The European Commission’s January 2017 Communication on Building a European Data Economy (‘Communication’) proposes a principle of free movement of data within the EU. Whilst the coming into force of the General Data Protection Regulation (‘GDPR’) on 25 May 2018 significantly changes and tightens the rules relating to the collection and use of personal data in Europe, those changes need to be read alongside the Communication (and the accompanying staff working paper) to fully understand the regulatory environment for data in Europe. The Communication examines actual or potential blockages to the free movement of data and presents options to remove unjustified and/or disproportionate data location restrictions in the EU. It also considers the barriers around access to and transfer of non-personal machine-generated data, data liability, as well as issues related to the portability of non-personal data, interoperability and standards.
Principle of free movement of data in EU
Europe’s Single Market is commonly understood to rest on four fundamental freedoms: freedom for people, services, goods and capital to move within the EU. In its Communication, the Commission says:
“any Member State action affecting data storage or processing should be guided by a ‘principle of free movement of data within the EU’, as a corollary of their obligations under the free movement of services and the free establishment provisions of the Treaty and relevant secondary legislation. Any current or new data location restrictions would need to be carefully justified under the Treaty and relevant secondary law to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security”
The Commission explains that any data location restrictions within the EU need to be justified to be lawful. To progress this issue, the Commission has entered into dialogue with Member States and others on the justifications for and proportionality of data location measures. Following these consultations and further information gathering, the Commission will consider what further action needs to be taken, which may include infringement proceedings and other initiatives to ensure the free movement of data within the EU.
Improving IoT data access and transfer
Whilst respecting the protections for personal data under GDPR, the Communication sets out the Commission’s objective and actions to improve data access and transfer, especially for Internet of Things (IoT) machine-generated data. As a result of the GDPR requirement for privacy ‘by design’ and ‘by default’, the Commission envisages that much personal data will become non-personal through anonymisation. However, from an economic perspective, machine-generated data is not currently protected by the existing European Database Right, which leads to a lack of legal clarity on the terms for economic exploitation and tradability. In turn, this may inhibit companies from trading or otherwise making available non-personal datasets held by them.
The Commission proposes that the future EU framework should achieve the following objectives:
- Improve access to anonymous machine-generated data: Through sharing, reuse and aggregation, machine-generated data becomes a source of value creation, innovation and diversity of business models.
- Facilitate and incentivise the sharing of such data: Any future solution should foster effective access to data, taking into account, for example, possible differences in bargaining power between market players.
- Protect investments and assets: Any future solution should also take into account the legitimate interests of market players that invest in product development, ensure a fair return on their investments and thereby contribute to innovation. At the same time, any future solution should ensure a fair sharing of benefits between data holders, processors and application providers within value chains.
- Avoid disclosure of confidential data: Any future solution should mitigate the risks of disclosing confidential data, in particular to existing or potential competitors. In this regard it should also allow for proper data classification to be performed, prior to the assessment of whether or not a certain piece of data can be shared.
- Minimise lock-in effects: The unequal bargaining power of companies and private individuals should be taken into account. Lock-in situations, especially for SMEs and startups and private individuals, should be avoided.
The Commission proposes potential action in a number of areas:
- Guidance on incentivising businesses to share data: To mitigate the effects of divergent national regulations and provide increased legal certainty for companies, the Commission could issue guidance on how non-personal data control rights should be addressed in contracts.
- Fostering the development of technical solutions for reliable identification and exchange of data: Traceability and clear identification of data sources are a precondition for real control of data in the market. The definition of reliable and possibly standardised protocols for persistent identification of data sources can be necessary to create trust in the system. Application Programming Interfaces (APIs) can also foster the creation of an ecosystem of application and algorithm developers interested in the data held by companies. APIs can help firms and public authorities to identify, and profit from, different types of re-uses of the data they hold. On this basis, broader use of open, standardised and well-documented APIs could be considered, through technical guidance, including identification and spreading of best practice for companies and public sector bodies. This could include making data available in machine-readable formats and the provision of associated meta-data.
- Default contract rules: Default rules could describe a benchmark balanced solution for contracts relating to data, taking due account also of the ongoing Fitness Check on the overall functioning of the Unfair Contract Terms Directive. They could be coupled with introducing an unfairness control in B2B contractual relationships which would result in invalidating contractual clauses that deviate excessively from the default rules. They could also be complemented by a set of recommended standard contract terms designed by stakeholders. This approach could lower legal barriers for small businesses and reduce the imbalance in bargaining positions, while still allowing a large degree of contractual freedom.
- Access for public interest and scientific purposes: Public authorities could be granted access to data where this would be in the “general interest” and would considerably improve the functioning of the public sector, for example, access for statistical offices to business data, or the optimisation of traffic management systems on the basis of real-time data from private vehicles. Access to business data by statistical authorities would typically contribute to alleviating the statistical reporting burden on economic operators. Similarly, access to and the ability to combine data from different sources is critical for scientific research in fields such as medical, social and environmental sciences.
