Legal study on Ownership and Access to Data
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of Legal study on Ownership and Access to Data
Digital Single Market
Legal study on
Ownership and
Access to Data
FINAL REPORT
A study prepared for the European Commission
DG Communications Networks, Content &
Technology by:
Osborne Clarke LLP
This study was carried out for the European Commission by
Osborne Clarke LLP
Internal identification
Contract number: 30-CE-0806550/00-95
SMART number 2016/0085
DISCLAIMER
By the European Commission, Directorate-General of Communications Networks, Content & Technology.
The information and views set out in this publication are those of the author(s) and do not necessarily
reflect the official opinion of the Commission. The Commission does not guarantee the accuracy of the
data included in this study. Neither the Commission nor any person acting on the Commission’s behalf
may be held responsible for the use which may be made of the information contained therein.
ISBN 978-92-79-62181-9
doi:10.2759/299944
© European Union, 2016. All rights reserved. Certain parts are licensed under conditions to the EU.
Reproduction is authorised provided the source is acknowledged.
3
Legal study on Ownership and Access to Data ....................................................................................... 1 1. Executive Summary .................................................................................................................... 6 2. The data study project ................................................................................................................. 7 2.1 The study questions ................................................................................................................. 7 2.2 Scope of this study ................................................................................................................... 8 3. EU Acquis Communautaire ......................................................................................................... 9 3.1 What laws apply? ...................................................................................................................... 9 3.2 How do these laws affect access to and ownership of data? .............................................. 9 (a) Trade Secrets Directive ............................................................................................................... 9 (b) Intellectual property laws ........................................................................................................... 12 (c) Example data access regime: chemicals and the life sciences sector ..................................... 15 (d) The impact of competition law ................................................................................................... 19 (e) The impact of contract law ........................................................................................................ 27 3.3 Academic discussion .............................................................................................................. 28 3.4 Responses to the study questions: EU acquis .................................................................... 28 4. Legal environment in specific countries .................................................................................... 30 4.1 Outline ...................................................................................................................................... 30 4.2 England & Wales ..................................................................................................................... 30 (a) Summary ................................................................................................................................... 30 (b) Statutes governing data ownership and access to data ........................................................... 31 (c) Case law .................................................................................................................................... 32 (d) Contracts under English law ...................................................................................................... 36 (e) Academic discussion on data ownership and access ............................................................... 40 4.3 France ....................................................................................................................................... 43 (a) Summary ................................................................................................................................... 43 (b) Statutes governing data ownership and access to data ........................................................... 43 (c) Case law .................................................................................................................................... 45 (d) Academic discussion on data ownership .................................................................................. 46 (e) Academic discussion on the access to data ............................................................................. 48 4.4 Germany ................................................................................................................................... 50 (a) Summary ................................................................................................................................... 50 (b) Statutes governing data ownership or access to data. ............................................................. 51 (c) Case law .................................................................................................................................... 53 (d) Academic discussion on data ownership .................................................................................. 58 (e) List of particular relevant articles and publications on ownership in data in German ............... 62 4.5 Spain ......................................................................................................................................... 70 (a) Summary ................................................................................................................................... 70 (b) Statutes governing data ownership and access to data ........................................................... 70 (c) Academic discussion on data ownership .................................................................................. 73 (d) Academic discussion on access to data ................................................................................... 77 4.6 US discussion .......................................................................................................................... 78 4.7 Results of the internal OC survey: UK, France, Germany, Spain, Italy, Belgium,
Netherlands ........................................................................................................................................... 81 (a) Common and civil law systems of contract ............................................................................... 82 (b) Practical experience in contracting over data ........................................................................... 85 (c) Best practice contract drafting in the current legal environment ............................................... 88 (d) Conclusions on contract ............................................................................................................ 93 4.8 Applicable laws identified by the OC survey........................................................................ 94 (a) Application of laws ..................................................................................................................... 94 (b) Ownership in data ..................................................................................................................... 95
4
(c) Access to data ........................................................................................................................... 96 4.9 Responses to the study questions: national laws ............................................................... 97 5. Identified issues ......................................................................................................................... 99 6. Suggestions and recommendations ........................................................................................ 100 Annex 1 Table of existing and proposed European Directives and Regulations in relation to data .... 101 Annex 2 – Bibliographies ...................................................................................................................... 114 1.1 Bibliography – EU .................................................................................................................... 114 1.2 Bibliography - France .............................................................................................................. 115 1.3 Bibliography – Germany .......................................................................................................... 117 1.4 Bibliography – Spain ............................................................................................................... 128 1.5 Bibliography – UK .................................................................................................................... 129 Annex 3 – Completed Questionnaires ................................................................................................. 131 Annex 4 – Example Clauses ................................................................................................................ 147 1 France ..................................................................................................................................... 147 2 Spain ....................................................................................................................................... 148 3 Germany .................................................................................................................................. 148 4 UK ............................................................................................................................................ 148 Example German data trading agreement ........................................................................................... 156
5
Abstract:
This is a study on the existing legal instruments and landscape affecting commercial operator’s
access to and rights over data. It considers the current EU regime which affects access to and
ownership of data. It discusses which are the most significant laws in this respect, and includes
a detailed discussion of the trade secrets directive, relevant intellectual property laws and
sector-specific laws which govern access to data. It also considers the national law regimes
defining rights to data in England & Wales, France, Germany and Spain, including analysis of
relevant case law. The study addresses the role of competition law with respect to access and
usage of data. A survey of selected practitioners across the EU was done to establish what
issues they are being asked to deal with in relation to data and how they are managing these.
Contractual clauses which are being used to manage rights attached to data are analysed and
the question of whether contractual provisions provide an efficient legal framework for managing
rights attached to data is reviewed.
6
1. Executive Summary
The ubiquity and increasing value of data in commerce and industry has shone a spotlight upon
the lack of coherence of its treatment in law within national laws, let alone harmonisation (other
than in respect of data privacy and, in future, trade secrets) between different Member States.
Within the United Kingdom, there is no statutory basis for the protection of data as such, and so
no property rights subsist: data cannot be stolen, assigned or inherited. Instead, the law of
equity provides limited protections for anyone holding valuable confidential data, including the
ability to withhold access to third parties, save where exceptions apply. Exceptions are very
limited and generally focus on individuals' rights. There is no exception by which the
importance of the data to the public interest, such as health or safety or potential for commercial
exploitation, can be invoked to provide any right of access for third parties.
Other Member States take completely different approaches. In Germany, some commentators
consider that the criminal law has the effect of conferring ownership-like rights on a data holder
while data access is treated primarily as a matter of statutory unfair competition law. Italy also
has an unfair competition provision in the Code Civile which can be used to address any
actions, such as theft and violation of secrets/ data, considered capable of breaking the
principles of professional integrity and that are able to damage other companies. Clearly, the
generality of such a provision is certain to lead to divergent approaches based upon the legal
and commercial cultures of the respective jurisdictions. The consensus of legal opinion in Spain
is that Roman law principles could confer property rights in data upon the owner of a data-
generating device, although this has not yet been tested in court. The same principle has been
considered by German authors among a range of other possibilities, and the subsistence of
property rights on this basis is considered unlikely. Further, Spanish law would not recognise
pure data as a trade secret capable of protection under its laws in that sphere. French law
relating to data includes both criminal and civil provisions, but the French criminal law applies
only to directors and employees of companies.
Consequently, it is currently difficult for businesses to manage their data in an economically
efficient fashion since a programme of licensing access to data simultaneously risks losing
control of the data. But such a regime, which incentivises stakeholders to withhold access for
third parties to their data altogether, potentially restricts the extent of exploitation and innovation
within data driven industry sectors. Further, the lack of clarity as to the rights which an entity
holding data may or may not have over the data can lead to errors. Although commentators
and contracting parties frequently discuss the issue in terms of 'ownership', this is misleading
since few jurisdictions other than certain states of the USA have laws that treat data as a form
of property. Legally speaking, to own something means to have property rights in it: that is, the
rights of possession, use, and enjoyment, which the owner can bestow, collateralize, encumber,
mortgage, sell, or transfer, and the right to exclude everyone else from.1 The point is more than
mere semantics: legal categorisation as property would automatically define the owner's
privileges, including the ability to enforce terms for third party access and use, and dictate the
legal mechanisms for transacting. Accordingly, a mistaken assumption that data is property may
1 Academic discussion contemplates a range of different models of what property rights might encompass; this definition
encapsulates the 'strong' form of property representing the rights of an owner of physical goods or land.
7
for example lead to reliance on covenants for title2 and equivalent statutory provisions which do
not, in fact, apply.
As a result, any business based upon generating, collecting and exploiting data currently needs
to take extreme care in both defining and obtaining the rights necessary for the uses it proposes
to make of the data. These problems are multiplied when a business operates across borders.
Nevertheless, the survey established that at present most businesses outside the UK are not
concerned to establish complex contractual arrangements for the management of their data.
The online advertising industry appears to be most aware of the issues; other industry sectors
do raise data issues but these are less consistently a feature of transactions. Within the UK,
where data issues are most frequently raised in transactions across a range of sectors, the
contractual provisions agreed vary considerably. There have been no disputes to date on the
effect of any form of clause in use and so no clear guidance as to what forms are more or less
effective has been given by the courts in any jurisdiction.
The most helpful jurisprudence of the Court of Justice of the European Union ("CJEU") is the
decision in Ryanair v PR Aviation3 where, on a reference from the Dutch Supreme Court, the
court ruled that there are no restrictions on the contractual limitations which may be applied by a
licensor of a database where that database is not protected by the sui generis database right.
Accordingly, freedom of contract applies, subject to any restrictions imposed by competition
laws or national laws, giving great flexibility for businesses to craft arrangements for the holding
of and access to data to suit the precise situation they are facing.
In these circumstances, the specific nature of the conflicts which may arise between different
parties in the data origination and exploitation process cannot yet be identified with any
certainty. It seems highly likely that conflicts will arise, and given the range of different interests
in, and values attaching to, data in different industry sectors there may be differences of quality
as well as commercial or legal significance in the conflicts which arise in those different sectors.
It may be necessary to await a maturing of the commercial and legal landscape in order
properly to formulate what, if any, legislative intervention would be most appropriate.
2. The data study project
2.1 The study questions
The European Commission has commissioned this study of the existing legal instruments and
landscape affecting commercial operators' legal access to and rights over data. Specifically, the
study addresses the questions:
What is the current EU legal regime defining what rights linked to data exist, how they
can be exercised and by whom, in particular in a commercial context? What rights are
2 The UK Law of Property (Miscellaneous Provisions) Act 1994 implies various covenants into transfers of property, for
instance. 3 Case C ‑ 30/14 15.1.15
8
defined in legislation for third parties wanting to access data held by a commercial
entity?
Are there inconsistencies in sector-specific rules that would make it difficult for business
to develop or improve products or services based on data?
Is there legislation on rights to data at Member State level which may be difficult to
reconcile with commercial arrangements involving actors in different Member States?
What is the role of competition law with respect to access and usage of data?
What aspects are not covered at all by legal instruments?
Can contractual arrangements provide an efficient legal framework for managing rights
attached to data, including on exclusivity, exchange, exploitation or access to data?
What elements are missing in legislation for contracts to perform this function – if any?
2.2 Scope of this study
The body of laws at EU level affecting access to and rights in data across all sectors is very
limited: the laws of trade secrecy, intellectual property, data protection and consumer contract
rights. There are a number of sector-specific laws requiring participants in various markets to
disclose data, generally either to regulators or consumers. These enable potential competitors
to obtain access either to the data as a whole or to particular subsets which may, over time,
enable them to build up a picture of their competitors' internal data such as customer base,
product ranges or pricing.
This conclusion is based upon a process of elimination, since our initial survey of existing EU
legislative instruments identified that the vast majority of those which refer to data or information
in the title relate to: information collection by Member States relating to either agriculture or
fisheries; employee consultation rights; or instruments dictating provision of information to
consumers and/or the public in respect of insurance or stock exchange operations
(prospectuses, listing and reporting activities). These are not relevant to the objectives of this
study, and so we have not included them in the tables or discussions below.
The legislation concerning data requirements for marketing of pharmaceuticals, plant protection
products or chemicals does make access available to third parties in respect of large quantities
of data concerning products in those sectors which would otherwise be kept confidential, and so
are relevant to the study in the broadest sense. We have described them in the statutory tables
and provide an overview of the regime, as an example of a data access regime imposed by
regulation, below.
A further category which gave rise to a large number of secondary instruments appearing in the
search results were those directed at providing access to statistical and other information held
by Community or Member State institutions, such as the Public Sector Information Directive or
the Directive on Access to Environmental Information. At the inception meeting we agreed to
focus the study on issues other than those with which the Commission is already familiar,
9
namely rights of access to public sector information, the results of publicly funded research or
data privacy. Accordingly we have excluded these.
The remaining instruments fall into three categories:
instruments of general (i.e. not sector-limited) commercial application e.g. intellectual
property, trade secrecy;
instruments of regulation enabling commercial entities to exploit data collected by other
market participants; and
sector-specific instruments.
3. EU Acquis Communautaire
3.1 What laws apply?
Annex 1 to this Report is a table setting out:
each instrument currently in force or under discussion which bears upon the handling or
exploitation of commercial data;
for instruments of specific rather than general application, the commercial or industry
sectors affected by it; and
a brief summary of the objectives and operative provisions of each instrument.
In the discussion below we use the short-form title for each listed law; full titles are set out in
Annex 1.
3.2 How do these laws affect access to and ownership of data?
In brief, the laws of general application identified in Annex 1 have either the effect of providing
some, albeit frequently limited, protection for data or constraints on businesses' ability to
exercise complete control over their data.
(a) Trade Secrets Directive
The most significant law for the purpose of this report apart from the General Data
Protection Regulation ("GDPR") is the recently passed Trade Secrets Directive. This
introduces, for the first time, a harmonised legal minimum standard of protection for
data of all kinds provided that the data meets the threshold criteria as information that:
is secret, meaning that it is not generally known or readily accessible within the
relevant circles;
has commercial value because it is secret; and
10
has been subject to reasonable steps, under the circumstances, by the owner to
keep it secret.
Commercial and technical data of any kind, clearly collections of data but even,
potentially, in exceptional cases individual items of data (a threshold temperature value
for operation of an industrial process, for instance) may be protected under this regime
when it comes into effect in 2018, or earlier if implemented by Member States. This
analysis, which would be unconditional if the Directive is interpreted as implementing
the UK approach, is subject to the interpretation placed upon it by the Court of Justice in
any future dispute. In particular, not all Member States' laws treat trade secrets as an
open-ended category of any information which is in fact confidential; Spain, for instance,
requires a company to nominate and take formal steps to identify information as a trade
secret, and would not see data as such (as opposed to a formula or operating manual,
for example) as within the category of things which can be a trade secret. On a referral
from the Spanish courts, such an interpretation could be proposed for the Trade Secrets
Directive and might be accepted. As with any new legislation, therefore, it is uncertain
precisely what will be captured and there is some risk that industrial data in its raw form
may not be treated as a trade secret at all.
Even if a liberal approach is adopted as to the categories of things that can be trade
secrets, the treatment under the Directive of subsets of data which are generally known
(for instance, the contents of public databases such as the UK's Electoral Register)
when incorporated into larger databases may need some clarification, as may the
scenario where a database has in fact been licensed, under confidentiality, to the
majority of businesses in a particular sector thereby rendering it "generally known" in
the relevant circles.
A further area of uncertainty arises as to what may or may not attract protection as a
trade secret from the requirement that the information must have been subject to
"reasonable steps" in order to keep it secret. The Directive gives no guidance as to
what may constitute reasonable steps, except to qualify it by reference to the
circumstances. We can therefore infer that it will not be necessary to store data on a
standalone server in a locked safe buried in a flooded mineshaft. Other countries, such
as Russia and Japan, in introducing statutory trade secret protection have opted to
stipulate detailed lists of protection measures which must be implemented, but did not
adopt the same ones. Similar culturally-inspired divergence between European Member
States is likely when the Directive is implemented into national law – almost
guaranteeing litigation in due course. In the meantime, businesses will have to take
their own views as to what is reasonable.
Subject to those uncertainties, in principle the Directive introduces a broad and effective
right of control over data while remaining neutral on the question of ownership of
information. It does not go so far as to introduce any property right although nothing in
the Directive prevents Member States from introducing property rights in data in the
course of implementation into national laws. Instead, the Directive refers to the holder
of a trade secret being the person who lawfully controls the trade secret. This absence
of ownership contrasts with the default position in patent and copyright law, where any
rights arising in work done by an employee in the course of her employment
automatically belong to the employer. Employers will not automatically be the holder of
11
trade secrecy rights in valuable data arising as a result of employees' work. It will be
important to provide for this in employment contracts.
The holder has rights against anyone who unlawfully acquires, uses or discloses a trade
secret. Acquiring a trade secret without the owner's consent will be considered unlawful
when it is obtained:
by unauthorised access to documents, electronic files or materials; or
under circumstances which are considered "contrary to honest commercial
practices", including but not limited to in breach of a confidentiality agreement.
There is no guidance as to what honest commercial practices may or may not be.
Again, this could well be the subject of divergent interpretations in the implementation
into national laws since the various jurisdictions have different approaches to conduct in
commercial dealings, and will have to be the subject of rulings from the CJEU in due
course.
Provided the holder of the original data is able to demonstrate that the trade secret was
acquired unlawfully they will be able to obtain an order for:
cessation or prohibition of the use of the trade secret;
prohibition against producing the infringing goods;
recall of infringing goods from the market; and/or
destruction of infringing goods or material recording the trade secret.
This regime introduces an effective, harmonised minimum standard of protection for
information which will apply throughout the EU. As a result, although the Directive itself
has no provisions as to licensing arrangements, businesses will be able to treat data as
another form of asset, with clear potential for the exploitation of previously private
datasets in similar ways or through licensing or franchising.
However, acquisition, use and disclosure of trade secrets will be lawful where that
acquisition, use or disclosure is required or allowed by EU or national law. For instance,
rules on whistle-blowing may permit the otherwise-unauthorised disclosure of secrets, if
their disclosure serves a public interest related to misconduct, wrongdoing or illegal
activity. One such instance directly relevant to industrial data arose in the English case
of Lion Laboratories v Evans4 where an employee disclosed data demonstrating that
breathalysers in use by the police to test whether motorists had breached the permitted
level of alcohol consumption were in fact inaccurate.
4 [1985] QB 526
12
Further, the Directive controversially expressly permits the acquisition of trade secrets
by reverse engineering, that is the observation, study, disassembly or test of a product
or object that has been made available to the public or that is lawfully in the possession
of the acquirer, without restriction of the right to reverse engineer. This is already the
case under the English law of trade secrecy but in direct contradiction of the German
approach. Such a right to reverse engineer will mean that data about the composition
or configuration of a product cannot be protected as trade secrets from the moment the
product is first placed on the open market; although industrial machines sold only in
small quantities directly to the end users may be protected through the imposition of
contractual restrictions on the right.
The major limitation of the Trade Secrets Directive, from the perspective of a data-
driven commercial entity, is precisely that it requires the data to be kept secret;
protection will be lost if the data is made public at any stage. Any licence granted over
the data implies the risk of loss of control if the licensee fails properly to protect the
data. A right to claim damages against the licensee is only a partial remedy if the
licensee cannot afford to pay for the full value of future revenues lost from potential
future licensing, and the Directive enables action to be taken against a third party
recipient of the data only if that third party knew or should have known that the person
passing it to them was not authorised to do so. If data was inadvertently published on
the internet, for instance, it is likely to be difficult to trace all third party recipients and
even harder to establish that each of them knew or should have known that the
publication was unauthorised.
In addition, holders of data subject to the compulsory disclosure obligations of the
various sector-specific laws will lose all rights under the Directive as soon as a
necessary disclosure is made.
(b) Intellectual property laws
The remaining instruments of general application are the intellectual property laws
relating to copyright and database right. Each of these has the legal status of property
and so could, in theory, provide strong protection for data. However upon analysis it is
apparent that neither of these laws necessarily provides protection at all and, even
where it does protect data, may provide only a relatively limited scope of protection.
The existing intellectual property laws do not provide a satisfactory framework for the
management of data as such since:
the analysis of each right depends on its own rules, making the analysis complex
and multi-layered;
within any single country, the scope and extent of each right are uncertain; and
in the international context, legal outcomes may differ between countries. For
example for the same fact pattern copyright or trade marks may be enforceable in
one country but not another.
