, causing chaos in the social order and bringing public security crisis. On the other hand, the theft, disclosure, analysis, and utilization of various sensitive data in cyberspace pose a great threat to a country’s economic, political, social, and national defense security. Only by independently constructing domestic laws on the premise of respecting the national sovereignty of cyberspace can we set boundaries for the exercise of the subjective power of cyberspace, restrict and regulate cyberspace behavior, and maintain cyber security and national security.

B. The Principle of Combining Legal Governance and Cyber Autonomy

Compatible with cyber governance opinions that transcend national sovereignty and legal concepts are the concept of cyber liberalism that has existed since the birth of the Internet. In the early days of Internet development, many people were overly optimistic about the prospect of open sharing and independent autonomy on the Internet. John Perry Barlow even published A Cyberspace Independence Declaration at the Davos Forum in February 1996, which claimed: ‘Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live ... Your legal concepts of property, expression, identity, movement, and context do not apply to us.  They are based on matter, there is no matter here.’ Ironically, the WCT and WPPT aimed at regulating online copyright infringement were adopted at the WIPO diplomatic conference in late 1996. It can be seen that the fanatics of the Internet at that time had huge differences with representatives of the government and the copyright industry.

In 1999, Lawrence Lessig proposed a revised concept of cyber liberalism. He admits that cyberspace needs regulation, but believes that code is the law of cyberspace. In the field of intellectual property, ‘trusted systems’ generated by cyber codes can become an alternative to copyright law. In the field of sovereignty, the influence of cyberspace infrastructure on people’s behavior patterns has earned it sovereignty that is different from real space. In the competition with the rules of the real space, cyber space continues to win. It is the community norms, freedoms and laws in cyberspace that increasingly restrict the community norms, freedoms and laws that live in real space at the same time. This point of view only sees the positive role of cyber autonomy norms, but does not see the huge danger of allowing cyberspace to become a place for technological wrestling. Regard intellectual property protection in cyberspace, right holders can, of course, use technical measures to control the access and use of their intellectual creations, but infringers can always crack down on these technical measures. Without the prohibition and deterrence of cyber hacking by real-world laws, the creative information in cyberspace is likely to diminish, which will overshadow the otherwise splendid Internet. The other extreme of relying solely on code autonomy may be that the cyberspace has become a closed island of information. The reasonable use of information and the expression of opinions by the public cannot be achieved, which is contrary to the original intention of the Internet as an open sharing tool. 

In the field of security, on the one hand, with the breaking and deep integration of cyberspace and the real world, it is difficult to separate the social relationship between cyberspace and real society. The illegal monitoring of cyberspace and the search for human flesh are all infringing on specific subjects’ security in the real world, so the laws of the real world should act on cyberspace. On the other hand, even a cyber-society that has developed independently in a certain sense, it has become an important part of the national body. As a result, preventing and defusing the risks of the cyber society is the focus of the national legal governance system. Adopting a complete laissez-faire technology governance path will enable a few subjects with technological superiority and data monopoly to gain de facto control of cyberspace, thereby continuously expanding the digital divide and even threatening the survival of ordinary internet users in cyberspace.

In summary, in terms of cyber intellectual property protection and cyber security maintenance, legal governance should be in a prerequisite, dominant, and linear position, determine and correct the direction of cyber autonomy, and prevent cyber autonomy from sliding into the abyss of the runaway. Without a doubt, we should also notice the supplementary effect of cyber autonomy on legal governance to a certain extent, such as increasing the means of legal governance, expanding the boundaries of legal governance, and optimizing the organizational structure of legal governance.

III. INTELLECTUAL PROPERTY PROTECTION BY CYBERSECURITY LAW

According to the provisions of paragraph 2 of article 12 in the Cybersecurity Law, the security interests of cyberspace include two parts: public interests and private interests. Intellectual property is a kind of private interests. Therefore, although the Cybersecurity Law does not have a specific design for the protection of intellectual property, there are many systems that can objectively exert such function.

A. The Intellectual Property Protection Function of the Network Operators’ Security Obligations

Since subjects in the real world are participating in cyberspace activities in various ways, the Cybersecurity Law does not and cannot classify and manage the cyberspace entities in a strict sense, but based on the control of network operations and the difference in influencing ability, it still stipulates the network operator’s security obligations which are different from the general internet users. Article 9 of the Cybersecurity Law stipulates: ‘network operators must comply with laws and administrative regulations, respect social ethics, observe business ethics, be honest and trustworthy, perform network security protection obligations, and accept government and social supervision when conducting business and service activities and assume social responsibility.’ Network operators’ fulfillment of network security protection obligations can not only reduce and avoid intellectual property infringement themselves, but also help prevent and prohibit intellectual property infringement from their clients.

