Commission Inception Impact Assessment on a proposed Data Act: What does it mean for IP owners?

By Toby Bond

06-2021

Published in 2020, the European Commission’s Data Strategy set out a bold vision for the EU to become a leading role model for a society empowered by data to make better decisions (read our summary here). While the Data Strategy mentioned IP rights, it’s fair to say they haven’t been front and centre of the Commission’s work on the Data Strategy thus far. That looks set to change with the publication of an Inception Impact Assessment on a proposed Data Act, which sets out the Commission’s current thinking on removing barriers to data access and reuse. In this article we take stock of the Commission’s current thinking and look ahead to the points which are likely to generate the most debate amongst IP owners.

The Inception Impact Assessment, published on 28 May 2021, aims to inform stakeholders about the Commission's plans in order to allow them to provide feedback on the intended initiative and to participate effectively in future consultation activities. It is open to feedback until 25 June 2021, with the responses feeding into a draft Data Act planned for publication in Q4 2021. In parallel, the Commission is also running a consultation seeking views which will help it shape a Data Act. This consultation runs until 3 September 2021. While the Impact Assessment also addresses the role of smart contracts in facilitating data sharing and measures to establish a more competitive EU market for cloud computing services, this article focuses on the IP law and policy issues.

Where has this come from?

Back in February 2020, the Commission’s Data Strategy stated that it intended to evaluate the EU IPR framework with a view to further enhancing data access and use. This was said to include a possible revision of the Database Directive and a possible clarification of the application of the Trade Secrets Directive as an enabling framework. This intention was repeated in November 2020 in the Commission’s IP Strategy (read our summary here), which added that the Commission was particularly interested in the role of the Database Directive and Trade Secrets Directive in facilitating the sharing of, and trading in, machine generated data and other IoT data. With the publication of the Impact Assessment, this outline has started to crystallise, as the Commission explains the specific problems it is looking to address and the policy mechanisms it is considering.

What problems are the Commission trying to solve?

According to the Impact Assessment, the Commission’s overall objective for a Data Act is to increase access to and further use of data, so that more public and private actors can benefit from big data and machine learning. The Commission is particularly interested in data usage rights in industrial value chains and whether there is a fair distribution of usage rights which allow all parties to benefit from data driven innovation. In this context the Impact Assessment identifies the following potential problems arising in relation to data access and use in business-to-business (“B2B”) scenarios:

  • Potential imbalances in negotiating power between data holders and those who wish to access the data they hold, which can lead to the imposition of unfair data licence terms on the data recipient, or a refusal to provide any access to data.
  • Access to and use of non-personal data generated in industrial contexts is often left to private contracts, which can raise competition questions in certain markets (e.g. suppliers, OEM-buyer relations and aftermarkets) and leave untapped the innovation potential presented by re-use of the data.
  • Legal uncertainty surrounding the application of the Database Directive to machine-generated data and data generated in the context of IoT devices, which may pose an obstacle to access and use of that data.

In addition to B2B data sharing, the Commission is also interested in ensuring positive effects from the use of data in the public interest, especially in the context of the use of privately-held data by the public sector (referred to as “B2G” data sharing). The Impact Assessment (referring to an earlier report by the High-Level Expert Group on Business-to-Government Data Sharing) highlights that the public sector is currently limited in making use of the full potential of these data for the common good. A lack of structures, rules and transparent information regarding privately held data are said to contribute to this, along with a fragmentation in rules for B2G data sharing across sectors and between Member States. The Commission believes this results in businesses being reluctant to provide the data they hold to the public sector. Instead they prefer to deliver services to the public sector based on their data, reducing the scope for data-based innovation in the public sector.

Objectives and Policy Options

The Impact Assessment identifies the Commission’s objectives for B2B and B2G data sharing and sets out various policy options under consideration.

