Intersection between the Sui Generis Database Right and the Right to Portability

Introduction

To what extent does the Sui Generis Database Right limit the Right to Data Portability and do these two rights intersect or clash?

Scholars contend that the WP29 underestimates the conflict of SGDR and RtDP.[120]

The SGDR lend exclusivity to their beneficiaries and defines acts which third parties cannot undertake without the permission of beneficiaries. On the other hand, data portability assures the data subject’s right to their own information and for it to be transfer to a third party at their request. The right also sets the duties of the data subject vis-à-vis the controller and vice versa. The RtDP prompts the disclosure and use by the data subject; and use by the subsequent new data controller. The WP29’s stance on the application of recital 63 to article 20 of the GDPR, read together is that there is a conflict between the two rights which is certainly a higher threshold than a mere ‘interference.’[121]

It is within a ‘semantic or pragmatic’ scope that the individual has a RtDP[122]. A semantic scope encompasses information or knowledge that can be deduced from the data. It is logical that the RtDP is a right on a semantic level and that no ‘ownership- like’ right is given to the data subject, similar to an IP right, since this would prove to be dangerous for the purposes of innovation.[123] The types of data that are dealt with within the GDPR are also raw data. Similarly, Drexl[124] submits that the data controller is not under obligation to provide personal information or data from his database when the RtDP by the data subject is invoked.[125] Primarily, this is due to the fact that the raw data encoded into the connected device is unlikely to be in a “structured, machine readable format” which is one of the requirements under RtDP and therefore “the specific interest protected by the GDPR only relates to the semantic level of the machine-generated data.”[126] The right holder of the database is obliged to provide the personal information which is in the form of raw data within the database. We can take the example of software within the connected device which observes the personal information and analyses it. Data in its most natural state which has not been analysed can be provided.[127] Therefore, it has been recommended that controllers should also make use of API’s which allows for data to be in their most interoperable formats for the purposes of compliance with the GDPR or else the data subject will not be able to claim access to the data and neither is the data controller under any obligation to transfer it to another service provider. The processing of the data has to be based on consent or contract.[128]

5.2 Data portability leading to extraction or reutilization of the database

Can the RtDP affect the database maker’s SGDR? In other words, is there a right for the individual to port his or her own personal data from a database maker’s database given that they have a right to do so under the GDPR? If so, is the database maker allowed to raise his own defence and prevent such extraction and re-utilisation of parts of the database? The sui generis protection “prohibits extraction of all or a substantial part” of the database contents to another medium. Pursuant to recital 45 of the DbD “the existence of a right to prevent the unauthorized extraction and/or re-utilization of the whole or a substantial part of works, data or materials from a database should not give rise to the creation of a new right in the works, data or materials themselves.” This includes the copying of the individual data collected in a database. However, once the database contents are made public then the database maker cannot prevent third parties from using it.

A portability request under the GDPR may be interpreted as unlawful extraction. The receiving controller, through the use of database portability, may make the contents available to the public and thus be infringing the database maker’s right to prevent re-utilization. However, important to note here is that when the data subject requests for their personal information to be transferred to another controller due to the requests excessive and repetitive character, then the controller may either as per 12 (5)(a-b) of the GDPR:

“1. Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or 2.refuse to act on the request.”

Indeed, therefore there is a possible clash between the RtDP and the SGDR, where the latter can be invoked to bar the former in both regimes[129]

The RtDP is subject to limitations in the interests of third parties as laid down in Article 20(4) of the GDPR. These could be data protection rights of other platform users[130] but also IP rights such as the SGDR. The extent of the conflict of these interests in not known by the CJEU.

The commission has expressed that “there is also no explicit right for the individual to extract his/her own personal data (…) from an application or service”[131] Direct and indirect portability may amount to permanent transfer of the personal data to another medium which would impede the investments made in databases.

Basis for the database makers right to prevent portability request

Where a data subject invokes their right under article 20 of the GDPR, in his or her defence the database right holder may claim that their right to not disclose any information is already given to them under article 20(4) of the GDPR. The SGDR may provide an additional layer of protection where the database maker can claim protection under both the provisions of GDPR article 20(4) and the SGDR which would protect their investment made in the database.