According to the definition of the Cybersecurity Law, network operators include network owners, managers and internet service providers. In theory, we can divide it into operators who provide internet access to the public, network information service providers, and other network products or service providers. 

Network access service providers have a certain ability to review and control the behavior of users at the entrance and source, and play the role of gatekeeper in the protection of intellectual property in cyberspace in a certain sense. For example, France began implementing the ‘three strike out’ statute against internet piracy in 2010, that is, for internet users who frequently illegally download and upload pirated works and still continue to infringe after being notified three times, they may suffer penalties, including internet disconnections, fines, and imprisonment. Although only the court has the final power to determine the punishment, the monitoring of internet file transmission, the issuance of the first infringement notice, and the implementation of the internet disconnection punishment all need to be completed by the network access service provider. In addition, network access service providers are also able to timely discover and stop many intellectual property infringements during the fulfillment of cyber information security obligations in accordance with the law, such as public information inspection, complaint handling, illegal information handling, cooperation with supervision and inspection, internet log recording, and reporting to competent authorities.

In relation to network information service providers, China’s strict market access and content review and supervision systems have well eliminated many intellectual property infringement risks in advance. According to the provisions of article 4 of the Administrative Measures on Network Information Services, China implements a licensing system for operating network information services and a filing system for non-operating network information services. When the network information service provided by an unauthorized subject infringes the intellectual property, the relevant competent authorities naturally protect intellectual property in the process of preventing and punishing their violation of administrative licensing. For legally licensed network information service providers, article 47 of the Cybersecurity Law stipulates: ‘network operators should strengthen the management of the information published by their users. If they find information prohibited by laws or administrative regulations from publishing or transmitting, they should immediately stop transmitting this information, take measures such as elimination, prevent information from spreading, keep relevant records, and report to the relevant competent authorities.’ China’s series of regulations related to internet information management also stipulate the content review obligation of network information service providers. The review obligation emphasizes that the information it produces, reproduces, publishes, and distributes must not contain ‘infringing the legitimate rights and interests of others’ and ‘other content prohibited by laws and administrative regulations.’ Some regulations also specifically stipulate the intellectual property review obligations of network information service providers. For example, article 7 of the Administrative Regulations on Internet Audio and Video Information Services states: ‘internet audio and video information service providers shall implement the main obligation of information content security management, equip with professionals suitable for the scale of the service, establish and perfect systems for user registration, information release review, information security management, ... intellectual property protection, etc.’

Like network information service providers, providers of other network products or services are also obliged to conduct various reviews to maintain cyber security and protect intellectual property. For example, article 5 of the E-Commerce Law stipulates: ‘e-commerce operators shall follow the principles of voluntariness, equality, fairness, and integrity in conducting business activities, abide by laws and business ethics, participate fairly in market competition, and perform obligations of ... intellectual property protection, cyber security and personal information protection.’

B. The Intellectual Property Protection Function of Cyber Security Technology Administration System

Article 22 of the Cybersecurity Law stipulates that network products or services themselves should comply with the compulsory requirements of relevant national standards, and the provider’s obligation to maintain the network products or services in a safe manner, while article 10 stipulates the construction, and operation of the Internet or the technical security obligation of providing services through the Internet in a general sense, that is, ‘should take technical measures and other necessary measures in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards to ensure cyber security and stable operation, and effectively respond to cyber security incidents, prevent cybercriminal activities, and maintain the integrity, confidentiality, and availability of internet data.’ This internal and external cyber security technology management system also has a positive effect on intellectual property protection.

Firstly, the network product or service provider must reach a license agreement with right holders of standards-essential patents to use the corresponding technology, which itself means respect and protection of intellectual property. In fact, the field of Internet and information technology is a field in which various technical standards are very concentrated and developing rapidly, such as digital broadcast television, cloud computing, Internet of things, 5G and artificial intelligence, etc., all generating a large number of technical standards. While complying with these technical standards, specific network products or services actually apply and protect the intellectual property of related internet technology innovations.