13
(i) Copyright
Copyright is in principle available to databases, since all electronic information is treated
in copyright law as a written (literary) work. However, in order to attract copyright a
work must meet qualifying criteria. In particular, databases are capable of protection by
copyright under the InfoSoc Directive only if they reach a minimum standard of creativity
such that they can be considered "the author’s own intellectual creation", affording the
same level of copyright protection to such databases as to other literary works. The
objective of this test is to restrict copyright to works where some value has been added
by the exercise of creative or at least intellectual judgment. In the case of modern
electronic databases where the selection and arrangement of the contents is unlikely to
have been the subject of significant skill and judgment (since computing power enables
'brute force' approaches to searching to work just as well), this standard is unlikely to be
met. In addition, there is no definition of who is an 'author' or what constitutes a 'work'.
Accordingly, although the technology, including software, which enables data to be
captured is likely to be protected under trade secrecy, patents and/or (in the case of
software) copyright, it is unlikely that databases compiled through the automatic capture
and collation of data would qualify for copyright protection in principle.5 This Directive
therefore gives very limited protection to data itself.
The Database Directive was introduced precisely to fill the gap in protection for
utilitarian data left by copyright. At Article 3, it reiterates the status of copyright in
database contents set out above, providing that "the copyright protection of databases
provided for by this Directive shall not extend to their contents and shall be without
prejudice to any rights subsisting in those contents themselves". This was confirmed by
the Court of Justice in its decision in Football DataCo v Yahoo!6 where it held that
under the Database Directive a database could attract copyright only in its structure and
will not extend to the contents of the data itself where this amounts to no more than the
collation of pre-existing facts. It held that a database could attract copyright in its
structure, which will be protected when it is “original”. That criterion of originality is
satisfied when, through the selection or arrangement of the data which it contains, its
author expresses his creative ability in an original manner by making free and creative
choices. By contrast, that criterion is not satisfied when the setting up of the database
is dictated by technical considerations, rules or constraints which leave no room for
creativity. Expending significant labour and skill in compiling a database will not be
sufficient to give rise to copyright protection under Article 3(1) unless the author has
also expressed creative originality in the selection or arrangement of the data contained
in that database (whether carried out by hand or by software). Modern electronic
databases are rarely likely to qualify under this threshold.
Where copyright does subsist, this confers a property right upon the holder of the
database so that the copyright can be assigned, mortgaged or licensed like any other
form of property. It also enables the owner to prevent third parties from copying the
data without permission, regardless of whether the data is secret. There are however
limits to the protection from copyright: it is necessary to demonstrate that the infringer
5 There has been no case law on the question to date
6 C‑604/10 1.3.12
14
has in fact copied the data rather than having generated a similar database from other
sources. In other words, unlike patent rights copyright is only a partial monopoly. The
right also requires policing, which may be difficult if data is transferred over private
networks and then used within business' own computer systems rather than becoming
visible on the internet.
These disadvantages also apply to database right, which may subsist even where the
criteria for copyright protection are not satisfied. This is considered further below.
(ii) Database right
In order to enjoy protection under the Database Directive a database must be a
collection of independent works, data or other materials which:
(a) are arranged in a systematic or methodical way; and
(b) are individually accessible by electronic or other means.
All such databases are protected by database right, provided there has been a
substantial qualitative or quantitative investment of financial, human or technical
resources in obtaining, verifying or presenting the contents of the database concerned.
The precise meaning of 'substantive' in the evaluation of investment remains unclear.
The investment is to be measured either on a quantitative basis or a qualitative one, or
by a combination of both qualitative and quantitative. It can be made either at the
inception of a database project (obtaining its contents) or during the life of a database
(verifying or presenting its contents). One result of this definition of a database is that it
may result in protection being given to the contents of a website which is not available
to the same content published in hard copy form, such as an online newspaper site, for
instance. This may vary between the courts as it will depend on the facts of the case in
determining whether a qualifying investment can be identified in carrying on an online
version of an existing business.
The investment must, however, be in producing the database itself and not in a different
activity from which valuable data arises. This requirement has given rise to important
limitations on database right as a form of protection for data which arises in the course
of ordinary business activities or is captured by sensors for operational reasons, as a
result of the leading Court of Justice cases Fixtures Marketing.7 These established that
to attract database right an investment must have been made in the obtaining, selection
or verification of the data: investment in activities which give rise to data does not
qualify, regardless of the value of the resulting database. This issue is likely to be the
subject of further disputes as the value arising in databases of data automatically
generated or captured in the course of other activities causes commercial tensions. The
English Court of Appeal has already given a ruling, discussed in section 4.2(b) below,
7 Cases C-46/02, C-203/02, C-338/02 and C-444/02 Fixtures Marketing Ltd v. Oy Veikkaus Ab, The British Horseracing
Board Ltd v. William Hill Organisation Ltd, Fixtures Marketing Ltd v. Svenska Spel AB, Fixtures Marketing Ltd v.
Organismos prognostikon agonon podosfairou (OPAP)
15
which if more generally adopted could enable database right to subsist in some such
'collateral' data collections.
The database right enables the owner to prohibit third parties from either extracting or
re-utilising substantial parts of the data without permission, or repeatedly and
systematically extracting or re-utilising insubstantial parts of the database. Here,
extraction is considered the permanent or temporary transfer of the contents of a
database to another medium by any means or in any form and re-utilisation means
making the contents of a database available to the public by any means. The key issue
in determining infringement of a database right, other than the difficulty already alluded
to in connection with copyright of identifying the fact that an infringement has taken
place at all, lies in identifying what amounts to a substantial part of the data. This will
vary depending on the facts of the case but would encompass repeated extraction or re-
utilisation of insubstantial parts of the database. Notably, it does not prohibit merely
accessing the database; the owner of a valuable database would therefore be well
advised to implement technological protections (in addition to any contractual
restrictions where access has been permitted).
If the collection qualifies for database right protection, the protection lasts for 15 years
from the end of the calendar year in which the database was completed. However,
although there has been no case law to date, if updates to the database cumulatively
amount to a substantial change in the contents which would be considered a substantial
new investment, then the updated database qualifies for its own 15-year term of
protection. The right can therefore last indefinitely, so long as sufficient investment is
put into updating it periodically.
Finally, even where database right does subsist, the Database Directive includes
restrictions on the ability of database right owners to limit licensees' dealings with the
content. Article 15 prevents a licensor of a database which is made available to the
public in whatever manner from preventing a lawful user (i.e. licensee) of the database
from extracting and/or re-utilizing insubstantial parts of its contents, evaluated
qualitatively and/or quantitatively, for any purposes whatsoever. This appears to make
licensing under database right a 'once and for all' arrangement rather than being able to
be restricted to specific fields of use. It is not clear for what purpose the framers of the
legislation included this provision but it could hamper the exploitation of databases
which, for any reason are made available to the public either in the course of
commercial licensing or otherwise, through licensing since such a loss of control may
incentivise database right holders from making licences available on any terms.
(c) Example data access regime: chemicals and the life sciences sector
(i) Chemicals
Chemicals in the European Union are regulated under a single comprehensive set of
regulations, REACH, which came into force on 1 June 2007. It applies to all new
substances, and since December 2010 is being applied progressively over a phase-in
period to substances which were already on the market in the EU before it came into
effect. All chemical substances will be regulated under REACH by the end of 2018.
16
REACH sets up a system whereby chemical substances cannot be put on the market in
the EU unless they have been registered and, where necessary, authorized – which
may involve the imposition of restrictions. The system is very wide in scope, covering all
substances whether manufactured, imported, used as intermediates or placed on the
market, either on their own, in preparations or in articles. The process of registration,
evaluation and authorization is centrally managed by the European Chemicals Agency
("ECHA").
The system of registration and authorization requires the manufacturer or importer of a
substance to provide to ECHA a dossier with specified information about the substance.
Since this potentially involves many manufacturers carrying out identical tests on the
same substance, ECHA assists in the formation of Substance Information Exchange
Fora (SIEFs) for sharing data between applicants dealing with the same substance,
particularly animal test data at the pre-registration stage. Under Article 30, before
conducting any testing of their own SIEF participants must inquire whether a relevant
study is available within the SIEF, and if the testing of vertebartes is involved then any
such existing study must be requested There is a mechanism for sharing the costs
which the original registrant incurred in carrying out the tests, and the owner of the tests
must give permission to the new applicant to refer to the full study report for the purpose
of registration within two weeks of receipt of payment. A similar mechanism enabling a
later applicant to use an earlier applicant's test data applies under Article 27, outside the
SIEF arrangements. Industry consortia have also been established to reduce the
amount of redundant testing carried out, which usually allow members to use available
data and registration dossiers.
Article 10 REACH requires manufacturers and importers to submit:
a technical dossier, including intrinsic properties, uses and exposures, for
substances manufactured or imported in quantities of 1 tonne or more; and
a chemical safety report, for substances in quantities of 10 tonnes or more.
Article 10 refers to voluminous identification and test data more particularly specified in
Annexes VI-X REACH; preparation of the dossier is not a simple matter. Much of this
data may have to be obtained from companies further up the supply chain. Testing can
include physico-chemical, toxicological and ecotoxicological data; the amount of testing
required depends on the tonnage concerned, within bands. Any data produced by
testing which has to be carried out on vertebrates (which is only where other adequate
data gathering methods are not available) must be shared with other applicants.
Sharing of other test data is also strongly encouraged. Once the dossiers are submitted,
the substance is registered.
If a company fails to register a substance then the company is no longer allowed to
manufacture or import this substance.
REACH itself contains no provisions for the protection of confidential information, but
the risk that this could be compromised through either the data sharing or registration
requirements is clearly recognized.
17
Article 118 relates to ‘Access to Information’ held by ECHA, and begins by confirming
that the principles on transparency in Regulation 1049/2001 ("the Transparency
Regulation") apply. Article 4 of the Transparency Regulation requires an EU institution
to withhold a document in response to an access request if disclosure would undermine
any person’s commercial interests. Article 118(2) of REACH specifically acknowledges
that the disclosure of details of the full composition of a preparation; precise use,
function or application of a substance or preparation; precise tonnage of substances
and preparations; or links between a manufacturer or importer and downstream user
may undermine the protection of the commercial interests of the concerned persons.
Thus, in principle they are protected from disclosure. Nevertheless, ECHA is entitled to
disclose such information if urgent action is essential to protect human health, safety or
the environment, such as in emergency situations.
A registrant can request that components of the information in the dossier, which would
ordinarily be made available online, be treated as confidential. The request must
include a justification that is accepted by ECHA as to why publication of this information
is potentially harmful to commercial interests (of either the requestor or of any other
involved party).
ECHA also recommend that companies participating in a SIEF or other data sharing
arrangement should protect the confidentiality of their information either by entering into
confidentiality agreements limiting access to documents or other information to specific
named persons, or departments, for example, only the persons working within a
regulatory section are allowed to see certain information. This access could, for
instance, be confined only to access to a physical copy without the ability to copy it. If
the information is too confidential to share with competitors even on such a basis, then
the documents could be reviewed by a third party consultant who would report to the
other SIEF participants but not show them the information.
Further, a registrant can ‘opt-out’ from the joint submission of data if doing so would
lead to disclosure of confidential information. However, a party which opts out is still
bound by the data sharing obligations.
(ii) Pharmaceuticals
No medicinal product can be marketed anywhere in the EU without a marketing
authorization (MA). In order to obtain an MA, the applicant must demonstrate the
product’s safety, efficacy and quality to the required standards. Demonstrating safety
and efficacy involves very extensive pre-clinical and clinical testing, all of which must
itself be conducted in accordance with stipulated standards and procedures. The data
required includes relevant clinical (human pharmaco-kinetics, safety and efficacy data,
any post-marketing experience) and non-clinical (pharmacology, toxicology, pharmaco-
kinetics) studies. To demonstrate that the product is of the necessary quality, data must
be supplied showing the manufacturing processes to be used for the product, their
stability, characterization and control.
The application must demonstrate the quality, safety and efficacy of the product through
reference to sufficient, credible data. Consequently, the MA comprises not only any
document issued to confirm that an authorization is granted and specify any particular
18
conditions, but also the entire data dossier submitted with the application for
authorization, and associated documents.
Commercially confidential data included in the dossier are protected from disclosure to
third parties, but much of the data can be obtained upon request in reliance upon the
principles of the Transparency Regulation. On 30 November 2010 the EMA adopted a
new policy on access to its documents. In the press release accompanying the adoption
of this policy, the EMA stated that documents submitted to it as part of an MA
application, such as clinical trial reports, could henceforth be disclosed, provided that
the decision-making process for the application in question was finalised. The policy on
access to EMA documents became effective on 1 December 2010. Under its new
policy, the EMA drew up an output table for the various documents in its possession.
More specifically, MA dossiers or updates and amendments to those dossiers, including
clinical trial reports, are considered to be public, that is to say, they may be disclosed
once, inter alia, the Commission’s MA decision is available for the medicinal product
concerned. In March 2012 the output table was complemented by guidelines from the
EMA and heads of national medicines agencies regarding the types of information
included in an MA application that can be publicly released after the final decision on
the application. The objective is to enable a consistent approach to be adopted in order
to provide guidance on the identification of commercially confidential information which
must be protected after an MA has been granted.
According to the guidelines, the following are considered commercially confidential
information: detailed information concerning the quality and manufacturing of the
medicinal products; information concerning the development of the product, including
detailed information on the synthesis and manufacturing of the active substance;
formulation, test procedures, validation, as well as manufacturers and suppliers of the
active substance and excipients; and detailed descriptions of the manufacturing and
control processes for the finished product. By contrast, information encompassing
clinical and non-clinical development of a medicinal product is not per se commercially
confidential. Accordingly, as a rule the data included in clinical trial reports is regarded
as data that can be disclosed. Non-clinical studies are intended, inter alia, to identify the
pharmacological properties and to understand the toxicological profile of the medicinal
product, whilst clinical trials are studies that are intended to discover or verify the effects
of one or more investigational medicines. Regulation of those trials aims to ensure that
the rights, safety and well-being of trial subjects are protected and the results of clinical
trials are credible.
Consequently, since its new policy on access to documents has been in place, the EMA
has been releasing documents submitted as part of MA applications, including clinical
study reports, on request pursuant to the Transparency Regulation. The originator will
be notified and can request redaction of data, but the threshold for accepting that data
should not be disclosed is a high one. In November 2013 a decision was issued by the
CJEU on a challenge by InterMune to a decision of the EMA granting access to
competitor Boehringer Ingelheim despite its objections. The Court ruled8 that the
General Court, which had suspended the EMA's decision as a whole, should reconsider
8 Case C‑390/13
19
the issue of disclosure of specific parts of the information requested one by one in the
light of InterMune's specific arguments in defence of confidentiality. However,
InterMune subsequently withdrew its challenge (possibly after reaching agreement with
Boehringer Ingelheim as to provision of some parts of the data). No effective ruling has
therefore been given as to what extent of data can as a matter of right be withheld.
The dossier as a whole may be relied upon as the basis for an application from a third
party for authorization of a generic version of the same product or any line extension of
it, after a specified period, now harmonized at 10 years (subject to variation in certain
circumstances, such as an application to extend the use of the product to the paediatric
population), has elapsed since submission by the original applicant.
Pesticides and biocides are subject to similar pre-marketing registration and approval
schemes.
(d) The impact of competition law
Competition law can provide a powerful constraint on the extent to which either IP rights
or contractual arrangements can be used to maintain a market advantage in a data-led
market. Accordingly, where commercial arrangements concerning commercial or
technical data damage economic efficiency, competition law may provide a means for
managing that impact.
(i) IP rights, dominance and competition
Since at least 2001, the European Commission has expressed concerns about not
merely the prescription and drug sales data held by IMS Health, but, more specifically,
on the method of data organisation it had devised, known as the “brick” system. Bricks
are geographically defined blocks into which IMS had divided the countries and cities in
which it operated, to establish meaningful units for analysing sales of drugs. IMS
Health's structure for Germany, for instance, consists of 1,860 bricks. The company
tracks doctors' prescriptions and drug sales at pharmacies, on a brick-by-brick basis.
Drug companies pay for the analysis and use it to inform product strategies.
In theory, anyone can build their own brick structure by choosing where to set the
boundaries, and if original a particular set of bricks can be protected by copyright. The
reality may be different, however. When two other companies tried to create their own
brick structures in order to enter the German market and compete with IMS Health, they
found that most drug companies wanted either IMS Health's existing structure or
something based directly on it in order for all of the data to be directly comparable. The
IMS Health structure had become an industry standard. But IMS refused to license its
copyright to competitors and then successfully sued them for infringement when they
launched rival products, winning injunctions in the German courts. The rivals
complained that this refusal to license was an abuse of IMS Health's dominant position
in the market, contrary to Article 102 TFEU, and the complaint was upheld.
20
The case was amongst the first where the competition law concept of essential facilities
was applied in an information context.9 The doctrine says that a company, which is
dominating the market due to its control over an essential facility, may not use its
position to its advantage by disallowing competitors the access to this essential facility
and, hereby, undermining effective competition in another market. However, the
essential facility may only be accessed under “extraordinary circumstances”, which is
the case when the following requirements are fulfilled:
1. The access to the facility must be essential for entering the market.
2. The denial of access would exclude any effective competition on the respective
market.
3. The denial of access would prevent the release of a new product.
4. There is no objective reason for the denial of access.
Applying this in the context of IMS' rights over the brick structure, which was the subject
of a preliminary reference from a German court about IMS' refusal to license, the CJEU
held10
that a refusal to grant a licence by an IP owner who holds a dominant position
entails an abuse of dominant position within the meaning of Article 102 Treaty on the
Functioning of the European Union where:
(a) there are no objective justifications for such refusal;
(b) the subject matter of the IP right in question is an input that is indispensable for
competing on a secondary market. The national court must consider whether
there are products or services which constitute alternative solutions, even if they
are less advantageous, and whether there are technical, legal or economic
obstacles capable of making it impossible or at least unreasonably difficult for an
undertaking seeking to operate in the market to create such alternative products
or services. To establish the existence of economic obstacles, it must be
established that the creation of alternative products or services is not
economically viable for production on a scale comparable to that of the
undertaking which controls the existing product or service;
(c) the undertaking seeking the licence intends to produce goods or services of a
different nature which, although in competition with those of the IP owner, answer
specific consumer requirements not satisfied by the existing goods or services;
and
(d) the refusal is such as to reserve to the IP owner the market for the supply of data
on sales of pharmaceutical products in the Member State concerned by
eliminating all competition on that market.
9 The earliest cases on this general subject include Case C-241/91 RTE and ITP v Commission
10 Case C-418/01, IMS Health v. NDC Health
21
The analysis applied in IMS Health may be applicable by analogy to other situations in
which a business obtains dominance through exercising any form of IP right, and could
equally also apply where an entity obtains a dominant position through possession and
control of access to commercial or technical data.11
Accordingly, competition issues
may arise where any digital business achieves dominance in a defined data market,
such that competitors require access. The market could be with respect to a particular
dataset, or analytics software, or a physical product for data measurement and capture.
(ii) Competition and transactions
(a) Acquisitions and mergers
Competition law may similarly affect any corporate arrangements which potentially
affect rights of access and use to some categories of data. European competition
authorities are particularly alive to this given the increasing market power which large
datasets can confer. In May 2016, the French and German competition authorities
produced a joint report12
examining the application of competition law to data. In
summary, it concluded that as in any competition analysis case-specific assessment of
the reality and extent of the advantage of data for market power needs to be undertaken
to affirm or reject whether any advantage exists. Although data is everywhere, its
significance in any given markets depends on the extent to which it is substitutable and
accessible. The value of a dataset relies on the amount of information collected for
each individual as well as on the number of individuals. Further, the advantage
associated with access to a larger volume of data may be quite different for different
markets. The scarcity of data and the scale/scope of collections are particularly relevant
even though data is non-rival material, allowing for concurrent collections. Limited
access may still give rise to competition concerns.
Even more recently, delivering a speech on 9 September 2016, Margrethe Vestager,
EU Commissioner for Competition, explained that when the European Commission
reviews mergers involving the acquisition of valuable datasets, the key question is
whether a dataset is "unique" enough to drive rivals out of the market. Commissioner
Vestager added that DG COMP would be "keeping a close eye on whether companies
control unique data ... and can use it to shut their rivals out of the market."
Commissioner Vestager noted that the Commission considered this question in
particular during its Phase 1 merger investigation into the acquisition by Google of
DoubleClick, an ad serving, management and reporting technology business, in 2008.
In that case, the Commission approved the acquisition on the basis that DoubleClick's
advertising data, however valuable, was not sufficiently unique. On the contrary, other
companies already held similar data, or had the ability to purchase it. Accordingly, the
combination of Google's existing position with Doubleclick's data did not significantly
impede effective competition in the relevant markets.
Thus, the question of whether competition will be affected or not depends on the precise
details of the market concerned at the time.
