EU data package highlights connections between the digital single market, privacy, and antitrust

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including the “European Data Economy,” e-privacy and data protection. These documents represent the last package of proposals covered by the Commission’s digital single market (“DSM”) initiative announced in May 2015, and they illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.

The European data economy documents include a Communication on Building a European Data Economy (the “Data Economy Communication”), accompanied by two consultations, one consultation on the European data economy (the “Data Economy Consultation”) and another on the EU directive on liability for defective products (the “Defective Product Consultation”). The e-privacy and data protection documents include a proposal for a new regulation on privacy and electronic communications (the “E-Privacy Regulation”) and a communication on exchanging and protecting personal data in a globalized world (the “Data Transfer Communication”).

The Commission’s proposals are wide-ranging and ambitious, including (for example) a potential new EU legal framework to promote access to data, which could include a requirement for companies to provide access to data generated on their own products and services through the Internet of Things (“IoT”); default contract rules that would invalidate data access and usage provisions in other contracts that are deemed unfair, including in a B2B context; and a mandatory portability right for non-personal data based on the EU portability right for personal data.

These initiatives are of critical importance for all companies doing business in the EU, not only technology companies. The Commission’s consultations are open until April 26, 2017. The Commission sets out a number of specific actions it plans to take in 2017 and 2018, following the consultations. In addition, the Commission plans to conduct bilateral discussions with individual stakeholders.

For more information on the Commission’s DSM strategy and e-commerce sector inquiry, see our summary of the initial announcement and updates from November 2015, December 2015, and August 2016.

The data economy communication looks at four main areas: obstacles to the free movement of data; data access and transfer; liability; and portability, interoperability, and standards.

Obstacles to free movement of data

In relation to obstacles to free movement, the communication focuses on data localisation requirements increasingly being considered and adopted at the national level. While the EU General Data Protection Regulation (the “GDPR”) bans restrictions on the free movement of personal data in the EU for the protection of personal data, the GDPR does not apply to restrictions for other reasons, and it does not apply to non-personal data, for instance non-personal machine-generated data.

The Commission was expected to propose a legislative measure banning national data localisation requirements, but it refrained from doing so for fear that the Commission would not be able to persuade the Council of the need for such a ban and a desire to explore the potential for existing EU law measures to address these issues.

Data localisation requirements arise from legal rules or administrative guidelines or practices that require the storage or processing of data in a particular jurisdiction and may be imposed for a variety of alleged reasons, including ease of access for supervisory authorities, auditors and law enforcement, as well as data security. In practice, however, the Commission believes that these measures rarely contribute to the objectives they are intended to achieve and notes that these restrictions can impair competition by limiting access to cheaper or more innovative data services, force businesses operating cross-border to arrange excess data storage and processing capabilities, and inhibit start-ups and SMEs from scaling-up their activities, entering new markets or centralising data and analytics capacities. Data localisation also hampers the wider adoption of cloud storage and computing, with potentially wider societal effects, including environmental effects. Nevertheless, data localisation requirements may be justified and proportionate in particular contexts or in relation to certain data, especially before effective cross-border cooperation arrangements are put in place, such as ensuring the secure treatment of data pertaining to critical energy infrastructure, or the availability of electronic evidence (e.g., localised copies of datasets) for law enforcement authorities, or local storage of data held in public registers.

In the Data Economy Consultation, the Commission seeks input on the extent, nature and impact of data localisation restrictions within the EU, what could constitute justified grounds for such restrictions, and to what extent businesses store or process data in multiple geographical locations within the EU. The Commission also seeks respondents' views on the perceived impact that the removal of data localisation restrictions within the EU would have on their businesses.

The Commission notes that any current or new Member State data location restrictions need to be carefully justified under the principle of free movement of data within the EU to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security. The Commission plans to discuss the justifications for and proportionality of data location measures with Member States and other stakeholders, and, where needed, to launch infringement proceedings challenging unjustified or disproportionate data location measures. Depending on the results of the Data Economy Consultation, the Commission may reconsider proposing a legislative ban on data localization requirements.