A limitation to the right of access under Article 15(4) of the GDPR is stated within recital 63 “A data subject should have the right of access...That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.” This suggests that the SGDR may not be infringed where a data subject seeks to exercise their RtDP, yet also states that IP considerations should not result in the refusal to provide all information to the data subject. The WP29 has suggested that a middle ground to this would be that data controllers ”transmit the personal data . . . in a form that does not release information covered by trade secrets or IP rights.”[132]

Data portability tools needs to be taken account of when assessing if legitimate interest under Article 6(1)(f) of the GDPR is a suitable processing ground when balancing interests of the controller vis-à-vis the data subject.[133] The controller needs to justify processing on another ground under Article 6 of the GDPR i.e. contract or legitimate interest of the controller and thereby does not need to comply with the RtDP at the request of the data subject. Defining the ‘database’ is essential in determining whether the ‘extraction’ amounts to ‘substantial’ or ‘insubstantial’ part of the database. Here, the database maker can influence the ‘substantial’ or ‘insubstantial’ part of the database by limiting the personal data requested for portability. In essence, they could only define the dataset to include a smaller part of the database and this could bar the RtDP.

It has been argued that the where an individual invokes their RtDP and seeks access to the database then is could be denied, according to Drexlr,[134] as the database maker has financial incentives involved within the database’s right. Drexlr expresses that right of access, which is closely linked to the RtDP should “[…]be vested in the persons who have a legitimate interest in getting access to the data generated by connected devices”[135]The determining factor to the legitimate interest criteria would then be the individual that is dependent on the right. Therefore, it can be inferred that for the proper functioning of the connected device, the rights holder should be the database maker who has made a substantial investment into ‘obtaining, verifying and presenting’ part(s) of the database contents. Evidently, several parties, such as the processor, service providers, manufacturers; are present in the creation of the software, hardware and other components of the connected device, but for the purposes of this thesis they will not be scrutinised further.

WP29 maintains that “[t]he RtDP is not a right for an individual to misuse the information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights.”[136]

Basis for the right to of the individual to port data from database

If the conditions for processing of personal data by the database maker are not fulfilled they may not collect these data. The basis of processing is consent, contract or another legitimate ground as laid down by law.[137] The individual whose personal data has been collected may just as well use one of the exceptions under the DbD to extract data from the database. They may for example extract ‘insubstantial parts’ or for ‘grounds of private use, non-commercial teaching and research, public security, and administrative or judicial procedure”[138]

Furthermore, if an individual is able to prove that one of the six principles[139] for lawful processing within the GDPR have not been applied in the processing then these could justify extraction by the individual.[140] However, it is clear that when the RtDP is set against the SGDR, the database right holder has a stronger incentive to protect their database as they have a legitimate interest to do so, considering that they have made a substantial investment.

Discussion

Intellectual property rights create incentives which can encourage further production or commercialization for the entire class of innovation. Therefore, IP rights contain an exclusivity prerogative which allow for uses of a protected investment allowed only with the consent of right holders. It is common that then the right holders commercialize their IP to exclude others from holding commercial rights in their IP or alternatively they may also commercialize them through markets, either on their own or through licensing.[141]

The way in which data portability policies may encumber IP rights holders investments and cause friction between the two are; Firstly, the mandatory portability can force disclosure of valuable data which would otherwise have not been disclosed to competitors. Secondly, it may also prompts data sharing where exclusivity was previously assured as a reward. Thirdly, Furthermore, it can encumber revenue that the potential beneficiary anticipated from their licensing activity and consequently broadly innovation incentives.[142]

An extensive analysis of the RtDP will obscures its interface with IP law.

Similarly, there are many open complications in relation to the extent to which businesses will be able to invoke their IP rights on datasets to prohibit data subjects from moving their personal data to another service provider or controller.

The extent of control the RtDP will carry is contingent on how its balancing with IP law is led in practice. While the GDPR is intended as a general-purpose control mechanism that applies irrespective of the type of reuse of data, the compromise of the GDPR with IP rights might again limit the follow-on use of ported data by purpose-specific considerations. It is evident that the one of the two rights must be compromised if a data subject were to invoke their RtDP right.

Gervais argues that big are unlikely be protected by the SGDR in databases due to the nature of ‘non-relational databases or no SQL’[143] which are common a ‘characteristic’ of big data.[144] The Commission is of the view that exchange and access of data between market players is “essential” in order for the EU financial market to reach its full potential.[145]

In order to do so open standards, interoperability and a simplification of data access regimes must be developed so as to increase competition and innovation.[146] One may be able to deduce the importance of interoperability of data held within a database to be exchanged and made use of for the advancement of the European Digital Market. It has been argued that data from connected devices is unlikely to be protected by the SGDR, it is yet to be seen which rights are vested in data deriving from connected devices and better yet how IP can adapt or become more malleable for the purposes of generating, processing and making use of data generated from connected devices.

The way ahead

The WP29’s stance on the application of recital 63 to article 20 of the GDPR, read together is that there is a conflict between the two rights which is certainly a higher threshold than a mere “interference.”[147] Therefore, below I discuss possible options that may mitigate the potential “interference” of the RtDP and SGDR.