For B2B data sharing, the Commission aims to promote fairness in data sharing contracts to further facilitate access to data and data sharing, while ensuring compliance with EU competition rules. It also aims to harmonise third party data access conditions in sector-specific legislation and improve legal certainty around access and use of co-generated non-personal data (such as that produced by IoT devices) to allow innovation and avoid lock-in effects. Looking at IP legislation, the Commission aims to ensure the Database Directive provides legal certainty for data access and trading, while ensuring the sui generis database right provided by the Directive does not pose an obstacle to the access and use of machine generated data.

The policy options under consideration to ensure fairness of data access and use in B2B situations include:

  • Specific transparency obligations for manufacturers of connected objects used in a professional context regarding rights to access and use non-personal data for the benefit of the users of such objects.
  • A B2B fairness test to avoid unilaterally imposed unfair conditions for data access and use and/or laying down data access and use rights, potentially on the basis of fair, reasonable, proportionate, transparent and non-discriminatory terms for non-personal data. These measures could apply to a specific category of data (e.g. non-personal data generated by IoT devices in a professional context), or to a broader set of data sharing situations. A fairness test could also be accompanied by model contractual terms.
  • Establishing common principles which could be applied where horizontal data access rights are established by sector specific rules. These common principles would address procedures to be followed for parties to agree the terms for access to data where a sector specific rule permits that access. The common principles could, for example, provide that where access is permitted, it should be granted on fair, reasonable, proportionate, transparent and non-discriminatory terms agreed between the parties, with a dispute settlement mechanism if the parties cannot agree.
  • Clarifying the scope of application of the sui generis right under the Database Directive to increase legal certainty as regards, in particular, machine generated data.
  • Defining a specific access regime to facilitate trading in and access to databases in a balanced manner and other additional elements to modernise the Database Directive, particularly the sui generis right, e.g. by aligning the exceptions to more recent EU copyright instruments.
  • Clarifying guidance regarding the application of the Trade Secrets Directive may be issued following the conclusion of a study focusing on the application of the Directive in four key sectors (automotive, health, energy and financial services).

For B2G data sharing the Commission wants to promote fair, reliable and transparent access to and use of (big) data sources held by private companies that can be valuable for innovative uses, the digital transformation of delivery of public services and better policymaking in a more flexible manner. The policy options under consideration for B2G data sharing include:

  • A flexible framework for B2G data sharing including data-sharing requirements, transparency requirements and safeguards which could cover both ad-hoc and more regular data sharing of big data which are too big to be subject to reporting obligations.
  • Intermediation structures or bodies which could aggregate supply (e.g. businesses who hold data) and demand (public sector bodies interested in that data) and facilitate agreement on the conditions of use, including remuneration, and provide a dispute resolution mechanism.
  • A specific right for the public sector to access privately held data for a range of defined public interest purposes.

Any measures would aim to minimise the need for transmission of personal data, including confidential business information to the public sector, or offer appropriate safeguards.

Where are we headed?

The Commission clearly believes that the current market dynamics for B2B data sharing are failing to fully realise the potential of data-based innovation and that legislative intervention is required.

The challenge for a Data Act is that B2B data sharing is a huge topic, spanning a vast array of data types, industry sectors and market participants. While it’s easy for the Commission to ask itself the question “how do we improve B2B data sharing”, hidden beneath this are hundreds of distinct questions about how to encourage specific types of data to be shared between specific market participants in specific industries. A Data Act which aims to pull policy levers potentially affecting all types of data in all sectors therefore needs to walk a very careful tightrope of solving problems which may arise in some contexts while avoiding unintended consequences in others. IP policy is one of these fundamental policy levers, with the Database Directive playing a role in protecting the investment made in databases in a diverse range of sectors. Adjustments to the scope of the sui generis right to address a lack of clarity in the context of machine generated data could, for example, have unintended consequences in the market for sports data, where the sui generis right plays a well-established and fundamental role.