Data access and transfer

The Commission notes the increasing importance of data generated by machines or processes based on emerging technologies, such as the IoT, as a key component for new services, to improve products or production process and to support decision-making. The Commission believes that access to the raw data generated by these machines or processes is central to the emergence of a data economy, mentioning the transport, energy, smart living, and healthcare sectors in particular. The Commission notes that enterprises in the data economy deal with both personal and non-personal data, and that data flows and datasets often contain both types. Any policy measure must take account of the legal framework on the protection of personal data.

The Commission notes that companies holding large quantities of data tend to use mostly in-house data analytics capabilities and keep the data generated by their machines or through their products and services for themselves, so these data may not be available for reuse in downstream markets. Many companies do not benefit from or use application programming interfaces (“APIs”) specifying how different applications should interact with each other, which could serve as entry ports for new uses of such data. As a result, in the Commission’s view, data exchanges are currently limited, although data marketplaces are slowly emerging. In the Data Economy Consultation, the Commission seeks input among other things on whether businesses holding data or data sets license them to others, and if so on what terms.

The Data Economy Communication avoids the question of ownership of data but touches on the application of intellectual property protection to data, noting that there is currently no comprehensive policy framework at the EU or national level for the protection and use of raw machine-generated non-personal data. Raw machine-generated data are not protected by existing intellectual property rights, although the Database Directive (96/9/EC) gives makers of databases the right to prevent extraction and/or reutilisation of the whole or of a substantial part of the contents of a database whose creation involved substantial investment in obtaining, verifying or presenting its contents. For data to qualify as a "trade secret" under the Trade Secrets Protection Directive (2016/943/EU), measures have to be taken to protect the secrecy of information, which represents the “intellectual capital of the company.” In the Data Economy Consultation, the Commission seeks input on contracts in which data have been described as trade secrets. It is not clear whether the Commission is contemplating further action as regards the protection of data as trade secrets, but it plans to launch a separate review of the Database Directive in 2017.

Absent a clear legal framework governing the use of machine-generated data, the Commission notes that the protection of such raw data is largely left to contractual solutions and competition law enforcement. Where the negotiation power of the different market participants is unequal, however, the Commission argues that market-based solutions alone might not be sufficient to ensure fair and innovation-friendly results, facilitate easy access for new market entrants and avoid lock-in situations. The Commission notes that Member States are considering regulations to ensure access to machine-generated data and notes that national measures risk creating fragmentation and impeding development of the EU data economy and the cross-border data services and technologies. In the Data Economy Consultation, the Commission seeks input on businesses’ trading practices in relation to non-personal data, perceived barriers to trading and re-use of such data and ways to enhance access to and re-use of data and data trading. More specifically, the Commission seeks input on whether and to what extent businesses have access to the data they need to develop or conduct their tasks and to assess the role of existing legislation on unfair contract terms and commercial practices.

The Commission also asks whether businesses consider possible denials of access to data to amount to abuses of dominant positions for antitrust purposes and whether current competition law enforcement mechanisms adequately address potentially anti-competitive behaviour of companies holding or using data. The Commission seeks input on the importance respondents’ attach to different policy objectives (e.g., promoting trading and sharing of machine generated data, versus protecting investments into data collection capabilities and confidential information) and what types of access to data respondents would agree to give public sector bodies, researchers, and commercial operators. More generally, the Commission asks whether there is a need to revise or introduce legislation to support the European data economy.