- Data producer’s right: A right to use and authorise the use of non-personal data could be granted to the “data producer”, i.e. the owner or long-term user (i.e. the lessee) of the device. This approach would aim at clarifying the legal situation and giving more choice to the data producer, by opening up the possibility for users to utilise their data and thereby contribute to unlocking machine-generated data. However, the relevant exceptions would need to be clearly specified, in particular the provision of non-exclusive access to the data by the manufacturer or by public authorities, for example for traffic management or environmental reasons. Where personal data are concerned, the individual will retain his right to withdraw his consent at any time after authorising the use. Personal data would need to be rendered anonymous in such a manner that the individual is not or no longer identifiable, before its further use may be authorised by the other party.
- Access for fair remuneration: A framework potentially based on certain key principles, such as fair, reasonable and non-discriminatory (FRAND) terms, could be developed for data holders, such as manufacturers, service providers or other parties, to provide access to the data they hold for remuneration after anonymisation. Relevant legitimate interests, as well as the need to protect trade secrets, would need to be taken into account. The consideration of different access regimes for different sectors and/or business models could also be considered in order to take into account industry differences.
The Commission will undertake both general and sector-specific discussions with stakeholders to discuss how to best take these issues forward.
Clarifying liability rules
The Communication identifies ambiguity in the current rules on liability in the data economy in relation to products and services based on emerging technologies such as the Internet of Things (IoT), the factories of the future and autonomous connected systems. Whilst noting that IoT is a rapidly growing network of everyday objects (such as watches, vehicles, and thermostats) which are connected to the Internet, that autonomous connected systems (such as self-driving vehicles) act independently of humans and are capable of understanding and interpreting their environments, and that each is likely to contribute to more safety and quality of life, the Commission highlights that:
“inevitably there remains the possibility of design errors, malfunctioning or manipulation in every device. This could result from the transmission of erroneous data by a sensor, due to, for instance, software defects, connectivity problems or incorrect operation of the machine. The nature of these systems means that it may be difficult to establish the exact source of a problem that leads to damages, raising the issue of how to ensure that these systems are safe for the users, in order to minimise the occurrence of damage and who should be held liable for damage if it occurs.”
The Communication highlights that the issue of how to provide certainty to both users and manufacturers of such devices in relation to their potential liability is therefore of central importance to the emergence of a data economy. The Commission therefore will consult stakeholders on the adequacy of current EU rules on liability in the context of IoT and autonomous connected systems, as well as on possible approaches to overcome the current difficulties in assigning liability. A parallel public consultation on the overall evaluation of the application of the Products Liability Directive is also being conducted. The Commission will assess the results and consider options for future action, which in addition to the status quo may include:
- Risk-generating or risk-management approaches: Under these approaches liability could be assigned to the market players generating a major risk for others or to those market players which are best placed to minimise or avoid the realisation of such risk.
- Voluntary or mandatory insurance schemes: Such schemes could be coupled with the above liability approaches. They would compensate the parties who suffered the damage (e.g. the consumer). This approach would need to provide legal protection to investments made by business while reassuring victims regarding fair compensation or appropriate insurance in case of damage.
Portability, interoperability and standards
Finally, the Commission identifies further barriers to the data economy: non-portability of personal data and a lack of system interoperability in part stemming from a lack of appropriate standards. The Commission is therefore also consulting on:
- Developing recommended contract terms to facilitate switching of service providers: As data portability and switching of data service providers are mutually dependent, the development of standard contract terms requiring the service provider to implement the portability of a customer’s data could be examined.
- Developing further rights to data portability: Building on the data portability right provided by the GDPR and on the proposed rules on contracts for the supply of digital content, further rights to portability of non-personal data could be introduced, in particular to cover B2B contexts, whilst taking due account of the outcome of the ongoing Fitness Check on key pieces of EU marketing and consumer law.
- Sector-specific experiments on standards: To develop a robust approach to portability rules encoded through standards, sector-specific experimental approaches could be launched. These would typically involve a multi-stakeholder collaboration including standard setters, industry, the technical community, and public authorities.
Status of consultation and information gathering
The Commission has published a high-level summary of responses from its initial consultation, and is now in the process of carrying out a series of workshops. The Commission plans to publish a full synopsis report in July 2017, and we will report back once that has been published.
Amongst all the noise surrounding GDPR implementation, the measures being considered in Europe to stimulate the data economy are often overlooked. Of course, the real question is whether these issues are better addressed by the market bottom-up or by top-down regulatory action. Whilst Europe would perhaps cite GSM as an example of a global technology that needed top-down regulation, the US would counter with the internet as an example of bottom-up innovation in a free market. Only time will tell, but for now the US and EU are proceeding on very different regulatory paths.