Why IP lawyers need to pay attention to the EU’s draft Data Act

Intended to stimulate the development of innovative services using the data generated by IoT devices and ensure competitive prices for aftermarket services and repairs, the draft Act grants users of connected devices the right to access and re-use data generated by their devices. It provides a right for users to share data generated by their devices with third party service providers and addresses the terms under which data shared in this way must be provided by the manufacturer. While the draft Act also addresses obligations for business to government data sharing in exceptional circumstances and customer switching between cloud service providers, this article focuses on the horizontal data access aspects and their impact on IP rights.

Where has this come from?

The draft Act forms a key part of the European Commission's European strategy for data. Published in February 2020, the strategy stated a desire to use a Data Act supporting business-to-business data sharing and mentioned issues relating to usage rights for co-generated data, and specifically mentions IoT data in industrial settings. It also suggested that a Data Act could impose compulsory access to data to solve sector-specific market failures which cannot be solved by competition law. Read our summary of the strategy here.

Further details emerged in May 2021 with the publication of an Inception Impact Assessment. This set out a range of policy options under consideration including transparency obligations for manufacturers of connected objects used in a professional context regarding rights to access and use non-personal data for the benefit of the users of such objects. The proposals also included clarifying the scope of application to machine generated data of the sui generis right under the Database Directive. Read our summary of the Impact Assessment here.

What are the data access proposals under the draft Act?

Chapter II of the draft Act grants users of connected products or related services several access rights relating to the data generated by through the use of those products or services:

• Article 3 imposes an obligation for products to be designed and manufactured (and for related services to be provided) in a manner which makes the data generated by their use directly accessible to the user, and an obligation to provide users with certain information e.g., the nature of the data generated, how they can access it and how the data will be used by the manufacturer or service provider.
• Article 4 provides a right for users to access and use data generated by the use of products or related services. It also provides that a data holder shall only use any non-personal data generated by the use of a product or related service on the basis of a contractual agreement with the user and prohibits the use of data “to derive insights about the economic situation, assets and production methods of or the use by the user that could undermine the commercial position of the user in the markets in which the user is active”.
• Article 5 provides the right for a user to have the data generated through the use of a product or related service provided to a third party “without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time”.

A “user” for the purposes of these articles is a natural or legal person who owns, rents or leases a product or receives a service. A data holder is someone with the right to make non-personal data available through control of the technical design of the process or related service.

Aside from the data access rights granted to users under Chapter II, Chapter III of the draft Act states the conditions under which a data holder who is obliged to make data available to “data recipients” has to do so:

• Article 8 requires that data provided to a data recipient must be under fair, reasonable and non-discriminatory (FRAND) terms and in a transparent manner, with the obligation on the data holder to demonstrate that there has been no discrimination.
• Article 9 limits the compensation that a data holder can claim for making data available to that which is reasonable and, in the case of data provided to SMEs, the costs directly related to making the data available. In either case the data holder is required to explain the basis for the calculation.

“Data recipients” could be third parties who gain access to user data pursuant to a user’s request under Article 5. However, with a view to data access rights which may be granted under other EU legislation in future, the provisions of Chapter III will apply to any situation where EU law requires a data holder to grant access to a data recipient.

Impact on IP rights

Data can be protected by a range of IP rights in the EU, including database rights, database copyright and trade secrets, although the rights which apply to a specific data set will depend on the nature of the data and the way it has been collected or created. While copyright will generally not apply to machine generated data, the definition of “data” in the draft Act (“any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”) is sufficiently broad that it would potentially catch creative works such as photographs and films protected by copyright and/or related economic rights. While recital (15) suggests that products such as cameras and sound recording systems primary designed to record content based on human input are not intended to fall within the scope of the draft Act, this does not appear to have been reflected in the articles. The extent to which copyright works could be considered data within the scope of the data access rights under the draft Act is currently unclear, and is likely to be an area of significant debate as the draft Act progresses.

Database Rights

One of the biggest, if not the biggest, impact on IP comes late in the draft Act. Article 35 states that, in order not to hinder the access rights set out earlier in the Act, the sui generis database right “does not apply to databases containing data obtained from or generated by the use of a product or a related service”.

