The data economy communication looks at four main areas: obstacles to the free movement of data; data access and transfer; liability; and portability, interoperability, and standards.
Obstacles to free movement of data
In relation to obstacles to free movement, the communication focuses on data localisation requirements increasingly being considered and adopted at the national level. While the EU General Data Protection Regulation (the “GDPR”) bans restrictions on the free movement of personal data in the EU for the protection of personal data, the GDPR does not apply to restrictions for other reasons, and it does not apply to non-personal data, for instance non-personal machine-generated data.
The Commission was expected to propose a legislative measure banning national data localisation requirements, but it refrained from doing so for fear that the Commission would not be able to persuade the Council of the need for such a ban and a desire to explore the potential for existing EU law measures to address these issues.
Data localisation requirements arise from legal rules or administrative guidelines or practices that require the storage or processing of data in a particular jurisdiction and may be imposed for a variety of alleged reasons, including ease of access for supervisory authorities, auditors and law enforcement, as well as data security. In practice, however, the Commission believes that these measures rarely contribute to the objectives they are intended to achieve and notes that these restrictions can impair competition by limiting access to cheaper or more innovative data services, force businesses operating cross-border to arrange excess data storage and processing capabilities, and inhibit start-ups and SMEs from scaling-up their activities, entering new markets or centralising data and analytics capacities. Data localisation also hampers the wider adoption of cloud storage and computing, with potentially wider societal effects, including environmental effects. Nevertheless, data localisation requirements may be justified and proportionate in particular contexts or in relation to certain data, especially before effective cross-border cooperation arrangements are put in place, such as ensuring the secure treatment of data pertaining to critical energy infrastructure, or the availability of electronic evidence (e.g., localised copies of datasets) for law enforcement authorities, or local storage of data held in public registers.
In the Data Economy Consultation, the Commission seeks input on the extent, nature and impact of data localisation restrictions within the EU, what could constitute justified grounds for such restrictions, and to what extent businesses store or process data in multiple geographical locations within the EU. The Commission also seeks respondents' views on the perceived impact that the removal of data localisation restrictions within the EU would have on their businesses.
The Commission notes that any current or new Member State data location restrictions need to be carefully justified under the principle of free movement of data within the EU to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security. The Commission plans to discuss the justifications for and proportionality of data location measures with Member States and other stakeholders, and, where needed, to launch infringement proceedings challenging unjustified or disproportionate data location measures. Depending on the results of the Data Economy Consultation, the Commission may reconsider proposing a legislative ban on data localization requirements.
Data access and transfer
The Commission notes the increasing importance of data generated by machines or processes based on emerging technologies, such as the IoT, as a key component for new services, to improve products or production process and to support decision-making. The Commission believes that access to the raw data generated by these machines or processes is central to the emergence of a data economy, mentioning the transport, energy, smart living, and healthcare sectors in particular. The Commission notes that enterprises in the data economy deal with both personal and non-personal data, and that data flows and datasets often contain both types. Any policy measure must take account of the legal framework on the protection of personal data.
The Commission notes that companies holding large quantities of data tend to use mostly in-house data analytics capabilities and keep the data generated by their machines or through their products and services for themselves, so these data may not be available for reuse in downstream markets. Many companies do not benefit from or use application programming interfaces (“APIs”) specifying how different applications should interact with each other, which could serve as entry ports for new uses of such data. As a result, in the Commission’s view, data exchanges are currently limited, although data marketplaces are slowly emerging. In the Data Economy Consultation, the Commission seeks input among other things on whether businesses holding data or data sets license them to others, and if so on what terms.
The Data Economy Communication avoids the question of ownership of data but touches on the application of intellectual property protection to data, noting that there is currently no comprehensive policy framework at the EU or national level for the protection and use of raw machine-generated non-personal data. Raw machine-generated data are not protected by existing intellectual property rights, although the Database Directive (96/9/EC) gives makers of databases the right to prevent extraction and/or reutilisation of the whole or of a substantial part of the contents of a database whose creation involved substantial investment in obtaining, verifying or presenting its contents. For data to qualify as a "trade secret" under the Trade Secrets Protection Directive (2016/943/EU), measures have to be taken to protect the secrecy of information, which represents the “intellectual capital of the company.” In the Data Economy Consultation, the Commission seeks input on contracts in which data have been described as trade secrets. It is not clear whether the Commission is contemplating further action as regards the protection of data as trade secrets, but it plans to launch a separate review of the Database Directive in 2017.