11 Case T-201/04 Microsoft v Commission is also important in this area of law.
12 http://www.autoritedelaconcurrence.fr/doc/reportcompetitionlawanddatafinal.pdf
22
Health data
The European Commission has looked at the state of the market for data only in one
case: the assessment of a proposed merger between IMS and French company
Cegedim, in December 2014.13
In a decision in July 2014, the French Competition
Authority had already found that Cegedim had engaged in abusive discriminatory
conduct in breach of Article 102 of the TFEU and Article L.420-2 of the French Code de
Commerce by refusing to allow some customers of Euris, a CRM software provider, to
give Euris access to Cegedim's OneKey® database of healthcare professionals.
The merger investigated by the European Commission concerned IMS Health's
acquisition of part of Cegedim's business. One component of that business was actual
health data, forming part of the category described as real world evidence ("RWE")
services. RWE services are based on observational studies and on data collected on
actual patient experiences and actual use of a product in “real life" clinical practice (i.e.,
outside the controlled environment of pre-launch clinical trials). These services are
based on data obtained from a variety of sources, such as software keeping electronic
medical records, pharmacy management software, insurers, national health
reimbursement authorities and public health authorities.
Both IMS and Cegedim had contractual relationships with third parties in place to gather
RWE data and maintain their own databases of pre-collected RWE data. Competitors
included Insight Health and Kantar Health. While some of the competitors had
established relationships with upstream data suppliers and maintain internal RWE
databases, others did not and so did not have direct access to RWE data. A majority of
market participants consulted by the Commission considered that it is generally difficult
to collect and obtain RWE data from multiple sources and that the acquisition of data
may involve a considerable cost.
In this context, the Commission investigated whether the merger would increase IMS'
ability and/or incentive to limit third party access to RWE data suppliers and/or to RWE
data and, if so, whether this possible conduct was likely to have anti-competitive
foreclosure effects. A competition analysis depends upon identifying the precise
markets, commercial and geographical, in which the parties operate. So the question
raised is whether the markets for data underpinning particular RWE services were
separate. The Commission's market investigation in this case did not provide any basis
for identifying separate markets for particular RWE services depending on the type of
data they are based on or on the specific type of question they aim to answer. Nor was
it conclusive on whether a distinction could be drawn between the provision of the data
for the purpose of the RWE services on the one hand and the provision of the services
based on the RWE data on the other hand, given the close relationship between the two
activities.
The market investigation also needed to assess whether the markets for data are
geographically distinct. It provided mixed results with respect to the geographic
13 Case No COMP/M.7337 Case No COMP/M.7337, Commission Decision 19 December 2014.7 at
http://ec.europa.eu/competition/mergers/cases/decisions/m7337_20141219_20212_4101276_EN.pdf
23
definition for RWE services. It found that while some providers of RWE services seem
to operate on a local basis and offer contracts limited to one single country, others
deliver studies covering several countries within the EEA. Similarly, pharmaceutical
companies seem to purchase RWE studies both at the national and EEA level. They
usually rely on several local providers for RWE studies limited to individual Member
States and on one provider for studies of broader coverage. Most respondents also
indicated that there are differences in terms of regulation, language and healthcare
system between the Member States. The Commission concluded that the geographic
scope of the market for RWE data is likely to correspond to the geographic scope of the
market for the provision of RWE services, but did not make any specific finding as to
particular market limits, once again leaving this issue to be decided as and when
necessary in future transactions.
Overall, the Commission concluded that the merger would not increase IMS' ability
and/or incentive to limit third party access to RWE data suppliers and/or to RWE data.
The principal basis for this conclusion was that IMS Health and Cegedim's combined
share of the EEA market for RWE was only 5-10%. It found that the sample of data
needed in order to be able to provide meaningful RWE services is small and (despite
the respondents' comments to the contrary) readily accessible from various sources,
particularly historical data. There is thus no need for RWE services providers to collect
data over a longer period of time before being able to provide RWE services that rely on
historical data.
The results of this investigation are specific to the facts of the particular case but
illustrate the complexity of markets for data even in a single industry sector. Given the
different relationships which apply between data generators, aggregators and users (or
potential users) in other sectors, further competition analyses are bound to be needed in
future transactions.
Information society services
The Commission has considered the impact of data access in a number of other merger
investigations where electronic services were concerned, but no decision has yet been
based upon any analysis of data dominance or data market distortion. In the
TomTom/TeleAtlas merger,14
the parties argued that combining their data would in fact
promote consumer benefit, since customer feedback would enable the combined parties
to produce better digital maps, faster. The Commission did not give any opinion,
approving the merger in the light of low provider switching costs and limited pass-
through to consumers. In considering the Telefonica/Vodafone/EE joint venture15
and
similarly in respect of the Publicis/Omnicom merger16
(both concerning personal data)
the Commission concluded that the market potentially affected, for data analytics and
storage, was subject to robust competition. In the Facebook/WhatsApp acquisition, the
14 Case COMP/M.4854, Commission Decision 2008 OJ (C237) 53-55
15 Case COMP/M.6314 Decision 2012 OJ (C66) 122
16 Case COMP/M.7023 Decision 2014 OJ (C84) 112
24
Commission expressly declined to define or investigate a market for Big Data since
neither party was active in the provision of data to third parties.17
In August 2016 the European Commission's Competition directorate announced a
consultation to assess whether or not the threshold conditions in the Merger Regulation,
which currently focus purely on company turnover, should be revised to take into
account other assets such as valuable databases.
(b) Assignments and licences
Competition law, specifically Article 101(1) TFEU, prohibits any agreements between
undertakings, decisions by associations of undertakings and concerted practices which
may affect trade between Member States and which have as their object or effect the
prevention, restriction or distortion of competition within the internal market. Any such
agreements are automatically void, unless (pursuant to Article 101(3) TFEU) the
agreement contributes to improving the production or distribution of goods or to
promoting technical or economic progress, while allowing consumers a fair share of the
resulting benefit, and which does not impose any restrictions indispensable to the
attainment of these objectives or afford the possibility of eliminating competition in
respect of a substantial part of the products in question.
Prohibited agreements include all those which:
directly or indirectly fix purchase or selling prices or any other trading conditions;
limit or control production, markets, technical development or investment;
share markets or sources of supply;
apply dissimilar conditions to equivalent transactions with other trading parties,
thereby placing them at a competitive disadvantage; or
make the conclusion of contracts subject to acceptance by the other parties of
supplementary obligations which, by their nature or according to commercial usage,
have no connection with the subject of such contracts.
Article 101 has a particular significance in respect of licences relating to intellectual
property rights in view of the intrinsic potential for such rights to facilitate the
establishment of monopolistic or oligopolistic market structures. The 1984 version of
the Technology Transfer Block Exemption18
("TTBE"), since replaced by a more market-
share based approach,19
spelled out prohibited clauses, the inclusion of which in a
17 Case COMP/M.7217 Commission Decision 10 March 2014
18 Regulation 2349/84
19 Three subsequent versions of the TTBE were issued in 1996, 2004 and 2014 respectively.
25
licence would be likely to lead to a finding of infringement20
in detail. The principles
underlying these include: tying arrangements; royalties paid on products outwith the
scope of the licensed rights; restrictions on competition in research and development;
and any obligation to assign to the licensor rights in improvements of the technology or
new applications for it.
The current Technology Transfer Block Exemption21
takes a more nuanced approach
depending on whether the parties are competitors or not. Article 4 of the current TTBE
prescribes a number of "hardcore restrictions" that would cause the whole agreement to fall
outside the TTBE. In most cases, these restrictions are unlikely to satisfy the exemption
criteria in Article 101(3) TFEU. Broadly speaking, the list for agreements between
competitors is more restrictive than for non-competitors. In addition, Article 5 of the current
TTBE lists restrictions that are not block exempted but rather require individual assessment
of their anti-competitive and pro-competitive effects. The three excluded restrictions are: (i)
any direct or indirect obligation on the licensee to grant an exclusive licence or to assign
rights, in whole or in part, to the licensor in respect of its own improvements to, or its own
new applications of, the licensed technology; (ii) any direct or indirect obligation on a party
not to challenge the validity of intellectual property rights which the other party holds in the
Union (although an exclusive licence can be terminated if the licensee does bring such a
challenge); and, (iii) where parties are non-competitors, any direct or indirect obligation
limiting the licensee's ability to exploit its own technology or limiting the ability of any of the
parties to the agreement to carry out research and development, unless such latter
restriction is indispensable to prevent the disclosure of the licensed know-how to third
parties. If any of these three excluded restrictions are included in an agreement, the rest of
the agreement can still be covered by the TTBE, if the restriction(s) can be severed from the
agreement. In conclusion, the principles first set out so long ago remain a helpful guide to
the kinds of terms which are likely to be found to breach competition principles whether in IP
or 'pure' data agreements.
Patent wars and FRAND licensing
In recent years the competition authorities have paid close attention to the impact of patents
over aspects of technology where such technology is incorporated into industry-wide agreed
standards so that the patent is declared essential to any product conforming to the standard
("standards-essential patents", or "SEPs"). The Commission's review of the IPR Policy of
the European Telecommunications Standards Institute ("ETSI") led to a revision, such that
any company participating in the development of a technical standard, and which declares
that patents it holds are SEPs for that standard, must make a declaration that it is prepared
to grant licences under the patent to all-comers on terms which are Fair, Reasonable and
Non-discriminatory ("FRAND").
The subsequent commercial handling of FRAND licensing discussions has been fraught.
The objective of the imposition of a FRAND declaration on the patent holders was intended
20 Subject to the parties' market share: parties with a combined market share of less than 10% are exempt under the
Notice on Agreements of Minor Importance 21
Regulation (EU) No 316/2014 on the application of Article 101(3) of the Treaty on the Functioning of the European
Union to categories of technology transfer agreements
26
to eliminate the risk of so-called "patent hold-up" under which the patentee could potentially
force all technology users to pay royalties for the use of the patent simply based upon its
essentiality, without having also to undertake the necessary technical analysis to
demonstrate that the patent is in fact being infringed by the product. However, the system
has also permitted the emergence of a phenomenon known as "patent hold-out", under
which the technology user declares itself perfectly ready and willing to take and abide by a
licence on FRAND terms – but either fails to accept that the terms on offer by the patentee
are FRAND and/or also fails to engage with an effective negotiation process, all the while
continuing to use the technology secure in the knowledge that it is highly unlikely to be
injuncted from such use given that it is entitled to a licence. Such companies argue that it
would be an abuse of a dominant position for the patentee to seek an injunction in those
circumstances.
The CJEU finally ruled on this hotly debated topic, in Huawei Technologies Co Ltd v ZTE
Corp.22
The Court confirmed that the bringing of an action for a prohibitory injunction
against an alleged infringer by the proprietor of an SEP may (but will not invariably)
constitute an abuse of dominance, contrary to Article 102 TFEU. Specifically, an SEP
holder, which has given an irrevocable undertaking to the standardisation body to grant a
licence on FRAND terms, does not abuse its dominant position by bringing an action for
infringement seeking an injunction or the recall of products as long as:
(a) the SEP holder has
(ii) alerted the infringer to the fact of the infringement and the way in which
the SEP has been infringed; and
(iii) (after the infringer has expressed its willingness to conclude a licence
agreement) presented a written offer for a licence on FRAND terms
which specifies the royalty and how it was calculated; and
(b) the infringer has continued to use the SEP without diligently responding to the
holder's offer, in good faith and with no delaying tactics. This may require a
prompt, written counter-offer and the provision of security such as a bank
guarantee for the royalties due for past and on-going sales.
Nevertheless, the judgment leaves much still to be worked out. When does a disagreement
over the proposed terms of a licence cease to be good faith and become a delaying tactic?
In particular, the Court's acceptance that an alleged infringer cannot be criticised for
challenging the validity of the patent or indeed whether it is in reality essential to the
standard (and so necessarily infringed) opens the door to lengthy disputes as to the rights
and wrongs of those issues before any licence can be finalised. The provision that an
alleged infringer which agrees in principle to take a licence must provide security pending
final terms being agreed is meant to protect the SEP holder during this period – but the
Court stopped short of mandating third party adjudication of the appropriate royalty, leaving
that to the parties' equally uncertain agreement.
22 Case C‑170/13 judgment of 16 July 2015
27
In a dispute between SEP-holder Sisvel and two companies in the Qingdao Haier group,
the Dusseldorf court has found one set of circumstances where an injunction is appropriate.
Sisvel had provided information as to its allegation of patent infringement to the head
company in the Qingdao Haier group before bringing the claim, and proposed licence terms
including royalty rates. But Haier had not responded until after the claim was filed. At that
point it made a counter offer, and made others including one just before the actual trial. At
no time did it provide security for the royalties due under any of its sales, until the hearing
itself when it produced sales data and a small bond for accrued royalties.
Haier's FRAND defence was rejected. The German court did not look into the details of
whether Sisvel had provided enough information before starting the action, or the FRAND
(or otherwise) nature of either side's offers. Nor did it accede to Haier's request for Sisvel to
produce copies of the other licences it has granted under the patent in suit, to enable Haier
to assess whether or not those offers were FRAND. It simply found that Haier's conduct
amounted to delaying tactics so that the responses it had given through the course of the
action were not sufficient to ward off an injunction. Haier would have had to provide a bond
to cover accrued royalties within one month of making its first counter-offer, to demonstrate
its good faith and avoid the injunction.
The relevance of such issues to transactions in data, however, is limited since there is as
yet no equivalent to a technology standard in the world of data. Accordingly, even if a
refusal to license a set of data which had been found to be essential for a particular
commercial activity were found to be an abuse of dominance, no obligation to grant
licences to all-comers on FRAND terms would necessarily follow. The data holder could
instead grant licences selectively and on purely commercial terms, provided that the
specific terms were not themselves anti-competitive in breach of Article 101.
(e) The impact of contract law
To date, other than competition provisions discussed above, the EU has taken only limited
initiatives in the field of contract law, primarily directed at consumer protection and so not
likely to affect business-to-business transactions relating to data. As far as consumer
transactions are concerned, the Consumer Rights Directive is now in effect and requires
businesses to provide information to consumers before a contract is concluded including
information about the functionality and interoperability of digital content. It regulates the
consumer's right of withdrawal. It is unlikely to affect business' ability to access and control
data.
The pending Draft Digital Content Directive aims to give consumers of digital content better
rights with respect to defective products and arguably represents a step towards elevating
the status of data to that of other forms of value in consumer transactions since it covers
digital content supplied not only for a monetary payment but also in exchange for (personal
and other) data provided by consumers. It currently also proposes that upon termination of
the contract, the trader must stop using the data; and provide the consumer with technical
means to retrieve “all content provided by the consumer and any other data produced or
generated through the consumer's use of the digital content to the extent that data has
been retained by the supplier. The consumer shall be entitled to retrieve the content free of
charge, without significant inconvenience, in reasonable time and in a commonly used data
format". The final form of this proposal remains to be seen.
28
At national level, however, contract law is in practice the area of law which is most relied
upon at present between commercial entities developing and exploiting valuable data. This
is especially important if the data is not, or cannot be kept, secret and any intellectual
property rights related to the data are minimal. Enforceability issues can arise when the
parties' contractual rights are framed in terms of IP and confidentiality when on a strict legal
analysis the data is not protected in this way. Consequently, real care needs to be taken to
ensure that each parties' rights and obligations related to the data are expressly set out as
contractual terms, rather than simply claiming that the data is covered by IP rights and
confidentiality and expecting this to provide adequate protection.
Nevertheless, contractual terms can be used to confirm and clarify what rights each party is
to have in relation to data and define the restrictions that apply. In principle, there is no
reason why contracts cannot be framed to manage rights over data between parties in any
circumstances whatsoever.
In practice, whilst contract is a suitable instrument for managing rights between parties of
equal commercial bargaining strength and legal sophistication, familiar with the applicable
laws, it can also be an instrument whereby a stronger or more legally skilled party can
obtain an advantage over a weaker or less well advised counterpart. Consumer protection
legislation such as those mentioned above provide some assurance where one party deals
as a consumer; but where a smaller or inexperienced commercial party transacts with a
larger/ more experienced, what protections may exist is purely a matter of local contract
law. As discussed below, English law recognises a specific range of circumstances in
which an unconscionable contract clause may be set aside, such as an unfair limitation of
one party's liability, or where a clause is included because a party has exercised duress,
but there is no general principle that inequality of bargaining power alone can affect a
contract's validity. Although such a principle was formerly recognised in US contract law,
since the introduction of the Uniform Commercial Code (UCC) it has ceased to be relied
upon. Indeed, Comment 1 to UCC 2-302 suggests that bargaining power is not by itself
enough: “the principle is one of the prevention of oppression and unfair surprise and not of
disturbance of allocation of risks because of superior bargaining power.”
Where transactions take place across borders, a further lack of certainty arises as a result
of the different principles underlying the laws of contract between jurisdictions.
We discuss the use of contracts to manage data exclusivity and access in section 4.7
below.
3.3 Academic discussion
The vast majority of academic discussion which we have located around data relates to data
privacy. Some work is being done within national academic communities but in view of the
absence of case law at EU level regarding the handling of industrial or commercial data, it
seems that academics have not yet focussed on the question of commercial and industrial data,
at this level.
3.4 Responses to the study questions: EU acquis
29
In the light of the discussion above, we respond to the survey questions with respect to the EU
acquis as follows.
(A) What is the current EU legal regime defining what rights linked to data exist, how they
can be exercised and by whom, in particular in a commercial context? What rights are
defined in legislation for third parties wanting to access data held by a commercial
entity?
Excluding the GDPR, the primary legislation defining rights to data across all sectors is
the Trade Secrets Directive. In some circumstances the InfoSoc and Database
Directives may also confer rights.
Other than Article 102 TFEU, which may in some circumstances provide a mechanism
for third parties to access data held by a dominant undertaking, there are no provisions
of general application conferring rights on commercial entities to access other
commercial entities' data. In the chemicals and life sciences sectors, detailed
regulatory regimes enable third parties to access data filed by companies in the course
of obtaining regulatory approval to place products on the market in the EU. We have
not identified any legislation conferring equivalent or less-restricted rights of access in
any other sector.
(B) Are there inconsistencies in sector-specific rules that would make it difficult for business
to develop or improve products or services based on data?
No.
(C) Is there legislation on rights to data at Member State level which may be difficult to
reconcile with commercial arrangements involving actors in different Member States?
At present, i.e. before implementation of the Trade Secrets Directive into Member
States' national laws, the legal provisions on protection of data in the different Member
States are highly variable. Indeed, a third of Member States are reported to have no
legislation on trade secrets at all. So far as we are aware this has not prevented any
commercial arrangement involving actors in different Member States to date. But our
research indicates that commercial markets in data other than personal data are
relatively undeveloped at this stage such that if such conflicts are in fact implicit in the
divergences between Member States' laws, it could be that they simply have not yet
emerged.
(D) What is the role of competition law with respect to access and usage of data?
See section 3.2(d) above.
(E) What aspects are not covered at all by legal instruments?
The obvious absence is the question of property rights in data. The Trade Secrets
Directive does not create any such right nor, in the majority of cases, do the national
legal regimes we have reviewed. However in many cases data holders and even their
30
legal advisers assume that some form of property right subsists in data. This
assumption is sometimes (though certainly not universally) expressed as an expectation
of intellectual property rights but, as we have demonstrated above, such assumption is
frequently unfounded.
(F) Can contractual arrangements provide an efficient legal framework for managing rights
attached to data, including on exclusivity, exchange, exploitation or access to data?
What elements are missing in legislation for contracts to perform this function – if any?
Since contract law within the EU is almost exclusively a creature of the national laws,
we address this question following the discussion of the national legal environments,
below.
4. Legal environment in specific countries
4.1 Outline
In the sections below we briefly review the current legal framework at national level which
affects businesses' ability to control ("own") and/or access data.
Overall, we found that to date the power of data is an emerging rather than a truly established
phenomenon in day-to-day transactions, even in those industry sectors where its importance is
most evident. More transactions are single jurisdiction than cross-border, and disputes have yet
to emerge.
4.2 England & Wales
(a) Summary
The English law governing handling of data is principally derived from case law.
Although in a number of cases the courts have acknowledged (or refused to exclude)
the possibility that property rights could subsist in data, in every case to date where the
point had to be decided the courts have held that data is not property and therefore
cannot be stolen (Oxford v Moss23
) nor made the subject of a common law lien (Your
Response v Datateam Business Media24
). This does not in any way affect the ability of
a party which holds valuable data to charge others for access to it, even if there are no
underlying rights: the third party has no right of access to the premises or media on
which the data are stored, and so the possessor can legitimately levy a charge for
giving that access.25
But thereafter the originator's rights over the data are essentially
those conferred by any contract. The strongest protection currently available to the
holder of valuable data arises under the equitable right of action to prevent a breach of
confidence, i.e. judge-made law for the protection of trade secrets. Statute establishes
criminal offences regarding unauthorised access to computer systems including data
23 (1979) 68 Cr App Rep 183
24 [2014] EWCA Civ 281
25 Attheraces Ltd v British Horseracing Board [2005] EWHC 1553 (Ch)
31
stored on them, and modifying that data, but these have very rarely been used since the
statute is poorly drafted and so the offences difficult to prove.