Secondly, in cyberspace, the attack on cybersecurity and intellectual property and technical measures to prevent these attacks are similar. Generally speaking, the technical infringement or threat of network security mainly has the following forms: privilege escalation, virus, worm, trojan horse, spyware, spam, hoax, adware, rootkit, botnet, logic bomb, etc. With the development of internet technology and applications, some new forms of attacks have emerged, such as deep and dark webs, web crawlers, database collisions, and unauthorized use of data. Infringements on internet intellectual property mainly manifest as illegal copying, dissemination, modification, counterfeiting, misappropriation, theft, and deep linking of rights-protected information without permission. The technical methods used by infringers overlap with or cross over the above attacks that endanger cyber security. The two technical management and protection systems all include the basic layer, data layer and application layer in the overall architecture, that is, the security protection technology of the network hardware environment and the basic software system, the technology for authentication and identification of metadata such as rights information and security identity, and the technology to control and track the access and use of data. Regard specific types of technology, encryption technology, authentication technology, key management technology, certificate revocation technology, digital watermark technology, rights description language, and tamper-proof software and hardware technology are usually used. The adoption of compulsory technical standards by the Cybersecurity Law directly confirms the legality and effectiveness of intellectual property-related technical protection measures, which is conducive to regulating illegal acts that avoid or destroy technical measures. Article 27 of the Cybersecurity Law further stipulates the legal protection of technical measures: ‘any individual or organization ... shall not provide programs and tools for activities that jeopardize cyber security, such as internet intrusion, interfere with the internet’s normal functions and protective measures, or steal internet data; anyone who knows that others are engaged in activities that jeopardize cyber security shall not provide them with technical support, advertising promotion, payment settlement, etc.’

Finally, cyber security protection technology has positive significance for the security of intellectual property transactions in cyberspace and the judgment of intellectual property infringement. The former is what Lawrence Lessig calls a ‘trusted system’: the intellectual property supplier and the consumer have agreed on the security-related attributes in advance and coded according to the time logic to outline the boundary of the trusted operation without having to specify the exact function of the intellectual property. Suppliers will produce evidence of these security attributes and provide them to consumers along with related intellectual property products. Consumers can, therefore easily and automatically check the correctness of security evidence to verify that the relevant intellectual property rights comply with the agreed attributes. The latter is also often applied in the legal practice of various countries. For example, the National Institute of Standards and Technology (NIST) cybersecurity technology framework is recommended as one of the standards for whether relevant subjects have fulfilled their reasonable due diligence obligations for intellectual property, helping to confirm best practices and punishment for market participants who fail to comply with it, which in turn helps to better protect intellectual property in a multi-center governance path.

C. The Intellectual Property Protection Function of Cyber Security Comprehensive Law Enforcement Mechanism

Compared with network operators established with permission or filing, the ordinary internet users’ violations of cybersecurity law are more scattered and difficult to regulate. Therefore, the Cybersecurity Law provides a comprehensive law enforcement mechanism to try to make up for this shortcoming. This comprehensive law enforcement mechanism is also of great benefit to the protection of intellectual property in cyberspace.

Paragraph 1 of article 14 in the Cybersecurity Law provides for reporting mechanisms, law enforcement agencies and transfer jurisdiction over acts that jeopardize cybersecurity, that is, ‘any individual or organization has the right to report acts that jeopardize cybersecurity to cyberspace administration, telecommunications administration, public security administration, etc. The department that received the report should deal with it in time according to law; if it is not the responsibility of the department, it should be transferred to the department that has the power to handle it in time.’ Although this provision still has the problem of unclear law enforcement authority, law enforcement period and law enforcement procedures, it provides a multi-sectoral relief channel for ordinary internet users to maintain their legitimate rights and interests in cyberspace and the public cybersecurity interest, and is generally still a positive legal norm. In addition, article 50 of the Cybersecurity Law stipulates: ‘If the national cyberspace administration and relevant departments perform the duties of cyber information security supervision and administration in accordance with the law, and discover information prohibited by laws or administrative regulations, they shall require the network operator to stop transmission, take measures such as elimination and keep relevant records; for the above-mentioned information originating from outside the People’s Republic of China, relevant institutions should notify relevant organization to take technical measures and other necessary measures to stop the spread.’ 

For the intellectual property protection in cyberspace, although network operators have a certain review obligation, right holders can also seek timely remedies under the ‘notification-deletion’ rule, but in the face of massive user infringement on commercial-scale websites, it is costly and unrealistic for right holders to issue notices one by one, and network operators are inefficient in handling infringement notices. Even with the help of intelligent technology, it is still difficult to protect the interests of all rights holders. Moreover, in the case of the counter-notification by the notified user, intellectual property owners still need to seek administrative or judicial protection with mandatory binding force. Therefore, intellectual property owners who do not pursue damage compensation as their main objective are more willing to choose to report illegal publication or transmission of information to the cyber security enforcement agencies to achieve rapid and effective protection of their rights. 

