The sentence says you can fall under more onerous terms if the project is “organized,” whatever that means, and even under the loosest terms you are required to report security issues to an outside organization. So there is liability if you don’t. And virtually any project has arguable security issues.
CYA & report all issues to said outside organization? Any bug where a feature doesn't work is a denial of service on that feature, and therefore a security issue. Lack of accessibility features is a DoS against people who need those features and thus a security issue, and so adding screenreader support is a security fix. Etc, etc.
If people knew about all the vulns in their software the vulns wouldn’t exist. You can’t disclose if you don’t know. And establishing when you “should” know or what counts as an actionable report will require basically a lawyer to untangle. CYA = hire a lawyer for your open source code. No thanks I think I’ll keep it on my drive and off GitHub.
sure, I have no control if the software is monetized or not. And this is still a fundamental change in how open source works. A name behind every line of code.
The one selling it is the one that has the obligations. If a company grabs open-source code from you and sells it (e.g. as part of a bigger product) to someone else, they have to assume liability towards their customer, you don't have to be involved at all if you don't want to. That's the good thing about the carve-outs established, it's not your problem if you are just publishing your code for fun, the ball is entirely in the court of people that want to profit from it.
If you allow yourself to make money from the code, you're accepting liability for it. If you choose not to accept money in exchange for it, you don't have to accept liability.
This seems fair to me - the law doesn't let you both "sell" it (however low the minimum price is) and refuse to give any rights to the people who gave you money.
The big problem is reward risk. Risk is 15,000,000 euros. Reward is peanuts.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
The GDPR carries a fine risk of up to 20 million, but usually the fines are a few hundred/thousand euros depending on the entity. Think "300 euro fine to a driving school" rather than "300 million euro fine to Google".
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
It would be foolish to ignore the risk, however, especially if you work on something potentially controversial, such as encryption, privacy tools, or any software that may have uses that the EU frowns upon. I strongly suspect that this will eventually be used as a cudgel against disfavored projects/devs to compel project changes or even kill the project outright (or force it to move overseas).
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.
Greg K-H's explanation (as paraphrased by the journalist) confirms that, for example, receiving payment for an article which is accompanied by a software example would not trigger the requirements that come with monetization. Here's the exact quote - look at the "even when" part:
"There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized."
So, maybe EU developers would have to learn the safe wording through which to solicit and accept donations, but at the very least, donations supporting their software activities in general (and not tied to a specific software program) will likely not increase CRA requirements - and maybe even voluntary donations to support development of a specific software program but which are not in any way mandatory.
Patreon/LiberaPay style individual sponsorship should be a simple path around this. If I am sponsoring an individual because I like the work they do in general, I am not contributing towards a single “project”. Especially if the dev contributes to more than one project. The wider the grey area the better.
Perhaps the future is shadowy projects led by an anonymous figure who merely merges pull requests, while named devs contribute work and receive support from their fans/supporters.
The sentence says you can fall under more onerous terms if the project is “organized,” whatever that means, and even under the loosest terms you are required to report security issues to an outside organization. So there is liability if you don’t. And virtually any project has arguable security issues.
CYA & report all issues to said outside organization? Any bug where a feature doesn't work is a denial of service on that feature, and therefore a security issue. Lack of accessibility features is a DoS against people who need those features and thus a security issue, and so adding screenreader support is a security fix. Etc, etc.
If people knew about all the vulns in their software the vulns wouldn’t exist. You can’t disclose if you don’t know. And establishing when you “should” know or what counts as an actionable report will require basically a lawyer to untangle. CYA = hire a lawyer for your open source code. No thanks I think I’ll keep it on my drive and off GitHub.
sure, I have no control if the software is monetized or not. And this is still a fundamental change in how open source works. A name behind every line of code.
The one selling it is the one that has the obligations. If a company grabs open-source code from you and sells it (e.g. as part of a bigger product) to someone else, they have to assume liability towards their customer, you don't have to be involved at all if you don't want to. That's the good thing about the carve-outs established, it's not your problem if you are just publishing your code for fun, the ball is entirely in the court of people that want to profit from it.
I understand that part. But I could read 'monetized' as a project the received a donation.
I think that's how it's intended to be read.
If you allow yourself to make money from the code, you're accepting liability for it. If you choose not to accept money in exchange for it, you don't have to accept liability.
This seems fair to me - the law doesn't let you both "sell" it (however low the minimum price is) and refuse to give any rights to the people who gave you money.
The big problem is reward risk. Risk is 15,000,000 euros. Reward is peanuts.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
The GDPR carries a fine risk of up to 20 million, but usually the fines are a few hundred/thousand euros depending on the entity. Think "300 euro fine to a driving school" rather than "300 million euro fine to Google".
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
It would be foolish to ignore the risk, however, especially if you work on something potentially controversial, such as encryption, privacy tools, or any software that may have uses that the EU frowns upon. I strongly suspect that this will eventually be used as a cudgel against disfavored projects/devs to compel project changes or even kill the project outright (or force it to move overseas).
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
This is a rather big maybe.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.
Greg K-H's explanation (as paraphrased by the journalist) confirms that, for example, receiving payment for an article which is accompanied by a software example would not trigger the requirements that come with monetization. Here's the exact quote - look at the "even when" part:
"There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized."
So, maybe EU developers would have to learn the safe wording through which to solicit and accept donations, but at the very least, donations supporting their software activities in general (and not tied to a specific software program) will likely not increase CRA requirements - and maybe even voluntary donations to support development of a specific software program but which are not in any way mandatory.
Patreon/LiberaPay style individual sponsorship should be a simple path around this. If I am sponsoring an individual because I like the work they do in general, I am not contributing towards a single “project”. Especially if the dev contributes to more than one project. The wider the grey area the better.
Perhaps the future is shadowy projects led by an anonymous figure who merely merges pull requests, while named devs contribute work and receive support from their fans/supporters.