Repealing the DbD so that it is fit for the purpose of not barring the RtDP is inconsistent for resolving of safeguarding portability of personal data and does not account for other potential problems and consequences. A solution to the problem of the SGDR barring the RtDP renders the following realistic possibilities.

So as to limit the clash of the SGDR vis-à-vis the RtDP, one recommendation would be that the SGDR is made into a registrable IPR as it would be necessary for the database holder to actively seek registration and only where there is an incentive to do so.[148] A registrable SGDR might lead to a growth in planned registration.[149][150] Registrable protection could prevent the sharing of users’ personal data with third parties, upholding the data subject’s right to privacy.

The enactment of a compulsory licensing system could prevent the SGDR from barring the RtDP, as the database maker would be obliged to allow a license upon the data subject’s and/or the new controller’s request, whereby the parties would have to settle upon a remuneration.[151]

Case‑law interpretation as a candidate would entail that when a potential dispute is sent to the CJEU in the capacity of a preliminary ruling under TFEU 267 then they could rule that article 20(4) GDPR prevails and confer full dominance of the SGDR over the RtDP. Such a ruling is unlikely and has not been given. Yet this would not only hamper individuals from accessing their personal data, but also have a domino effect in reducing competition between service providers and in turn limit the right of the individual to possess control over their data creating a lock-in effect.[152] Thus, case law interpretation would represent a negative precedent for other cases of legitimate interest in accessing data.

Where the data controller has real incentives to not disclose any personal information when the data subject invokes their RtDP, the data controller may even provide some form of remuneration to the data subject.[153] This possibility is likely the most highly unrealistic.

It is an imperative to take the big picture of the data economy into consideration. Rather than focusing exclusively on the RtDP or the SGDR, the superior solution would consist in the inclusion of a broader non-waivable exception in the DbD, whereby regimes on data access rights prevail over the SGDR.[154] The Max Planck Institute for Innovation and Competition has suggested for a non-waivable exception for those with a legitimate interest in a non‑waivable data access right (not restricted to personal data), such a right, under which the RtDP can be regarded as a special classification.[155]

The Second Evaluation Report considered a non-waivable exception and determined that it could be protected under an amended version of DbD,[156] which is comprehensible with the recognized necessity to assure greater access to data.

Although providing for an exception within the DbD would resolve the clash of the RtDP with the SGDR, it would not suffice in a wider framework, as it could be by-passed. To be effective, the access right needs to take account of other laws (such as privacy, trade secrets, contract law) to provide for a reliable and methodical regime.[157] In the long run and so as to achieve the best outcome, this would require analysis of empirical studies in diverse legal divisions to recognise where precisely alterations are essential, which also speaks against a case‑law option, which cannot deliver for such a far-reaching and synchronized option.

As well as covering the RtDP, the general access right exception has some clear advantages. Firstly, it could include likely upcoming forms of data portability, as well as other general access regimes developed based on the needs of new data business models. This broader provision would render it more time resistance. Second, database makers ‘law shopping’ could be at least reduced, as it avoids circumventing one access provision within legislation by choosing to invoke another right.[158]

The intersection between data protection and IPRs might not be very innate in a first moment; however such encounters are inclined to increase significantly within the data‑driven economy. EU data economy’s development could have disadvantaged by disregarding the potential harmful effects that non-regulation of data regimes may cause. The Commission has determined not to carry out a legislative interference with the DbD for now.[159]

An ownership right in data?

No single regime deal with per se ‘ownership of data’ generated by connected devices which is a topic that has been under scrutiny with calls for regimen that regulate data as seen by some scholars as a move forward for the digital single market.[160] So as to limit clashes between the RtDP and the SGDR, scholars are of the opinion that data portability should be linked to a property-rights approach to data protection or data ownership.[161] In Rubinstein’s opinion this is called “property-related actions like trading, exchanging, or selling data”[162] instead of the central element of property rights i.e. the right to exclusion. Hence, scholars urge that “The global community urgently needs precise, clear rules that define ownership of data and express the attendant rights to license, transfer, use, modify, and destroy digital information assets”.[163] Adding further that “industries have called for data ownership principles to be developed, above and beyond current privacy and data protection laws”[164]

The justifications for the existence of an “ownership” type right in data are manifold as data can be traded and therefore its economic reality ‘cannot be denied.’[165] Albeit, on a constitutional level, information in the form of data should be feely accessible and thus no one should have a priori right over them.[166]