In addition, the cyberspace information release and the transmitter’s illegal behavior are often complex, that is, in order to attract attention, not only some information that infringes intellectual property but also other information that jeopardizes cyber security, when the cybersecurity law enforcement agencies stop and punish those illegal behaviors, it successfully cracks down on intellectual property infringement at the same time. In recent years, the Sword Net action jointly launched by the National Copyright Administration, the National Cyberspace Administration, the Ministry of Industry and Information Technology and the Ministry of Public Security to combat online piracy, only the National Copyright Administration and the Ministry of Public Security law enforcement power come from copyright laws and regulations, the law enforcement powers of the National Cyberspace Administration and the Ministry of Industry and Information Technology are actually sourced from the relevant laws and administrative regulations of cyber security.

From the perspective of assuming legal responsibilities, articles 70 and 71 of the Cybersecurity Law stipulate that the publication and transmission of information that violates the prohibitions of the Cybersecurity Law and other laws and administrative regulations shall be punished and recorded in the credit file, which establishes a linking mechanism between the Cybersecurity Law and relevant laws and administrative regulations, which of course includes intellectual property laws and administrative regulations.

IV. INTELLECTUAL PROPERTY LAW MAINTENANCE OF CYBER SECURITY

Article 16 of the Cybersecurity Law only broadly stipulates the promotion and support function of ‘intellectual property protection of cyber technology’ on cyber security, while this promotion and support can be specifically reviewed from macro and micro perspectives.

A. The Incentive Function of Intellectual Property Law on Cyber Security Industry from the Macro Perspective

Internet that uses intangible technology and information as the basis for operation and development has a naturally close relationship with the intellectual property system that also uses intangible innovative technology and information as the protection object. The United States, which pioneered the creation and commercialization of the Internet, has also insisted on broadening its internet and trade hegemony through the intellectual property system. The United States’ National Cyber Strategy of 2018 clearly stated that strong intellectual property protections ensure continued economic growth and innovation in the digital age. The United States government has fostered and will continue to help foster a global intellectual property rights system that provides incentives for innovation through the protection and enforcement of intellectual property rights such as patents, trademarks, and copyrights. The United States government will also promote the protection of sensitive emerging technologies and trade secrets, and we will work to prevent adversarial nation states from gaining an unfair advantage at the expense of American research and development.

For every sovereign country, in the face of the threat of American cyber hegemonism, the maintenance of national cyber sovereignty and cyber security must be premised on the innovation of core technologies and the acquisition of intellectual property. In April 2018, General Secretary Xi Jinping pointed out at the National Cybersecurity and Informatization Work Conference, ‘Core technology is the most important thing in the country. We must make up our minds, maintain perseverance, find the center of gravity, and accelerate the breakthrough of the core technology in the field of information.... Strengthen centralized and unified leadership, improve the system environment such as intellectual property protection, optimize the market environment, and better release the innovation vitality of all kinds of innovation subjects.’ This shows that technological development and industrial innovation of cyber security are inseparable from the important incentives for intellectual property protection.

Statistics show that, as the intensity of intellectual property protection continues to increase, since 2005, the number of effective invention patents and patent applications in China’s cyber security field has been increasing linearly. In 2015, the number of Chinese patent applications for cyber security technology of domestic enterprises has occupied a clear advantage, and it has a balanced layout in the four key technical subject areas of firewall, VPN, intrusion detection and identity authentication, and has the technical ability to compete with foreign companies in the domestic market. Driven by the application of technological innovation and intellectual property protection, the scale of China’s cyber security industry reached 51.092 billion yuan in 2018, an increase of 19.2 percent over 2017; 217 new companies were added, with a growth rate of 8.09 percent; and the average net profit of 10 listed companies reached 268 million yuan, an increase of 6.67 percent from 2017, and their average R&D investment was 267 million yuan, an increase of 25.2 percent from 2017. At present, China has formed a network security industry chain covering 15 large categories and 75 subcategories, including terminal security, data security, application security and Internet of things security.

From a macro perspective, the direct incentive effect of the intellectual property legal system on the development of the cyber security industry is mainly reflected in two aspects: the first is the fast priority patent examination mechanism. Article 3 of the Administrative Measures on Patent Priority Examination of the State Intellectual Property Office implemented on August 1, 2017 states: ‘a patent application or patent reexamination case in one of the following circumstances may request priority examination: (1) involving ... new generation of information technology ... and other key national development industries ... (3) involving the Internet, big data, cloud computing and other fields and the technology or product update speed is fast ... (6) others that are of great significance to national interests or public interests need priority examination.’ The vast majority of cyber security technology patent applications can comply with one or more of the above (1) (3) and (6), thereby obtaining priority examination and those who meet the statutory conditions can obtain patent rights quickly. The second is the high amount of compensation for the infringement damage of the cyber security patent technology. For example, in the patent infringement dispute between Sony Mobile Communications Products (China) Co., Ltd. and Xidian Jietong Wireless Network Communication Co., Ltd., the involved patent No. ZL02139508.X ‘a method for securely accessing wireless LAN mobile equipment and data confidential communication’ is a typical cyber security patent technology. The court finally decided that Sony China Company should compensate Xidian Jietong Company for the economic loss of 8,629,173 yuan and reasonable expenditure of 474,194 yuan.

