This is an outstanding opportunity for businesses in many sectors: use of consumer data for profiling and product improvement, use of health data for research purposes, and use of vehicle data for product optimization are three examples.
However, these opportunities also involve important legal challenges for the companies that want to maximize the use of data, including compliance with data protection regulations, how to protect the data from an IP perspective, and the ways to transfer it and license it.
The European Strategy for Data
Exploring new and alternative possibilities to use and process data (including personal data) presents numerous obstacles. In particular, the use, re-use, and processing of massive sets of data for commercial purposes is a practice that has faced significant scrutiny from the relevant authorities, especially when the data is held by public bodies, contains personal data, or is protected by IP/trade secret laws.
The European Union institutions and bodies (the EU) are aware that data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general. In order to maximize the possibilities of the use of data, while safeguarding the rights of EU citizens, the European Commission has developed the European Strategy for Data, which aims at creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty.
New tools that are available to maximize the use of data
Increasing the uses of consumers' data
Preliminary disclaimer: Directive 2019/770 expressly states that its content shall be construed without prejudice to data protection laws (i.e. the Data Protection Regulation (GDPR) and national laws "implementing" the GDPR). In the same sense, it also states that the content of the Directive does not change or affect any data protection principle or provision, including the GDPR. In fact, in the event of conflict between Directive 2019/770 and the GDPR, the latter will prevail.
Notwithstanding the foregoing, Directive 2019/770 has evidenced the possibility of consumers providing personal data in exchange for services, under certain conditions. Thus, a business might receive personal data provided by consumers that want to have access to digital content or services (even though this is subject to stringent requirements and privacy regulators are quite reluctant). In spite of the "negative view" held by privacy regulators, the option of providing data in exchange for digital content or services has been incorporated into Spanish consumer laws in a business-friendly way, which is very promising and makes room for future developments and business opportunities in this area.
And how does this work under the GDPR? The main compliance consideration that comes to mind is reliance on a suitable legal basis for processing. In this respect, it may be possible to rely on consent or legitimate interest. When applying any of these legal bases, companies must conduct a case-by-case assessment. As a positive note, the Spanish transposition of Directive 2019/770 expressly contemplates that the trader/data controller is allowed to terminate the contract in the event that the data subject objects to the processing or withdraws consent, respectively. We have further assessed this topic in this post.
Data mining: obtaining massive data from the internet
Another example that has recently become applicable in the EU member states’ laws is the possibility of using data mining techniques on the internet (e.g., through web scraping) to collect and process massive amounts of third-party information from an IP perspective (we have also written about it here).
The information that is available on the internet is very often protected by IP laws. The Copyright Directive establishes a new exception to existing IP laws that allows any player to use text and data mining techniques.
The new exception would apply to the following IP rights:
Please note that this exception only covers certain IP rights and not other rights such as data protection, trade secrets, etc. Besides, the rightsholder has the opportunity to prohibit the use of data mining (e.g., it can reserve its rights by machine-readable means, including metadata and the terms and conditions of a website or a service).
The possibility to re-use data: Open Data Directive and Data Governance Act
The Open Data Directive establishes the possibility to re-use documents (in a broad sense) held by the public administrations together with their metadata for commercial and non-commercial purposes, where possible and appropriate, by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable. In relation to certain categories of documents, it contains even more business-friendly rules:
- Research data (i.e., collected or produced in the course of scientific research activities or used as evidence in the research process, etc.) shall be “open by default” and compatible with FAIR principles (i.e. data that is Findable, Accessible, Interoperable and Re-usable).
- High-Value Datasets (documents the re-use of which is associated with important benefits for society, the environment, and the economy) shall be generally available free of charge, machine readable, provided via APIs, and provided as a bulk download, where relevant.
However, the Open Data Directive does not cover many categories of data, such as personal data, data protected by IP provisions, trade secrets, etc. This is where the incoming Data Governance Act, which is still going through the legislative process (we have prepared a brief post about it here), plays a very relevant role, since it aims to provide new legal tools to enable the sharing of such data.
The key elements of the Data Governance Act are:
- Each public administration will need to make publicly available the conditions for allowing the re-use of data, which must be non-discriminatory, proportionate, and objectively justified.
- Data sharing service providers, who will act as intermediaries between public administrations and companies to facilitate re-use.
- The conditions for re-use of data may include the need to anonymize/pseudonymize the information before sharing or to access the information only within technical environments provided and controlled by the public administration, etc.
- The public sector body shall be able to verify the results of processing of data undertaken by the re-user.
- If under the GDPR there is no other legal basis to allow the sharing of personal data but the consent of the data subjects, the public administration shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use.
- The Data Governance Act also contemplates certain limitations and particular provisions in connection with international transfers of data.
The abovementioned possibilities can be interesting in almost every sector: the use of consumer data for profiling and product improvement, use of health data for research purposes, use of vehicle data for product optimization, property management data used for energy management and product lifecycle purposes, etc.
These possibilities also bring new challenges to explore:
- How to lawfully collect the data and the categorization of said data (personal data?).
- How to process the data and maximize the purposes of processing (e.g. restrictions to use the data for AI systems, according to the EU Proposal for a Regulation on AI).
- How to determine the ownership of the data and the limits to its use, involving aspects in connection with IP rights.
- How to protect the asset (raw or processed) under trade secrets and IP laws.
- How to license the know-how/business models/algorithms to third parties and the appropriate ways to do so.
- How to safely transfer the data intragroup or to third countries.
- Companies should identify the data that they would like to use and select the appropriate legal tool to obtain such data.
- Companies should assess what they can and cannot do with the data and the regulatory requirements that apply (e.g., privacy impact assessments, obtaining relevant licenses, etc.).
- Companies should assess how to legally and technically protect the data (e.g., security measures, confidentiality clauses, and IP protection, etc.).
Authored by Gonzalo F. Gállego, Clara Regalado and Juan Ramón Robles