European Union: European Data Economy: The Free Movement Of Data Principle And Other Tall Tales…

The European Commission's January 2017 Communication on Building an European Data Economy ('Communication') proposes a principle of free movement of data within the EU. Whilst the coming into force of the General Data Protection Regulation ('GDPR') on 25 May 2018, significantly changes and tightens the rules relating to the collection and use of personal data in Europe, those changes need to be read alongside the Communication (and the accompanying staff working paper) to fully understand the regulatory environment for data in Europe. The Communication examines actual or potential blockages to the free movement of data and presents options to remove unjustified and or disproportionate data location restrictions in the EU. It also considers the barriers around access to and transfer of non-personal machine-generated data, data liability, as well as issues related to the portability of non-personal data, interoperability and standards.

Principle of free movement of data in EU

Europe's Single Market is commonly understood to rest on four fundamental freedoms: freedom for people, services, goods and capital to move within the EU. In its Communication, the Commission says:

any Member State action affecting data storage or processing should be guided by a 'principle of free movement of data within the EU', as a corollary of their obligations under the free movement of services and the free establishment provisions of the Treaty and relevant secondary legislation. Any current or new data location restrictions would need to be carefully justified under the Treaty and relevant secondary law to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security"

The Commission explains that any data location restrictions within the EU need to be justified to be lawful. To progress this issue the Commission has entered into dialogue with Member States and other on the justifications for and proportionality of data location measures. Following these consultations and further information gathering, the Commission will consider what further action needs to be taken which may include infringement proceeding and other initiatives to ensure the free movement of data within the EU.

Improving IoT data access and transfer

Whilst respecting the protections for personal data under GDPR, the Communication sets out the Commission's objective and actions to improve data access and transfer, especially for Internet of Things (IoT) machine generated data. As a result of the GDPR requirement for privacy 'by design' and 'by default', the Commission envisages that much personal data will become non–personal through anonymisation. However, from an economic perspective, machine generated data is not currently protected by the existing European Database Right, which leads to a lack of legal clarity on the terms for economic exploitation and tradability. In turn, this may inhibit companies from trading or otherwise making available non-personal datasets held by them.

The Commission proposes that the future EU framework should achieve the following objectives:

  • Improve access to anonymous machine-generated data: Through sharing, reuse and aggregation, machine-generated data becomes a source of value creation, innovation and diversity of business models.
  • Facilitate and incentivise the sharing of such data: Any future solution should foster effective access to data, taking into account, for example, possible differences in bargaining power between market players.
  • Protect investments and assets: Any future solution should also take into account the legitimate interests of market players that invest in product development, ensure a fair return on their investments and thereby contribute to innovation. At the same time, any future solution should ensure a fair sharing of benefits between data holders, processors and application providers within value chains.
  • Avoid disclosure of confidential data: Any future solution should mitigate the risks of disclosing confidential data, in particular to existing or potential competitors. In this regard it should also allow for proper data classification to be performed, prior to the assessment of whether or not a certain piece of data can be shared.
  • Minimise lock-in effects: The unequal bargaining power of companies and private individuals should be taken into account. Lock-in situations, especially for SMEs and startups and private individuals, should be avoided.

The Commission proposes potential action in a number of areas:

  • Guidance on incentivising businesses to share data: To mitigate the effects of divergent national regulations and provide increased legal certainty for companies, the Commission could issue guidance on how non-personal data control rights should be addressed in contracts.
  • Fostering the development of technical solutions for reliable identification and exchange of data: Traceability and clear identification of data sources are a precondition for real control of data in the market. The definition of reliable and possibly standardised protocols for persistent identification of data sources can be necessary to create trust in the system. Application Programming Interfaces (APIs) can also foster the creation of an ecosystem of application and algorithm developers interested in the data held by companies. APIs can help firms and public authorities to identify, and profit from, different types of re-uses of the data they hold. On this basis, broader use of open, standardised and well-documented APIs could be considered, through technical guidance, including identification and spreading of best practice for companies and public sector bodies. This could include making data available in machine-readable formats and the provision of associated meta-data.
  • Default contract rules: Default rules could describe a benchmark balanced solution for contracts relating to data, taking due account also of the ongoing Fitness Check on the overall functioning of the Unfair Contract Terms Directive. They could be coupled with introducing an unfairness control in B2B contractual relationships which would result in invalidating contractual clauses that deviate excessively from the default rules. They could also be complemented by a set of recommended standard contract terms designed by stakeholders. This approach could lower legal barriers for small businesses and reduce the imbalance in bargaining positions, while still allowing a large degree of contractual freedom.
  • Access for public interest and scientific purposes: Public authorities could be granted access to data where this would be in the "general interest" and would considerably improve the functioning of the public sector, for example, access for statistical offices to business data, or the optimisation of traffic management systems on the basis of real-time data from private vehicles. Access to business data by statistical authorities would typically contribute to alleviating the statistical reporting burden on economic operators. Similarly, access to and the ability to combine data from different sources is critical for scientific research in fields such as medical, social and environmental sciences.
  • Data producer's right: A right to use and authorise the use of non-personal data could be granted to the "data producer", i.e. the owner or long-term user (i.e. the lessee) of the device. This approach would aim at clarifying the legal situation and giving more choice to the data producer, by opening up the possibility for users to utilise their data and thereby contribute to unlocking machine-generated data. However, the relevant exceptions would need to be clearly specified, in particular the provision of non-exclusive access to the data by the manufacturer or by public authorities, for example for traffic management or environmental reasons. Where personal data are concerned, the individual will retain his right to withdraw his consent at any time after authorising the use. Personal data would need to be rendered anonymous in such a manner that the individual is not or no longer identifiable, before its further use may be authorised by the other party.
  • Access for fair remuneration: A framework potentially based on certain key principles, such as fair, reasonable and non-discriminatory (FRAND) terms, could be developed for data holders, such as manufacturers, service providers or other parties, to provide access to the data they hold for remuneration after anonymisation. Relevant legitimate interests, as well as the need to protect trade secrets, would need to be taken into account. The consideration of different access regimes for different sectors and/or business models could also be considered in order to take into account industry differences.