Intellectual property law can also indirectly promote the healthy and orderly development of the cyber security industry through reasonable judicial definition and regulation of related infringement or unfair competition. For example, in the famous 360 vs QQ case, the Supreme People’s Court pointed out that ‘the appellant has developed a deduction bodyguard specifically for the QQ software. After the deduction bodyguard runs, it deeply intervenes in the QQ software. After prompting the corresponding operation, making all or part of the function keys of the QQ software unusable, it will change the original operation mode of the QQ software and destroy the integrity of the software operation.... The appellant induces and provides tools to actively help users change the operation mode of the appellee’s QQ software, and at the same time guides users to install their 360 security guards, replaces the QQ software security center, undermines the security of QQ software-related services and poses a strong threat to the overall QQ software.’ As another example, in the dispute between Huawei Technologies Co., Ltd., ZTE Corporation, and Hangzhou Alibaba Advertising Co., Ltd. for infringement of invention patent rights, the patent in question was the invention of Huawei’s ‘a method to prevent IP address spoofing during dynamic address allocation’, the Supreme People’s Court examined Huawei’s retrial application and concluded that ‘the existing evidence provided by Huawei can only prove that the patented method in question will be reproduced in the infringing product under the specific networking method it claims, which is not sufficient. It is not sufficient to prove that ZTE Corporation has infringed upon the patent right of the invention involved in the case. The reason for the retrial application cannot be established. The corresponding retrial request lacks facts and legal basis, and this court will not support it.’

B. Specific Maintenance Function of Intellectual Property Law from the Micro Perspective

In addition to the overall incentives and guidance for the cybersecurity industry, several specific aspects of the intellectual property law system can play a role in maintaining cyber security.

First, many objects of intellectual property protection belong to cyber security information or are closely related to cyber security. In the patent law, patent protection of key infrastructure, network key equipment and special security products, cyber data security protection and utilization technology, and cyber security management technology methods, etc. surely have a direct effect on cyber security, while patent protection of various business methods developed based on online transactions and interactive considerations can also indirectly affect the information security and operating order of cyberspace. Certain cyber security technologies can also be included in the scope of confidential patents when necessary. In terms of copyright law, cyber security software itself can obtain copyright protection. The copyright protection of internet operations, maintenance and service software, industrial software, application software, and original databases also has positive significance for ensuring cyber security. In recent years, the global cyber security software service outsourcing industry has grown rapidly, reaching USD 16.7 billion and USD 18.5 billion in 2017 and 2018, which further highlights the important value of software copyright protection in maintaining cyber security. In trademark law, the protection of commercial marks such as trademarks and domain names in cyberspace has a direct effect on preventing online fraud and maintaining the security of consumers’ online transactions. In the anti-unfair competition law, the protection of business secrets in cyberspace is both related to the security of internet operations and the security of cyber information.

Second, some specific rights of intellectual property are directly related to information dissemination, technology application, or business models in cyberspace, and thus have a profound impact on cyber security. As far as copyright is concerned, the right of information network dissemination can prohibit the unauthorized interactive dissemination of copyrighted works in cyberspace, which not only is a maintenance of the order of the online cultural market, but can also reduce the illegal acts of mixing copyrighted works and information that endangers cyber security to attract attention. The right of adaptation and modification can prevent others from distorting and tampering with copyright works, especially malicious, vulgar and other changes that violate the law and the principles of public order and good customs, and maintain the ecological cleanliness of cyberspace. Performance rights, filming rights, screening rights can also prohibit others from disseminating information in cyberspace that is not suitable for presentation and dissemination in the form of video. The right to sign can prohibit others from misappropriating the name and reputation of well-known authors to spread information that jeopardizes cyber security. The patent rights of offering for sale, sale, import, and the use of certain method patents may also directly or indirectly affect cyber security. In practice, the online offering for sale and sales of patented products have shown a growing trend, and the corresponding infringement disputes have also increased significantly. According to the statistics, from 2010 to 2017, more than half of the judicial judgments on online offering for sale cases in China issued interdicts, which effectively maintained the order of the online patent technology market. It is worth noting that the unauthorized use of cyber security method patents seems good to the maintenance of cyber security apparently, but in the long run, it is not conducive to encouraging the continuous development and market application of cyber security technology, so it is still needed to strengthen the regulation of such infringements. For trademarks, the right holders prohibit others from tarnishing and vilifying the anti-dilution rights of their trademarks, and are also often associated with cyber information security because the trademarks are a public cultural function of cognitive symbols in a sense.

