LEGAL FRAMEWORK

The opportunities and challenges of the emerging data economy are regulated so as to realise the full potential of the data economy while sufficiently addressing potential risks and negative side effects. Data economy actors operating in the European Union need to comply with different laws, which can be divided into two larger groups: data-related and human-rights-related laws. Learn more about the most relevant ones for data holders, data users and data distributors.

DATA DISTRIBUTORS

Data distributors match data holders and users. As long as they remain passive intermediaries, their legal responsibilities are limited. The main responsibilities remain with data holders and users.

  • Agreements and terms between data distributors and users

    Typically, this agreement will contain exclusion of liabilities and warranties as well as information on the payments and termination (if the service is for profit).

  • eCommerce directive

    The eCommerce directive applies to information society services. A data distributor could fit into this definition. The directive guarantees freedom of establishment, determines conditions for a valid online contract and provides rules to delineate intermediary liability. As its measures have not (yet) been adapted to the recent digital reality, certain amendments are expected in the near future.

  • PSI directive

    The directive requires Member States to make as much public organization owned information available for reuse as possible. It is intended to harmonise the Member States’ legislation in order to open the data to public access and encourage its reuse. The PSI directive is only relevant if the distributor operates with PSI.

  • Personal data protection

    If data distributors use personal data, they need to comply with provisions of data protection law such as technological measures to safeguard privacy, compliance with principles of fairness (e.g. principle of purpose limitation) and some other administrative provisions (e.g. breach notification duty). However, this is only relevant if data distributors actually process personal data (and do not merely act as an intermediary between data users and data holders without handling the data).

  • Cyber security/NIS directive

    The NIS Directive, adopted in May 2016, aims to improve the security of the Internet and the private networks and information systems (NIS) underpinning the functioning of our societies and economies. It looks at security measures not from the viewpoint of the (processing of) data, but from the viewpoint of the relevant networks and information systems. Hence, the party addressed is the provider of the service, not the data controller.

  • IP protection

    The software that companies use might be subject to copyright protection under the Computer Programs Directive or subject to an open license with restrictions. Likewise, the data they use might be subject to copyright protection pursuant to the Copyright Directive, even if it is User Generated Content. The data might be susceptible to protection under other forms such as trade secrets in some cases, as set forth by the Directive on the Protection of Trade Secrets.

DATA USERS

Data users exploit their own data or third-party data for decision making, service provision or product generation. Therefore, they need to comply mainly with the same regulations as data holders (such as data protection and IP law); in the case of international activities, however, international data transfers and data localisation might also play a key role.

  • Agreements and terms between data holders and users

    Every detail beyond the general terms needs to be agreed between the data holder and user. Private data publishers who want to profit from their data will usually enter into agreements where data will be transferred to the reuser for monetary value. By contrast, public-sector institutions as well as certain private entities will share data under an open license. Typically, the Creative Commons license and the UK governmental open license will be used as templates for such open data initiatives.

  • Personal data protection law

    The GDPR regulates how personal data can be processed. It is obligatory to have a legal basis for data processing and to observe principles of fair and accountable data processing. The strictness of the regulation depends on the personal data processed.

  • IP law

    The software that companies use might be subject to copyright protection under the Computer Programs Directive or subject to an open license with restrictions. Likewise, the data they use might be subject to copyright protection pursuant to the Copyright Directive, even if it is User Generated Content. The data might be susceptible to protection under other forms such as trade secrets in some cases, as set forth by the Directive on the Protection of Trade Secrets.

  • International data transfers

    The General Data Protection Regulation (GDPR) allows international data transfers to a limited degree and regulates them especially strictly outside the European Economic Area. The Privacy Shield allows online data to be transferred across the Atlantic and provides extra privacy protection for EU citizens.

  • PSI directive

    The PSI directive is relevant only if PSI information is reused. Businesses need to check under which conditions the public data is accessible and whether it is reusable. Data reusers also need to be aware of the measures the directive grants them if their request is unduly rejected. Since 2013 the directive covers not only ministries and governmental services but also libraries and cultural institutions.

  • Data localization

    Data localisation rules are provisions in laws that limit data processing to the territory of one state and restrict data flows between countries. In the post-Snowden era these requirements are becoming more common as a means for states to safeguard the privacy and security of certain data. Data localization laws are especially troublesome in Russia, and, worryingly, similar rules have also been proposed in some of the EU member states.

  • Digital assets after bankruptcy

    Under the GDPR, companies cannot decide deliberately and independently of data subjects to whom data should be transferred if bankruptcy occurs. However, by using terms of service and complex language, companies are able to get their consent.

  • Cyber security/NIS directive

    The NIS Directive, adopted in May 2016, aims to improve the security of the Internet and the private networks and information systems (NIS) underpinning the functioning of our societies and economies. It looks at security measures from the viewpoint of the relevant networks and information systems. Hence, the party addressed is the provider of the service, not the data controller. This is why those upcoming rules can be particularly important for data users.