While most of the proposals regarding B2B data sharing in the Impact Assessment are framed in general terms, to walk the legislative tightrope we may well see the Commission narrowing its focus to specific categories of data or industry sectors as time goes on. Non-personal data generated by IoT devices which are used in a professional context is a reoccurring theme in the Impact Assessment and may therefore end up being one of the main focuses of the Data Act.

The Impact Assessment also indicates that the Commission understands it will need to carefully frame the Data Act to avoid conflict with existing EU legislation. It repeats several times that any new rules would need to comply with GDPR, the ePrivacy Directive and the Trade Secrets Directive. Several of the B2B policy proposals are therefore framed as applying only to non-personal data. While there is a suggestion that guidance may be issued on the application of the Trade Secrets Directive, there is no suggestion that the Directive itself will be amended.

These boundaries with GDPR and the Trade Secrets Directive may appear clear at present. However, they will become increasingly important as the Commission attempts to define the scope of a Data Act. On the one hand, the scope of what can be considered personal data has been on an expansive trajectory. Advances in data analytics have given rise to user profiling based on the data they generate through their interactions with products and services, bringing new categories of data within scope of data protection legislation. On the other, there will be many instances where a database may qualify for protection both by the sui generis right and as a trade secret. Creating a data access regime which distinguishes between personal and non-personal data and data which is and isn’t protectable as a trade secret will place significant weight on the definitions of personal data and trade secrets. While the definition of personal data has been well explored in official guidance, the application of the definition of a trade secret contained in the Trade Secrets Directive to data sets is less well understood. For example, the circumstances in which data collected by IoT sensors can be considered a trade secret are not always clear cut: can sensors present on public property generate data which qualifies as a trade secret? Are records of transitory phenomena more likely to qualify as a trade secret than records of permanent ones? While the Commission has identified a lack of clarity in the application of the Database Directive to machine generated data, as the Data Act progresses they may well discover that the application of the Trade Secrets Directive to machine generated data is also not entirely clear.

The B2B data sharing proposals contain several mentions of data access agreements made on fair, reasonable, proportionate, transparent and non-discriminatory terms agreed between the parties. Those familiar with standard essential patents (SEPs) will already be well acquainted with the concept of fair, reasonable and non-discriminatory (FRAND) terms. They will also know the complexity of establishing what FRAND terms are and how those terms should be decided if the parties cannot agree between themselves. The addition of the terms “proportionate” and “transparent” (FRPTAND?) is therefore of interest. One of the debates currently underway in the SEP licensing world is how open SEP owners should be required to be regarding the terms on which they have granted licences. A requirement for transparency in data access agreement licensing terms suggests the Commission may want more openness than is currently the case in the SEP world. The proposal for a dispute resolution mechanism where parties cannot agree terms between them also appears to be a response to the ongoing debate in the SEP licensing world regarding the correct forum for determining FRAND terms.

However, despite the potential similarities with SEP licensing there are clearly important distinctions to be drawn in the context of the Commission’s proposals. First and foremost is the potential for a data sharing obligation to be unilaterally imposed on a data holder to share their data in certain circumstances. This differs significantly from the SEP licensing context where SEP holders voluntarily commit to license their patents on FRAND terms by way of their participation in the organisations which set the standards to which their patents relate. Data licensing is also inherently more complex than SEP patent licensing. A common approach to determining a FRAND rate in the SEP context is to review comparable licences in order to establish a fair “market rate”. However, data can be processed, modified and aggregated in complex ways which need to be addressed by a data licence, often in the context of a very specific intended use case for the data. A diversity of licensing terms for data access will significantly reduce the pool of comparable licences and increase the challenge of establishing a fair rate. Compared to a SEP licence covering a well-established technology, the value of a data access licence to a particular dataset may be highly speculative, creating additional challenges in arriving at a fair valuation.

There is clearly much food for thought in the Commission’s current proposals. Responses to the consultation process, an evidence collection exercise and the eventual results of an ongoing study on fairness in data sharing and access to data, will feed into the eventual proposal for a Data Act, which is due to be published in the third or fourth quarter of 2021.