Third, some procedures and specific measures for the protection of intellectual property can prevent and resolve cyber security risks in a timely and effective manner. Due to the real-time and open nature of online information dissemination, infringement and illegal activities in cyberspace have a common feature, that is, the damage is easy to expand sharply and it is difficult to make up for it. Therefore, a rapid legal response mechanism is particularly important. In this sense, when the infringement of online intellectual property rights directly or indirectly affects cyber security, the notification-deletion rule can play its due role to a certain extent and scope. Another fast and effective procedure system is the pre-litigation behavior preservation system for intellectual property infringement. By the people’s court ruling that the respondent immediately ceases the case-related behavior, it can not only avoid further expansion of the applicant’s intellectual property damage, but can also prevent the escalation of cyber security risks or events. In addition, as mentioned earlier, the technical measures for intellectual property protection in cyberspace may overlap with the technical measures for cyber security. Therefore, the technical management system of the cyber security law is conducive to intellectual property protection. In turn, the protection provided by intellectual property laws for technical measures can also play a role in maintaining cyber security.

V. RESOLUTION OF CYBERSECURITY AND INTELLECTUAL PROPERTY CONFLICT

Cyber security is a holistic public interest and normative order, while intellectual property is a private right. Therefore, under certain circumstances, the two will inevitably produce a certain conflict. Although there are no direct and clear provisions on how to deal with such conflicts in the Cybersecurity Law and intellectual property-related legislation, appropriate interpretations still can be made in conjunction with relevant provisions, general legal principles and practical needs.

A. The Principle of Cyber Security Priority

In the process of internet operation and cyberspace information dissemination, the conflicts between intellectual property and cyber security generally have three kinds, and the resolution of these conflicts usually applies the principle of cyber security priority.

The first kind of conflict between intellectual property and cyber security is that the spread or use of certain information or technology that may be suitable as an object of intellectual property rights will jeopardize cyber security. For such conflicts, the provisions of separate legislation on intellectual property have in fact given a clear answer. Article 4 of the Copyright Law stipulates: ‘Copyright holders must exercise their copyright without violating the Constitution and laws, or harming the public interest. The state supervises and administers the publication and dissemination of works.’ Paragraph 1 of article 5 of the Patent Law stipulates: ‘No patent rights shall be granted for inventions and creations that violate the law, social ethics or hinder public interests.’ Article 10 of the Implementation Rules of the Patent Law further explains: ‘Inventive creations that violate the law as mentioned in article 5 of the Patent Law do not include inventions and creations whose implementation is prohibited by law.’ It can be seen from the above-mentioned regulations that technologies developed by themselves to undermine network security and that do not have other beneficial uses certainly cannot be patented. There is no obstacle to obtaining copyrights and patents for works that violate the Cybersecurity Law and only the implementation of inventions that violate the Cybersecurity Law, but the law prohibits the publication, dissemination of such works and illegal implementation of such patents. Since trademarks are symbols that are directly perceived by consumers in commercial activities, the provisions of article 10 of the Trademark Law are stricter, which explicitly prohibits the ‘use’ of certain types of signs as trademarks, not to mention obtaining ‘registrations’. That is to say, the illegal use of relevant signs as the main body of the trademark not only bears the corresponding legal responsibility, but also cannot obtain trademark rights from the beginning. Many of the signs prohibited from use as trademarks are related to cyber information security, especially signs that are ‘harmful to socialist morals or other adverse effects’.