  • Privacy and anti-discrimination

    When anonymized data is used, data protection law no longer applies. This happens, for example, when large databases of anonymized data are mined in order to find new, interesting patterns. The results of such analytics might nevertheless influence individuals and can generate some discriminatory effects. In the absence of data protection rules, data users should pay attention to other relevant fundamental provisions such as the prohibition of discrimination and the protection of private life.

DATA HOLDERS

  • Personal data protection law

    The GDPR regulates how personal data can be processed. It is obligatory to have a legal basis for data processing and to observe principles of fair and accountable data processing. Different rules are valid for different data subjects and the strictness of the regulation depends on the personal data processed.

  • Data transfers

    The General Data Protection Regulation (GDPR) allows international data transfers to a limited degree and regulates them especially strictly outside the European Economic Area. The Privacy Shield allows online data to be transferred across the Atlantic and provides extra privacy protection for EU citizens.

  • IP law

    Data holders, so long as there is no analysis involved, are less susceptible under IP law. Nevertheless, the software used to make the data manageable on their storage system might be subject to copyright protection under the Computer Programs Directive or subject to an open license with restrictions.

  • PSI directive

    The PSI directive is relevant only if the data holder is a governmental organization collecting or generating PSI. These organisations need to comply with the PSI directive, make as much of their data open as possible and thereby encourage reuse. Public authorities need to be aware of the limitations of data sharing and reuse (e.g. IPR or data protection rights), need to respond in time to reuse requests and must not inflict excessive charges. Since 2013 the directive covers not only ministries and governmental services but also libraries and cultural institutions.

  • Cyber security/NIS directive

    The NIS Directive, adopted in May 2016, aims to improve the security of the Internet and the private networks and information systems (NIS) underpinning the functioning of our societies and economies. It looks at security measures not from the viewpoint of the (processing of) data, but from the viewpoint of the relevant networks and information systems. Hence, the party addressed is the provider of the service, not the data controller. This is why those upcoming rules can be particularly important for data holders.

  • Competition law

    Competition law aims at safeguarding competition by limiting actions of companies that are dominant on a relevant market. Some companies on the data market are clearly dominant, e.g. Facebook and Google, which is the reason that authorities intervene to restrict their dominance and safeguard a level playing field for all the actors in the data economy. By safeguarding competition, the law adds to consumers’ welfare.

DID YOU KNOW?

  • The absence of legal provisions as for the ownership of data does not automatically entail a downside effect on data reuse

    The lack of mandatory provisions in terms of who owns the data might be seen as convenient for companies since their freedom of contract is not inhibited.

    The Commission has suggested the implementation of an industry data protection right that states that the entity or individual that has generated/produced the data should own it.

    Currently, national laws from the European countries seem to apply provisions related to contract law, trade secret and competition law in order to grant protection in this regard. Among them, the Directive on Trade Secrets appears to be one of the most suitable solutions to address legal issues regarding ownership of data.

  • There is a growing realization that consumer protection is vital to foster data flow in the digital economy

    Consumer protection law and competition law are valuable means to regulate and assist a consumer-friendly data economy.

    The most important precondition for strengthening the digital economy is consumers’ trust in digital service providers and products. Antitrust measures are a suitable way to protect both the data economy and the consumer.

    The above two laws and the future Directive on digital content, which is to be implemented shortly, shape the legal framework entrusted to ensure the consumer’s safety.

  • Cyber security and data localisation laws are impacting data reuse in an ambivalent way

    It is clear that cyber security is gaining importance and it is turning from being a threat to an enabler for the data value chain in order to guarantee a safe business, to build up trust among stakeholders and thereby facilitate the rapid rise in data exchange.

    At the same time, cyber security might be used as the perfect alibi to implement certain actions which ultimately turn out to be data localization components, like the Chinese government’s corresponding law, which requires storing certain personal and business information within the Chinese borders and subordinates its international transfer to government permission.

  • The new Copyright Directive proposal may be geared toward modernizing copyright rules for the digital age but might hamper data reuse when it comes to user generated content

    The number of businesses that are based on user-generated content has been growing in the past years (e.g. YouTube or Facebook). The implementation of a surveillance and take down system by the information society service providers along with rightholders may obstruct the existence of such generated content and might consequently affect data reuse.

    It is thus essential to find the right balance between the protection of IP rights and related regulations on the one hand and the generation of new content by users on the other, avoiding protective measures which could result in censoring policies.

  • There still exists a great imbalance between the contracting parties as for the negotiation of Standard terms and conditions

    Contractual provisions between data holders and users as agreed in Terms of Service or another contract are considered the ones that influence relationships most directly. By nature, Terms and Conditions are not usually subject to modification by the non-dominant party and consequently the latter has no choice but to reject or to accept the agreement in its entirety.

    The work of consumer associations, where applicable, sometimes helps to outweigh this inequity.



CONTACT

Project coordinator

Mr Daniel Bachlechner

Fraunhofer ISI

E-mail: daniel.bachlechner@isi.fraunhofer.de

 

Communication leader and liaison manager

Ms Klara Süveges-Heilingbrunner

ICT Association of Hungary

E-mail: hklara@ivsz.hu