It is no surprise that the draft Act contains a provision seeking to balance the sui generis database right and the access to and use of data. The uncertainty over the application of the database right to machine generated data had been raised as a concern in a number of studies (for example the 2020 study for the European Commission entitled “Trends and Developments in Artificial Intelligence – Challenges to the Intellectual Property Rights Framework”) and the Commission had clearly stated in the Intellectual Property Action Plan published in November 2020 that it would review the Database Directive with a view to facilitating the sharing of and trading in machine generated data and data generated in the context the IoT.

It is worth stepping back to see what harm this provision was intended to prevent. Database rights protect databases if the producer makes the necessary investment in obtaining, verifying and presenting the data. In 2004, the Court of Justice stated that the database right protected the investment in the collection of data into the database but not the creation of data as a by-product of another economic activity (British Horseracing Board Ltd v William Hill C-203/02). Despite this decision, uncertainty remains over the distinction between creation and obtaining data in the context of machine generated data. For example, if sensors are set up to measure meteorological data, that data could be said to be collected. But on the other hand, data internally generated by, for example, a machine in a manufacturing plant recording its own performance, could be said to be created. The distinction can, in some circumstances, be a fine one. However, in relation to live information from football matches (goals, times, scorers), the Court of Appeal in the UK had no difficulty in finding that investments necessary to record such data should be viewed as investments in obtaining the data and therefore the sui generis right applied (Football Dataco v Sportradar [2013] EWCA Civ 27).

As already noted, the draft Data Act was originally intended to clarify the position on the protection afforded to machine generated data and a draft leaked to the media at the start of February 2022 proposed a balance in that the sui generis right could not be invoked against databases containing machine generated data “to hinder the effective exercise of the access right provided for” in the Data Act.

However, the official draft which was published shortly thereafter goes far beyond what is necessary to protect the right to access and use data set out in Article 4 and the right to share data under Article 5. In stating that the sui generis database right does not apply if a database contains data obtained from or generated by the use of a product or a related service, it sweeps away protection for a very large number of databases.

Firstly, a product is given a very broad definition and applies to any item which obtains, generates or collects data concerning its use or its environments and is able to communicate data via a public communications service. It does not include products where the primary function is the storing and processing of data (Article 2(2)). Further, as discussed above, recital (15) suggests that products primarily designed to display or play content, or record and transmit content (including smart phones, cameras, webcams, sound recording systems and text scanners), should not be considered within the scope of the draft Act, although this is not reflected in the Articles. Not only does this list of exceptions appear somewhat arbitrary and have fuzzy edges, it is also quite narrow.

Secondly, recital (84), in a rather elliptical fashion, states that in order to prevent owners of databases that do not qualify for protection (i.e. those obtained or generate from e.g. sensors of connected products) from wrongly claiming rights in such databases, the draft Act “should clarify that the sui generis right does not apply to such databases as the requirements for protection would not be fulfilled”. In other words, the draft Act is aimed at stamping out what could be seen as an abuse of the Database Directive, or to put it in more neutral language, preventing an unintended consequence. Again, however, Article 35 goes much further in that it disallows protection to databases which presently qualify for protection if the original source of the data comes from the use of a connect product. An example would be where substantial investment has been made in the “verification” or “presentation” of the contents of the database. Cleaned and structured data that is ready for use can be extremely valuable, but on the current drafting of the Act could no longer receive protection under the sui generis right.

Thirdly, mixed or aggregated databases, will no longer be protected if any of the data came from the use of a product. The database in issue in the Football Dataco case mentioned above, was a mixed database in that it also included subjective data (who was the dominant player in the last 10 minutes of the match and who was man of the match) in the database. Such subjective data would not be protected under the sui generis right because it was “created”, but other mixed databases could, and increasingly do, contain data from a number of objective sources. In recognising that such databases will no longer receive protection if they also contain machine generated data, a study for the Commission bluntly stated that it will encourage companies to keep their databases separate and incentivise companies to invest in technologies that can categorise and track data after collection (Study to Support an Impact Assessment for the Review of the Database Directive, 2022).