The Staff document has noted that “[T]he Database Directive did not intend to create a new right in the data. The CJEU thus held that neither the copyright protection provided for by the Directive nor the sui generis right aim at protecting the content of databases. Furthermore, the ECJ has specified that the investment in the creation of data should not be taken into account when deciding whether a database can receive protection under the sui generis right.”[167] Scholars argue that “if ownership itself is not recognized and enforceable under the rule of law, then the vitality, integrity, and potential of the “data-driven economy” is at risk.”[168] Nevertheless, an indication of creating a new exclusive right in data was not mentioned in the April 2018 document on the creation of a “European data space”.[169]

References

[120] Inge Graef et al, ’Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1375. [121] Martin Husovec, ‘Trademark Use Doctrine in the European Union and Japan,’[2017] 21 MIPR 1. [122] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [123] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [124] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [125] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [126] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [127] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016). At10. [128] GDPR article 6. [129] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [130] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).At 12. [131] Commission, ‘Impact Assessment Accompanying the General Data Protection Regulation and the Directive on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of such Data’ (Commission Staff Working Paper) SEC(2012)72 final 7. [132] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).At 70. [133] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).At 8. [134] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [135] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [136] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).At 12. [137] GDPR article 6, article 9. [138] DbD article 10(1). [139] GDPR article 5. [140] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [141] Inge Graef et al, ’Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1375. [142] Inge Graef et al, ’Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1375. [143] Daniel Gervais, ‘Exploring the Interfaces Between Big Data and Intellectual Property Law’ [2019] 10 JIPITEC 1, 1. [144]Daniel Gervais, ‘Exploring the Interfaces Between Big Data and Intellectual Property Law’ [2019] 10 JIPITEC 1, 1. [145] Commission, “FinTech Action plan: For a more competitive and innovative European financial sector Brussels,” 8.3.2018 COM(2018) 109 final, at 5. [146] Commission, “FinTech Action plan: For a more competitive and innovative European financial sector Brussels,” 8.3.2018 COM(2018) 109 final, at 7. [147] Martin Husovec,’The End of (Meta) Search Engines in Europe?’ [2014]14Chicago-Kent JIP1, 145-172. [148] DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report). [149] DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report). [150] DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report). [151] DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report) [152]Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC >https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdfaccessed 9 June 2019> accessed 20 April 2021. [153] Inge Graef et al, ’Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 17. [154] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ [2018] BEUC accessed 9 April 2021 ‘BEUC Study’ 83, 161. <https://www.be uc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_c onnected_devices.pdf> [155] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ [2018] BEUC accessed 9 April 2021 ‘BEUC Study’ 83, 161. https://www.be uc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_c onnected_devices.pdf [156] DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report) 4. [157]DG CONNECT, ‘Study in Support of the Evaluation of Directive 96/9/EC on the Legal Protection of Databases – Final Report’ (prepared for the Commission by JIIP, Technopolis, and Individual Experts Lionel Bently and Estelle Derclaye) [2018] SMART 2017/0084 (Second Evaluation Report) 4. [158]Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ [2018] BEUC accessed 9 April 2021 ‘BEUC Study’ 83, 161. <https://www.be uc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_c onnected_devices.pdf> [159]Communication from the Commission to the European Parliament, The Council, the European Economic and Social Committee and the Committee of the Regions, “Towards a common European data space” (2018) COM 232 final. [160]Jeffrey Ritter & Anna Mayer, ‘Regulating Data as Property: A New Construct for Moving Forward,’[2018] 16 Duke Law & Technology Review 220-277. [161]Peter Swire et al, ‘Why the RtDP Likely Reduces Consumer Welfare: Antitrust and Privacy Critique,’ [2013] 72 MD. L. REV. 335, 373. [162]Ira Rubinstein, ‘Big Data: The End of Privacy or a New Beginning?’[2013] 3 IDPL, 74–87,84. [163]Jeffrey Ritteret al, ‘Regulating Data as Property: A New Construct for Moving Forward,’ [2018] 16Duke Law & Technology Review 220-277. [164]Jeffrey Ritteret al, ‘Regulating Data as Property: A New Construct for Moving Forward,’ [2018] 16 Duke Law & Technology Review 220-277. [165]Andreas Boerding et al. 'Data Ownership - A Property Rights Approach from a European Perspective' (2018) 11 J Civ L Stud 323. [166]Art 11(1) of the EU Charter of Fundamental Rights. [167]Commission, ‘Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the European Data Economy Accompanying the Document Communication Building a European Data Economy’ SWD(2017) 2 final, 47. [168]Jeffrey Ritter, ‘Regulating Data as Property: A New Construct for Moving Forward,’ [2018] 16 Duke Law & Technology Review 220-277. [169]Communication from the Commission to the European Parliament, The Council, the European Economic and Social Committee and the Committee of the Regions, “Towards a common European data space” (2018) COM 232 final. [170] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).At 12.