In this thirteenth article in our series on "Big Data & Issues & Opportunities", we offer a brief overview of what can be defined as a data sharing agreement, the rules that may apply to these agreements arising both from the law and from contractual obligations established by the parties, and of the guidance issued by the European Commission in this respect. This article also provides a critical analysis of the common practice of using data sharing agreements to govern the access to and/or exchange of data between stakeholders in a big data analytics lifecycle.
It follows from our previous articles in this article series that there is a multitude of actors on the market actively reaping the benefits of the data economy. The relationship between these actors is at the heart of the data value cycle. It is however also apparent from the previous articles that the legal framework is unfortunately not satisfactory at this stage. In fact, it is clear that one of the factors limiting the availability, use, and exchange of data in commercial settings is the legal regime – or lack thereof – in place.
As things stand, the various commercial entities exchanging data in the context of the (big) data value cycle do so mainly on the basis of contractual agreements (i.e. data sharing agreements or "DSAs"). It is therefore necessary to carefully assess the multiplicity of (often multi-layer) agreements governing the access to and the exchange of data between the various actors, taking into consideration the type of data involved in the analytics processing.
Data sharing agreements: definition and applicable rules
A DSA can be defined as an agreement between two or more legal entities (or individuals) concerning the sharing of data or information of any kind between these legal entities (or individuals). The notion of 'data sharing agreement' is commonly used to refer to a broad typology of arrangements and documents between two or more organisations or different parts of an organisation. The present article does not intend to cover any contractual relationships with natural persons in their capacity as consumers or data subjects.
Depending on the specific needs of the parties, the sharing of data may take different forms, such as for instance reciprocal exchange of data, one or more organisations providing data to one or more third parties, several organisations pooling information and making it available to each other or to third parties, one-off disclosures of data in unexpected or emergency situations, different parts of the same organisation making data available to each other, etc.
Finally, the types of data shared may be of a different nature, such as for instance data about identified or identifiable natural persons ("personal data" – see also our second article on Privacy and Data Protection), data protected by intellectual property rights or another kind of property-like right, data considered confidential (including trade secrets and know-how), financial data, etc.
The parties to a DSA are bound to comply with obligations at two levels:
- Mandatory rules arising from the applicable law(s); and
- Contractual terms and conditions specifically set forth and agreed upon by the parties.
The DSA shall first of all be in line and comply with the applicable (national) laws and regulations concerning the formation and execution of an agreement, notably relating to the activity of data sharing. Most of such rules derive from the contract law applicable to the DSA.
Such rules may concern, among others:
- Formal requirements (when applicable): e.g. the applicable law may require that certain types of DSAs – for instance the data processing agreement to be executed between a data controller and a data processor – are executed in writing; or the choice of the law applicable to the contract is valid and enforceable only if agreed in writing between the parties.
- Formation of the contract: these rules are relevant to assess whether a DSA and its obligations are enforceable between the parties.
- Termination: the right of the parties to terminate the agreement.
- Liability: in case of breach of any contractual obligation, such as when one of the parties discloses the data received from the other party to another party not authorised to receive the data.
- Capacity of signatories: the legal capacity of the persons undersigning the agreement to act on behalf of an organisation (e.g. if a person who signs a DSA does not have the capacity or authority to sign it, the DSA will be ineffective).
- Assignment: the right of the parties to assign the DSA, or part of the rights and/or obligations under the DSA, to a third party (e.g. in most circumstances, and jurisdictions, the assignment or transfer of an agreement, especially if it is a DSA, requires the consent of the other party).
In addition to compliance with the possible restrictions laid down by the applicable legislation and/or regulations on the sharing of data in general, parties shall bear in mind when drafting the DSA that the sharing of the data under the agreed terms and conditions may need to comply with all specific rules that the applicable legislation may have set for a particular type of data or information, such as for instance financial data or health data.
Finally, within the limits identified above, the parties to a DSA are free to agree on additional terms and conditions applicable to their sharing of data. For instance, the parties may agree on details related to specific obligations connected to the sharing of data, time of disclosure, warranties (or lack of warranties) on the accuracy and completeness of data, obligations of the receiving party to manage the data according to specific rules and to apply certain security measures to protect the data, the right of, or prohibition on, the receiving party to transfer onward/disclose the data to a third party, ownership of the data and intellectual property rights, payment of any consideration for the sharing of data, confidentiality obligations, audit of the receiving party by the disclosing party or by the authorities, warranties on the power to disclose and receive data, duration of the agreement, governing law, and competent court.
Guidance from the European Commission
Following a broad stakeholder consultation and dialogue, the European Commission recently deemed it inappropriate to take horizontal legislative action with respect to private sector data sharing. Companies had urged the Commission to be prudent when considering taking action in order to make more data available for re-use. It was argued that data value chains and data-based business models are extremely diverse and that a one-size-fits-all solution would most likely prove inadequate. Instead, companies expressed their preference for agreements as the way to address most concerns. On the basis that "contracts build on trust", trust was considered an essential prerequisite for all private sector data sharing.
