Intersection between the Right to Data Portability under the GDPR and the Sui Generis Database Right
Do the two rights interfere with the free flow data generated from connected devices?
The Digital Single Market
The growth of internet has brought about vast knowledge in the form of ‘data’ to the 21st century. As a part of its Digital Single Market Strategy, the European Commission is committed to developing a European data economy and therefore the regulation and allocation of data is becoming increasingly important. Both the General Data Protection Regulation (‘GDPR’) and the Database Directive 96/9 (‘DbD’) confer rights for certain persons who have interest in relation to the data encoded in connected devices. In relation to the GDPR the right is given to individuals whose personal data is processed and in regards to the DbD the right to exclude others from extracting part(s) of his or her investment made in his/her database. It has come to show that the two rights may not be adequate for the EU data driven economy. The reason for the foregoing is that the two rights overlap or intersect where one can be used to bar the other, which may result in a segmented ‘data’ landscape for the purposes of data aggregation which is key for technological developments, artificial intelligence, machine learning and other data driven business models. The thesis focuses on describing to what extent the intersection, if any, may lead to a hampered data driven economy and provides recommendations on possible amendments that can be made to mitigate the extent of ‘clash’.
The growth of internet has brought about vast knowledge in the form of information or ‘data’ to the 21st century.[1] As a part of its Digital Single Market Strategy, the European Commission has become committed to developing a European data economy describing data as a ‘key’ source of innovation and growth and therefore effective data regulating regimes should be a priority.[2]
The General Data Protection Regulation (hereafter ‘GDPR’)[3] came into effect in on the 25th May 2018 and forms a regulatory innovation within EU law and was enforced by the Commission in efforts to create security and confidence for individuals whose personal data is collected by businesses[4] within the EU digital single market. The Right to data portability (hereafter ‘RtDP’) introduced by Article 20 of the GDPR is a novel right and allows for individuals to gain control of their personal data and enjoy increased choice of service providers by being able to transfer their personal data from one service provider to another without any hindrance. The scope of the GDPR is limited to the processing of personal data, hence “only information relating to a natural person who is identified or identifiable can be subject to a data portability request. Truly anonymous data is excluded.”[5] RtDP facilitates control for the purposes of reuse and may be collected in connected devices for technological developments.
Similarly, within EU law there is a sui generis right in databases encapsulated within the database directive 96/9[6] (hereafter ‘DbD’) which protects investment made into the creation of databases coined collectively as the SGDR (hereafter ‘SGDR’) and is an Intellectual Property Right (hereafter ‘IPR’) The DbD provides for protection of databases which may contain personal data of these individuals. The DbD goes beyond the level of protection provided by international law with the objective of harmonising the protection of the investment made in databases in all EU member states.
The DbD does not have direct applicability yet it may have direct effect. On the other hand, the GDPR is a binding legislative act which must be applied in its entirety across the EU and has direct effect and is directly applicable in all EU member states. For the foregoing reasons, legislative judgements, decisions and the scope of interpretation remain somewhat disseminated in relation to the DbD among individual member states; however this is not the case in relation to the GDPR due to its legal instrumental capacity. What the two regimes regulate is ‘data’, albeit of different capacities and forms. Data, coined the new prized economic assets of the 21st century,[7] is that which new business models compete for in order to survive in digital market. This is the reason why de facto dominant market players such as Google, Amazon and Facebook have been able to rise to such superiority by way of using their users/customers data with algorithms and deploying it to leverage their own market performance and outperform others.[8]
Connected devices including the Internet of Things (hereafter ‘IoT’) generate big data and are profoundly data dependant. In fact, IoT thrive on access to big datasets as indispensable inputs for training algorithms for Machine Learning (hereafter ‘ML’).[9] The interaction between connected devices and intellectual property plays a vital role as the latter affects the generation, analysis and use of data derived from connected devices.[10]
Without the ability to monetise revenue from the data there would be no incentive to collect them. Justifications for the wide sharing of data may diminish its economic value which is what the RtDP may bring about as controllers are obliged to transfer personal data to another service provider, leading to horizontal competition i.e. within the same industry. As with any IPR, when these are not protected then they can easily be copied by anyone, therefore require protection and remuneration ought to be given for the producers of inventors of such efforts.[11]
Aim and research question
The purpose of this thesis is to describe and analyse the interfaces and supposed conflicting nature between the RtDP and the SGDR, using the example of data which is collected, generated and transferred by connected devices. Towards the end of the thesis recommendations backed by scholarly opinions will be discussed and analysed in order to demonstrate how the hypothetical tensions, if any, between the two regimes may potentially be mitigated.