(b) Statutes governing data ownership and access to data
There is no statute addressing any ownership-like rights over data nor any general
provision enabling access to data held by third parties.
The Computer Misuse Act 1990 ("CMA") was passed after a very early hacking incident
which no existing law appeared to prohibit since the hackers had merely gained access
to systems but had not attempted to steal or misuse any data.
Sections 1-3 CMA introduced three criminal offences:
unauthorised access to computer material, punishable by 12 months'
imprisonment (or 6 months in Scotland) and/or a fine (since 2015, unlimited);
unauthorised access with intent to commit or facilitate commission of further
offences, up to 5 years and/or a fine;
unauthorised modification of computer material, punishable by up to 10 years
imprisonment and/or a fine. This is aimed at persons who circulate viruses or
other malware.
The CMA has been amended several times, most recently in 2015 to add an offence of
unauthorised acts to a computer that cause, or create a risk of, serious damage to the
economy, the environment, national security or human welfare. However, the difficulties
of obtaining evidence and proving intent have meant that only a handful of cases have
ever been prosecuted.
Copyright under the Copyright, Designs and Patents Act 1988 ("CDPA") as enacted and
preceding copyright statutes was capable of protecting compilations of data since these
fell within the category of literary works to which the English courts applied a very low
threshold test of 'originality'. In effect, any work created by the author's labour would
qualify provided it was not copied from another work, without requiring any input of
artistic judgment. For instance, the court held that copyright subsisted in a directory
consisting of nothing more than an alphabetical list of the names of all solicitors
admitted to practise in England & Wales.26
However this was changed in 1996 when the
CDPA was amended to introduce the sui generis database right into English law by
carving out protection for purely information-based databases. Accordingly, databases
are now capable of protection by copyright only if they reach a minimum standard of
creativity through the selection and arrangement of their contents such that they can be
considered "the author’s own intellectual creation". As stated above, in the case of
modern electronic databases, and a fortiori in the case of databases consisting of data
captured automatically such that there has been no act of selection at all, this standard
26 Waterlow Directories v Reed Information Services [1992] FSR 406
32
is unlikely to be met. Although using copyright-protected software it is easy to envisage
a system which captures data selectively – for instance, noting the mechanical and
electrical status of a vehicle whenever a given engine temperature is exceeded – the
resulting selection of data would not be an intellectual creation of the kind the InfoSoc
Directive is intended to protect. Even in a more sophisticated example, such as an
artificial intelligence monitoring a smart building and recording data whenever recurrent
patterns in the data emerge, the resulting database would be a comprehensive and
objectively accurate record of naturally occurring facts rather than in any way an
intellectual creation.
Database right was implemented in the UK by the Copyright and Rights in Databases
Regulations 1997,27
introducing a new s.3A to the CDPA in order to implement the
Database Directive. The English Court of Appeal has however taken a somewhat more
practical approach than the apparently narrow view of the CJEU in the Fixtures
Marketing cases. In the more recent decision in Football Dataco Ltd & others v Stan
James Plc & others and Sportradar,28
the Court of Appeal held that the measurement of
physical phenomena such as temperature and pressure does not create data (which
would be excluded from database right protection under the CJEU's ruling in Fixtures
Marketing) but creates a record of pre-existing fact. Accordingly, pending further
decisions of the CJEU as to whether or not the English court's approach is compatible
with the Directive, under English law data recorded by industrial equipment, Internet of
Things ("IoT") devices and many other automatic systems may be protected if the
database maker's investment can be identified as having been made in the obtaining of
such records. This would represent a significant advantage for data driven businesses
in some respects, such as conferring property rights over the data. Issues are still likely
to arise if the data is collected as part of a process of monitoring the system's operation,
however, rather than for independent purposes such as product development since it
would then be arguable that there had still been insufficient investment in obtaining of
data as such.
Where database right does subsist, then the owner of the right has a property right in
the data as a collection, and can largely control third parties' access although the right
does not prevent third parties from accessing insubstantial parts of the database without
permission. However, given that the value of most industrial databases is likely to be in
the richness and extent of data they hold, a right to access only an insubstantial part, on
an essentially one-off basis, is unlikely to threaten the owner's economic position.
Access to communications data by government or police is governed by the Regulation
of Investigatory Powers Act 2000. However the objective of this Act is to control the
manner in which public bodies may conduct surveillance and access a person's
electronic communications; it has no effect on commercial entities' ability to control or
access third party data – or, rather, confirms that there is no legal basis for a private
entity to obtain access to data by intercepting electronic communications.
(c) Case law
27 SI 1997/3032
28 2013 EWCA Civ 27
33
(i) Data as property
The English courts have periodically had to address the question of property rights in
data and, while rarely prepared to exclude the possibility altogether, have never
determined a case by accepting the proposition. In Boardman v Phipps,29
a trustee and
beneficiary of a family trust wanted to buy a majority stake in a company (the trust
owned a minority stake). They ended up buying shares in their own capacity (which also
benefitted the trust as its shares increased in value). It was held the trustee had
breached his fiduciary duty by putting himself in a conflict of interest. Data (in this case
information about the company) came into the case as the trustee obtained information
and opportunity while acting in a fiduciary capacity (ie he knew that the company could
be turned around and there was a profit to be made – he had seen the company’s
accounts). The question arose as to whether the information was property of the trust.
The five judges did not agree: two were clear that in general, information is not property
at all, one thought that it could be and the other two thought that some information could
be regarded as property depending upon the facts.
More recent cases have reached similar conclusions. In Coogan and Phillips v News
Group,30
the Supreme Court had to consider whether unlawfully intercepted voicemail
messages constituted intellectual property as defined in Senior Courts Act 1981
s.72(2)(a)31
and concluded that they did not; the legislative purpose of s.72 was to
prevent remedies against commercial piracy from being frustrated by the privilege
against self-incrimination, not to cover the whole law of confidence. In Fairstar Heavy
Industries v Adkins,32
a shipping company got into a dispute with and needed access to
emails held by Adkins, its former CEO. When it applied to court for an order for
inspection of these emails, the judge at first instance held there was no proprietary right
in the content of an email. The Court of Appeal instead decided the case by reference
to the agency relationship –that a principal was entitled to require production by the
agent of documents relating to affairs of the principal. It was not necessary to decide
whether information in the content of the e-mails was property owned by Fairstar either
as a matter of fact or law. The court observed that ‘It would be unwise, for example, for
this court to endorse the proposition that there can never be property in information
without knowing more about the nature of the information in dispute and the
circumstances in which a property right was being asserted. Some kinds of information,
such as non-patentable know-how, are more akin to property in their specificity and
exclusivity than, say, personal information about private life’.
The following year, however, in Your Response v Datateam33
a differently constituted
Court of Appeal had to consider whether a possessory lien could be exercised over
information and was unanimous, though on different reasoning, that it could not.
29 [1966] UKHL 2
30 [2012] UKSC 28
31 “intellectual property” means any patent, trade mark, copyright, [design right] , registered design, technical or
commercial information or other intellectual property 32
[2013] EWCA Civ 886 33
[2014] EWCA Civ 281
34
(ii) Confidential information
English law protects in principle any and all confidential information, as a matter of
equity i.e. on the basis that any action which ought to taint the conscience of the
receiver of information can be prohibited. The law of confidence protects a wide range
of material which can legitimately be classified as confidential, including all forms of
technical and commercial information from industrial formulae, operating conditions,
business plans, customer lists or properties of materials. Three broad categories are
recognised.34
Some information may warrant only temporary protection, for instance
during employment but not once the employee has moved on, or protection from use in
a limited class of applications. Other information may warrant protection for a more
extended period, while highly valuable information is protectable indefinitely against all
the world. The more complex the information, the more likely it is to embody some
product of the human mind which is capable of being truly confidential. The Court of
Appeal (Lansing Linde Ltd v. Kerr 35
) has defined a trade secret, which will receive the
highest standard of protection, as information:
(a) which is used in the trade or business;
(b) whose dissemination is limited or discouraged by the owner; and
(c) which if disclosed to a competitor would cause real or significant harm to the
owner.
Thus, it is unlikely that substantial changes will need to be made to English law in order
to comply with the Trade Secrets Directive, pending decisions from the Court of Justice
in due course as to what standard of 'reasonable steps' taken to keep information secret
will justify the protection given.
Where information is already in the public domain, it is unlikely (although not necessarily
impossible (Schering Chemicals v. Falkman Ltd36
)) to be possible to enforce an
obligation of confidentiality over it. It is possible to impose a contractual condition in a
contract for hire that the product will not be reverse engineered (KS Paul (Printing
Machinery) Ltd v. Southern Instruments (Communications) Ltd37
), and this is necessary
since English law does not otherwise restrict reverse engineering by anyone who has
legitimate access to a product. If the information is in a public place (even if well hidden
in, for example, the bowels of a vending machine) and lawfully accessible by third
parties, the owner must accept that it could be decrypted (Mars v. Teknowledge Ltd38
).
The crucial distinction here is as to exactly what information is in the public domain. In
a case where the claimant argued that the defendant distributor breached a contractual
obligation of confidence by analysing the components of the claimant’s product and
34 Faccenda Chicken v Fowler 1986 1 All ER 625
35 [1991] 1 All ER 418
36 [1982] QB 1
37 [1964] RPC 118
38 [2000] FSR 138
35
producing its own version, the court held that there could have been no breach of
confidence since the key information was in the public domain in the form of a patent
application filed by the claimant. The decision was upheld by the Court of Appeal,
although Jacob LJ giving the leading judgment declined to comment upon the extent to
which information in the public domain could nonetheless be confidential, commenting
that it is a difficult legal point (EPI Environmental Technologies Inc. v. Symphony Plastic
Technologies plc39
).
The fact that information may be obtainable from the public domain by for instance
measuring or analysing a product publicly available does not make that information itself
automatically public: effort would be required for an interested person to obtain it,
whereas someone privy to (for instance) engineering drawings need make no such
effort. In these circumstances, a recipient of the information should not be allowed, by
virtue of their breach of confidence, to get a head start or ‘springboard’ over the rest of
the population in using the information. If, on the other hand, the information publicly
available is sufficient so that no additional work is needed by other interested parties,
such as should be the case where a patent application has been published, then the
recipient of confidential information gets no springboard and accordingly will not be
restrained from using it.
The springboard argument is applied even if the confidential information is later
published: the recipient may still be restrained even after the public in general are free
to use the information – at least for the period for which the head start they have
obtained might have produced an unfair commercial advantage.
The same test can be applied where a partial disclosure of the information has taken
place, by whatever means, to evaluate whether the information has by that disclosure
lost the ‘necessary quality of confidence’. If the information disclosed is sufficient for the
public to implement the product or commercial development, then the confidentiality
may well have been lost. However, disclosure only to a limited number of people, or of
only a portion of the information such that to reconstitute the whole would still take
material effort, will not destroy the confidentiality of the package of information as a
whole. Once again, it will be a question of fact and degree how wide the disclosure can
have been before confidentiality is lost.
Obligations of confidentiality are also frequently handled through contractual
mechanisms or notice. Information can be disclosed to an unlimited number of people
without losing its confidential character, as long as each and every one of them receives
it on terms of confidentiality (HRH Prince of Wales v. Associated Newspapers Ltd40
).
Disclosure for a specific, limited purpose will not destroy the confidentiality of
information for all other purposes. Thus, disclosure for the purpose of negotiations will
not entitle the recipient to use the information other than in the course of those
negotiations.
39 [2006] EWCA Civ 3
40 [2007] 2 All ER 139
36
As they do not have the status of property, trade secrets cannot be 'assigned' from one
exclusive owner to another. Instead, the best that can be done is for the owner to agree
to disclose the secret and all supporting information and materials to the proposed
‘transferee’, and simultaneously to agree not thereafter to use the information
themselves nor to disclose it to any third parties. However, the lack of any rights in the
data in rem means that if the previous owner subsequently does disclose the data, there
is a risk that third parties (with whom there is no contractual relationship) will be free to
use the data unless it can be shown that they realised the disclosure they received was
itself a breach of confidence.
Finally, confidential information in digital form is clearly more vulnerable to leakage than
the same data would have been had it been kept in a written ledger under lock and key.
In order to maintain its status as confidential, businesses need to ensure that any party
accessing the data finds clear notice that the information is confidential, must neither be
copied nor disclosed and is intended for receipt only by the addressee(s). As the Mars
case showed, it cannot be assumed that encryption by itself amounts to such notice to
third parties.
Thus, although the law of confidentiality provides substantial protection for valuable
data, it requires very careful handling in any disclosure and the flexibility of the law
means that issues frequently arise as to the extent of protection any given database
may attract.
(iii) Other grounds for accessing data
The English courts have a wide discretion to interpret the law to achieve a just result. In
some circumstances, this can include requiring a data holder to give another access,
but such an order is likely to depend upon the prior existence of a commercial
relationship. For instance in Fairstar v Adkins41
the Court of Appeal ordered the former
CEO of a shipping company, whose employment had been terminated after a takeover,
to give his former employer access to emails which he held on his personal computer.
An application based on property rights failed, since none such existed, but the Court of
Appeal ruled that Adkins held the emails as agent for his former employer and under the
law of agency the principal was entitled to require production by the agent of documents
relating to affairs of the principal. Materials held and stored on a computer, which could
be displayed in readable form on a screen or printed out on paper, were in principle
covered by the same incidents of agency as applied to paper documents.
Finally, the UK Government has implemented an Open Government Licence enabling
access to data held in public institutions.
(d) Contracts under English law
In the absence of statutory provisions, contract law is the tool companies use to govern
their data.
41 [2013] EWCA Civ 886
37
English contract law is very fluid in what terms can be incorporated into the contract.
Generally, everything is permitted that is not expressly prohibited by law. However
before a binding contract is created certain requirements must be fulfilled:
the contracting parties must have authority;
the contracting parties must have capacity; and
the contract must be correctly formed. This involves making an offer,
acceptance, consideration, intention to create legal relation and certainty of
terms.
An offer is a promise by one party to enter into a contract on certain terms. An offer
must be specific, complete, capable of acceptance and made with the intention of being
bound by acceptance. An offer can be made expressly or by conduct. English law
differentiates an offer from an 'invitation to treat'. An invitation to treat does not amount
to an offer; it is an invitation to negotiate. Common examples of invitations to treat are
advertisements and goods on display in a store; the offer ("I will buy these products at
these stated prices") is made by the customer on taking the goods to the till; the store is
not bound at this point ("No, I am sorry you are not yet 18 years old and we cannot sell
you alcohol").
A binding contract will only be formed if an offer is accepted. This acceptance must
correspond exactly with the terms of the offer with no variation of the terms. It is
possible to accept by conduct. If the contracting party purports to accept the offer but
seeks to vary the terms, this amounts to a counter offer and will not be effective
acceptance. Acceptance has no legal effect until it is communicated.
In English contract law there must be consideration passing under the contract, i.e. the
promisee cannot enforce a promise unless he has given or promised something in
exchange for it. The consideration does not need to be adequate but must be sufficient–
£1 is often used to provide adequate nominal consideration. There is however an
exception to this rule if a contract is entered into as a deed, (which involves certain
formalities) no consideration is required. It is also usually the case that past
consideration (i.e a payment already made) is capable of being consideration for a
present (new) contract.
Consideration must move from the promisee: if consideration is provided by a third
party, it will not be sufficient. However the consideration need not move to the promisor:
a party can agree to perform a contract in return for a payment being made to a third
party.
A contract cannot be made without a mutual intention to create a legally binding
arrangement. This is a fairly low threshold and is presumed to be the case in
commercial situations. It could however give rise to issues where consumers have
become accustomed to services being provided 'free' online, since it is unlikely that
many consumers believe that they are in any legal relationship when they use a web-
based service unless expressly asked to agree to terms and conditions before being
able to access it.
38
For a binding contract to exist, and to be enforced, the terms must be certain. Parties
must ensure that their agreement is complete and that it is not void for uncertainty.
However, there is no requirement for most categories of contract to be expressed in
writing; most everyday transactions do constitute contracts including terms implied by
statute as to the quality of the goods, but are never put into written form. Alternatively
the terms of a binding agreement can be inferred from communications, such as email,
which are never expressed to be a contract.
(i) Contents of a contract
The terms the parties have set out in their agreement are referred to as express terms.
These may be open to different interpretations and if so, the document setting out the
parties' agreement must be interpreted objectively. The 'true' interpretation of a contract
is not a question of what one party actually intended or what the other party actually
understood to have been intended but of what a reasonable person in the position of the
parties would have understood the words to mean. The starting point for ascertaining
the objective meaning is the words used by the parties. These are interpreted according
to their meaning in conventional usage, unless there is something in the background
showing that some other meaning would have been conveyed to the reasonable
person. Thus, the terms of the contract must be read against the "factual matrix"; that is,
the body of facts reasonably available to both parties when they entered the contract. It
does not, however, include the previous negotiations of the parties, or their declarations
of subjective intent.
English law does allow the courts to imply terms into contracts where they are not
expressly incorporated, in certain limited circumstances. These fall into 3 categories:
(a) Terms implied by fact i.e terms not expressly set out in the contract but which the
parties intended to include. The courts have developed two tests as to whether to
imply this sort of term:
(ii) Officious bystander test – this is where something is so obvious that
goes without saying – i.e 'if while parties making bargain, an officious
bystander were to suggest some express provision for it in the
agreement, they would testily supress him with a common 'Oh, of
course!' .
(iii) Business efficacy test – the courts will imply a term if some term not
expressed is necessary to give the transaction business efficacy.
The courts will not, however, imply terms in fact merely because it is reasonable
to do so. The test is whether the parties would have agreed to it, not whether it
would have been reasonable for them to do so. As a result, where two
commercial parties negotiate a contract, the court is very reluctant to interfere
and imply terms, and if it is necessary to do so will imply the narrowest possible
term to address the immediate issue. For instance, in the common situation
where one party commissions another to create a copyright work such as
materials for a marketing campaign, the commissioning party frequently assumes
that they must naturally under the contract own the copyright and so makes no
39
provision for this. In reality, the court is unlikely to imply any assignment of
copyright into the contract. It will normally imply a licence to use the work but
only for the purposes which were known to the parties at the time the work was
commissioned i.e. that particular campaign. If the customer wishes to use the
work for another campaign, or to extend the campaign from print media to online,
for example, then it will need a further agreement with the creative agency.
(b) Terms implied by law, imported by operation of law such as the Sale of Goods
Act, although the parties may not have intended to include them
(c) Terms implied by custom and practice in the relevant industry.
Law of Property (Miscellaneous Provisions) Act 1994
The Law of Property (Miscellaneous Provisions) Act 1994 legislation implies certain
covenants on title into a document transferring property depending on whether the
transfer is with full or limited title guarantee. These covenants will only be implied if the
disposition is expressed to be made with 'full title guarantee' or with 'limited title
guarantee'. These covenants may be implied into any "instrument effecting or purporting
to effect a disposition of property". A disposition of property is defined in section 205(1)
(ii) of the Law of Property Act 1925 and includes a transfer or conveyance of an existing
interest in property; charge; mortgage; vesting instrument; or disposal by will. Property
includes any thing in action (a form of intangible property) and any interest in real or
personal property. So, in the UK, if data were property, any contracts purporting to
transfer it with full or limited title guarantee would be subject to the implied covenants.
The covenants which are implied include that the person disposing of the property has
the right to dispose of it and that the person disposing of the property will, at its own
cost, make reasonable efforts to give the new owner of the property the title that the
person disposing of the property said it would give. Where the transfer is with full title it
is also implied that the property is free from known encumbrances etc. The seller will
not be liable under the implied covenants if the disposition is made expressly subject to
these.
Statutory Limitations
Although English contract law is fairly unrestricted in what the parties can agree, there
are some statutory limitations. The statutes mainly apply to situations where there is an
imbalance of bargaining power. When a party attempts to exclude or limit its liability, the
Unfair Contract Terms Act 1977 ("UCTA") will apply.
UCTA deals mainly with exemption clauses which limit one party's liability under the
contract – making some ineffective and others subject to a requirement of
reasonableness. This Act applies to contracts business-business or consumer-
consumer contracts, but not contracts between a business and a consumer.
