Three years into the EU’s data strategy and with its centrepiece, the Data Act, expected to be agreed in trilogue in the next month, what better time to review the relationship between data, copyright and EU regulation? Huge thanks must go to the European Copyright Society and in particular Marie-Christine Janssens for putting together such an excellent and insightful program.
Below are my reflections on the day and the themes which emerged. Statements attributed to particular speakers are based on my interpretation of the points they were making (mediated through my hastily-typed notes and imperfect memory) and should not be treated as gospel. In addition to the areas mentioned below, there were also some excellent thoughts on copyright and the Digital Services Act from João Pedro Quintais, on AI and copyright from Peter Mezei and Thomas Dreier, and on research/open data from Christophe Geiger and Mireille van Eechoud.
Alain Strowel started the day with a review of the background to the EU’s publication of its Data Strategy in February 2020. Building on the EU’s work on personal data in the 2010s, the open data directive and the free flow of non-personal data directive, the strategy aims to improve data governance, create a single European market for data and enable data-driven innovation. Its publication coincided with the EU’s regulatory pendulum starting to swing away from increasing control and proprietary interests in data (which we had seen both in the copyright and personal data space), towards the free flow of data and enabling data access. The turning point came in 2018 when the European Commission abandoned plans to introduce a new IP right for data producers.
This change in regulatory approach was revisited later in the day by Séverine Dusollier. While the Commission’s regulatory pendulum has moved away from thinking about the need for property rights in data, the Data Act's approach of regulating the de-facto control which certain market participants enjoy over data still involves thinking of data as an exclusive asset. Séverine explored the alternative approach of framing data as a commons.
Several speakers examined the different categories of data which are subject to EU data regulation. Some categories are mutually exclusive (personal vs. non-personal, open data vs. trade secret). Others overlap in complex ways, which creates regulatory tensions, e.g. the intersection between data protected by trade secrets and the data access provisions of the Data Act.
Alexander Peukert focused on the definition of “data” which has emerged in recent EU legislation and traced its origin back to a definition in the Open Data context, which refers to documents. Understanding data as “documents without paper” helps frame the Data Act as governing access to digital resources, rather than trying to manage rights in intangible goods. While framing the definition of “data” may appear a conceptual exercise, understanding exactly what we are referring to when we talk about data is now a key issue, as access to derived data and metadata are hotly contested issues in the final stages of the Data Act's legislative process.
Often overlooked (although hopefully not unloved), database rights received a lot of airtime during the day. Less good news for fans of these rights (and the business models which rely on them) is Article 35 of the Data Act, which states that they do not apply to databases which contain data obtained from or created by a device or service which falls within the scope of the Data Act. Estelle Derclaye and Caterina Sganga debated whether Article 35 was clarifying an existing position arising from CJEU case law on the distinction between creating data and obtaining data, or a change in the law which will remove the protection which certain databases currently enjoy.
While copyright isn't mentioned expressly in the Data Act (although it does fall under the general references to "intellectual property"), Axel Metzger highlighted that there is a wealth of experience in the copyright space navigating some of the issues which the Data Act is now trying to grapple with. This includes discussions regarding technical protection measures, exceptions and limitations to rights in the public interest and the situations where the law should restrict parties' freedom to contract. Axel noted that the Data Act does not provide a way for parties to contractually agree to waive the access right, and asked whether this will be justified in situations where the data user has equal or greater bargaining power than the data holder.
Going deeper into the role of IP in data regulation, Valérie Laure Benabou provided a highly insightful analysis of where value resides in the new data economy, and how this interacts with copyright's traditional focus on the value derived from human enjoyment of works. For many data-driven applications, value resides in factual information contained in works, statistical patterns which can be derived from large numbers of works, and metadata associated with works. Value also often resides in subject matter which isn't protected by copyright, leading to the "Ryanair paradox" (arising from the decision in Ryanair v PA Aviation, where the CJEU held that the holder of a database which isn't protected by a database right is free to impose contractual restrictions which are otherwise prohibited if the database is subject to a database right). A similar paradox exists with the EU's text and data mining exceptions; the lack of copyright or database rights protection appears to allow a data holder to contractually exclude the Article 3 text and data mining (TDM) exception in a way which isn't possible if the data is protected by these rights. These paradoxes are a sign that something isn't right with the way we are thinking about regulating data.
Martin Senftleben also discussed the Ryanair paradox, and asked whether the solution is to reframe exceptions to copyright and database rights as affirmative statements of the subject matter which should form part of the public domain, irrespective of whether they are protected by IP rights. A key issue with this approach will be understanding how it intersects with other legal rights which may control access, use and dissemination of data, e.g. contractual rights and trade secrets.
Aside from copyright and database right, trade secrets can be an important type of legal protection for data and the technology and processes used to gather, refine and extract value from data. They have also been receiving lots of attention in the context of the data access provisions under the Data Act.
Fortunately we had Virginie Fossoul from the Copyright Unit of DG Grow to give us some insight into the Commission's thinking on the relationship between trade secrets and data. Virginie explained that early on in the legislative process for the Data Act, the Commission realised that including a carve out to the data access provisions for trade secrets would potentially allow companies to circumvent them. Companies may also not always have a clear view on the scope of their trade secrets, and may overclaim on a precautionary basis. This concern has resulted in the amendments proposed by the European Parliament, which require data holders to proactively identify data which is protected by trade secrets and provide a dispute resolution mechanism if the data holder and data user cannot agree measures to ensure these trade secrets are protected by the user. While providing access to data is a key aim of the Data Act, Virginie explained that the Commission is keenly aware of the need to balance this against the risk of IP and trade secret theft.
One comment during the Q&A which especially resonated was that the Data Act and AI Act are highly complex and technical pieces of legislation and are moving through the EU legislative process very quickly.
Even for lawyers and academics specialising in data, copyright and AI, keeping up with the legislative process and the potential impacts of this EU legislation is a challenge. For the organisations impacted by this legislation, identifying the key internal stakeholders, mapping the impact on their business, formulating a position and articulating that position as part of the legislative process is a big challenge, even for large organisations with dedicated public affairs teams.
With the prominence of generative AI, the AI Act has also somewhat taken the spotlight away from the Data Act. There will be many organisations who are currently unaware of the Data Act and its potential impact on them once finalised (and the 18-month clock, as per the Parliament's draft, starts ticking on the law coming into force). Given the product design and contractual implications for suppliers of connected devices, achieving compliance is often going to take a significant amount of time and money. While it has been flying somewhat under the radar to date, the Data Act will soon be a big flashing light for many organisations.
Dec 06 2023