HL Chronicle of Data Protection Privacy & Information Security News & Trends

DSM Watch: European Commission’s Data Package Explores Data Ownership, Localization, Liability and Portability, Highlighting Tensions with GDPR

On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order to facilitate data sharing and innovation.

Interface with GDPR

The Commission’s Communication on the data economy brings to light a fundamental tension between the policy on protection of personal data and the policy of developing an innovative data economy. The General Data Protection Regulation (GDPR) is built on a human rights approach, under which personal data is an extension of an individual’s right to self-determination. The data economy package is built on an economic approach, pursuant to which data is an asset that can and should be exploited and shared to maximize social welfare. The Communication suggests that the two approaches can co-exist, but it is a bit like trying to mix oil and water. The Commission suggests that anonymization is key: If the data are sufficiently anonymized, they fall outside the GDPR and can be freely shared and exploited. But if data are not sufficiently anonymized, the GDPR governs.

Putting the focus on anonymization is just pushing the problem into a different corner of the room. Under a fundamental rights approach, even a very small statistical risk that an individual may be re-identified will be considered an unacceptable risk. This could mean that data sets must be anonymized to such a high level that their economic and social value is significantly diminished. A data set that is anonymized at a level of 99.8% may be much more valuable to society than a data set that is anonymized at a level of 99.999%. It is unclear from the Commission’s Communication how this kind of trade-off will be managed.  The GDPR leaves some room for discussion, because the concept of anonymization is linked to the idea of “all the means reasonably likely to be used” to single out an individual. The terms “means reasonably likely to be used” give some flexibility to make trade-offs, but will also trigger differences in interpretation depending on whether you’re addressing the question from a fundamental rights standpoint, or from a “data as an asset” standpoint.

Data localization

One of the Commission’s main objectives is to abolish national data localization requirements. According to the Commission, the GDPR provides a harmonized level of data protection throughout the EU. Consequently, data localization requirements between different Member States of the EU cannot be justified based on the protection of personal data. There may be other narrow reasons justifying national localization, but the Commission says that such cases should be extremely rare and would have to meet a high burden of proof to be considered legal. The Commission says that data localization requirements rarely contribute to the objectives they are intended to achieve and that there is a general misconception that localized services are automatically safer than cross-border services. Localizing data comes at a cost, which the Commission has estimated at up to € 8 billion per year compared to a situation where no such localization requirements existed within the EU. Naturally, the Commission does not address the question of data localization within the EU versus outside the EU. One can imagine that national legislation that requires data localization may morph into legislation that requires data localization within the EU.

Data access and transfer

The Communication aims to strike a balance between ensuring that data which could aid innovation and market development is shared adequately and avoiding overly intrusive regulations. The Commission seems to consider that competition law rather than new regulation is the first port of call in such fast-moving markets. The Communication states that the use of the existing general contract law and competition law instruments might be a sufficient response to ensure that data which is essential to the provision of goods and services is not locked in when assimilated by a handful of big market players.

Indeed, competition law can offer a partial solution to opening up access to data. Even before the development of the term “Big Data”, competition case-law dealt with the question of whether data can be an essential facility to one’s business under certain cumulative criteria. Refusal to grant access to the data could thus be deemed anticompetitive. However, the thresholds for invoking this argument are high. They require that the data is indispensable for the downstream product, that there would not be any effective competition between the upstream and downstream product, that refusal prevents the emergence of the second product, and that there is no objective reason for the refusal. Only on rare occasions may such a claim be successful – but for owners of truly unique data this competition law doctrine becomes more relevant.

The accompanying Commission Staff Working Document alternatively refers to the possibility of developing what the OECD termed “data commons” where non-discriminatory access is granted to certain data for a wider group of market participants, similar to FRAND licensing. The Commission’s pending consultations with stakeholders in different sectors may explore in which sectors such an approach may be most appropriate.

What is certain is that as data becomes more crucial to the economy, competition law becomes more important as a means of “regulating without regulation” data-related conduct.

Data and intellectual property

Any kind of data being generated, exchanged or processed is deemed part of the European Data Economy. This also includes data forming or being part of intellectual property as well as data being subject to other statutory protection such as personal data or trade secrets.

In its Communication, the Commission emphasizes that the measures taken in the course of the building of the European Data Economy shall complement the protection data might already enjoy as an IP right, trade secret or personal data. Those rights are neither set aside nor overruled. The accompanying staff working document goes into even more detail mentioning in particular software applications and databases enjoying overriding statutory privilege.

However, the intended regulation is meant to fill gaps where no IP right provides protection. In this context, special focus is placed on machine-generated and industrial data, where data producers may have “de facto” ownership even in the absence of an intellectual property right. Such data does not qualify for copyright protection because it lacks the element of being the result of a human intellectual effort. Equally, there is currently no clear answer as to who may claim any kind of “ownership” of such data. As a consequence, legal uncertainty remains, particularly where contractual provisions for the allocation of rights are missing.

