3D Printing: Rights to Data and IT Security in the Field of Additive Manufacturing

Additive manufacturing is way past the point of only being used for the construction of prototypes. The concept is also applied when manufacturing end products. In the context of 3D printing, this is accompanied by modified production processes, the usage of new raw materials, altered delivery, and performance relationships as well as innovative business concepts, leading to multiple legal questions. For companies involved, it is of particular importance to detect the complexity of those legal questions and their interrelations early on in order to exploit the full economic potential of their business by including solutions to those issues in the relevant business model. This article considers selected questions with regard to the digital value chain of 3D printing.  

Intellectual property rights

It should be clarified whether and to what extent data arising in the 3D printing value chain is protected by law; e.g. CAD files under copyright and patent law. Since there are immense and precise possibilities of duplication when using 3D printers, intellectual property rights and their defense play a key role in the legal context. Different scenarios have to be distinguished:

First of all, the question arises as to whether and to what extent the individual stages of the production process of additive manufacturing are legally protected and who can claim such protection. Also, to what extent not only printing templates such as CAD files may be subject to (copyright) protection, but also objects that are the products of this technology. Acts of reproduction, such as adding CAD files to an Internet platform for (free) distribution to third parties or reprinting an object may impair individual property rights – such as copyrights, patent rights, design rights, or trademark rights.

Generally speaking, the substantial requirement for protection in copyright law is a minimum of uniqueness of the work, meaning that the work must not be merely the result of a purely mechanical creation. A mere technical solution to a construction project, i.e. stringing together construction elements, does not fall under the protection of copyright law. 
Under these requirements, objects like paintings, sculptures, figures, jewelry, objects of utility with artistic aspirations, tools, car bodies, and other objects of industrial design can be protected. This protection also encompasses visual/technical displays in a CAD file because (German) copyright law also protects scientific or technical displays including sketches, plans, and blueprints, provided that the displayed work is distinct, thereby meeting the requirements for protection. As such, a CAD file can also enjoy the legal protection of copyright. Beyond that, it is doubtful that copyright law protection can be granted to each CAD file as a computer program. It is crucial that the visual display of the object to be printed, including all technical information in the CAD file, is only the result of the application of a corresponding computer program.

Finally, it should be noted that the basic concepts of copyright law generally also apply in the international context. Nonetheless, German and Anglo-American copyright laws show considerable differences. Under German copyright law, copyright is always associated with the person of the originator, i.e. the creator of the work. By entering into a license agreement with the originator, a company can become the holder of all — and exclusive — usage and exploitation rights of the work in question. However, the so-called inalienable author’s moral rights, which, for example, include the right to be named, generally stay with the originator. Anglo-American law, on the other hand, does not have such inalienable author’s moral rights. In that respect, German copyright law emphasizes the ideal relation of the originator to his work, while Anglo-American law stresses the economic aspect. Under Anglo-American copyright law, rights of decision and exploitation are often not attributed to the originator, but to the economic right holder. As a result of these differences, affixing a copyright note is generally not necessary in Germany. Under German law, copyrights originate with the work’s creation without entry in the register.

Rights to data

In addition, a special aspect leading to discussions not only with regard to 3D printing, but also in connection with the Internet of Things and Industry 4.0, is the issue of rights to data generated by machines that are not personal data related to an individual. German law does not recognize ownership of data or a conceptual equivalence like intellectual property rights to non-personal data. In relation to this, the 3D printing industry is in dire need of action when it comes to legal solutions.  

Most of the supply chain is digitalized. The companies involved in the manufacturing processes exchange specific data, technical specifications, information stemming from the product development, and, most importantly, the technical construction data through interfaces connected to the Internet. This data includes highly sensitive and valuable data, particularly regarding intellectual property and know-how of a company. It is therefore important to assess who should be allowed to have access to the data, to whom the data is assigned, and who is liable in case of damages. The European Commission started a consultation on the “creation of European data management”, which is concerned with the above-mentioned topics on a European scale, this year.

From a German perspective and under the current legal framework, companies involved in additive manufacturing are recommended to agree on contractual regulations in order to assign rights to the technical data generated by machines.

IT security

However, all data within the 3D printing process also need to be protected thoroughly against manipulation and data theft. The significance of IT security can be clarified by a quote from Bruce Schneier in “Secrets and Lies” from 2000: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”  

Cyber attacks can pose a grave threat to companies and result in significant financial losses, e.g. because of a production downtime. As the complexity of these attacks continues to grow, detection becomes increasingly difficult. Software providers are facing the need to provide additive manufacturers with software that offers protection in this regard. Software providers and additive manufacturers often stipulate a contractual obligation to provide suitable evidence that relevant security requirements have been met. One should also keep in mind that company IT security is a dynamic process and constantly needs adjustment. 

The issue of IT security can only be solved if companies in the relevant sectors communicate with each other and address the implementation of their security measures. Otherwise, appropriate measures by one company may be rendered ineffective when the technological infrastructure of another company within the supply chain does not enjoy an adequate level of protection. Security measures may also include encryption technologies. However, in an international context, cryptography has encountered some restrictions. The US, for instance, might limit the export of secure encryption technology leading European companies to use non-secure encryption technology when using US software. 

Finally, it should be noted that management is responsible for installing a system that detects security issues and runs a regular risk analysis to tackle potential and existing vulnerabilities and attacks early. The lack of such a system may result in the personal liability of management and executive directors. 

Klaus Brisch, LL.M. is a certified specialist lawyer for information technology law in Germany. He consults complex IT projects in the areas of transactions, compliance, IT security, data protection, and data security, advises companies in the entire field of internet law and electronic commerce as well as on hardware and software contracts. He also focuses on eGovernment.

Marco Müller-ter Jung, LL.M. is also a certified specialist lawyer for information technology law in Germany. His consulting practice lies in the areas of information technology law, intellectual property rights and copyright law. He advises in the entire field of internet law, e-commerce law (e.g. e-business, contract law, law of general terms and conditions, consumer protection, data protection and privacy, etc.) and IT contract law.

Klaus Brisch and Marco Müller-ter Jung are focused on the legal issues and requirements related to future technologies like industrial-internet, additive manufacturing, connected devices and cars, big data, wearables to name but a few.