Absent a clear legal framework governing the use of machine-generated data, the Commission notes that the protection of such raw data is largely left to contractual solutions and competition law enforcement. Where the negotiation power of the different market participants is unequal, however, the Commission argues that market-based solutions alone might not be sufficient to ensure fair and innovation-friendly results, facilitate easy access for new market entrants and avoid lock-in situations. The Commission notes that Member States are considering regulations to ensure access to machine-generated data and notes that national measures risk creating fragmentation and impeding development of the EU data economy and the cross-border data services and technologies. In the Data Economy Consultation, the Commission seeks input on businesses’ trading practices in relation to non-personal data, perceived barriers to trading and re-use of such data and ways to enhance access to and re-use of data and data trading. More specifically, the Commission seeks input on whether and to what extent businesses have access to the data they need to develop or conduct their tasks and to assess the role of existing legislation on unfair contract terms and commercial practices.
The Commission also asks whether businesses consider possible denials of access to data to amount to abuses of dominant positions for antitrust purposes and whether current competition law enforcement mechanisms adequately address potentially anti-competitive behaviour of companies holding or using data. The Commission seeks input on the importance respondents’ attach to different policy objectives (e.g., promoting trading and sharing of machine generated data, versus protecting investments into data collection capabilities and confidential information) and what types of access to data respondents would agree to give public sector bodies, researchers, and commercial operators. More generally, the Commission asks whether there is a need to revise or introduce legislation to support the European data economy.
Using the results of the Data Economy Consultation, the Commission intends to explore a possible future EU framework for data access, revolving around the most effective ways to improve access to anonymous machine-generated data and facilitate and incentivise data sharing. More specifically, the Commission is considering a range of options, including:
Issuing guidelines on how non-personal data control rights should be addressed in contracts to incentivise businesses to share data;
Fostering the development of technical solutions such as APIs, making data available in machine-readable formats and the provision of associated meta-data, for example through best practice guidance;
Developing mandatory default contract rules and recommended standard contract terms, which could result in unfair contractual clauses being invalidated and lower barriers for small businesses;
Mandating data access without remuneration for public interest and scientific purposes, such as access for statistical offices or traffic management systems;
Granting owners or lessees of devices generating data a right to use and authorise the use of non-personal data generated by the device; and
Creating a new legal framework, which may vary by sector, requiring data holders, such as manufacturers and service providers, to provide access to their data based on fair, reasonable and non-discriminatory (FRAND) terms.
The Data Economy Communication discusses liability issues that can arise in relation to products and services based on technologies such as the IoT, factories of the future and autonomous connected systems. It may be difficult to establish the exact source of a problem that leads to damages, raising the issues of how to ensure that these systems are safe, minimise damage and assign liability.
At EU level, the Products Liability Directive (85/374/CEE) establishes the principle of strict liability where a defective product causes damage to a consumer, but application of this directive in the context of IoT and autonomous connected systems (e.g., robotics) may be unclear. The Commission plans to explore various approaches to enhance legal certainty with regard to liability, including creation of a framework allocating liability to market players who generate major risks for others or to those best placed to minimise or avoid the realisation of the risk, and the establishment of voluntary or mandatory insurance schemes.
In the Data Economy Consultation, the Commission seeks input from producers and users of IoT technologies and autonomous systems on their level of awareness, experiences and issues related to liability for related products and services. The Defective Product Consultation further seeks input on these ideas and seeks to assess whether the Products Liability Directive is appropriate for emerging technologies such as IoT and autonomous connected systems.
Portability, interoperability and standards
The Data Economy Communication also addresses the issues of the portability of non-personal data, the interoperability of services to allow data exchange, and appropriate technical standards for implementing meaningful portability. While the GDPR gives individuals a portability right for personal data, there are no such requirements for non-personal data. The Commission notes that data portability is generally associated with low switching costs, and hence with low entry barriers, but implementing data portability can be technically demanding and costly and needs to take account of broader data governance considerations involving transparency for users, managed access and interoperability to link different platforms.
Data portability considerations are closely related to data interoperability. In the case of online platforms, data interoperability facilitates not only switching, but also the concurrent use of several platforms (so-called "multi-homing") as well as widespread cross-platform data exchange, which has the potential to enhance innovation. According to the Commission, effective portability policies must be supported by appropriate technical standards to ensure interoperability.
In the Data Economy Consultation, the Commission seeks to identify business situations where portability of non-personal data could unlock opportunities and/or eliminate blockages in the data economy and requests views on the possible effects of introducing portability rights for non-personal data regarding cloud services, data generated by machines, tools and/or devices and/or data generated by online platforms.
Taking account of the responses to the Data Economy Consultation, the Commission is considering developing recommended contract terms to facilitate switching of service providers; developing further rights to data portability of non-personal data, building on the data portability right provided by the GDPR and the proposed rules on contract for the supply of digital content; and sector-specific experiments on standards to develop portability rules encoded through standards.