It is in this scenario that the Commission wishes to introduce structures and standards allowing for free flow, access and transfer of data within the Digital Single Market. These can be understood as the yet missing piece in the context of the ever-increasing digitisation of the European economy.

Data liability

The Communication points out that the issue of providing certainty in relation to potential liability issues is “of central importance to the emergence of the data economy”. This is because, whilst it’s recognized that the innovations are “likely to contribute to more safety and quality of life”, there may be new issues raised by the interactivity of the technology that give rise to uncertainty when it comes to responsibility for compliance, and for liability in the event of something going wrong.

In the Communication, the Commission focuses on the liability aspects, pointing to the distinction between contractual liability, and “extra contractual” liability, with specific reference to the EU Product Liability Directive (85/374/CEE). It is suggested that uncertainty might arise due to the characteristics of the systems (specifically in relation to interdependencies), the “legal nature” of IoT products (for example whether they are “products” or “services”), and the autonomous nature of the technologies.

The development of policy in this area needs to find the right balance. Whilst uncertainty itself can stifle innovation and erode confidence of the market in adopting new technologies, the costs will be even greater if liability rules are implemented that fail to strike the right balance between the need to promote good innovation, and the need to adequately protect those who might be damaged if the technology does not operate as expected.

Rather than suggesting a specific way forward, the Communication simply identifies at a high level some broad approaches for dealing with any uncertainties. These are:

  1. Maintain the status quo, potentially supported by European Commission guidance;
  2. Create rules that assign liability based on those who are best placed to avoid the risks created by the technologies;
  3. Establish voluntary or mandatory insurance schemes to ensure injured parties (particularly consumers) are compensated if they suffer damage.

It is noted, importantly, that the Commission has launched a broad evaluation of the Product Liability Directive, with specific reference to its appropriateness to deal with issues raised by emerging technologies such as IoT and autonomous connected systems. Alongside this, the Communication indicates that the Commission will consult with stakeholders on the adequacy of current liability rules in the contexts of IoT and autonomous connected systems, and on possible approaches to deal with any difficulties that arise.

Interestingly, the Communication does not address in this context the parallel question of responsibilities for safety compliance of IoT technologies, which is particularly relevant to the question of liability, especially within the European regulatory environment. The determination of which parties are responsible for ensuring the safety compliance of IoT technologies when placed into service, and the extent to which that responsibility extends to the ongoing performance of that technology, will become an increasingly challenging issue for policy-makers. The way in which those issues are resolved will itself have a significant influence on how questions of liability for damage are to be dealt with in the EU.

The good news is that it is clear from the Communication that the Commission is not rushing to confirm what is the right policy response to these complex questions. The Commission is right in identifying that the resolution of uncertainty is “of central importance” to the development of the technology.  However, it is even more important that policy-makers avoid the development of liability rules that have a direct adverse and unwarranted effect on innovation, or a detrimental impact on the confidence of the market generally in these technologies.

This is an area for companies to carefully monitor, and to contribute to the discussion. As the relevant Commission agencies consult on these issues, companies innovating in this area need to understand the issues, and participate in the discussion, so that the policy outcomes are fit for purpose and provide the right level of support for dynamic and stable markets in Europe moving forward.

Data portability

The Commission highlights an ambiguity in the data portability article of the GDPR. Data portability under the GDPR relates to personal data that the data subject has “provided” to the controller. The ambiguity relates to what the term “provided by the data subject” means in a given situation. The position of the Article 29 Working Party is that this should also include any data that is generated by virtue of the use of the service. This would potentially cover broad ranges of raw data generated by a person’s vehicle or thermostat. The recent French law on the digital republic expressly provides for data portability for so-called usage data. The Article 29 Working Party’s broad interpretation of data portability may therefore be inspired by the new French law.

The Commission’s Communication addresses data portability from a broader economic perspective, pointing out that the absence of data portability can increase switching costs and therefore harm competition between platforms, but also pointing out that data portability could have a chilling effect on companies’ incentives to invest and innovate. The Commission also points out that data portability could be technically demanding and costly because different providers of similar services may store data differently. As a complement or substitute for data portability, the Commission recommends interoperability standards that make sharing and portability technically possible, but leaving open the question of whether portability in a given case should be imposed. Interoperability would permit data to be shared either in the context where data portability is imposed by law, or in the context where data portability is established by commercial agreement. In either case, interoperability and appropriate standards would reduce the friction for data to travel from one service provider to the other, which is what the Commission is trying to accomplish.

The GDPR is the tip of the iceberg

The Commission’s data economy package shows that the GDPR is only one element of a broader debate on how to create a regulatory framework that maximizes social welfare in the data economy. An environment with too many vertical data silos will hamper innovation and growth. Yet excessive sharing will violate personal data rights and/or the legitimate rights of certain data producers. We urge our clients to contribute to the Commission’s public consultation, either in their own name or through industry associations.

This post was originally published on Hogan Lovells’ Global Media and Communications blog.