Re: [open-regulatory-compliance] More edge cases

 

Is Q1 covered by recital 15? In which case they are an economic operator and subject to the CRA?

(15)  This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity. Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services, by requiring as a condition for use the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements. Accepting donations without the intention of making a profit should not be considered to be a commercial activity.

--

Steve Millidge

 

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Dirk-Willem van Gulik via open-regulatory-compliance
Sent: Thursday, July 4, 2024 12:31 PM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Subject: [open-regulatory-compliance] More edge cases

 

So in the ASF we've been discussing edge cases. And I'd like to test one here. So would love your feedback/insights on the below:

 

1)          Tomcat is open source software from the ASF 

 

              And the ASF is an open source steward that qualifies.

 

2)          BigCo sells support for Tomcat. Their customers obtain Tomcat direct from the ASF and then BigCo helps them install, configure.

 

              BigCo does not contribute to the Tomcat community at all.

 

Q1. Is BigCo subject to the CRA?

 

I guess the fair starting position here is that IF the customer ‘honestly’ obtains it from the open source steward. And that this is an informed, intentional action where they have the know-how to understand what they are doing (why: EU law is much more about intent than letter/loopholes).

 

In which case BigCo is not placing Tomcat on the market. And, for Tomcat, escapes the CRA.

 

There is probably going to be case law for situations where its install and configure is so much manifesting a ‘product with digital elements’ into being that that gets seen as placing it on the market.

 

I.e. where the Customer cannot reasonably be seen as the entity fetching Tomcat. 

 

I.e. there will be some legal test that "BigCo is not essential to Customer using Tomcat". And if it is - then the CRA starts to fall on BigCo.

 

3)          After installing it - BigCo operates Tomcat for Customer.


Once BigCo _operates_ Tomcat - other (delivering a service (with digital elements)) aspects start to kick in. So let’s assume it does not operate it - only does some L2 and L3 support.

And within that constraint - all this dodges the CRA if Tomcat came from an Open Source Steward.

4)          If BigCo opens bug reports against Tomcat on behalf of their customers does that change the answers to Q1 & Q2? 


My take - No - BigCo is still not placing a product with digital elements on the market.

5)          If BigCo provides patches with some of those bug reports does that change the answers to Q1 & Q2? 

 

and

 

6)          If BigCo employs one or more committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?


So the intention of the whole brouhaha & why the CRA was in earlier version so deadly was that in this case BigCo ended up on the hook for not just its own customers; but for any downstream of the Tomcat it indirectly ever contributed to. This issue / chain was broken by the open source steward concept.

So my answer here would be - no BigCo is not on the hook.

With one caveat — if it provides those patches directly (or more timely / ahead of integration by Tomcat) to the customer or is essentially marketing these by itself. E.g. an early access programme, etc.

As then it starts to place (part of) a product with digital elements on the market. And thus is on the hook.

There are quite a few companies doing that sort of preferential / paying-customers-first / freeloaders later thing.

 

6-variant)        If BigCo employs one or more committers of the Tomcat project and INSTRUCTS them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?

 

Not sure here (at the ASF - we have no relations with companies and everyone is volunteering on a personal basis). Would love to hear people's thoughts.

 

7) If BigCo employs a lot of the committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?


So if we assume that the Open Source Steward of Tomcat has solid governance & can demonstrate that it has processes in place to prevent BigCo from running the show (i.e. sufficient committer diversity, not too many from one company, sensible release votes, PMC +1 votes for release must be multi-employer and all the usual good stuff, etc) - then no - not on the hook.

But the moment BigCo is trying to game the system (even if it can be shown to fail) - yes - fully on the hook.  My take is that this is intentional - and that the CRA was written with a fair bit of distrust and (over) sensitive to ‘commercial open source’ bypasses/loops. And even more distrust of BigCo.

So BigCo better be at legal/etc arm's length from the open source foundations too. I.e. there is some sort of governance expectation that ensures that BigCo's money cannot meaningfully influence what developers do or work on at that open source steward.

8) If BigCo employs ALL of the committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?

 

Yes - they are now under the CRA - as Tomcat clearly is no longer an open source steward - but a (joint venture / extension of a commercial activity).

 

7) If BigCo produces "BigCo Web Server for Java that is based on Apache Tomcat" then clearly they will be subject to the CRA for that product.

 

Fully under the CRA.

 

Would love to hear where this goes wrong / your reasoning / my mistakes !

 

With kind regards,

 

Dw.