The second kind of conflict between intellectual property and cyber security is that excessive self-protection or abuse of intellectual property violates other legitimate rights and interests of internet users. As early as 1997, such cases have occurred in China. In order to prevent illegal decryption and use by pirates, Jiangmin Company installed the so-called ‘logical lock’ in its newly released ‘KV300L++’ version of antivirus software, but it was identified that the internet upgrade version of this antivirus software contains functions that disrupt the computer subprograms may disrupt the normal operation of the computer information system. Therefore, the Beijing Municipal Public Security Bureau determined that Jiangmin’s behavior was deliberately importing harmful data into the computer information system, and imposed a fine of 3,000 yuan on Jiangmin in accordance with the Computer Information System Security Protection Regulations. Coincidentally, on October 21, 2008, Microsoft launched a new round of genuine verification and value-added programs in China. The unverified Windows XP operating system will receive a pirated reminder that the desktop background becomes pure black every hour. Microsoft’s ‘black screen’ behavior is considered to exceed the limit of self-relief, infringement of computer users’ property rights and privacy rights, violation of antitrust laws, and illegal intrusion into computer information systems. In the current era of big data and artificial intelligence, the technical measures for intellectual property protection often exceed the purpose of ‘protection’ and collect personal information of network users, and carry out precise marketing after user consumption portraits, which constitute an infringement of the user’s privacy and personal information rights. Under these circumstances, the rights of internet users’ privacy and ownership of their computers are more prioritized and fundamental than intellectual property, and intellectual property right holders’ behavior constitutes an abuse of rights, so the latter should be given regulation to maintain cyber security.

The third kind of conflict between intellectual property and cyber security is that the maintenance of a particular cyber security interest requires appropriate restrictions on the autonomy or specific ways in which intellectual property rights are exercised. In the field of copyright law, according to article 12 of the Regulation on the Protection of the Right to Network Dissemination of Information, ‘carrying out any testing on the computer as well as its system or the safety performance of the network through the information network’, the relevant technical measures may be avoided, whereas the techniques, devices or components of the technical measures may not be provided to any other person and the other rights as enjoyed by the owner according to the law may not be injured. ‘Where the state organ exercises its functions according to the administrative and judicial procedures’, technical measures may also be avoided so that copyrighted works can be used. While article 37 of the Cybersecurity Law stipulates: ‘personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People’s Republic of China should be stored in the territory. The security assessment shall be conducted in accordance with the measures formulated by the State cyber space administration in conjunction with relevant departments of the State Council; if the laws and administrative regulations provide otherwise, the provisions shall be followed.’ This security assessment requirement for data localization and cross-border transmission will inevitably impose certain restrictions on the exercise of the copyright of database works. In the field of patent law, article 49 of the Patent Law stipulates: ‘In the event of a state of emergency or extraordinary situation in the country, or for the purpose of public interest, the patent administration department of the State Council may grant a compulsory license to implement invention patents or utility model patents.’ When China suffers a cyber-attack or the public interests of cyber security are infringed, and it is necessary to urgently use a method of patent response to the attack, repair loopholes, or restore the original state, the State Intellectual Property Office may issue a compulsory patent license under the recommendation of the competent authority of cyber security. In the field of trade secret protection, in order to reduce the risk of algorithm discrimination to cyber security, the regulatory authority can require corresponding technology developers and users to assume a certain degree of algorithm transparency obligations, and accept security examination of their algorithm codes.

B. Proportionality of Intellectual Property Restrictions

Although the principle of prioritizing cyber security applies in conflicts, this does not mean that the restrictions on intellectual property rights are not limited; it should follow the principle of proportionality. The principle of proportionality is a principle that originated in the field of public law and was gradually extended to the field of private law. Its core is to emphasize appropriate intervention in individual freedom and autonomy of private law, and prohibit excessive intervention. It is generally believed that the principle of proportionality can be divided into three sub-principles: the principle of appropriateness, the principle of necessity, and the principle of balance. In the case where intellectual property rights need to be restricted due to the maintenance of cyber security, the above three sub-principles can play a good role in review and judgment.

The principle of appropriateness, also known as the principle of adequacy, means that the measures taken by the subject of public power must be able or at least contribute to the realization of its legitimate purpose and belong to appropriate means. The principle of appropriateness emphasizes the legitimacy of the purpose itself and the appropriateness of the means to achieve it. When restricting intellectual property due to cyber security, the legitimacy of the purpose must be able to be reflected in specific cyber security interests, rather than vaguely indicating that it is based on cyber security issues. There are three main methods for judging whether network security interests are specific or not: the first is to see whether there is a normative basis for cyber security such as laws, administrative regulations and departmental rules, etc. The second is to see whether the rights or security interests that may be infringed or affected in cyberspace by the exercise, excessive protection or abuse of intellectual property rights can be clearly described. The third is to see whether IP-related violations have caused quantifiable security damage. Satisfying one of the above three standards constitutes a legitimate and specific cyber security interest. The appropriateness or adaptability between the method and the purpose should mainly be considered: whether the risk or damage of cyber security is caused by the related intellectual property abuse or illegal behavior, or whether restricting intellectual property rights is the only or limited way to eliminate danger, stop infringement, or make up for the damage. Time urgency is also an important consideration for the appropriateness of intellectual property restrictions.

