The EU has moved up a gear lately and it is producing new legal tools for businesses to maximize the possibilities to collect and use data (including personal data) as part of its European strategy for the data. This approach is implemented, among other aspects, by introducing intellectual property exceptions (for example, database rights), enhancing the possibility of reusing government data and exploring the possibility for consumers to provide personal data in exchange for certain digital services.

This is a tremendous opportunity for businesses across many industries: the use of consumer data for profiling and product improvement, the use of health data for research, and the use of consumer data. Vehicle data for product optimization are three examples.

However, these opportunities also come with significant legal challenges for companies wishing to maximize the use of data, including complying with data protection regulations, how to protect data from an intellectual property perspective, and how to protect data from an intellectual property perspective. means of transferring and authorizing them.

The European data strategy

The exploration of new and alternative possibilities for the use and processing of data (including personal data) presents many obstacles. In particular, the use, re-use and processing of massive data sets for commercial purposes is a practice which has been subject to careful scrutiny by competent authorities, in particular where the data is held by public bodies, contain personal data or are protected. by intellectual property / trade secret laws.

The institutions and bodies of the European Union (EU) are aware that data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general. In order to maximize the possibilities of using data, while protecting the rights of EU citizens, the European Commission has developed the European Data Strategy, which aims to create a single data market that will ensure global competitiveness and Europe’s data sovereignty.

New tools available to maximize data use

Increase the use of consumer data

Preliminary disclaimer: Directive 2019/770 expressly states that its content should be interpreted without prejudice to data protection laws (i.e. Data Protection Regulation (GDPR) and laws national laws “implementing” the GDPR). In the same sense, it also indicates that the content of the directive does not modify or affect any principle or provision of data protection, including the GDPR. Indeed, in the event of a conflict between Directive 2019/770 and the GDPR, the latter will prevail.

Notwithstanding the above, Directive 2019/770 has highlighted the possibility for consumers to provide personal data in exchange for services, under certain conditions. Thus, a business may receive personal data provided by consumers who wish to access digital content or services (even if this is subject to strict requirements and privacy regulators are quite reluctant). Despite the “negative opinion” of privacy regulators, the ability to provide data in exchange for digital content or services has been incorporated into Spanish consumer laws in a business-friendly manner, which which is very promising and leaves room for future developments and business opportunities in this area.

And how does it work under GDPR? The main compliance consideration that comes to mind is the use of an appropriate legal basis for processing. In this regard, it may be possible to rely on consent or legitimate interest. When applying any of these legal bases, companies must make a case-by-case assessment. As a positive note, the Spanish transposition of Directive 2019/770 expressly provides that the trader / controller is authorized to terminate the contract in the event that the data subject objects to the processing or withdraws their consent, respectively. We have explored this subject in depth in this article.

Data Mining: Getting Big Data from the Internet

Another example that has recently become applicable in the laws of EU member states is the possibility of using data mining techniques in the context of the Internet (for example, via web scraping techniques) in order to collect and process massive amounts of third-party information from an intellectual property perspective (we also discussed this here).

Information usually available on the Internet is very often subject to the protection of intellectual property laws. The Copyright Directive establishes a new exception to currently existing intellectual property laws so that any actor can use text and data mining techniques.

The new exception would apply to the following intellectual property rights:

Please note that this exception only covers certain intellectual property rights and not other rights such as data protection, trade secrets, etc. In addition, the rights holder has the option to prohibit the use of data mining (for example, it may reserve its rights through the use of machine-readable means, including metadata and terms and conditions of a website or service).

The ability to reuse data: Open Data Directive and Data Governance Act

The Open Data Directive establishes the possibility of reusing documents (broadly defined) held by public administrations with their metadata for commercial and non-commercial purposes, where possible and appropriate, by electronic means, in open formats , machine readable, accessible, findable and reusable. Regarding certain categories of documents, it contains rules that are even more favorable to companies:

• Research data (that is to say, collected or produced during scientific research activities or used as evidence in the research process, etc.) should be ‘open by default’ and compatible with the FAIR principles (i.e. findable, accessible data , interoperable and reusable).
• High-value datasets (documents whose reuse is associated with significant social, environmental and economic benefits) should be generally available free of charge, machine-readable, delivered through APIs, and delivered as a download en masse, where relevant.

However, the Open Data Directive does not cover many categories of data, such as personal data, data protected by IP provisions, trade secrets, etc. This is where the new Data Governance Law, which is still in the legislative process (we have prepared a short article on this here), plays a very relevant role, as it aims to provide new legal tools. to enable the sharing of this data.

The key elements of the law on data governance are:

• Each public administration will have to make public the conditions allowing the reuse of data, which must be non-discriminatory, proportionate and objectively justified.
• Data sharing service providers, which will act as intermediaries between public administrations and businesses to facilitate reuse.
• Conditions for re-use of data may include the need to anonymize / pseudonymize information before sharing or accessing information only in technical environments provided and controlled by public administration, etc.
• The public sector body should be able to verify the results of the data processing undertaken by the re-user.
• If, under the GDPR, there is no other legal basis for allowing the sharing of personal data other than the consent of the data subjects, the public administration should help the reusers to seek the consent of the data subjects and / or authorization of legal entities whose rights and interests may be affected by such reuse.
• The Data Governance Act also provides for certain limitations and special provisions in relation to international data transfers.

Legal challenges

The possibilities mentioned above can be interesting in almost any industry: using consumer data for profiling and product improvement, using health data for research purposes, using vehicle data for optimization of products, real estate management data used for energy and product life cycle management purposes….

These possibilities also bring new challenges to explore:

• How to legally collect the data and the categorization of said data (personal data?).
• How to process the data and maximize the purposes of the processing (e.g. restrictions on the use of data for AI systems, in accordance with the EU proposal for an AI Regulation).
• How to determine the ownership of data and the limits of its use, involving aspects related to intellectual property rights.
• How to protect the asset (raw or processed) under trade secrets and intellectual property laws.
• How to license know-how / business models / algorithms to third parties and the appropriate means to do so.
• How to securely transfer intra-group data or to third countries.

Next steps

• Businesses need to identify the data they want to use and select the appropriate legal tool to obtain that data;
• Businesses need to assess what they can and cannot do with the data and applicable regulatory requirements (for example, privacy impact assessments, obtaining relevant licenses, etc.).
• Companies need to assess how to legally and technically protect data (for example, security measures, confidentiality clauses, intellectual property protection, etc.).