If the Commission’s proposal is adopted as currently proposed, it will clearly have a significant impact on those industries that utilise database rights to protect and commercialise data which may give rise to unintended consequences. Organisations which collect and commercialise sports data based on database rights may, for example, decide to rely on manual data collection techniques rather than automated ones in order to ensure they still obtain protection for their investment. This move away from automation would appear to be an unintended consequence of the draft Act, rather than the result of an intentional policy decision on behalf of the Commission.

Trade Secrets

The inner workings of a product (or related service) are usually the result of substantial investment in research and development and manufacturers of products and suppliers of services will take steps to protect this information as a trade secret to prevent others taking advantage of it, e.g., to develop competing products or services. Recognising that the data access right provided by Article 4 could potentially weaken or eliminate trade secrets protection, it also provides that:

3. Trade secrets shall only be disclosed provided that all specific necessary measures are taken to preserve the confidentiality of trade secrets in particular with respect to third parties. The data holder and the user can agree measures to preserve the confidentiality of the shared data, in particular in relation to third parties.

4. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a product that competes with the product from which the data originate.

Similar provisions relating to the protection of trade secrets and a prohibition on developing a competing product are provided by Articles 5(8) and 6(2)(e) in relation to data which a manufacturer or service provider is required to give to a third party following a request by a user.

While these provisions go some way to reassuring trade secrets holders, concerns will remain. First, the obligation to disclose data to users and third parties eliminates one of the key protections for trade secrets: the trade secret holder’s ability to choose who to disclose it to. Second, while the draft Act includes measures to preserve the confidentiality of trade secrets with respect to third parties, a key aspect of trade secrets protection is the ability to control the use of the trade secret by a recipient. Normally this is achieved by contractually defining a limited purpose for which the trade secret can be used. However, under the draft Act a user appears to be free use the data they receive for any purpose other than the creation of a competing product, and it is unclear if a trade secrets holder is permitted to insist on limiting the use of their trade secrets by the user. Could a user, for example, use a trade secret they obtain through access to data to develop a competing service, or a different category of product? Similar questions arise with respect to third parties who receive data following a user’s request to give them access. Trade secrets holders are also likely to be concerned regarding the scope of the data caught by the access rights, and whether it extends to derived data processed using their proprietary technology. Data processed in this way is more likely to embody their trade secrets than “raw” sensor data. While recital (17) suggests that processed data are excluded from the Act, this is not clearly reflected in the draft articles.

Aside from the protection of trade secrets relating to the technology used to collect and generate data, the draft Act raises a more fundamental question regarding the protection of trade secrets. Aggregated data sets held by manufacturers may be secret, have commercial value due to their secrecy and have been subject to reasonable steps by the manufacturer to preserve their secrets, qualifying them for protection as a trade secret under the EU’s Trade Secrets Directive (2016/943/EU). A tension clearly exists between a users’ right under the draft Act to access a small set of data relating to their use of a product or service (which may not in itself qualify as a trade secret) and the value to the manufacturer of protecting the aggregation of data across many users as a trade secret. This tension is most acute where a manufacturer is required to provide access to a third party pursuant to user requests. If many users ask for a single third party to have access to their data, the net effect is that the third party will acquire the value of the manufacturer’s trade secret in the aggregation of data. The only limits on the ability of third party to extract the value of that trade secret through use of the data appears to be (i) using the data only in accordance with the purpose requested by the user; (ii) specific necessary measures agreed between the data holder and third party to preserve the confidentiality of the trade secret; and (iii) the prohibition on developing a competing product. If the third party is able to agree broad usage terms with users, they would appear to be free to extract the value of the manufacturer’s trade secret, provided they don’t use the data to create a competing product.

The interaction between the draft Act and trade secrets will clearly be a hotly contested area as the proposal progresses.

What’s next?

The draft Act is still in its early stages. The next step will be for the proposal to be considered by the European Council and Parliament. The Parliament will start by nominating one or more committees to review the proposal and a rapporteur (draftsperson) for the main report. In parallel, Member State representatives in the Council will review the proposal in the relevant working group. Both institutions will discuss and amend the proposal before adopting their positions on the draft. When both institutions have adopted their respective positions, the proposal will then enter three-way (“trilogue”) negotiations with a view to reaching agreement on a final text which can be adopted officially by the Parliament and endorsed by the Council. While somewhat speculative at this stage, under some scenarios the draft Act could become operative in the 2024-2025 timeframe.