The European Commission then issued guidance on 'Sharing private sector data in the European data economy'. This was aimed at providing a practical toolbox for both data-holding and data-using businesses across industries regarding the legal, business, and technical aspects of data sharing. The guidance addresses data sharing among private companies (i.e. business-to-business or "B2B"), as well as the provision of data from a private company to the public sector (i.e. business-to-government or "B2G"). Taking account of the fact that data sharing usually takes place on the basis of an agreement, the Commission establishes five principles to govern B2B data sharing agreements and six principles to govern B2G data sharing agreements. These will be briefly addressed below.
Illustration in the transport sector: On 19 October 2018, the European Commission published its Roadmap on Cooperative, Connected and Automated Mobility (CCAM) in light of its aim to publish a Recommendation on this subject during the first quarter of 2019. In addition, a Public Consultation was kicked off on 24 October 2018. One of the issues to be addressed by the Recommendation is access to in-vehicle data. The Commission indeed deems the centralisation of in-vehicle data (as it is currently practiced by some market players) insufficient to ensure fair and undistorted competition between service providers. The Commission Recommendation therefore aims to provide further guidance on a governance framework for access to and sharing of data generated by connected vehicles. The Roadmap and the Public Consultation were open for feedback on the Better Regulation platform until 16 November 2018 and 4 December 2018 respectively. Any feedback will be taken into account for further development of the initiative.
B2B data sharing agreements
On a preliminary note, the Commission identifies five principles which should govern private data sharing in order to ensure "fair markets for IoT objects and for products and services relying on data created by such objects". These principles are displayed in the table below:
The guidance then goes on to discuss some of the legal aspects related to B2B data sharing through DSAs (i.e. data usage or licensing agreements). It recognises that data monetisation agreements are not necessarily bilateral and may be concluded between multiple parties. Emphasis is also put on the fact that these contracts do not exist in a legal vacuum and attention should therefore be given to ensure compliance with existing legislation, particularly legislation that would prevent data sharing or make it subject to specific conditions. This includes for instance the GDPR whenever personal data are involved, but may also cover sector-specific obligations. The Commission also voices its plans to collect best practices, existing model contract terms and checklists through a Support Centre for data sharing which is expected to become operational in the course of 2019.
The section on DSAs also contains a list of considerations to help companies in the preparation and/or negotiation of data sharing agreements. It covers topics such as what data should be made available, who can access and (re-)use that data, what can that (re-)user do with the data, the definition of technical means of data access and/or exchange, what data should be protected and how, liability questions and audit rights for both parties. We briefly address the most important considerations below.
Companies are advised to describe the data in the most concrete and precise manner possible. This ideally includes the levels of updates to be expected in the future. Another important question concerns the quality of the data. The Commission states that good quality data is accurate, reliable and where necessary up-to-date and that a dataset ideally does not have missing, duplicate or unstructured data. It should in any case be ensured that the rights of third parties are respected, including intellectual and industrial property rights.
The contract should determine in a clear and transparent manner who has a right to access, a right to (re-)use, and a right to distribute the data. According to the Commission, rights to access and re-use do not need to be unlimited and may be subject to conditions, which should be clearly defined in the DSA. The contract may limit e.g. the right to access to members of a certain group, or affiliates of a certain company, or limit the right to re-use to certain specific purposes. Companies should moreover consider if and how data may be licensed for re-use and include the necessary specifications in this regard. Sub-licensing may also be considered in the sense that it should either be expressly excluded, or the conditions under which it is allowed should be clearly stipulated.
The parties gaining access to the data should be as open and clear as possible about how the data will be used, including by other parties downstream. This ensures transparency and increases trust of the data supplier. The contract can address this by specifying the exact usage that can be made of the data, including rights on derivatives of such data (e.g. analytics). Non-disclosure rules regarding downstream parties and others may be helpful in this respect.
The DSA should moreover determine the technical means and modalities for data access and/or exchange. This includes among others the frequency of data access, maximum loads, IT security requirements and service levels for support.
Considerations regarding the protection of data should be made at two levels. On the one hand, a company should require appropriate measures to be put in place for protecting its data. The measures ought to apply to data sharing transactions as well as data storage, taking account of the fact that data can be subject to theft or misuse by both organised groups and individual hackers. On the other hand, organisations should consider the protection of trade secrets, sensitive commercial information, licences, patents and other intellectual property rights. Neither party should aim at retrieving sensitive information from the other side as a result of the exchange of data.
It is recommended to include liability provisions to cover situations of supply of erroneous data, disruptions in data transmission, low quality interpretative work if shared with datasets, or the destruction/loss or alteration of data (if unlawful or accidental) that may potentially cause damages. Companies are also advised to define a right for each party to perform audits regarding the respect of the mutual obligations. The duration of the contract and possibilities for termination should of course be carefully considered, as well as the applicable law and dispute settlement options.