To fulfil the research purpose, the following questions will be answered:
1. Describe the extent to which the RtDP interact with the SGDR of the database rights holder?
2. To what extent can one prescribe the relevant law to the case of connected devices in a big data setting?
3. Are there any justifications for the amendment to the RtDP or the SGDR in the absence of exclusive rights or do the two legal frameworks result in a segmented data landscape where data aggregation is hard to achieve?
1.3 Scope and constraints
There is interplay within the two data access regimes which may either allow for access of personal data or it may limit it as a result of measures that give exclusive control to de facto data holders and by market forces that drive access, transfer, trade and pricing of data. Consequently, it is vital to define the legal effect of the data access regimes. Constraint would be that as a result of the topic of, connected devices and also data protection within the GDPR since its inception in 2018 is fairly new there is not a lot precedent that may be referred to. Furthermore, there are only number precedents in relation to the DbD which are referred to within the thesis, as well. The commission has recently announced their incentive to create a digital single within the EU.[12]
Materials and method
To fulfil the purpose of this thesis and to answer the research questions, a legal scientific (dogmatic) method will be applied. Consequently, the methodology will be to (i) describe the concerned rights within the frameworks regulating the RtDP and SGDR, respectively (ii) prescribe how these rights interact with each other and (iii) justify why a supposed change is or is not required so as to mitigate the tension between the two rights within the European data economy. As a part of deploying a legal scientific method, this thesis focuses primary legislation such as the Treaties (TFEU) secondary legislation (regulations, directives and decisions) derived from rom the principles and objectives set out in the treaties. EU based legislative actions, in the form of white papers and working party papers and more and legal literature in the form of journals are used to explain concepts within the regimes used. In addition, supplementary sources such as empirical studies, impact assessments, and private initiatives along with public consultations by different private and public entities are referred to.
Summary and Conclusions
To answer the research question at hand, this thesis applies a legal scientific (dogmatic). Consequently, an attempt is made to describe the concerned rights within the frameworks regulating the RtDP and SGDR, prescribe how these rights interact with each other and finally justify why a supposed change is or is not required so as to mitigate the tension between the two rights within the European data economy. To do so in the following questions are sought to have been answered. (i)The extent to which the RtDP interacts with the SGDR of the database rights holder. (ii) The extent to which one prescribe the relevant law to the case of connected devices in a big data setting. (iii) Justifications for the amendment to the RtDP or the SGDR in the absence of exclusive rights and whether the two legal frameworks result in a segmented data landscape where data aggregation is hard to achieve.
The sine qua non of the EU Data Economy is determined to be ‘data’ which constitutes the very foundation for overflow of information in the digital economy. The interaction between connected devices and intellectual property plays a vital role as the latter affects the generation, analysis and use of data derived from connected devices. Without the ability to monetise revenue from the data there is no incentive to collect them. Justifications for the wide sharing of data may diminish its economic value. The conclusions that are drawn are that connected devices including the Internet of Things generate big data and are profoundly data dependant. Access to big datasets is an indispensable for the purposes of inputs for training algorithms for ML. Smart connected devices do not autonomously produce “raw data” about personal behaviour patterns of any said individual. These data are analysed by machines since ML and AI make use of statistical techniques and their closest and best estimates are dependent on the large size of the datasets generated by connected devices. In connected devices several variables may be present in the large datasets and therefore it is crucial that robust predictions are generated to diminish the existence of any errors. The larger the dataset the closer the prediction will be leading to better accuracy for user experiences and the functioning of devices.
Other aspects of the law, besides GDPR and SGDR considerations which touch upon ‘data’ are competition law related to anti-competitive behaviour by big data firms. Articles 101 and 102 of the Treaty of the Functioning of the European Union regulate anti-competitive practices within the EU. In order to minimise abuse of dominance which leads to anti-competitive behaviour the Court of CJEU has ruled that data holders could be obliged to allow data access under the requirements set out by the law. The example of care navigation systems was given stating that car navigation data needs to be aggregated by a navigation service provider (controller) in order to identify traffic jams and send this information back to drivers. There are considerable economies of scope in the aggregation compared to the marginal value of each individual car navigation dataset since benefits of using a combined dataset is higher than using each dataset separately. These datasets need not be completely separable; instead they should complement each other. Similarly, economies of scale prompt investments made in high quality datasets transmitted by connected devices for the purposes of training ML algorithms. This is expensive to achieve yet once trained the marginal cost of additional use of the algorithms have shown to be low. The justification for using these financial analytical techniques was to demonstrate the monetary value that data and the free flow of generates. A well-known fact is that smart cities, connected devices, AI and the digital economy as a whole thrive on data and the access to it. Limiting the free-flow of data may lead to a downward spiral for the purposes of the advancements in technology underpinned by the aforementioned techniques. With the advancements of ML and AI which crave enormous amounts of data The question posed is whether the current data access regimes allow for the innovation in the AI- driven technological world.