The Unfair Terms in Consumer Contracts Regulations ("UTCCRs") deal with contract
terms in contracts between commercial suppliers and consumers, providing that the
40
terms do not bind where the terms are unfair. The court also has wide powers to
intervene under the Consumer Credit Act 2006 where a relationship between debtor
and creditor is unfair. However even where this legislation does not apply, common law
will sometimes intervene.
The Consumer Rights Act 2015 ("CRA") came into force on 1 October 2015. It primarily
applies to business-consumer contracts but business to business suppliers and
purchasers cannot ignore it if their goods, digital content or services will eventually be
supplied to consumers. The Act aims to ensure that terms in a consumer contract are
"fair" (including any terms limited or restricting liability). The CRA merges the rules
under UCTA and UTCCR as to consumer contracts. Most of the law remains the same
however there are some limited changes.
Unlike the UTCCRs, but broadly in line with UCTA, the CRA applies to notices as well
as terms, blacklists certain terms and notices (e.g. those that try to restrict certain rights
guaranteed under the CRA) and covers both negotiated and non-negotiated terms.
The law will also intervene if one party induces the other to enter into a contract by
making a misrepresentation, or through undue influence or illegality.
(e) Academic discussion on data ownership and access
The academic discussion amongst English practitioners and academics specific to data
ownership is very limited, and as regards access, other than in the specific context of
personal data or medical records, non-existent. We contacted the professors of
intellectual property at the Universities of Oxford and Cambridge, Queen Mary
University of London ("QMW") and the University of Hertfordshire. Some research is
being undertaken at QMW and Hertfordshire, but neither Oxford nor Cambridge has any
current academic interest in this topic.
Although the question is raised briefly in consideration of issues such as law
enforcement access to cloud-stored data,42
only one article was found which focusses
specifically on the issue, written by a senior practitioner, Christopher Rees.43
This
author deplores the current lack of clarity in English law as to the status of data as
property or otherwise – his personal view is that data could be classified as property
since he applies a definition of property simply as the right to use something and
exclude others from its use; but he accepts that this analysis faces difficulties when
applied to personal data observable in public or held on public records. (He does not
consider the question of alienability as an aspect of property rights, which has
repeatedly caused disputes to arise in the field of trade mark law where individuals such
as fashion designers have tried to continue using their personal names in a business
context despite having assigned all rights in a trade mark consisting of it as part of a
42 Walden, I Accessing data in the cloud: the long arm of the law enforcement agent available at
http://ssrn.com/abstract=1781067 43
Rees, Who owns our data? Computer Law & Security Report ("CLSR") 30(1):75–79 · February 2014
41
sale of a previous business.44
) The article points out the inability of data privacy laws,
based upon notions of human dignity, to address transactions in data where the
objective is primarily economic. The article specifically sets out to stimulate discussion
by proposing a system of in rem and in personam rights in data under which data
holders would have a trustee-like relationship with any personal data in their possession
and an obligation to account to data subjects for its use. In his view, a system of
property rights would improve compliance with best practice around data privacy and
security since the concept of property, and the need to maintain it, is universally
understood.
The suggestion that a system of property rights would lead to better compliance with
data privacy may have been derived from the extensive US academic discussion of the
issue. US commentators including Lessig, Schwarz, Solove, Litman and Brownsword
have written very extensively on the appropriate approach to personal data as a
repository of economic value but, as pointed out by Purtova45
the US discussion arises
in the context of a jurisdiction with little or no regulation of the use of personal data by
data holders. Further, the dual system of state and federal laws in the USA adds
tensions between state, federal and constitutional issues which do not apply in the
United Kingdom. We therefore summarise the basic arguments at 4.6 below only
briefly.
The majority of comment in English journals is focussed on issues of personal data
protection. and therefore at best tangential to the objectives of this study. However,
one recurring observation is the increasing erosion of the line between 'personal' data
and other data since the size of databases now being accumulated combined with the
improvements in analytics mean that data which formerly could not have been linked to
any identifiable individual either can now, or may in future be able to be so linked, and
the advent of smart cities and the Internet of Things will only exacerbate the situation.46
In addition, the contract terms which may apply to IoT devices can be impenetrable and
uncertain since, as discussed by La Diega and Walden, they may be distributed
between a number of interrelated agreements using inconsistent concepts and
definitions and not readily accessible to a person not prepared to devote significant
effort to tracing how they interact.47
Further, the data protection principle of data minimisation is fundamentally incompatible
with the purpose of accumulating large datasets. Consequently, maintaining a
regulatory approach founded on this distinction may not be capable of addressing the
real issues raised by big data in the near future. Pearce points out the need to
address the set of interconnected elements making up the internet as a whole rather
44 For example, see the CJEU decision in Elizabeth Florence Emanuel v Continental Shelf 128 Ltd. (Case C-259/04) or
Karen Millen v Karen Millen Fashions Ltd [2016] EWHC 2104 (Ch). 45
Purtova,N Property rights in personal data: learning from the American discourse CLSR (2009) 507-521 46
Pearce H Systems approach to data protection law and policy in a world of big data? Computer and
Telecommunications Law Review 2016; Edwards, L Privacy security and data protection in smart cities: a critical EU law
perspective European Data Protection Law Review (forthcoming, 2016) 47
La Diega and Walden Contracting for the IoT: looking into the Nest Queen Mary and Westfield University of London
Legal Studies research Paper 219/2016
42
than attempting to regulate elements in isolation. Under the current system, he
advocates increased use of personal information management systems to empower
data subjects to track and negotiate consents as and when it is being used.48
Edwards49
rejects an approach based upon compliance with "digital ethics", noting that
industry will apply standards of care necessary to maintain necessary minimum levels of
trust, but that the lack of apparent causative link between the ordinary drip of data
disclosures and eventual potential harm means there is a limited chance of recognition
of the impact of any breach. She instead considers a range of possible approaches:
Require data collected by the IoT to be held and processed locally rather
than passed to the cloud? This would require building the legal rules into
the code – which is likely to be difficult given the ambiguity of many laws,
and the striking lack of privacy mindset in IT system designers, whose
focus is on cost and speed of development and who also tend to conflate
'privacy' with 'security';
o To date, she comments, IoT devices are not even being designed to
be capable of having remote security patches applied as
vulnerabilities are identified;
Privacy impact assessments suffer from the same issue even though
required by data privacy rules for smart grid and smart metering systems
o A further issue being whether such a thing can even be done for a
system of the complexity of a smart city?
Require pre-consent, and restrict data holders' ability to go beyond it, or
introduce programmable software agents to make semi-autonomous
choices for individuals regarding privacy in ambient environments?
Transfer responsibility for ethical and responsible data collection to the
data collectors i.e. regulate them to comply with principles, acknowledging
that users do not have the time/ skills/ motivation to provide necessary
multiple layers of consents?
o But this raises immediate issues of enforceability;
Implement an "environmental public law model" of regulation, prohibiting
various forms of use of data regardless of consent, such as targeting
advertising to children, targeting drugs to addicts – although she
acknowledges that reaching consensus as to what these prohibitions
48 Pearce Online data transactions, consent and big data: technological solutions to technological problems? CTLR
2015 149 Also considered in Edwards, as a form of 'digital rights management' or a general privacy menu for IoT
devices. 49
Op cit
43
should include is likely to be difficult. She recommends increased focus on
algorithmic transparency – the right to see what is actually being done with
data, even if the systems adapt themselves – which is already provided
under the Data Protection Directive's right to obtain knowledge of the logic
involved in any automatic processing of data concerning oneself, but little
used.
4.3 France
(a) Summary
Although there are no laws specifically directed to an ownership right over data, the
French civil code does include both civil and criminal law mechanisms which may
provide the holder of data with the ability to prevent or restrain the misuse of data. In
particular, the French criminal courts have been willing to find that a downloading of
data without theft of the medium on which it is held can constitute theft. This has led a
minority of commentators to suggest that property rights may now subsist in data but
the view is far from settled; the majority of academic discussion in France focusses on
issues of personal data and privacy.
(b) Statutes governing data ownership and access to data
France does not currently have any comprehensive law governing data ownership and
access to data, except with respect to personal data which are protected under
privacy50
laws and with respect to databases.
The Database Directive, potentially providing for ownership over databases, has been
implemented into French law as follows:
protection of database where there is an original creation resulting from the
choice or layout of the material or data under copyright law (Art. L.112-3 of the
French Intellectual Property Code (“Code de la propriété intellectuelle”)), and
protection of database subject to qualitative or quantitative material and/or
human investments under a sui generis right (Art. L.342-1 of the French
Intellectual Property Code (“Code de la propriété intellectuelle”) - Based on
European legislation).
Hence, except where the collection of data constitutes a copyrightable work, French law
does not recognize any exclusive rights over data as such. Data are not considered as
appropriable assets.
50 Data Protection Act No.78-17 dated January 6, 1978 (“Loi informatique et libertés”) (based on European legislation),
Art. L.34-1 and seq., R.10-12 and seq. of the Postal and Electronics Communications Code (“Code des postes et des
communications électroniques”) that apply to the collection and use of personal data carried out in the context of
providing electronic communication services to the public, Art. L.1110-4 and seq. of the Public Health Code (“Code de la
santé publique”) that apply to the collection and processing of personal medical data.
44
However, a company which generates or holds data may seek their protection through
several indirect mechanisms as follows:
(i) General civil law mechanisms
Two general civil law mechanisms may apply. First the generic civil tort (Art. 1382 and
1383 of the French Civil Code (“Code civil”)): in case of misappropriation of data outside
any contractual framework, the data holder can bring an action grounded on unfair
competition or parasitism. However, such an action is conditional on evidence that the
infringer committed a fault (i.e. disloyal behaviour as for instance creation of a likelihood
of confusion, business disruption, etc…) and a causal link with the damage suffered.
The characterisation of a fault generally implies the evidence of a malicious intent.
Second, generic contractual breach (Art. 1134 and seq. of the Code civil) could be
invoked: in case of misappropriation of data in breach of a contractual commitment,
data holders can bring an action grounded on contractual liability.
(ii) General and specific criminal law mechanisms
There are a number of possible criminal offences which could in principle apply:
Art. 311-1 and seq. of the French Criminal Code (“Code pénal”) provides for criminal penalties in case of theft (punishable by 3 years jail sentence and/or a € 45,000 fine).
Art. 621-1 of the Code de la propriété intellectuelle (which refers back to Art. L.1227-1 of the Labour Code (“Code du travail”)) provides for criminal penalties against any director or employee of a company who disclosed or attempted to disclose a manufacturing secret (punishable by 2 years jail sentence and/or a € 300,000 fine).
Art. 314-1 of the Code pénal provides for criminal penalties in case of breach of trust (punishable by 3 years jail sentence and/or a € 375,000 fine).
Art. 323-1 and seq. of the Code pénal provides for criminal penalties against anyone who gains fraudulent access to or fails to leave all or parts of an automatic data handling system (punishable by 2 years jail sentence and/or a € 60,000 fine).
Art. 411-6 of the Code pénal provides for criminal penalties for whoever delivered or make accessible to a foreign power, a foreign company or organisation or under foreign control or to their agents, any process, object, documents, computer data or files which, if exploited, disclosed or gathered is liable to be prejudicial to the basic interests of the nation (punishable by 15 years jail sentence and/or a € 225,000 fine).
Art. 465-1 of the French Monetary and Financial Code (“Code monnétaire et financier”) provides for the following criminal sanctions: (i) for corporate officers and for any person holding privileged information within the scope of performance of their profession or duties, the fact of carrying out one or more transactions or permitting them to be carried out before the public becomes aware of such
45
information (2 years jail sentence and a €1,500,000 fine), (ii) for any person holding privileged information within the scope of performance of their profession or duties, the fact of disclosing privileged information to a third party outside the normal scope of their profession or duties (1 year jail sentence and a €150,000 fine), (iii) for any person knowingly holding privileged information, the fact of carrying out one or more transactions or permitting them to be carried out or disclosing such information to a third party (punishable by 1 year jail sentence and/or a € 150,000 fine).
As for access to data, the main legal provision concerns public sector data, which are
governed by the Act No2015-1779 of December 28, 2015 relating to the free reuse and
modalities of the public sector information (“Loi n°2015-1779 relative à la gratuité et aux
modalités de la réutilisation des informations du secteur public”) that promotes the
reuse of public data by limiting the exceptions to the principle of gratuitousness. France
exceeds there its European obligations, since rather than considering marginal-cost
pricing as allowed by EU Law, it prefers to submit its policy of opening up public data to
the principle of free reuse.
Ultimately, as far we know, there is no sector specific relevant law governing (non-
personal) data in France. Note, however, that the French Competition Authority
(“Autorité de la Concurrence”) announced that it will issue a specific opinion about the
exploitation of data in the sector of the online advertising (please see its decision 16-
SOA-02 dated May 23, 2016).
(c) Case law
Recent French case law having implications for data ownership and/or access to data
are as follows:
The supreme Court (“Cour de cassation”) gave a ruling dated May 20, 2015 (No14-81336): The Court stated that the offence of theft may consist in downloading remotely computer data without taking away their support. According to some commentators, this ruling would open the way to a general recognition of the theft of information by treating information as an object of property
51. Usually, French criminal courts reject this offence
where information is captured without physical medium (idem as for the breach of trust offence). In a series of cases Lectiel v. France Télécom the Cour de cassation ruled between December 2001 and June 2014
52 that where the holder of intellectual property rights in
database can “legitimately” require payment of a price to anyone who use the relevant data, this price must be reasonable and compliant with competition law where the database is considered as a key resource for competitive operators. Falling that, there is an abuse of a dominant position. The Court did not expressly state that the lack of intellectual property rights in database prevent its holder from requesting compensation to users.
51 P. Berlioz, « Consécration du vol de données informatiques. Peut-on encore douter de la propriété de l’information
? », Revue des contrats, December 1, 2015 - n° 04- p. 951 52
No99-16642, No08-20427 and No 12-29482
46
The Paris Court (“Tribunal de grande instance de Paris”) by a judgment dated February 21, 2013, sentenced a company which plundered a competitor’s client database on the ground of unfair competition.
53 However, the Court ruled that the claimant was also
partially responsible for such acts as it did not take sufficient security measures to protect its database and so reduced the damages granted to it.
The Autorité de la Concurrence has held in two decisions that the fact for a company to limit the access to certain data to its competitors may result in a market foreclosure. In the first case, the company Cegedim was sentenced to pay € 5.7 million for having unreasonably refused to sell its medical information database to certain pharmaceutical
laboratories54
. In the second case, the Competition Authority considered that the fact for GDF Suez (e.g. prior French gas and electricity monopoly) to retain certain information on electricity and gas household consumption may result in a potential foreclosing effect for new entrants to the gas and electricity market. Therefore, GDF Suez was required to
communicate to some new entrants certain information55
.
(d) Academic discussion on data ownership
(i) Data ownership already follows from existing law
Many academics observe that data are not appropriable as such under French
law. Primary data are royalty-free and only sufficiently reworked data can be
protected under copyright 56
.
However, certain authors consider that there is no doubt nowadays about the
existence of an ownership over data in view of the enshrinement by the French
supreme Court of the offence of computer data theft57
or in view of the
recognition of a sui generis right in databases (stating, however, that such a
protection does not protect companies in a comprehensive way as the judges
are free to decide whether the database investments are justified or not)58
.
(ii) Data ownership does not exist but should be established
53 Sté Sarenza c/ Sté NA2J and Stés Vivaki
54 Case No14-DE06 Cegedim accessible at: http://www.autoritedelaconcurrence.fr/pdf/avis/14d06.pdf
55 Case No14-MC-02 GDF Suez accessible at the following link :
http://www.autoritedelaconcurrence.fr/pdf/avis/14mc02.pdf 56
A. Mendoza-Caminade, « La protection pénale des biens incorporels de l’entreprise : vers l’achèvement de la dématérialisation du délit », Recueil Dalloz 2015 p.415, C. Castets-Renard, « Les opportunités et risques pour les utilisateurs dans l’ouverture des données de santé : big data et open data », Revue Lamy de l’Immatériel, 2014, 108, Supplément 57
P. Berlioz, « Consécration du vol de données informatiques. Peut-on encore douter de la propriété de l’information ? », Revue des contrats, December 1, 2015 - n° 04- p. 951 58
M. Bourgois, A. Bounedjoum, « Questions l’émergence de la valeur Data, un actif à protéger », La semaine juridique Entreprise et affaires n°28, July 9 2015, 575, 3
47
Most academic discussions focus on the recognition of an ownership right of
individuals on their personal data59
.
The academic discussion amongst French practitioners and academics specific
to data ownership is very limited However, as regards data in a more general
sense, we found few following views:
- A renowned academic considers that if the ownership right, allowing
assignability and transferability, is the better way to add value to
immaterial investments, she however believes that ownership is not the
only way of appropriation. As for instance, an agreement (e.g. know-how
licence or employment contract) can allow the exploitation of these
values, know-how or workforce. Criminal and tort law ensure also their
enforceability against third parties. However, this being said, considering
the importance of the information market nowadays, she highlights that it
is paradoxical to deny any status to valuable data and indicates that the
“reality” of this intangible heritage cannot be ignored anymore from the
law, all the more as several of these assets are visible (e.g. clientele,
trade name, domain name, goodwill, etc…). According to her, the fact
that these assets can be closely associated to individuals should not be
an issue60
.
- In the same direction, some academics consider that there is a significant
gap between the business world that considers economic data as real
assets and the legal world that denies such a nature. According to them,
this is clearly not acceptable, stating that principles that ideas are free to
be used and information is a “res nullius” or a “res communes” are old-
fashioned. Indeed, how can such crucial values for companies be
adequately protected through only indirect liability mechanisms? They
recommend a legal intervention to reform or to extend the intellectual
property rights in order to cover, under certain conditions, such assets61
.
- Other academics are more moderate; they only note that the Big Data is
adding value to the secondary use of data and, therefore, invite
consideration as to whether it is necessary to recognize a specific status
to valuable data regardless their belonging to a database or not62
. One
author considers that such a debate is crucial (even for primary data)63
.
59 A. Bensoussan, « Propriété des données et protection des fichiers », Gazette du Palais – October 23, 2010 - n° 296 –
p. 2, I. Beynex, « Le traitement des données personnelles par les entreprises: big data et vie privée, état des lieux », La semaine juridique Edition générale n°046-47, November 9 2015, doc.1260 60
M. Malaurie-Vignal, « Les valeurs immatérielles et virtuelles de l’entreprise, entre protection et liberté », Receuil Dalloz 2013 p.1919 61
F. Belot, « Pour une meilleure protection des valeurs économiques », Petites affiches – December 6, 2006 - n° 243 – p. 6 62
A. Bensamoun and C. Zolynski, “Big data et privacy: comment concilier nouveaux modèles d'affaires et droits des utilisateurs?”, Petites affiches – August 18, 2014 - No164, p.8 63
P. De Filippi, D. Bourcier, “La double face de l'Open Data”, LPA, October 10, 2013 - No203, p.6
48
- Others consider that at the very least the protection of data under criminal
law should be less stringent; Criminal offences (e.g. theft, breach of trust,
etc…) have to be widely applied to information whatsoever once it has an
economic value for a company and this regardless of the existence of a
medium. According to one academic, the assessment of this data value
by French judges should not be an issue as nowadays the wealth of a
company is generally determined as regards the information it holds64
.
- This being said, respected professors specialized in intellectual property
law consider that the recognition of an ownership right over valuable
data, namely an intellectual property right, would divert intellectual
property rights from their essential purposes65
. Besides, another
commentator observes that protection offered by way of an intellectual
property right is not fully adapted as it protects above all a form66
.
In light of the foregoing, it appears that there is a consensus to reconsider
French law in order to protect valuable data in a more adequate way
considering that actual protection mechanisms are not satisfactory67
.
However, debate and divergence of views exist over the question of the data
owner: should it be the company which made the relevant investments (i.e.
“deposit exploration”) or the person who provides the raw material?68
In this respect, M. Thomas Saint-Aubin considers that the recognition of
company ownership over data may result in depriving the individual whose data
are used from a right of use on these data and conversely. Therefore, such
phenomena should prevent the use of any concept of appropriation. Rather, M.
Thomas Saint-Aubin proposes to use the softer concept of “numeric heritage”
defined as gathering all the rights and duties a company have over all the data
in its possession at one time (without distinguishing between pre-existing data
and newly generated data). Specifically, this numeric heritage would be subject
to duties such as conservation, security and non-disclosure obligations as
regards data and, in return, would give right to use and adapt this heritage69.