In addition to the legal (contractual) aspects, the Commission considers the technical aspects of B2B data sharing in its guidance. It notably distinguishes three types of technical data sharing mechanisms: (i) one-to-many via unilateral mechanisms, such as an application programming interface (API) or an industrial data platform; (ii) data monetisation via a many-to-many data marketplace; and (iii) data sharing via a technical enabler.
The Commission also identifies six principles to govern data sharing by private companies with public sector bodies (B2G data sharing), under preferential conditions for re-use. Said principles are listed in the table below.
Similarly to the part on B2B data sharing, the guidance then lists a number of considerations to help public bodies and private companies in the preparation and/or negotiation of DSAs. These will not be examined in detail in this article but include topics such as (i) identification of a public interest purpose and of the private data concerned; (ii) identification of internal challenges and constraints related to the sharing of data; (iii) definition of technical means and modalities of data access and/or exchange; (iv) conditions for implementation; (v) common guiding principles for monitoring implementation of the contract; (vi) liability concerns; and (vii) dissemination by the public body of the results and/or insights of the collaboration without compromising the confidentiality of the data involved.
The Commission also outlines the following technical means to achieve B2G data sharing: (i) data platforms; (ii) algorithm-to-the-data; and (iii) privacy-preserving computation.
Data sharing agreements: a critical analysis
As already mentioned in other articles in this article series, big data analytics involves a multitude of complex data flows, data sources, algorithms, analyses, etc. Also, it entails the participation of many different actors and many different activities that can be performed on the data. To this end, access to and/or exchange of data must be enabled and facilitated. It is apparent from our research that, at least from a legal perspective, this can currently only be achieved through the conclusion of data sharing agreements. In view of the aforementioned complexity and multitude of actors, data sources, data flows, algorithms, etc., an intricate chain of data sharing agreements should be put in place in order for the big data analytics to (legally) function in practice.
However, the authors of this article are reluctant to settle for data sharing agreements as the one and final solution forevermore, given the inherent limitations of agreements in a big data context. Some of these limitations are briefly discussed below.
First, contractual agreements in principle only generate rights and obligations for the parties to such agreements. They can therefore not be enforced vis-à-vis third parties. In practice, this would entail that there is no recourse available against third parties that obtain unjustified access to and/or misuse the data.
Second, contractual agreements require a clear and precise definition of the concepts they intend to regulate. It proves however extremely difficult to clearly define the concept of "data" as no strict legal definition of this concept exists. In practice, this leads to a myriad of possible interpretations of "data" in different agreements without any harmonised view on the legal meaning of "data". In the same vein, similar difficulties arise when stakeholders active in the big data analytics lifecycle attempt to contractualise data ownership through the terms of the DSA, given that the concept of "data ownership" is not legally defined. Such stakeholders can therefore try to define the concepts of "data" and "ownership" as broadly as possible, thereby creating a far-reaching entitlement to any element included in the big data analytics process, which would practically impede the implementation of the big data analytics as a whole.
Third, aside from a broad definition of "data ownership", the specific terms of a data sharing agreement covering the permitted actions to be performed on or with the data may be phrased in a highly restrictive manner, thereby prohibiting actions such as reverse engineering, merging, enriching, sharing, decompiling, translating, adapting, arranging, preparing, structuring, cleansing, altering, displaying, reproducing, visualising, communicating, loading, running, transmitting, storing, observing, studying, testing, etc. In essence, this would render the whole data sharing exercise, and therefore the big data analytics, unworkable as the recipient(s) would be unable to do anything with the data.
Fourth, any restrictions on the downstream use of the data (such as those that may be imposed by a holder of intellectual property rights) and any warranties regarding the upstream source of the data (such as personal data collected directly from the data subject with the latter's consent) should be covered by complex back-to-back warranty clauses in the multiple data sharing agreements in order to ensure the proper legal functioning of the big data analytics. In the absence of such clauses, the further use of data may be prohibited or restricted, which would allow blocking the whole big data analytics chain.
This article examined the common practice of using contracts, i.e. data sharing agreements, to govern the access to and/or exchange of data between stakeholders in a big data analytics lifecycle.
It is unclear, however, whether such practice enables covering all possible situations with the necessary and satisfactory legal certainty. Indeed, data sharing agreements entail numerous limitations in the absence of a comprehensive legal framework regulating numerous rights (e.g. ownership, access or exploitation rights) attached to data, the way in which such rights can be exercised, and by whom.
Against a background where the EU strives towards a data-driven environment in which both citizens and companies can reap the benefits of novel data technologies, but also against a background where the current legal framework does not sufficiently tackle all the issues related to data and where actors involved in the data value chain have no certainty as to the ownership of the data they have gathered, created, analysed, enriched or otherwise processed, a more solid and legally secure solution would be desirable.
Our next article will address liability in the context of big data, with illustrations drawn from the transport sector.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.