The RtDP stipulates that data must be provided in “structured, commonly used and machine-readable format” which allows for scalability. Secondly, data subjects have a right to “transmit those data to another controller without hindrance” which allows for aggregation and reuse. The data controller is obliged to provide the personal data for no monetary remuneration which lowers the barriers to entry and mandates a low threshold for access to the data. Hence, the foregoing economic justifications are linked to the requirement which discusses the requirements for the RtDP under the GDPR.
It is established the RtDP exists to “further strengthen [data subjects’] control” (recital 68) over their personal data in an attempt to uphold the individual right to privacy EU Charter of Fundamental Rights as per article 8(1). The RtDP was introduced and the conditions for individuals to have their data ported between service providers. The scope of the RtDP i.e: (i) a right to receive and transfer personal data (indirect portability), and (ii) a right to have it transmitted directly from one controller to another (direct portability), “without hindrance” is a qualified right contingent upon certain conditions for protection. Firstly, in order for a RtDP request to be successful the lawful processing ground must be fulfilled. Five main processing grounds exists which are (i) the data collected must be personal data (ii) the processing must be based on contract or consent (iii) the request may not affect the rights and freedoms of others (iv) the data has to be provided to the controller (v) data processed on any other legal ground including legitimate interest.
In an environment of connected device, personal data is said to be ‘observed’ and not ‘provided by’ the data subject. Hence, the RtDP may not be invoked by the data subject up against a database right holder in a ‘big data’ scenario which is created with and by the use of connected devices. Furthermore, The RtDP is subject to limitations in the interests of third parties as laid down in Article 20(4) GDPR. These could be data protection rights of other platform users[170] but also IP rights, rights of others, and more. It can is deduced that the RtDP is closely linked to the right of access. A limitation to the right of access under Article 15(4) of the GDPR is stated within recital 63 “right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property.”
The conditions and scope for the protection under the SGDR right are discussed and the fact that the novel was introduced as a result of the need to incentivize the production of databases. Thus, investment in the creation of the database is protected. The conditions leading up to the protection are analysed. The conditioned for protection are; (i) the definition of ‘database’ must be satisfied (ii) substantial investment in (iii) either the obtaining verification or presentation of the contents (iv)to prevent extraction and/or re-utilization (v)of the whole or substantial part (v) evaluated qualitatively and/or quantitatively. The conditions are explained primarily with the opinion and judgment of one seminal case British Horseracing Board v William Hill [2004]. One major takeaway from the case is that the substantial investment should not be made in the resources used for the creation of materials which make up the contents of a database, but rather refer to the resources used to seek out existing independent materials. Further, extracting or re-utilising a substantial part of the contents can result from the repeated and systematic extraction or re-utilisation of insubstantial parts of the contents of a database. SGDR protects against extraction and reutilization of substantial part of the database, or also of its insubstantial part if made systematically.
When applying the above criteria to the case of data generated by connected devices, in the Autobahnmaut decision it was held by that a highway company could claim a sui generis right in a database of machine-generated data about motorway use. If the same line of reasoning may be applied by the CJEU provided a preliminary ruling is requested then big data would be covered, most likely.
The intersection RtDP and SGDR are discussed which occurs when the RtDP and the conditions therein are fulfilled which may lead to unlawful extraction of the database makers SGDR allowing him or her to prevent the extraction and re-utilisation of their database. It is not exclusively clear if the individual invoking their RtDP amount to the conditions of its “extraction or re-utilisation.”
It is determined that ‘smart’ devices will often make use of data analytics, machine-learning and artificial intelligence.” Thus, these smart connected devices do not autonomously produce “raw data” about personal behaviour patterns of any said individual. Furthermore, connected devices are not limited to those that communicate autonomously through the Internet of Things.
The right holder of the database is obliged to provide the personal information which is in the form of raw data within the database. We can take the example of software within the connected device which observes the personal information and analyses it. Data in its most natural state which has not been analysed can be provided. Therefore, it has been recommended that controllers should also make use of API’s which allows for data to be in their most interoperable formats for the purposes of compliance with the GDPR or else the data subject will not be able to claim access to the data and neither is the data controller under any obligation to transfer it to another service provider. The processing of the data has to be based on consent or contract.
The SGDR may indeed limit the free flow of data and creates a lock-in effect where the individual may be barred from exercising their right of control over their personal data. Conversely, upholding the rights of the database maker leads may lead to innovation and provides incentives for the creation of databases.
