Open source software: The importance of establishing an effective compliance system
Open source software can save companies from having to constantly reinvent the wheel, and it is even provided free of charge. Cost efficiency and time savings are just two of the many reasons why more and more companies rely on open source software. However, the risks associated with its use are often underestimated. The fact that the rights holder does not charge licence fees does not mean that it waives its rights. Failing to comply with the licence requirements can instead have serious consequences: apart from the automatic withdrawal of the licence, there is the risk of legal action in the form of an injunction or a claim for damages. In addition, users of open source software may be obliged to pass on their refinements to the software only free of licence fees and with disclosure of the source code (known as the viral effect). For reasons of protecting investment and know-how, an efficient open source software compliance system is therefore essential.
Against this backdrop, it is surprising that there is a clear discrepancy between how widely open source software components are used in companies and how rarely open source software compliance systems are set up. The traditional approach, under which IT compliance covers only IT security and data privacy, no longer reflects the real situation in companies. As mentioned above, the use of open source software carries significant risks. These must be mitigated with an efficient open source software compliance system so that companies can benefit from the huge advantages of using open source software.
Obligations when using open source software
Unlike proprietary software, open source software, whose source code is freely accessible, may be freely used, reproduced and modified. However, this does not relieve the licensee of certain obligations, which arise especially when open source software is passed on, whether unchanged or in refined form. The licensee’s specific obligations depend on the licence terms. In general, a distinction is made between copyleft licences (with a strong or weak copyleft) and permissive licences. While copyleft licences normally require the licensee to apply the original open source licence terms to new developments of the open source software as well, permissive licences allow the licensee to choose which licence terms to apply to the new versions.
Structure of an open source software compliance system
An open source software compliance system can be based on an open source software compliance policy. This is aimed at the employees of the relevant company and governs the handling of open source software components. The content of such a policy depends to a large extent on the field of activity of the company concerned. Possible subjects of provisions are the presentation of the different types of licence, the obligations arising from them and the consequences in the event of a licence infringement. In addition, clear guidelines for dealing with open source software components must be included. In this respect, differentiation according to the various fields of application, such as purchasing, development and sales, can be useful.
It is also advisable to set up a central body that decides on the use of open source software components or on the choice of the right licence in borderline cases. The advantage of such a decision-making body lies first of all in the concentration of internal know-how. It can also serve as a point of contact for staff. Moreover, firmly anchoring such a body in the compliance process makes it possible to continuously monitor the functionality and effectiveness of the compliance system.
In addition, staff training is recommended to raise awareness of the relevance of licence compatibility among employees who come into contact with open source software. The use of open source scanners should be considered as an additional tool. Such programs check software for open source components, which addresses the common problem that companies are often unaware of which open source software they are actually using.
In order to leverage the enormous potential of using open source software, it is therefore advisable for companies to establish an effective compliance system. In this way, the protection of know-how and industrial secrets is guaranteed while minimising liability risks.
Any questions? Please contact: Dr Thomas Thalhofer and Marieke Merkle
Digital Business, IT & Outsourcing, Compliance & Investigations