(e) Academic discussion on the access to data
64 A. Mendoza-Caminade, « La protection pénale des biens incorporels de l’entreprise : vers l’achèvement de la
dématérialisation du délit », Recueil Dalloz 2015, p.415 65
A. Lucas, cit. in Belot, « Pour une meilleure protection des valeurs économiques », Petites affiches – December 6, 2006 - n° 243 – p. 6, M. Vivant « La privation de l’information par la propriété intellectuelle », Revue Internationale de Droit Economique, 2006 66
A. R. Bertrand, « Informations, données, bases de données », Dalloz 2010, Chapter 201 67
French Institute of Intellectual Property, « La propriété Intellectuelle & la transformation numérique de l’économie », Regards d’experts 68
A. Bensamoun and C. Zolynski, “Big data et privacy: comment concilier nouveaux modèles d'affaires et droits des utilisateurs?”, Petites affiches – August 18, 2014 - No164, p.8, G. Seligmann, « Cloud computing, big data : nouveaux risques, nouvelles réponses », Expertises 2013, p. 329, D. Bourcier et P. de Filippi, « La double face de l'open data», LPA, October 10 2013, p. 6, spéc. p. 7, F. Eon, « Objet connectés: comment protéger les données de santé? », Revue Lamy droit de l’immatériel – 2016 69
T. Saint-Aubin, « Les nouveaux enjeux juridiques des données (Big Data, web sémantique et linked data), les droits de l’opérateur de données sur son patrimoine numérique informationnel », Revue Lamy Droit de l’Immatériel, No102, March 2014, p. 94 and seq.
49
The academic discussion amongst French practitioners and academics specific
to data access is again very limited (except as regards personal data, data from
public entity and health data).
Nevertheless, we found a few views.
One author considers that the fact for competition law to govern the Big Data
sector may result in reinforcing the absence of competition70
.
As for non-accessible data (as opposed to open data), another author
distinguishes between (i) data which have to be highly protected as associated
to an individual, (ii) data from a collective nature (e.g. data diffused via social
media) which can be less (iii) and aggregated data with a lower level of
protection. In any case, for these data, the exploitation through algorithms, for
commercial purposes, notably by platforms, should be more strictly framed, by
using tools from civil commercial, competitive, consumer and electronic
communications law. This framework (preferably on European basis) could
provide for an intermediary status for these platforms (between the status of
hosting and publisher). Moreover, users should be charged for access to the
aggregated data. However, the fee should not be paid to the concerned
individuals but to the community via a tax based on the turnover generated in
this respect71
.
Another author evokes the fact that data collected as part of a "quantified self"
could be less protected (and therefore more easily accessible) than classic
personal data. This is due to the innovative context in which they have been
collected and to the fact that they have been made available voluntarily72
.
Specifically in the health field, an author considers that the “all accessible data”
is not advisable in the health field, due to the significant risk of re-identification.
This implies the need to be vigilant in this respect73
. She also advises that the
access to all public health data can benefit private companies which own
powerful information aggregator algorithms and so would be able to resell the
reworked information, which is not desirable74. Another wonders if it is not
necessary to offer a counterpart to individuals whose genetic data have
contributed to medical development17
.
70 T. Pénard, « Cette régulation doit-elle relever du droit commun de la concurrence ou faire l'objet de régulation
spécifique ?», N. Lenoir, « Le droit de la concurrence confrontée à l’économie du Big Data », AJ Contrats d’affaires – Concurrence – Distribution 2016 p.66 71
J.-L. Silicani, « Le numérique est au centre d’une quadruple révolution technique, sociétale, économique mais aussi juridique », Energie – Environnement – Infrastructures n°6, 2015 June, étude 11 72
A. Mendoza-Caminade, « Big data et données de santé : quelles régulations juridiques ? », Revue droit de l’immatériel, 2016 127 73
C. Castets-Renard, « Les opportunités et risques pour les utilisateurs dans l’ouverture des données de santé : big data et open data », Revue Lamy de l’Immatériel – 2014, 108, Supplément, 74
C. Noiville, E. Supiot, « Big pharma, big data et recherche génétique en santé », Revue des contrats – June 15, 2015 – No 02 – p. 352
50
Ultimately, the literature shows a consensus that the following data should be
given open access:
primary public data (by contrast with enriched/enhanced/valuated public data)
75;
data which fall within the scope of the right of information76
;
genetic data77
.
There is no such consensus as regards other commercial or technical data held
by commercial operators.
4.4 Germany
(a) Summary
(i) Data ownership
There is no established ownership or other erga omnes right in data in
Germany. However, data is protected by various statutes under criminal law.
The case law on data ownership recognizes the right of a data subject to
commercialize its data to the extent that this personal data is protected by the
general right of personality (Allgemeines Persönlichkeitsrecht). However, this
has only been applied in situations when the respective person was famous and
his or her name or picture has been used by third parties. Furthermore, the
case law confirms that accessing data belonging to another company can
constitute a violation of trade and business secrets. The German courts also
recognize that data can be of economic value and that the deletion of data can
cause a claim for damages. However, this claim for damages follows from a
violation of the ownership in the data carrier not from the violation of a right in
the data itself.
German academics discuss intensively whether a right in data exists and/or
should be introduced. The majority of scholars seem to agree that no right in
data exists. Especially the practitioners among the legal scholars seem to agree
that a right in data should currently not be introduced because the effects of
such a right are uncertain. In particular they argue that it has not yet been
shown that there indeed is an economic need to create a right in data.
(ii) Access to data
There are some legal instruments to gain access to data held by public
authorities in Germany. Most relevant are the information freedom acts which
75 P. De Fillipi, D. Bourcier, « La double face de l'Open Data », Petites affiches, October 10, 2013 - n° 203 – p. 6
76 A. R. Bertrand, « Informations, données, bases de données », Dalloz 2010, Chapter 201 77
C. Noiville, E. Supiot, « Big pharma, big data et recherche génétique en santé », Revue des contrats – June 15, 2015 – No 02 – p. 352
51
grant the right to access any information held by a public authority except if a
reason applies why this access should not be granted in the individual case.
Furthermore, the introduction of an “Open Data Law” is being discussed.
The legal situation is quite the opposite with regards to data held by private
companies. Beyond the competition law there is no law of general applicability
which can entitle a company to access data held by another company. Within
competition law only the “essential facilities doctrine” known from European law
might serve as a legal instrument to access data which is controlled by another
company. But the requirements of the essential facilities doctrine are very strict.
There is no case law on situations in which a company actually tried to access
data controlled by a third party. The German Monopolkommission – an official
expert committee on competition law – has recently addressed the access to
data in an expert opinion and, thereby, has triggered the discussion about data
and market power in Germany.
(b) Statutes governing data ownership or access to data.
Data Ownership
(i) Relevant basic principles of German law
In order to understand the discussion on data ownership in Germany, it is
necessary to also know about certain particularities of German law:
German law is a civil law system and largely based on statutes. But the German
courts have regularly derived particular individual rights from specific statutes
even if this right had not been known before the respective decision.
German scholars group rights in two groups: Absolute rights (i.e., erga omnes
rights) and Relative rights. Absolute rights apply with respect to any third party.
Such absolute rights grant the respective entitled person an exclusive authority
with regards to a certain legal position (e.g., an item or a patent). Relative rights
only grant legal claims towards particular individuals. The typical example would
be contractual obligations which only apply to the contract partner.
The discussion about data ownership in Germany in fact is a discussion about
whether there should be an Absolute right in data (not necessarily ownership).
Absolute rights can be further distinguished in personality rights
(Persönlichkeitsrechte), rights in rem (dingliches Recht) and intellectual
property.
(ii) Statutes governing data ownership
A variety of different laws are relevant with regards to data in Germany.
However, none of them addresses data as such.
52
Sec. 87a to 87e of the Act on Copyrights and Related Rights
("Urheberrechtsgesetz" - UrhG) govern the protection and use of databases.
These implement the Database Directive 96/9/EG into German law. We are not
aware of German peculiarities.
Sec. 69a to 69g UrhG govern the protection of software. They implement the
Directive RL 91/250/EWG on the protection of computer programs into German
law. We are not aware of German peculiarities.
Furthermore, various provisions in criminal law protect data. Such provisions
are not only relevant in criminal proceedings. If a third party violates one of
these criminal laws this also triggers claims for damages under civil law.
Furthermore, the respective holder of the data can file for cease and desist
orders which force the third party to stop violating the respective law.
According to Sec. 202a German Criminal Code (Strafgesetzbuch - "StGB") the
person who unlawfully obtains data which is not intended for him and which was
protected against unauthorised access commits a criminal offense if he has
circumvented the protection.
According to Sec. 202b StGB the person who unlawfully intercepts data not
intended for him by technical means from a non-public data processing facility
commits a criminal offense.
According to Sec. 303a German Criminal Code any unlawful deletion or
changing of data is a criminal offense.
Sec. 17 of the Act Against Unfair Competition (Gesetz gegen den unlauteren
Wettbewerb – “UWG”) protects business and trade secrets. According to this
provision, the acquisition or communication of a business or -trade secret for
the purposes of competition, for personal gain, for the benefit of a third party, or
with the intent of causing damage to the owner of the a trade secret without
authorisation constitutes a criminal offense.
All criminal law provisions protect both, legal and physical persons. I.e., a legal
person will be able to demand cessation of violations of these criminal law
provisions. In contrast, the perpetrator of such criminal law provisions can only
be a physical person. But a court can order that a legal person refrains from the
activity linked to the criminal act perpetrated by a physical person on behalf of
the legal person.
Data can constitute a business or trade secret pursuant to Sec. 17 UWG.
Information constitutes a business or trade secret pursuant to Sec. 17 UWG if
(i) the information relates to the respective business, (ii) the fact is not publicly
known, (iii) the respective business has a commercial interest to keep the
information secret and (iv) the business intends to keep the information secret.
Data can fulfil all of these requirements, especially if the data itself is of
commercial value and the business, therefore, has a commercial interest to
keep the information secret.
53
The German Federal Supreme Court (Bundesgerichtshof – “BGH”) has ruled in
two different decisions78
that data about customers constitutes trade and
business secrets and that accessing such data may violate Sec. 17 UWG. The
UWG contains an explicit claim of the business whose trade secrets were stolen
to claim damages (Sec. 9 UWG) and to issue cease and desist orders against
the respective third party (Sec. 8 UWG).
Finally, data being transferred between different locations will likely be protected
by the telecommunications secret. However, as far as we know, there has not
yet been any case law on this issue. The violation of the telecommunications
secret constitutes a criminal offense pursuant to Sec. 206 StGB and is also
prohibited according to Sec. 88 Telecommunications Act
(Telekommunikationsgesetz – “TKG”).
To the extent that data is being protected by the criminal law provisions listed
above, the respective holder of the data will have a claim for damages against
the respective perpetrator regarding the loss of data according to Sec. 823
para. 2 BGB. According to Sec. 823 para. 2 BGB if a person violates a law
intended to protect somebody else, this person is liable to compensation for the
damages suffered because of this violation.
There is no statutory law which (also not under the law of torts) which protects
data as such. However, please see below for the academic position according
to which data should be “another right” pursuant to Sec. 823 para. 1 BGB. If the
courts took the same view, data indeed would be protected by the law of torts.
But the courts have not yet taken this view as described in the section on the
German case law and in our view this is rather unlikely. This is a mere
academic position and should not be confused with the actual legal situation in
Germany.
(c) Case law
The review of the available case law shows that the German courts recognize the value
of data as such and that it should be treated separately from the data carriers on which
it is stored. But the courts do not recognize an erga omnes right in data. Only the owner
of the data carrier can have a statutory (i.e., not merely contractual) claim for damages
if data on his/her data carrier is destroyed.
(i) Federal Constitutional Court (Bundesverfassungsgericht)
There is no judgement of the Federal Constitutional Court (Bundesverfas-
sungsgericht - “BVerfG”) which addresses ownership in data as such. However,
the BVerfG stated in 1983 that an individual does not have an absolute and
unlimited right in data concerning him/her. The data about a person rather
represents an image of social reality, which cannot be allocated exclusively to
78 BGH, Urt. v. 14.01.1999 – I ZR 2/97; Urt. v. 27.4.2006 – I ZR 126/03.
54
the data generating person.79
It can be concluded that the German jurisdiction
traditionally does neither know nor deem sensible an ownership of a data
subject in his or her personal data.
(ii) Federal Supreme Court of Germany (Bundesgerichtshof)
The Federal Supreme Court (Bundesgerichtshof - “BGH”) issued various
judgement which concerned right in data but it has not yet acknowledged
ownership in data as such.
In 1989 the BGH ruled that a contract on software stored on a data carrier shall
be governed by the statutes on contracts on the purchase of goods. However,
the BGH did not rule that the software itself should be a “thing” (Sache)
according to Sec. 90 BGB which would have meant that the software could be
subject to ownership. This assessment has not changed since.
In various further judgements the BGH ruled that software which is stored on a
data carrier is a thing pursuant to Sec. 90 BGB and can, therefore, be subject to
ownership. However, it is decisive that the software is stored on a data carrier in
order to constitute a thing pursuant Sec. 90 BGB (BGHZ 143, 307, 309; 109,
97, 100 f.; 102, 135, 144; BGH Urteile vom 4. März 1997 – X ZR 141/95 – MDR
1997, 913; vom 14. Juli 1993 – VIII ZR 147/92 – NJW 1993, 2436, 2437 f.; vom
7. März 1990 – VIII ZR 56/89 – NJW 1990, 3011; vom 6. Juni 1984 – VIII ZR
83/83 – ZIP 1984, 962, 963; Beschluss vom 2. Mai 1985 – I ZB 8/84 – NJW-RR
1986, 219). In this case the data carrier and the software together are the thing
– not the separate software. Therefore, the laws on the purchase of goods or
the law on the lease of goods shall apply to corresponding contracts. Based on
this jurisdiction the OLG Karlsruhe held in 1995 that also mere data (i.e., not
software) which is stored on a data carrier constitutes a thing pursuant to Sec.
90 BGB (see below, section (iii)). This assessment has certain implications: If
the holder of the data also owns the data carrier, any illegal access to the data
also violates the ownership in the data carrier and the data as a whole. I.e., in
these situations the owner of the data carrier has a certain erga omnes right in
the combination of the data carrier and the data.
In 1996 the BGH explicitly stated that the loss of data can constitute a financial
loss and, thereby, qualified data as a valuable good which must be considered
when assessing damages.80
In 1999 the BGH ruled that the data subject can have a commercial interest in
its own personal data which might even include a licensing right.81
The
judgement concerned the use of a picture and the name of the German actress
79 BVerfG, Urt. v. 15.12.1983 - 1 BvR 209/8 – Volkszählungsurteil = NJW 1984, 419.
80 BGH, Urt. V. 02.07.1996 – X ZR 64/94.
81 BGH, Urt. v. 01.12.1999 - I ZR 49/97 - Marlene Dietrich = GRUR 2000, 709.
55
Marlene Dietrich (who was already dead when the materials were used). Her
daughter claimed damages for this use. The BGH ruled that the use of the
picture constituted a violation of the general right of personality (Allgemeines
Persönlichkeitsrecht) of the actress. The general right of personality is a
fundamental right which results from Art. 1 GG and Art. 2 GG. It protects the
human dignity and the right to freely develop one’s own personality. Specific
subcategories of the general right of personality are the right in one’s image
(Recht am eigenen Bild) and the right to a name which protect the general right
of personality with regards to the specific issue. This judgment established a
proprietary position of the data subject in his or her personal data to the extent
that such data holds value. The general right of personality and its
subcategories protect not only non-material but also commercial interests of the
personality. Accordingly, the Court recognized the right to the image as a
proprietary exclusive right as well as generally established claims for
compensations in case of a violation of general right of personality.
In two different judgement in 1999 and 2006 the BGH recognized that the use of
customer data of a business can constitute the violation of a trade and business
secret of this company.82
Data about current customers who might also be
customers in the future regularly is of significant value to the company.83
A list
of such customers constitutes a business secret even if it was bought for a low
price. The business secret does not necessarily have to have an objective
value. It suffices if there are negative effects for the respective business if a
competitor gets to know the information. The company does not have to prove
its intention to keep the information secret, it suffices if this intention follows
from the nature of the information.
In 2015 the BGH has ruled that the owner of a data carrier stays the owner of
such data carrier even if its content multiplies the value of the data carrier and
another person is entitled to such content.84
Therefore, the person who has the
rights in the content is not necessarily entitled to request the handover of the
data carrier. The BGH clarified that the data carrier and the content stored on it
must be clearly distinguished. However, the BGH has not stated that there
might be a right in data as such. The case concerned audio recordings on
tapes.
(iii) Verdicts of other German courts
In 1995 the Higher Regional Court (Oberlandesgericht – “OLG”) Karlsruhe
made a landmark decision on the destruction of data.85
According to this
decision the deletion of data stored on a data carrier may violate the ownership
in the data carrier pursuant to Sec. 823 para. 1 BGB. Thus the protection of the
ownership in the data carrier extends to the data stored on the data carrier. If
82 BGH, Urt. v. 14.01.1999 – I ZR 2/97; Urt. v. 27.4.2006 – I ZR 126/03.
83 BGH, Urt.v. 27.4.2006 – I ZR 126/03, no. 19.
84 BGH, Urt. v. 10.07.2015 - V ZR 206/14 = NJW 2016, 317.
85 OLG Karlsruhe, Urt. v. 07.11.1995 - 3 U 15/95 - Haftung für Zerstörung von Computerdaten = NJW 1996, 200.
56
such data is deleted this constitutes a violation of the ownership in the data
carrier. In our view this is still the position of the German courts. Data as such is
not protected by the law of torts but only the ownership in the data carrier. But it
must be noted that the OLG Karlsruhe is only one of the German OLGs and its
decisions can be appealed to the BGH. Nevertheless, every other OLG would
explicitly address the decision of the OLG Karlsruhe if it had to decide in a
similar case. Finally, the decision of an OLG has a much stronger influence on
the interpretation of the German law than academic positions.
In 1996 the District Court (Landgericht – “LG”) of Konstanz clarified that
ownership in data itself does not exist because data lacks the necessary
material character.86
In 2012 the OLG Dresden confirmed that the legal situation with regards to
ownership in data has not changed and that there is no ownership in data as
such because data is not a thing pursuant to Sec. 90 BGB.87
A recent judgement by the OLG Naumburg addressed issues regarding the
legal authority to read and change data collected in a radar control system.88
The judgement addressed Sec. 202a StGB according to which reading data
without legal authority can be a criminal offense. The court held that the legal
authority to access and use data which was collected by a radar control lies with
the police and not with the producer of the respective radar control system.
Generally, the person who generated data is the person authorised to use such
data.89
The data in a radar control system is generated when controlling the
traffic after the ownership in the radar control system was transferred to the
police. Thus, such data was generated by the police and anybody acting on the
police behalf (e.g., technical experts) may access the data in accordance with
Sec. 202a StGB. This judgement is of particular relevance because it is the only
verdict which addresses the question whether the producer of electronic or the
owner may use the data generated by such systems.
(iv) Decisions on T&Cs regarding collection of personal data
The European Commission explained in our call on 9 September 2016 that it
would also like to have an overview of the decisions on unfair terms and
conditions with regards to the collection of personal data. We have added these
decisions in this separate section. However, this list is not exhaustive because
across Germany there have been numerous decisions on unfair terms and
conditions which concerned the collection of personal data. Therefore, we have
only listed the most prominent cases.
86 LG Konstanz, Urt. v. 10.05.1996 - 1 S 292/95 = NJW 1996, 2662.
87 OLG Dresden, Beschl. v. 05.09.2012 - 4 W 961/12 = ZD 2013, 232.
88 OLG Naumburg, Urt. v. 27.08.2014 – 6 U 3/14 = CR 2015, 83.
89 Please compare our further explanations in section 4.4(d)(i)(D)-
57
In 2013 the LG Berlin decided on the legality of Apple’s privacy policy.90
The LG
Berlin found various clauses illegal and laid down the following standards: Apple
must not collect the data of clients without specifying what type of data is
collected. It must tell when and for what purpose the data is collected.
Furthermore, Apple must provide detailed information on how the collected data
is used and the technical details of the respective use. If Apple is transferring
data to third parties, it must explicitly name the respective entities. Apple must
explain that clients may also choose not to consent to the collection of their
data. Lastly, Apple must anonymise personal data where applicable. One
important fundamental aspect of the decision is that the court established that a
declaration of consent and any further documents which are incorporated into
the consent by reference – in this case the privacy policy – is to be considered
general terms and conditions.
The BGH91
reviewed a decision passed by the Higher District Court in Berlin
(Kammergericht Berlin) of 21 January 2014 and reaffirmed its decision
regarding the Facebook “friend finder”. The Facebook friend finder was a tool to
find friends on Facebook. Once the respective button was pressed, the “friend
finder” searched and imported the e-mail contacts of the user including those
which are not registered at Facebook. It subsequently provided a list of the
contacts to which the user then could easily send invitations via an email from
Facebook. The BGH found, that during the registration process the user was not
sufficiently informed about the scope of the data collection carried out by the
“friend finder”, thus tricking the user into consenting to the data collection.