Here, it is discussed whether the SGDR even applies to data collected by connected devices, as it could be argued that the data included in such databases are “created” instead of “obtained”. In relation to the RtDP it is unlikely that the personal data that is ‘observed’ by the connected or IoT device has been ‘provided’ by the data subject. It is concluded that, it may become increasingly difficult to satisfy the SGDR requirements in a big data economy context, given that the processes of obtaining, verifying and/or presenting the data will happen more and more automatically, as they will be normally conducted using algorithms and analysis of raw data by ML and AI.
The extent of control the RtDP will carry is contingent on how its balancing with IP law is led in practice. While the GDPR is intended as a general-purpose control mechanism that applies irrespective of the type of reuse of data, the compromise of the GDPR with IP rights might again limit the follow-on use of ported data by purpose-specific considerations. It is evident that the one of the two rights must be compromised if a data subject were to invoke their RtDP right.
For the recommendations given of how to mitigate the interference of the two rights is deliberated whether granting the repeal of the DbD as a whole or only the SGDR would solve the clash with the RtDP. Yet, these drastic options are not proportionate for the explicit aim of ensuring the RtDP. Leaving the issue for courts that may not be familiar with a wide‑ranging picture of the data economy can yield unwanted consequences, foreclosing data‑driven markets. Additionally, the likelihood of database makers evading a decision favouring the RtDP over the SGDR cannot be overlooked. A solution here could be to introduce an exception in the DbD authorising data access rights regimes to override the SGDR. This gives the institution the mandatory plasticity to stand the test of time, as well as the likelihood for the EU to ponder a comprehensive action though the acknowledgement of a non-waivable data access right for those with a legitimate interest in such access. Although providing for an exception within the DbD would resolve the clash of the RtDP with the SGDR, it would not suffice in a wider framework, as it could be by-passed. If a new regime were to be implemented, then, to be effective, the access right needs to take account of other laws (such as privacy, trade secrets, contract law) to provide for a reliable and methodical regime. In the long run and so as to achieve the best outcome, this would require analysis of empirical studies recognise where precisely alterations are essential, which also speaks against a case‑law option, which cannot deliver for such a far-reaching and synchronized option.
Not having defined data access right may have a broader effect on the data economy, which relies on digitisation processes such as Connected devices, the Internet of Things, artificial intelligence; as it becomes increasingly difficult to distinguish between the generation/creation and the obtainment of data in the context of such processes. The current legal regimes may not reconcile the developments in technologies and connected devices that generate big data or processes that perform data analytics. In relation to the RtDP, it becomes ever more difficult for an individual to exercise their RtDP where raw datasets containing personal information cannot be extracted due to the data being protected under the SGDR. The nature of the resulting control impact on incentives to innovate should not be hampered by the RtDP nor should the SGDR, and their mutual interplay be of as an incentive to recommend a change in the concern.
In conclusion, this thesis has attempted to elucidate the interfaces between the RtDP and the SGDR and give a reference of their conflicting nature. The intersection known between the two rights is not as mute as put forward previously and leaves open important glitches, which can destabilise the RtDP’s effectiveness.
References [1] Ivan Stepanov ‘Introducing a property right over data in the EU: the data producer’s right – an evaluation’ [2020] 34 IRL 1, Computers & Technology 65, 81. [2] Communication from the Commission to the European Parliament, The Council, the European Economic and Social Committee and the Committee of the Regions, “Towards a common European data space” (2018) COM 232 final. [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ 2 119/1 (General Data Protection Regulation – GDPR) [4] Businesses are termed controllers in the GDPR. [5] Inge Graef et al, ’Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1360. [6] Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases [1996] OJ L 77/20 (Database Directive – DbD). [7] Michael Burri, ‘The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation’ [2017] 51 UC Davis Law Review, 65, 133. [8] Mike Sands ‘Customer Data Is the Secret to Silicon Valley’s Success.’(2017) Forbes, Accessed April 22, 2021 >https://www.forbes.com/sites/mikesands1/2017/11/29/customerdata-is-the-secret-to-silicon-valleys-success/#135386886c3b> [9] Bertin Martens,’The impact of data access regimes on artificial intelligence and machine learning’ [2018] JRC Digital Economy Working Paper, European Commission, Joint Research Centre (JRC). [10] Daniel Gervais, ‘Exploring the Interfaces Between Big Data and Intellectual Property Law’ [2019] 10 JIPITEC 1, 1. [11] Bertin Martens,’The impact of data access regimes on artificial intelligence and machine learning’ [2018] JRC Digital Economy Working Paper, European Commission, Joint Research Centre (JRC). [12] Commission, ‘Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the European Data Economy Accompanying the Document Communication Building a European Data Economy’ SWD(2017) 2 final, 47.
Comentários