On 10 January 2017, the EU Commission published a Communication on "Building a European Data Economy" where it notably suggests that Europe is not tapping into the potential of data for business, research and innovation purposes. Along with such Communication, the Commission published a Staff Working Document that provides additional evidence and a detailed description of the emerging issues relevant for the EU data economy, as well as a public consultation. The consultation period will run until 26 April 2017 and has the objective of collecting information on four main topics:
- Localisation of data for storage and / or processing purposes
- Access to and re-use of non-personal data
- Portability of non-personal data, interoperability and standards
The EU Commission already had the opportunity on multiple occasions of voicing the most important legal issues in a data environment. It did so in its data-driven economy Communication of July 2014, but also more recently in the context of its 2016 free flow of data initiative where it highlighted that "barriers to the free flow of data are caused by the legal uncertainty surrounding the emerging issues on 'data ownership' or control, (re)usability and access to/transfer of data and liability arising from the use of data".
In this context, Bird & Bird examined some specific legal issues in a data environment as part of its work performed in the EU-funded research and innovation big data project: TOREADOR. In particular, the research has been performed in a commercial context, relying on the concrete circumstances of the TOREADOR big data analytics project and its four use-cases. The results of our research are not only aimed at the partners of the aforementioned project, but also strive to provide additional evidence to policymakers on the emerging issues of data ownership. For the latter purpose, the results of our research are presented in a White Paper.
The White Paper provides an overview of the EU acquis in relation to data management and in particular on access to, ownership, exploitation or exchange of data. To this end, we provide a diagram with a snapshot of the current EU framework. Such mapping demonstrates the various categories of EU legislation related to data and potentially playing a role with respect to the possible "ownership" of data, but also with respect to the restrictions and requirements that may apply in relation to certain types of behaviours or certain types of data.
More specifically, our in-depth analysis has allowed concluding the following:
- There is at present no EU legislation that specifically regulates the question of ownership in data. Such absence of ownership-related legislation does however not exclude the fact that there are numerous legislations that have an impact on data or that may confer some kind of protection to certain types of data or on datasets (i.e., copyright, database rights and trade secrets).
- The case-law at EU level does not recognise explicitly an ownership right in data. However, according to some authors, the Court of Justice of the EU opened the door for a discussion on ownership in intangible assets in its UsedSoft judgment issued on 3 July 2012. Despite such ruling and the possible interpretation deriving from it, a high legal uncertainty remains.
- While it was found that at national level there are also no legislations relating to data ownership, the existing case-law in some Member States addresses, to some extent, the issue of data ownership. In the same vein, in some countries, legal scholars debate the question of ownership in data, suggesting a novel interpretation of existing civil law provisions.
- While the protection of individuals' privacy has triggered a lot of attention in the past months with the adoption of the General Data Protection Regulation, the White Paper does not examine in depth the issues related to privacy and data protection. This being said, the White Paper takes an approach whereby ownership is examined in relation to data, be it non-personal or personal data. Although some scholars suggest otherwise, we take the position that personal data is not necessarily owned by the individual and thus that an "ownership" right in data for data controllers or processors cannot be excluded. Such ownership would however be subject to the individual's control over his/her personal data.
- There has been a lot of attention from antitrust regulators and scholars for the various legal issues surrounding data and competition law. In particular, the difficulty lies in the fact that antitrust regulators still apply the legal principles of the nuts-and-bolts world to a reality in which data are the new corporate assets. Even though some solutions emerge in the framework of competition law, a lack of legal certainty remains in relation to key competition law notions and their practical implementation in the data-driven economy.
- Numerous legislations that may impact a company's control of, the access to, or the rights in data were identified. Such legislations regulate data sharing obligations in various ways and depending on various factors, such as the sector concerned or the reasons of public interest that have led to the adoption of the instrument (e.g., public security, public health, consumer protection, etc.). However, such legislations remain mute on the ownership in the data concerned.
- The ownership-like rights currently available are limited to intellectual property rights and trade secrets. However, none of these allow providing an adequate protection of (ownership in) data. With respect to copyright, while there are several features that can be seen as beneficial for the protection of data (e.g., long-term protection, broad exclusive rights, disclosure of data permitted), there are numerous disadvantages that hinder the protection of data by copyright (e.g., originality requirement, territoriality, exclusivity). As regards database rights, it is difficult for the current data economy to accommodate the dual protection in the EU (copyright and sui generis). On the one hand, the copyright protection on the structure has become moot. On the other hand, the sui generis protection awarded for the investment does not protect the data as such. Trade secrets protection, finally, is not fit for purpose as it was created for other reasons than the blanket protection of all data and requires the information to remain secret.
On the basis of the abovementioned findings, it is established that the existing legal framework in the EU is not optimal and does not sufficiently facilitate operations on or including data. In the same vein, it is concluded that the cumulative implementation of the current maze of different possibly applicable legislations is a significant hurdle to the uptake of data analytics in the EU and is creating legal uncertainty in this fast-growing market. It results from this situation that those involved in the data value cycle may currently hold back on data sharing initiatives and presently have no choice but to rely on contractual arrangements to manage their rights in data.
While relying on contracts may seem to provide greater flexibility to the contracting parties, it was found that it nevertheless comes with various difficulties. In particular, the lack of harmonisation of contract law in the EU, but also the limits of contractual arrangements towards third parties and the issues related to the validity of data-related agreements create a high legal uncertainty that affects the entire data value chain and all data flows. It is therefore concluded that such situation is not sustainable in a data-driven economy and with the fast-increasing development and adoption of data mining and analysis tools.
Against a background where the EU strives towards a data-driven environment in which both citizens and companies can reap the benefits of novel data technologies, but also against a background where the current legal framework does not sufficiently tackle all the issues related to data and where actors involved in the data value chain have no certainty as to the ownership of the data they have gathered, created, analysed, enriched or otherwise processed, we conclude that a more solid and legally secure solution is needed.
In such context, the last Chapter of the White Paper suggests the creation of a non-exclusive, flexible and extensible ownership right in data(sets), with a data traceability obligation as a safeguard. Such Chapter discusses the specificities of said right and obligation, their interaction with the other existing rights in data, their incidence on civil law, and their possible reflection in contractual arrangements.