Using the results of the Data Economy Consultation, the Commission intends to explore a possible future EU framework for data access, revolving around the most effective ways to improve access to anonymous machine-generated data and facilitate and incentivise data sharing. More specifically, the Commission is considering a range of options, including:

• Issuing guidelines on how non-personal data control rights should be addressed in contracts to incentivise businesses to share data;

• Fostering the development of technical solutions such as APIs, making data available in machine-readable formats and the provision of associated meta-data, for example through best practice guidance;

• Developing mandatory default contract rules and recommended standard contract terms, which could result in unfair contractual clauses being invalidated and lower barriers for small businesses;

• Mandating data access without remuneration for public interest and scientific purposes, such as access for statistical offices or traffic management systems;

• Granting owners or lessees of devices generating data a right to use and authorise the use of non-personal data generated by the device; and

• Creating a new legal framework, which may vary by sector, requiring data holders, such as manufacturers and service providers, to provide access to their data based on fair, reasonable and non-discriminatory (FRAND) terms.

Liability

The Data Economy Communication discusses liability issues that can arise in relation to products and services based on technologies such as the IoT, factories of the future and autonomous connected systems. It may be difficult to establish the exact source of a problem that leads to damages, raising the issues of how to ensure that these systems are safe, minimise damage and assign liability.

At EU level, the Products Liability Directive (85/374/CEE) establishes the principle of strict liability where a defective product causes damage to a consumer, but application of this directive in the context of IoT and autonomous connected systems (e.g., robotics) may be unclear. The Commission plans to explore various approaches to enhance legal certainty with regard to liability, including creation of a framework allocating liability to market players who generate major risks for others or to those best placed to minimise or avoid the realisation of the risk, and the establishment of voluntary or mandatory insurance schemes.

In the Data Economy Consultation, the Commission seeks input from producers and users of IoT technologies and autonomous systems on their level of awareness, experiences and issues related to liability for related products and services. The Defective Product Consultation further seeks input on these ideas and seeks to assess whether the Products Liability Directive is appropriate for emerging technologies such as IoT and autonomous connected systems.

Portability, interoperability and standards

The Data Economy Communication also addresses the issues of the portability of non-personal data, the interoperability of services to allow data exchange, and appropriate technical standards for implementing meaningful portability. While the GDPR gives individuals a portability right for personal data, there are no such requirements for non-personal data. The Commission notes that data portability is generally associated with low switching costs, and hence with low entry barriers, but implementing data portability can be technically demanding and costly and needs to take account of broader data governance considerations involving transparency for users, managed access and interoperability to link different platforms.

Data portability considerations are closely related to data interoperability. In the case of online platforms, data interoperability facilitates not only switching, but also the concurrent use of several platforms (so-called "multi-homing") as well as widespread cross-platform data exchange, which has the potential to enhance innovation. According to the Commission, effective portability policies must be supported by appropriate technical standards to ensure interoperability.

In the Data Economy Consultation, the Commission seeks to identify business situations where portability of non-personal data could unlock opportunities and/or eliminate blockages in the data economy and requests views on the possible effects of introducing portability rights for non-personal data regarding cloud services, data generated by machines, tools and/or devices and/or data generated by online platforms.

Taking account of the responses to the Data Economy Consultation, the Commission is considering developing recommended contract terms to facilitate switching of service providers; developing further rights to data portability of non-personal data, building on the data portability right provided by the GDPR and the proposed rules on contract for the supply of digital content; and sector-specific experiments on standards to develop portability rules encoded through standards.

E-Privacy Regulation

The proposed new E-Privacy Regulation is intended to ensure stronger privacy in electronic communications by updating current rules set out in the e-Privacy Directive (2002/58/EC), extending the rules to providers of services that run over the internet (referred to as “over-the-top” or “OTT” service providers), by introducing a broad definition of “electronic communication services.” As a result, the privacy rules in the E-Privacy Regulation will also apply to providers such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.

The Commission hopes that the E-Privacy Regulation will be adopted by May 2018, in time for the GDPR’s entry into force. A number of provisions in the E-Privacy Regulation demonstrate the intended alignment with the GDPR, including the territorial scope provision. The penalty provisions in the E-Privacy Regulation also align with the GDPR, including exposing organisations to fines up to 4% of worldwide annual turnover for certain breaches.