Additionally, Facebook violated Sec. 28 para. 3 data protection act (Bun-
desdatenschutzgesetz – “BDSG”). People, who are not registered at Facebook,
cannot effectively consent to the collection of their data for lack of information.
Therefore, Facebook was not allowed to collect their (email) data as they neither
had consented to the collection of their data nor had there been another legal
basis for such collection.
The LG Berlin decided92
on the legality of the data transfer to third parties
throughout the use of apps within Facebook. When playing games available in
the “app centre” of Facebook, Facebook transfers personal data of the user to
the respective game operator. Since there is no legal basis for this data transfer,
the consent of the user is needed. Sec. 4 para. 1 BDSG requires an „informed
decision“ in order to consent to the collection or use of one`s data. But users
were not properly informed about the transfer of their data to the game
operators, because Facebook did not provide sufficient information about the
purposes the game operators used the transferred data for. Therefore, users
were not able to assess the impact of the respective data transfers on their
privacy and the data transfer was found illegal.
90 LG Berlin, Urteil vom 30.04.2013 – 15 O 92/12.
91 BGH, Urteil vom 14.01.2016 – I ZR 65/14.
92 LG Berlin, Urteil vom 28.10.2014 – 16 O 60/13 (decision appealed).
58
The LG Berlin reviewed93
Google’s privacy policy and terms and conditions.
First of all the LG Berlin determined, that the data collection was not allowed
according to Sec. 15 Telemedia Act (Telemediengesetz – “TMG”) as that would
require a collection needed solely for billing purposes and to facilitate access to
the website. That does not apply to the creation of user profiles. Therefore
Google may not create user profiles of its users without anonymising the
respective personal data. Wherever there is no legal basis for the collection of
data, Google must ask the user for consent. Moreover, it must inform its users
about their right to object the collection of their data. Google needs to clarify the
exact scope and purposes of the data collection as well as explain how the data
is used and to whom it is transferred to. Hence the privacy policy was found
illegal.
The LG Frankfurt a.M.94
addressed the transfer of data by a smart TV built by
Samsung. The LG Frankfurt a.M. decided that Samsung Germany must inform
its clients, that their personal data might be collected and used once the smart
TV is put into operation. Samsung’s terms and conditions as well as privacy
policy did not sufficiently explain the extent of the data collection. The court
found them too long, vague and not transparent enough. However, the LG
Frankfurt a.M. did not decide on the legality of the data transfer because
Samsung Germany was not the data controller for the collection of data carried
out through the smart TV. The foreign parent company and third parties were
the data controllers.
(d) Academic discussion on data ownership
German legal commentators and lobbying groups discuss rather intensively whether
rights in data exist and/or should be created. New articles on this topic are published
constantly. Therefore, a detailed summary of all relevant articles is not possible. Instead
we have summarized the current discussion and the main arguments brought forward
by the various scholars. We have referred to the main articles in our summary.
Additionally, we have listed ten sources which we deem particularly relevant in a table
below (see section (e)) in case the European Commission would like to review certain
sources we suggest to start there. We have also provided a list of all relevant sources in
the Annex.
There are three main positions among German legal academics: (i) erga omnes rights
in data already exist, (ii) erga omnes rights in data do not exist but should be created
and (iii) erga omnes rights in data do not exist and there currently is no need for
additional laws.
(i) A right in data already exists
(A) Ownership of data
93 LG Berlin, Urteil vom 19.11.2013 – 15 O 402/12.
94 LG Frankfurt a.M., Urteil vom 10.06.2016 – 2-03 O 364/15.
59
An ownership pursuant to Sec. 903 BGB in data does not exist in
German law because it only knows ownership in things. Pursuant to
Sec. 90 BGB things in a legal sense are physical objects. As data is no
physical object it cannot be subject to ownership. Only the respective
data carrier can be owned. A mere use of the data on a data carrier
which does not affect the integrity of the data would not be protected by
such ownership. But such a use might violate rights in the data (e.g.,
copyrights). Therefore, any rights in the data carrier are to be strictly
distinguished from rights in the data itself.95
(B) Data as fruits pursuant to Sec. 99 BGB
A single legal scholar argues that data is the fruit of the respective thing
by which they were created.96
Such fruits of a thing usually
automatically belong to the owner of the thing according to Sec. 953
BGB. I.e., the right to use the fruits follows the ownership in the thing
from which the fruit originated. E.g., if a fitness tracker creates data
such data would belong to the person who owns the fitness tracker.
Other legal academics in Germany find this string of arguments not
convincing.97
There are a variety of reasons for this conclusion.
Pursuant to Sec. 99 BGB fruits are the products of the thing and the
other yield obtained from the thing in accordance with its intended use.
Some academics argue that fruits must be physical objects and,
therefore, data cannot be a fruit. Other legal scholars see data not as
the yield of the machine recording it but rather the yield of the thing or
person to which the data relates.98
Finally, even if data was considered
a fruit of the respective instrument which created the data, this
classification would not make this data a thing in the legal sense.
Therefore, the mere qualification of data as a fruit of the respective
instrument which created the data would not create a right in the data
because there is no right in data which could be awarded to the owner
of the instrument which created the data.
(C) Data as property of the data subject
Certain legal scholars argue that personal data should belong to the
data subjects.99
However, there are different ways in which they come to this
conclusion. Some academics argue that personal data is protected by
the respective data subject’s general right of personality. This would
95 BGH, Urt. V. 10.07.2015 – V ZR 206/14.
96 Grosskopf, IPRB 2011, 259.
97 Zech.CR 2014, 138 (142).
98 Specht, CR 2016, 288 (292).
99 Kilian, CR 2002, 921 (926); Buchner, Informationelle Selbstbestimmung im Privatrecht, p. 203 f., 223 f.
60
follow from the fact that the right to informational self-determination is a
subcategory of the general right of personality. Data protection laws
protect this right of informational self-determination. Therefore, the data
itself should be protected by the general right of personality as well.
Other scholars simply state that the extensive rights of data subjects
regarding their personal data implicitly establishes a general right of the
data subjects to commercially exploit their data.100
This theory would lead to an erga omnes right of data subjects in their
data because the general right of personality is recognized as an erga
omnes right. If third parties used personal data without the necessary
justification, the data subject would have a claim for damages and
basically have similar rights as if it owned such data. But the general
right of personality as such cannot be transferred (or at least only to a
limited extent). Therefore, the data subjects could only trade their data
to a limited extent. They would not be able to simply sell and let
somebody else exploit it.
The majority of legal scholars argue that there is no general right of
data subjects in their data.101
Even though data protection laws grant
the data subjects rather extensive rights, data protection law would only
be a regulatory instrument of the public law which is supposed to
regulate the interaction of data subjects and data controllers but should
not create private commercially exploitable rights. This finding seems to
be supported by the “census judgement” (Volkszählungsurteil) of the
BVerfG in which the court stated “information, also information on
people, is a picture of social reality which cannot be allocated
exclusively to the data subject”.102
However, recently there has been new support for this approach to
allocating data to the data subject.103
These scholars argue that the
BVerfG did not say that the data subject should have no proprietary
position in his or her data but only that such data shall not be
exclusively allocated to the data subject. Furthermore, the BVerfG could
not have foreseen the importance of data in the modern world and,
therefore, it would be uncertain whether its statements can be applied in
the modern economy.
(D) Right in data derived from criminal law
100 Weichert, NJW 2001, 1463 (1476), referring to Ladeur, DuD 2000, 12 (18); Kilian, Gedächtnisschrift für W.
Steinmüller, 2014, p. 195 (207 ff.). 101
E.g., Dorner, CR 2014, 617 (619 f.); Schefzig (co-author of this study), K&R 2015, Beihefter zu Heft 9, 3 (6). 102
BVerfG, Urteil v. 15.12.1983 – 1 BvR 209/83, 1 BvR 269/83, 1 BvR 362/83, 1 BvR 420/83, 1 BvR 440/83, 1 BvR
484/83. 103
Specht/Rohmer, PinG 2016, 127; Specht, CR 2016, 288 (292f.).
61
Other legal scholars argue that the German law already knows a right in
data because such a right would be a prerequisite for the protection of
data under criminal law.104
The Sec. 203a ff. StGB and Sec. 303a StGB
protect data (see section (b)(ii)). It is the common understanding that
the legal asset which is protected by these laws is the authority to utilize
the data. Therefore, in the view of these academics, such an authority
to utilize data (in any way) is already recognized by German law. In
conclusion this authority to utilize data should be seen as an erga
omnes right pursuant to Sec. 823 para. 1 BGB. The person who has
this authority to utilize the data should be the person who creates the
data, i.e., the person who saved the data (or in an economic context
was commercially responsible for the saving of the data). The decisive
moment is the act of writing the data on a data carrier (Skripturakt).
(ii) A right in data does not exist
The majority of legal scholars argue that German law currently does not know a
right in data as such.105
We have described the main arguments which referred
to a particular theory listed in section (i) when describing the respective theory.
But there is a general consideration which contradicts the hypothesis that
German law already knows a specific right in data. The main point is that the
legislator was aware of the fact that individual data is not protected when the
protection of databases was introduced.106
Therefore, there is no unintentional
gap in the current law. Such an unintentional gap would be required under
German law in order to construct a right in data similar to ownership even
though such a right is not laid down in statutory law.
(A) Ownership or intellectual property in data should be
established
Certain German speaking academics argue that a data right should be
introduced. There are four main arguments which in their view make the
introduction of a right in data worthwhile:107
Firstly, a right in data should incentivise companies to create and record
data.
Secondly, a right in data should incentivise companies to share data.
104 Hilgendorf, JuS 1996, 509 (511); Hoeren, MMR 2013, 486.
105 E.g., Dorner, CR 2014, 617; Zech.CR 2014, 138 (142); Schefzig (co-author of this study), K&R 2015, Beihefter zu
Heft 9, 3 (6); Kraus, TB DSRI 2015, 537; Grützmacher, CR 2016, 485. 106
Dorner, CR 2014, 617 (626 f.). 107
Zech, CR 2015, 137 (144 f.).
62
Thirdly, the creation of a right in data should trigger the creation of a
data market. According to this point of view creating such a data market
is difficult because data loses its value once a third party knows it.
Fourthly, the creation of a right in data shall ensure that it is clearly
defined who benefits from big data analyses. It is argued that this would
enable the legislative to clearly allocate the value of data and avoid
legal uncertainty.
(B) Ownership or intellectual property in data should not be
established
Other scholars do not see the need for a new right in data at the
moment.108
Their main point seems is that contractual solutions suffice
in order to protect data effectively.109
Personal data is protected by data
protection laws. Non-personal data is relevant mainly within one supply
chain and the participants in that supply chain can govern the exchange
of data by contractual provisions because they know with whom they
exchange the data. Therefore, these academics argue that it has not
yet been shown that there indeed is an economic necessity to create a
right in data.110
However, such a necessity should be clearly proven
before a right in data is established because such a right would
significantly interfere with free competition and the freedom of
information. Furthermore, the artificial limitation of data might negatively
affect innovation because especially big data applications depend on
large amounts of data.111
In essence they argue that it will not suffice to
address the question whether a right in data should be created from a
dogmatic point of view but should rather be addressed by conducting
thorough economic analyses.112
The relevant (data-)markets with their
particularities should be defined and it should be assessed what the
costs of the introduction and enforcement of a right in data would be.
(e) List of particular relevant articles and publications on ownership in data in
German
From the numerous sources on issues related to data ownership in the annex, we
consider the following recent sources the most relevant. We have summarized the
content of each source very roughly.
# Author Title Reference Content
108 Dorner, CR 2014, 617; Schefzig, DSRI TB 2015, 551; Grützmacher, CR 2016, 485.
109 Schefzig (co-author of this study), DSRI TB 2015, 551.
110 Dorner, CR 2014, 617 (626); Schefzig (co-author of this study), K&R 2015, Beihefter zu Heft 9, 3 (6).
111 Dorner, CR 2014, 617 (626).
112 Dorner, CR 2014, 617 (626).
63
# Author Title Reference Content
1 Dorner,
Michael
Big Data und
„Dateneigentum“
CR 2014,
617
Dorner discusses different approaches in
literature and case law to the concept of
“data ownership”.
An exclusive ownership-like right to data
cannot derive from German civil law
provisions.
Dorner neither finds the protection of
personal data inadequate nor does he think
that an extension of data protection is
necessary from an economic point of view.
2 Grützmacher
, Malte
Dateneigentum – ein
Flickenteppich
CR 2016,
485
Grützmacher discusses the protection of
data under civil law.
He especially explains that companies must
take technical measures to protect their
data in order to ensure that they indeed
enjoy a certain legal protection.
Grützmacher states that the protection of
data in Germany largely depends on the
individual case. Instead of a comprehensive
protection of data there are various specific
laws which protect data.
He concludes that a right in data currently
should not be introduced because its
effects are uncertain.
3 Hoeren,
Thomas
Dateneigentum – Versuch
der Anwendung von §
303a StGB im Zivilrecht
MMR 2013,
486
Hoeren considers transferring the concept
of data ownership from German criminal
law into civil law by way of an analogy to
Sec. 903 Civil Code which governs
ownership.
Hoeren argues that because data is being
protected by criminal law it can be
concluded that the German legal system
already recognizes an erga omnes right
over data which should also be recognized
in civil law. Such a right over data would be
64
# Author Title Reference Content
“an-other right” pursuant to Sec. 823 BGB.
In Hoeren’s view ownership of the data
carrier is not a suitable criteria to allocate
the rights over the respective data. Instead,
rights over the data should follow from the
authorship in such data. The person writing
the data on a data carrier should be the
holder of the right over the data.
4 Schefzig,
Jens
Die Datenlizenz DSRI 2015,
551
Schefzig discusses the necessary contents
of a data license.
5 Specht,
Louisa
Ausschließlichkeitsrechte
an Daten - Notwendigkeit,
Schutzumfang,
Alternativen
CR 2016,
288
Specht wants to present the current
discussion in German literature concerning
an exclusive right to data.
Specht then discusses the different
approaches regarding the allocation of data
and gives a detailed elaboration on to
whom the exclusive right should be
allocated to.
The author favours the introduction of a
right in data but does not specify what it
should look like.
6 Zech,
Herbert
Daten als Wirtschaftsgut –
Überlegungen zu einem
„Recht des
Datenerzeugers“
CR 2015,
137
According to Zech there are good reasons
for introducing a “data creator’s right”.
A transferable exclusive right to data shall
be developed.
The author discusses the scope of the
respective right and to whom such a right
could be allocated. He argues that such a
right should be allocated to the person or
entity responsible for writing the data on a
data carrier.
Specific suggestions as to the design of a right in data
65
We were not able to find specific suggestions as to what a right in data should
look like. But legal scholars seem to agree that the right to exploit personal data
economically should always be limited by applicable data privacy laws.113
Furthermore, various German academics argue that the right in data should be
allocated to the person responsible for writing the data on a data carrier (see
above).
Access to data
(i) Summary
The legal situation regarding access to data held by third parties depends
entirely on what kind of third party holds such data.
The access to data held by public authorities is protected by the German
Constitution (Grundgesetz – “GG”). Citizens shall be able to access such data
in order to be able to form their opinion in all matters. The main legal instrument
ensuring this right are Freedom of Information Acts
(Informationsfreiheitsgesetze – “IFG”), which guarantee access to information
held by public authorities. No specific legitimate interest in such information
must be shown in order to gain access. Freedom of Information Acts exist in
federal and state law. However not every state has introduced a freedom of
information act. The access to data held by public authorities will most likely be
further strengthened in the future.
The legal situation regarding access to data held by private entities is entirely
different. The German Constitution only grants the right to inform oneself
without hindrance from generally accessible sources. There is no general right
to access data which is not publicly available. However, one might be entitled to
access such data pursuant to competition law, if the data collected by a market
dominating company is an “essential facility” to access another market.
Additionally, data held by commercial entities can be accessed in certain
situations in order to ensure that certain other rights can be exercised. For
example, shareholders, who directly participate in the corporation, are entitled
to know the names and addresses of their fellow shareholders.
(ii) Access to data held by public authorities
(A) Administrative Procedure Act
Pursuant to Sec. 25 of the “Administrative Procedure Act”
(Verwaltungsverfahrensgesetz – “VwVfG”) persons involved in an
administrative procedure have the right to access data held by the
authorities which is connected with the respective procedure. The
parties shall know their rights and obligations, which evidence and
113 Specht/Rohmer, PinG 2016, 127 (131 f.).
66
documents they must bring and how long the procedure will take.
Besides that, Freedom of Information acts are the main legal
instruments to access administrative information, which is not already
publicly available.
(B) Freedom of Information Acts
On a federal level the access to data held by administrative bodies is
regulated by the Freedom of Information Act. There are also
corresponding acts in various states. Baden-Württemberg, Berlin,
Brandenburg, Bremen, Hamburg, Mecklenburg-Vorpommern,
Nordrhein-Westfalen, Rheinland-Pfalz, Saarland, Sachsen-Anhalt,
Schleswig-Holstein, Thüringen - 12 out of 16 states - have introduced
such acts. In Bayern, Hessen, Niedersachsen and Sachsen the
principle applies that one has to show a legitimate interest in the files
they want to inspect.114
In contrast, Freedom of Information Acts do not
require a legitimate interest.
The various German Freedom of Information Acts are based on the
same principles: everybody is entitled to apply for the access to any
data held by a public authority. The respective authority shall then grant
access to the information (e.g., data) in the manner and scope
requested except if certain exceptions apply. If the requested way of
providing the information would cause too much administrative
expenses, the authority may choose another way of providing it.
Furthermore the authority must withhold information insofar as
conflicting interests exist. Such interests can be of public and private
nature. The respective information shall not be provided if public safety,
military concerns or similarly important public interests might be
negatively affected. With regards to private interests, access to data
containing intellectual property, business or trade secrets and personal
data may only be granted where the data subject has provided his or
her consent or the interests of the applicant prevail.
These general principles were applied in a recent judgement by the
Berlin Administrative Court (Verwaltungsgericht Berlin – “VG Berlin”)115
.
According to this judgement a political consultant may request personal
data (name, title, academic degree, profession and function) of
members of the three subcommittees for pharmaceuticals, specialist at-
home care and disease management programs from the Federal Joint
Committee (Gemeinsamer Bundesausschuss - i.e., the highest
decision-making body of the joint self-government of physicians,
dentists, hospitals and health insurance funds in Germany). The
114 Caspar in: DÖV 2013, 371 (p. 371)
115 VG Berlin, Urt. V. 17.03.2016 – VG 2 K 1.15.
67
consultant wanted to assess, whether the members of the respective
subcommittees are in fact capable of representing the interests of all
persons and groups concerned. Since in the case at hand the personal
data of the members of the subcommittee was linked to their function
within the committee, such data was not considered particularly
sensible. As the consultant acted in the interest of himself and the
public, such interests exceeded the conflicting interests of the data
subjects.
(C) Open Data Law
The German government intends to further facilitate an access to data
held by federal authorities. Federal Minister of the Interior Thomas de
Maizière shall present a first draft of an Open-Data-Act by 21st
September 2016. Public authorities shall be obligated to proactively
publish data. The data will for instance contain information regarding
traffic, weather or geography. The Act shall primarily help the economy
to build new businesses in the digital world. Thus the data will likely be
provided under Creative-Commons-Licenses in order to enable free
usage.116
It is not certain that this Open-Data-Act will actually be introduced.
However, it seems to be the common understanding in Germany that
data held by public authorities should generally made public if no
conflicting interests apply. The Freedom of Information Acts are the
most obvious example of this trend.
(iii) Access to data held by commercial entities
(A) No case law on the access to data
We were not able to identify any specific German case law on the
access to data held by commercial entities.
(B) Fundamental right to access generally accessible data
Other than regarding the access to data held by public entities, there is
no fundamental right to access data held by commercial entities.
However, according to Art. 5 para. 1 GG every person “shall have the
right to freely inform himself without hindrance from generally
accessible sources”. This right applies to any kind of information as long
as the respective source of such information is generally accessible.
For example, broadcasts, television programs, newspapers, books,
116 MMR-Aktuell 2016, 379911
68
broad sections of the internet, commercial registers and cooperative
registers are considered generally accessible.117
However, people may not demand to be provided with information
based on this fundamental right.118
The fundamental right only protects
the people insofar as the may inform themselves from generally
accessible sources.
(C) Competition Law
Recently, considerations regarding a right to access data pursuant to
competition law have gained relevance. The discussion was triggered
by the impression that the market power of major web companies such
as Google and Facebook is growing.