The Commission will undertake both general and sector-specific discussions with stakeholders to discuss how to best take these issues forward.

Clarifying liability rules

The Communication identifies ambiguity in the current rules on liability in the data economy in relation to products and services based on emerging technologies such as the Internet of Things (IoT), the factories of the future and autonomous connected systems. Whilst noting that IoT is a rapidly growing network of everyday objects, such as watches, vehicles, and thermostats, which are connected to the Internet and that autonomous connected systems, such as self-driving vehicles, act independently of humans and are capable of understanding and interpreting their environments and that each is likely to contribute to more safety and quality of life, the Commission highlights that:

inevitably there remains the possibility of design errors, malfunctioning or manipulation in every device. This could result from the transmission of erroneous data by a sensor, due to, for instance, software defects, connectivity problems or incorrect operation of the machine. The nature of these systems means that it may be difficult to establish the exact source of a problem that leads to damages, raising the issue of how to ensure that these systems are safe for the users, in order to minimise the occurrence of damage and who should be held liable for damage if it occurs."

The Communication highlights that the issue of how to provide certainty to both users and manufacturers of such devices in relation to their potential liability is therefore of central importance to the emergence of a data economy. The Commission therefore will consult stakeholders on the adequacy of current EU rules on liability in the context of IoT and autonomous connected systems, as well as on possible approaches to overcome the current difficulties in assigning liability. A parallel public consultation on the overall evaluation of the application of the Products Liability Directive is also being conducted. The Commission will assess the results and consider options for future action, which in addition to the status quo may include:

  • Risk-generating or risk-management approaches: Under these approaches liability could be assigned to the market players generating a major risk for others or to those market players which are best placed to minimise or avoid the realisation of such risk.
  • Voluntary or mandatory insurance schemes: Such schemes could be coupled with the above liability approaches. They would compensate the parties who suffered the damage (e.g. the consumer). This approach would need to provide legal protection to investments made by business while reassuring victims regarding fair compensation or appropriate insurance in case of damage.

Portability, interoperability and standards

Finally, the Commission identifies further barriers to the data economy: non-portability of personal data and a lack of system interoperability in part stemming from a lack of appropriate standards. The Commission is therefore also consulting on:

  • Developing recommended contract terms to facilitate switching of service providers: As data portability and switching of data service providers are mutually dependent, the development of standard contract terms requiring the service provider to implement the portability of a customer's data could be examined.
  • Developing further rights to data portability: Building on the data portability right provided by the GDPR and on the proposed rules on contract for the supply of digital content, further rights to portability of non-personal data could be introduced, in particular to cover B2B contexts, whilst taking due account of the outcome of the ongoing Fitness Check on key pieces of EU marketing and consumer law.
  • Sector-specific experiments on standards: To develop a robust approach to portability rules encoded through standards, sector-specific experimental approaches could be launched. These would typically involve a multi-stakeholder collaboration including standard setters, industry, the technical community, and public authorities.

Status of consultation and information gathering

The Commission has published a high-level summary of responses from its initial consultation, and is now in the process of carrying out a series of workshops. The Commission plans to publish a full synopsis report in July 2017, and we will report back once that has been published.

Conclusion

Amongst all the noise surrounding GDPR implementation, the measures being considered in Europe to stimulate the data economy are often overlooked. Of course, the real question is whether these issues are better addressed by the market bottom-up or by top-down regulatory action. Whilst Europe would perhaps cite GSM as an example of a global technology that needed top-down regulation, the US would counter with the internet bottom-up innovation in a free-market. Only time will tell, but for now the US and EU are proceeding on very different regulatory paths.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.