The E-Privacy Regulation would protect privacy for both content and metadata derived from electronic communications (e.g., time of a call and location). Both will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes. Once consent is given, traditional telecoms operators will have more opportunities to use data and provide additional services, such as heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.

The so-called “cookie provision” under the e-Privacy Directive, which has resulted in an overload of consent requests for internet users, would be streamlined to give users more control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (e.g., to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will also no longer require consent.

The E-Privacy Regulation would ban unsolicited electronic communications to consumers by any means, including emails, SMS and phone calls, without users’ consent. However, marketers may continue to use electronic contact details they receive in the context of a sale of a product or service for direct marketing of similar products and services if customers are given an opportunity to opt-out of such use. Moreover, Member States may elect to give consumers the right to object to voice-to-voice marketing calls on an opt-out basis, for example by registering their number on a do-not-call list. In any case, marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.

The E-Privacy Regulation would require software placed on the market permitting electronic communications to offer end users an option to prevent third parties from storing or processing information on terminal equipment. The E-Privacy Regulation further provides that, upon installation, the software must inform end-users about the privacy setting options and, to continue with the installation, require the end-user to consent to a particular setting. These provisions have been watered down compared to a draft of the regulation leaked in December 2016 that would have required all terminal equipment and software used to retrieve and present information on the internet to be configured with default options preventing third parties from storing information on, or using information about, a user’s device.

Data transfer communication

The data transfer communication sets out the Commission’s approach to international personal data transfers in light of the GDPR and the adoption of the EU-U.S. Privacy Shield, which replaced the Commission’s “safe harbour” decision invalidated by the European Court of Justice in the 2015. The Commission will engage proactively in discussions with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, but also with interested countries of Latin America and the European Neighbourhood to enable the Commission to reach "adequacy decisions" to allow for the free flow of personal data to countries with "essentially equivalent" data protection rules to those in the EU. In addition, the Commission will make use of alternative mechanisms provided by the GDPR to facilitate the exchange of personal data with other third countries with which adequacy decisions cannot be reached.

In its European data strategy package, the Commission raises a plethora of interrelated issues cutting across multiple areas of law and policy, including ICT regulation, antitrust, intellectual property, consumer protection and data protection. If implemented, some of the Commission’s proposals -- such as requiring companies collecting data on their own products and services to make those data available for free or on FRAND terms and to use standard APIs and take other steps to ensure interoperability and portability -- would be revolutionary and impact virtually all large companies doing business in the EU.

As the Data Economy Communication itself notes, EU and other antitrust laws already provide a path for companies to ask antitrust authorities to order competitors to provide access to “essential facilities” or inputs. Recognizing that companies are free to decide how best to use their own assets and with whom to do business, however, the European Courts and the Commission have developed strict conditions that must be fulfilled before such access will be required, and the Commission has done so only in rare cases after detailed investigations. For the Commission to propose an across-the-board access obligation on all companies, dominant or not, with no regard to well-established case law, is extraordinary.

By contrast, the Commission’s failure to propose a legislative ban on Member State data localisation requirements will disappoint many multinationals who expected such a ban as part of the Commission’s free movement of data initiative. The Commission may yet propose such a ban depending on the outcome of the Data Economy Consultation.

On the data protection front, the E-Privacy Regulation would expand current requirements to more service providers, impose new requirements relating to privacy setting options in software and bring in more onerous requirements around how consent is obtained. It would also significantly increase the penalties for breach. On the other hand, the E-Privacy Regulation is somewhat more business-friendly compared to a draft of the regulation leaked in December 2016 as regards “privacy by design” and extending marketing restrictions to corporate users.

Given the importance of the Commission’s data package and the controversial nature of some of the Commission’s proposals, it will be very important for industry, not just the ICT sector, to make their views known through the Commission’s consultations and anticipated stakeholder dialogues. Although the E-Privacy Regulation is not covered by the Commission’s consultations, there will no doubt be extensive opportunities for interested parties to communicate their views on this proposal to the European Parliament and Council.