The principle of necessity, also known as the principle of least damage, means that the subject of public power should choose the method that minimizes the damage to the interests of the parties to achieve the legitimate purpose prescribed by law. According to the principle of necessity, first, when there are prohibitive measures and burden measures in the ‘same effective’ measures, the burden measures should be used instead of the prohibition measures. For example, when APP illegally collects personal information of internet users and endangers cyber security, it should require its operators to collect legally limited information under the premise of informed consent and voluntary choice of users and under government supervision, rather than simply and roughly prohibit the continued promotion of APP. Second, when there are compulsory measures and guiding measures in the ‘same effective’ measures, the guiding measures should be used instead of the compulsory measures. When excessive protection or abuse of intellectual property rights causes minor or potential cyber security risks, the relevant regulatory authorities should properly use the ‘interview’ mechanism provided in article 56 of the Cybersecurity Law, give network operators the opportunity to self-rectify and eliminate hidden dangers, instead of directly conducting administrative investigations and punishments. Third, when there are several ‘same effective’ measures, the infringed person shall have the right to choose. When the intellectual property owner can take technical measures to eliminate the cyber security risks caused by his previous actions, or to compensate for the cyber security damage, it is generally not necessary to limit the intellectual property rights.

The principle of balance, also known as the principle of proportionality in a narrow sense, refers to the benefits brought by the exercise of public power in accordance with its legitimate purpose should exceed the damage it causes. The principle of balance has a natural fit with the interest balance theory of intellectual property law, which is a further extension and refinement of the latter. In cases where intellectual property rights are restricted due to cyber security, the principle of balance has a relatively direct expression. For example, when we need a compulsory license to use a patented technology due to a sudden cyber-attack or virus, we must limit the shorter period of compulsory license, and the implementing body that obtains protection from the compulsory license should give the patentee appropriate license fee. When state organs evade technical measures of copyright in order to carry out official duties related to cyber security, or use software and database works rationally, they should consider the impact on the market interests of copyright holders and whether there are other options with lower costs.

VI. CONCLUSION

Although the two intellectual property clauses of the Cybersecurity Law reveal the mutually reinforcing, and the dialectically unified relationship between cyber security and intellectual property, they are still generally thin declarative norms that require systematic in-depth interpretation.

According to the four principles and five points of cyberspace governance proposed by General Secretary Xi Jinping’s Speech at the Opening Ceremony of the Second World Internet Conference, there are two important common principles in the field of interweaving cyber security and intellectual property: the principle of internet sovereignty and legal independence, and the combination of legal governance and internet autonomy. The former emphasizes that both the protection of intellectual property rights and the maintenance of security in cyberspace are matters within the sovereignty and legal scope of a country, and there are no laws that transcend the country; the latter emphasizes that the Internet is not a laissez-faire place and an autonomous field of pure technical wrestling. Legal governance is dominant in the protection of intellectual property and cyber security.

On the basis of observing the above basic principles, the mutual promotion and complementarity of cybersecurity law and intellectual property law can be reflected in many specific aspects. The provisions of the Cybersecurity Law on the security obligations of network operators, such as internet access service providers, internet information service providers, and other network products or service providers, have the role of guarding portals and pre-examination for the protection of intellectual property rights. The technical management system of cyber security is helpful for the application, protection, transaction and infringement judgment of intellectual property. The comprehensive law enforcement mechanism of cyber security has strengthened the intensity, breadth and efficiency of intellectual property protection. Macroscopically, the Intellectual Property Law has strengthened the incentive effect on the cyber security industry through the priority and rapid examination mechanism and the adjudication of high amount of infringement compensation. At a micro level, the object, rights and procedures of intellectual property protection also have the function of directly or indirectly maintaining cyber security.

Intellectual property and cyber security may conflict in certain situations. First, the dissemination or use of certain information or technology that may be suitable as an object of intellectual property will jeopardize cyber security. Second, excessive self-protection or abuse of intellectual property rights infringes upon other legitimate rights and interests of internet users. Third, the maintenance of a specific cyber security interest requires appropriate restrictions on the autonomy or specific ways in which intellectual property rights are exercised. The resolution of these conflicts generally follows the principle of giving priority to network security, but the restriction of intellectual property rights must follow the principle of proportionality, highlighting the specificity of cyber security interests, the necessity of restrictions on intellectual property, and to achieve a balance between the protected cyber security and the restricted intellectual property.

 

关注我们
中国法学杂志社

友情链接

LINKS