Currently, the only way to access data held by a competitor is to refer to
the so-called essential facilities doctrine. The competition law concept
of essential facilities was used by the CJEU in IMS Health, discussed
above, and the earlier decision in Magill.
There is no case law as to whether data held by a company could be
classified as essential facility in Germany.
However, the German Monopolies Commission (Monopolkommission)
has discussed this topic in its special report no. 68 which was published
in June 2015. The Monopolkommission is an independent expert
committee, which advises the German government and legislature in
the areas of competition policy-making, competition law, and regulation.
Its role and competences are set out in Sec. 44 – 47 Act against
Restraints of Competition (Gesetz gegen
Wettbewerbsbeschränkungen), as well as in the General Railways Act
(Allgemeines Eisenbahngesetz), the Law on the Energy Industry
(Energiewirtschaftsgesetz), the Telecommunications Act (Telekommu-
nikationsgesetz), and the Postal Services Act (Postgesetz). Therefore
special reports published by the Monopolkommission are highly
relevant, they frequently outline legal principles which are applied by the
authorities afterwards.
The Monopolkommission discusses whether data in fact can be a
prerequisite to successfully access a Market, but it does not answer the
question.119
It rather elaborates on the pros and cons of such an
assessment. On the one hand, big search engines improve themselves
117 Neff in: DSRI-TB 2015, 81 (p. 83 f.)
118 BVerfGE 103, 49 (59 f.)
119 Sondergutachten 68: Wettbewerbspolitik: Herausforderung digitale Märkte, 01.06.15 (also available in English), p. 84
f.
69
based on the data, collected through search enquiries.120
On the other
hand, the advantage of one search engine cannot lie in their amount of
collected data, as the internet is characterized by the unhindered
access to information, so that anyone could collect the same data.121
Hence, the European legal situation regarding access to data pursuant
to competition law will, according to the prevailing opinion among legal
academics, most likely also apply in Germany.
(D) Individual further situations
There are certain further individual situations in which someone might
be entitled to access data held by another commercial entity. However,
these are exceptional cases. They have in common that the data to be
accessed is required for the purpose of exercising another right:
Sec. 34 Federal Data Protection Act (Bundesdatenschutzgesetz –
“BDSG“) regulates the provision of information to the data subject by
the data controller. The data subject can force the data controller to
provide information on which data about the data subject the data
controller holds and where it comes from, on the recipient or type of
recipients to whom the data are provided and on the purpose for which
the data is being stored.
Apart from that, there are specific situations in which certain data may
be accessed. However, none of the applicable laws have yet been
applied beyond the respective very specific scope. The different
situations listed below are not exhaustive. According to Sec. 166
para. 1 and Sec. 233 para. 1 Commercial Code (Handelsgesetzbuch –
“HGB“) both the limited partner and silent partner may examine the
respective books and papers in order to verify the correctness of the
annual financial statement.122
Furthermore, upon application of the
limited partner or silent partner the court can order the disclosure of
other books and papers, a balance or annual financial statement if there
is an important reason to do so, Sec. 166 para. 3 and Sec. 233 para. 3
HGB. 123
According to the BGH124
shareholders are entitled to access
information on the names and addresses of their fellow shareholders.
Apartment owners are entitled to access invoicing details regarding the
respective buildings. This might also include information regarding the
names and addresses of all apartment owners.125
120 Sondergutachten 68: Wettbewerbspolitik: Herausforderung digitale Märkte, 01.06.15, p. 89
121 Sondergutachten 68: Wettbewerbspolitik: Herausforderung digitale Märkte, 01.06.15, p. 92
122 BGH, 14.06.2016 – II ZB 10/15 points 20 ff.
123 BGH, 14.06.2016 – II ZB 10/15 points 14 ff.
124 BGH, 11.01.2011 – II ZR 187/09
125 Becker in: Bärmann § 28 WEG points 161 - 163
70
Furthermore, a right to access data can also derive from intellectual
property law. According to Sec. 101 para. 1 Copyright Act (Urheber-
rechtsgesetz) the owner of a copyright, which was infringed is entitled to
access information regarding the origin of the infringing copies and the
distribution channel used to distribute them. According to Sec. 140b
para. 1 Patent Act (Patentgesetz) “Any person who uses a patented
invention contrary to sections 9 to 12 may be sued by the aggrieved
party for provision of information, without delay, regarding the origin and
the channel of commerce of the products used.”126
And also Sec. 37b
para. 1 Variety Protection Act (Sortenschutzgesetz – “SortSchG”)
grants the party whose rights were violated immediate information
about the origin and the channel of commerce of the products used.127
4.5 Spain
(a) Summary
As of today we are not aware of any express legal provisions or case-law dealing with
the issue of data ownership. Therefore, an ad hoc analysis should be executed both on
the generally accepted legal principles affecting the data and on the concept of
ownership in Spain if no contract exists between the parties involved to regulate the
data ownership. Due to the lack of express regulation in Spain it can be said that the
concept of data ownership in Spain should be interpreted from the concept of ownership
-which in turn derives from the concept of ownership of Roman law- and therefore the
owner would be entitled to enjoy and dispose of the data. In any event, the debate on
data ownership has just begun in Spain so it can be expected that Spain might adhere
to the interpretation of ownership upheld by most leading technology companies.
(b) Statutes governing data ownership and access to data
As of today we are not aware of any express legal provisions or case law dealing with
the issue of data ownership. Thus, should we wish to know about the ownership of the
relevant data we should analyse each given situation (data flows from end to end) on a
case by case basis.
With a view to determine the entity/individual who is the legal owner of the relevant data
at hand an ad hoc analysis should be executed both on the generally accepted legal
principles affecting the data and on the concept of ownership in Spain. The ownership
concept currently in force in Spain derives from the ownership concept under Roman
law. The Spanish Civil Code states in its article 348 (first paragraph) that the 'property is
the right to enjoy and dispose of a thing, with no limitations other than those established
by law'. Therefore, it is our understanding that as long as no contract or agreement
governs the referred ownership of data among parties involved, the only entity or
individual that should have the right to enjoy and dispose of the data would be the one
that has actually generated/produced such data.
126 LG München, 21.04.2016 – 7 O 5930/15
127 LG Düsseldorf, 18.09.2014 – 4a O 24/14
71
Additionally, it would be also interesting to address the potential applicability of the
Trade Secrets Directive to the case at hand. Spanish law lacks a per se regulation on
the protection of trade secrets. It is regulated indirectly by way of prohibitions and
limitations established in various texts, both civil and criminal ones.
Protections under Criminal law
One set of rules prohibiting the violation of trade secrets is the Spanish Criminal Code,
which contains provisions, Articles 199 and 200 therein, setting out the prosecution of
those who reveal third-party – either a natural or legal person – secrets accessed as a
consequence of a labour relationship or secrets in respect of which the violator has
undertaken an obligation of confidentiality.
The Spanish Supreme Court (in its Judgment no. 285/2008, of 12 May 2008, Second
Chamber on criminal affairs) has also outlined the criteria to be used to ascertain the
existence of what will be considered as trade secret, so as to interpret the provisions of
the Spanish Criminal Code on the violation of secrets. The judgment defines trade
secrets very broadly as "any in-formation which, in case of disclosure, will affect the
competitiveness of the company in the market".
The Supreme Court went on to establish that, technical-industrial secrets, commercial
secrets, as well as purely organizational ones, can be understood to be included in the
concept of trade secrets. Also, the information needs to be:
• solely owned by the company;
• confidential; and
• economically valuable for its business activities.
Protections under civil law
The first issue to be pointed out is that the concept itself is not properly defined by the
provisions currently in force in the Spanish laws – something which definitely
characterises the Trade Secrets Directive as a meaningful leap forward on the matter.
Spanish law regulates the violation of trade secrets as unfair (albeit solely in the form of
industrial secrets) by means of the Spanish Unfair Competition Act (UCA). Article 13
UCA prohibits any disclosure or use, without the authorisation of the owner, of industrial
secrets or any other type of business secrets access to which has taken place either
legitimately under a duty of confidentiality or, illegitimately (through illegitimate means –
i.e. spying- or by inducing third parties to do it). This provision requires the violation of
the secret to be performed with the aim of attaining personal or third-party advantage or
harming the owner of the secret.
72
Therefore, according to the range of provisions prohibiting unlawful use of trade secrets,
it would be possible to seek remedies against the disclosure of the secret by means of a
civil procedure, in case of an unfair practice, or a criminal prosecution, the latter leading
to criminal penalties and civil redress. However, it is our understanding that this regime
would not be easily applicable in Spain in order for data to be considered as a trade
secret unless such data is considered to be (i) solely owned by the company; (ii)
confidential; and (iii) economically valuable for its business activities.
Protections under a contract
Once the legal grounds for seeking remedies against wrongdoers are clear, it is worth
noting some common ways of protecting trade secrets under Spanish law. Rules and
obligations are normally set out in contracts to be signed with employees and directors,
for instance, as well as confidentiality clauses, non-competition clauses or penalty
clauses – the latter operating in cases of breach or failure to comply with those
obligations.
The inclusion of such covenants in agreements means that they may be enforced
before a Court in case of breach. Therefore, civil redress might also be awarded if
breach of contract is proven.
Similarities with the Directive
Spanish law for the protection of trade secrets, like that of all other EU Member States,
is soon to be reformed by the Directive. However, it is worth noting some similarities
between Spanish law as it currently stands and the current state of the Directive. In
general terms, Spanish law provisions on the protection of trade secrets are mostly in
line with the Directive. In the following lines we disclose some examples to note.
The Directive requires the Member States to provide measures to ensure the availability
of civil redress against unlawful acquisition, use and disclosure of secrets to provide
safeguards against their abuse.
In general terms Spanish law includes all the measures set out in the Directive. The
Spanish UCA provides for declaratory and injunctive relieves (cessation, prohibition and
withdrawal) and the Spanish Civil Procedural Act includes interim and precautionary
measures.
The Directive requires Member States to provide a statute of limitations for bringing
actions against the infringer. The draft of the Directive stipulates "that actions for the
application of the measures, procedures and remedies provided for in this Directive can
be brought within at least one year", which was the position already adopted in Spain
(i.e. one year after the date on which the applicant became aware, or had reason to
become aware, of the last fact giving rise to the action). However, the final text of the
Directive and the Spanish law do not apply the same criteria when referring to the
expiration date for those actions. The Directive states six years after the date on which
the applicant became aware, or had reason to become aware, of the last fact giving rise
to the action; whereas the Spanish regulations establish one year from that moment,
and an overall limitation of three years from the moment the conduct was terminated.
73
Article 9 of the Directive requires Member States to enable the competent judicial
authorities to order any of the following measures (which are also applicable under the
Spanish Civil Procedural Act):
(i) the cessation of or, as the case may be, the prohibition of the use or disclosure
of the trade secret on an interim basis;
(ii) the prohibition to produce, offer, place on the market or use infringing goods, or
import, export or store infringing goods for those purposes;
(iii) and/or the seizure or delivery of the suspected infringing goods, including
imported goods, so as to prevent their entry into or circulation within the market.
Beyond these precautionary measures, the injunction and corrective measures are
developed in the Directive. The Spanish regulations allow any of those measures to be
sought on behalf of the interest of the claimant.
Article 13 of the Directive establishes the formulae to be applied by the authorities to set
the minimum amount of damages, on the basis of royalties or fees which would have
been due if the infringer had requested authorization to use the trade secret in question.
Spanish law contains no provisions for the calculation of damages. The claimant must
determine the amount he considers legitimate and the judge is empowered to reduce it.
Spanish courts rarely award moral damages; the damages available to a claimant are
those arising from the valuation of the damages itself and the loss of potential profits.
Companies may be interested in trying to protect their data under the trade secrets
regime. However, as of today, it is our understanding that in order for a database to
qualify as a company asset it would need to meet at least the aforementioned
requirements. However, even if it could be possible to try to protect the data as trade
secrets this way, it would not represent a practical manner of doing it. In any event, this
approach may be modified and/or further developed by the Spanish legislator when
implementing the new Directive on trade secrets, taking into consideration that Spanish
legislators may follow the implementation of the Directive in other EU countries with a
broader technology industry, such as, Germany.
(c) Academic discussion on data ownership
As pointed out above, scholars in Spain have not been proactive with regard to the
discussion on data ownership. The fact that the Spanish legal system stems from the
Roman law has given birth to a more 'pragmatic' approach of the concept of ownership.
Therefore, we could say that the data owner will be the one who has generated the
data, including also the fruits generated by such data. We could also say that as of
today there is a generally accepted understanding that the data owner will be the entity
or individual which generates the data.
74
In any event, after the news on the 5th of September of 2016 in the Spanish national
press about the so-called 'fourth platform' of Telefonica, this debate can be expected to
be boosted exponentially.
In general terms what Telefónica is willing to do is to give control of their data to the
data subjects in order to handle and 'make business' on their data. In words of Jose
María Alvarez Pallete, CEO of Telefónica, "the aim of the so-called fourth platform is to
restore the sovereignty of their digital life to its customers" and that "what characterizes
Google, Uber or Facebook is that they are platforms in real time, personalized with your
data, your tastes. The user likes this. And this also implies a new debate: who owns the
data, who owns what".
The said platform is expected to go operative from 2017, Telefónica's recorded and
shared data will filter through its network so users are able to select which data they
want to continue providing to the referred companies, as well as to "choose" the terms
under which the data exchange should take place.
Therefore, it is our understanding that this positioning of a huge Spanish market player
would imply at least the spur of a debate regarding data ownership in the Spanish
market. Finally, as published, Telefónica's stance on data ownership is that Telefonica's
customers are the actual owners of their data, as they already pay each month the
operator themselves, so Telefónica considers that it would not be legitimate to sell them
to third parties. "We decided to create this fourth platform to collect all information of our
customers, and we have decided that this information belongs to the client. It must be
he who decides what to do with it and what relationship you establish with the OTT".
Despite the current situation in relation with the academic discussion with regard to data
ownership in Spain, it is our understanding that the referred news would trigger a
debate on this topic in the coming months, which may also have an impact on the
interpretation or positioning of other EU Member states on their concept of data
ownership and its development in the near future. In any event, since Spain is not a
leading industrial/technological country, it is our understanding that Spain and the
approach to this matter would follow the approach taken by other leading industrial
companies such as Germany or the UK. In this regard, we can say that the debate in
Spain just kicked-off.
Finally with regard to the case law in Spain, the vast majority of case law that we have
come across when searching the databases or the Internet was related to personal data
instead of data in general terms since the Spanish Data Protection Agency is the one
agency/authority concerned with personal data protection, as well as one of the most
active agencies/authorities among those of the rest of EU Member States. However,
and as already pointed out, no specific case law on issues dealing directly with data
ownership relevant for these purposes have been found since, at the end of the day,
most of the issues were related to consumers, rather than to companies.
75
In this regard, the general and tacit understanding or approach on the matter in Spain
would be -as stated, for instance in the publication Situación Economía Digital Febrero
2016, by BBVA research128
that:
"There are different ways of understanding the ownership of the data. Among
the existing paradigms of ownership we can find the 'producer' as 'owner' (the
party that generates the data); consumer as owner (the data consuming party);
compiler as owner (the party that selects and combines/processes the
data/information); company as owner (the party that controls all data inputs and
outputs of the company); funding organization as owner (the party ordering and
paying for the creation of data); decoder as owner (if so, the part that unlocks
the encrypted data); packager as owner (the part that formats the data); reader
as owner (the part that incorporates data); data subject as owner (the data
subject of data, i.e. confidential data or copyrighted images...); buyer / licensor
as owner (the party purchasing or being licensed data); all as owners. In the EU
it seems as if the 'data subject as owner' (generally the producer of the data) is
the prevailing paradigm of ownership as of today".
Based on the paradigm above the owner of the data would be understood as the
individual generating the data (directly or indirectly -by the development of a device to
generate data without the interaction of any third party-) (i.e. thermometer) any type of
use of such data by any entity/individual other than the owner should be executed
through an agreement.
The language used in both the EU Data Protection Directive and in the glossary of
terms of the Spanish Data Protection Act, the data subject is defined as 'the natural
person to whom the data undergoing processing pertain'. It is our understanding that
this definition would be also translatable to those scenarios in which the data does not
pertain to a natural person or which does not qualify as personal data. In such case, the
data would be the property of the entity or individual that directly or indirectly
generates/produces such data.
In this respect, the data generated/gathered by devices/sensors in the framework of the
so called Internet of Things (IoT) may be the object of a separate analysis executed on
a case by case basis. As stated by Alejandro S nchez del Campo ( Regulatory counsel
for Telefónica Digital)129
:
"When dealing with data generated, for instance in an agrarian exploitation, with
no personal data involved it should be ruled by the agreement entered between
the agrarian company and the platform providing 'business intelligence'
services. I understand that this could not claim to share in the benefits
generated from the processing of such information by the company that
provides the B.I. services, unless the contract foresees such right. This purpose
could be also achieved through another legal instrument, as it has been agreed
128 https://www.bbvaresearch.com/wp-content/uploads/2016/02/Situacion_ED_feb16_Cap4.pdf
129 http://blogs.elconfidencial.com/espana/blog-fide/2016-04-21/de-quien-son-los-datos-del-big-data-e-internet-de-las-
cosas_1168423/
76
in the US, where several entities have signed a few months ago an agreement
on self-regulation on this matter, which states that the data belongs to
farmers/land owners and that any access or treatment thereof should be made
transparently and always with their informed consent".
Additionally, "The current legal framework in Spain does not specifically regulate the
ownership of data and courts have not had time to pronounce, so we must be focused
on the general principles of our Civil Code and on what was contractually agreed
between the parties involved. In the absence of specific provisions, I consider that
Article 348 of the Civil Code protects each company to "enjoy and dispose" of the data
collected, provided you do so in a way that does not violate the law. As we have seen,
the 'raw' data is important, but without the 'hardware' and 'software' right is difficult to
obtain some kind of performance thereof. The law wants to protect that effort and
recognizes a 'sui generis' right to whomever makes a substantial investment in
obtaining, verifying or presenting the contents of a database and allows your
'manufacturer' (in our case, would be the company that has made the investment in the
necessary data to address 'big data' or IoT) can prevent extraction and / or reuse of all
or a substantial part of the contents of that database infrastructure".
However, our understanding is that in general terms the entity or individual who
generates/produces the data would be the owner, even if a third party device/sensor is
required to obtain such data. In any event, due to the lack of express regulation in Spain
an specific and case-by-case analysis of the circumstances or agreements/contracts
involved (it should expressly stipulate who should be considered to hold the ownership
of the data).
Additionally, as stated in the article "Análisis sobre la heterogeneidad en la legislación
de protección de datos personales de carácter medico"130
De Diego and others:
"the recognition of the fundamental right to data protection has been
interpreted/executed very differently from one State to another as in some the
right recognized to privacy and human dignity and others had to be recognized
as a fundamental right to data protection. The right to data protection is
intended to ensure the right of every individual to manage their personal data
enabling the individual to have the ability to own their own data regardless of
where they are stored without prejudice to other fundamental rights. In addition,
organizations and governments are obliged to ensure the protection of
individual data are stored in their databases. Given the need to unify the right to
personal data protection at European level and to guarantee the rights of
access, rectification, cancellation and opposition of personal data Directive
95/46 / EC was developed."
The Article 29 Data Protection Working Party issued an opinion on the developments of
the Internet of things (Opinion 8/2014 on the on Recent Developments on the Internet of
130 Análisis sobre la heterogeneidad en la legislación de protección de datos personales de carácter médico; Abel
LOZOYA DE DIEGO, María Teresa VILLALBA DE BENITO, María ARIAS POU. Diario La Ley, Nº 8688, Sección
Doctrina, 25 de Enero de 2016, Ref. D-36, Editorial LA LEY.
77
Things adopted on 16 September 2014) from whose sections 3.3.5, 3.4, 4 and 4.1 we
may infer that when dealing with individual's personal data the 'owner' of the data
should be the individual, given that a consent is required to process such data.
This lack of applicable laws led companies to agree by means of agreements relating to
the data ownership, access, processing or benefits from its economic exploitation.
Therefore, since the parties are almost free to agree whatever they wish (provided that
general limits to the free will of the parties are observed ((i) mandatory laws, (ii) moral,
and (iii) public order), the parties would also be free to agree any type of remedy related
to the breach of any provision contained in such agreement in connection with the
ownership, access, processing or economic exploitation of data.
One of the main 'advantages' of this lack of specific regulation is that companies would
be entitled to submit their disputes to arbitration courts. In our experience, this option is
accepted by companies negotiating this kind of agreements since its complexity and the
degree of technical language used (for instance to regulate the way the software
included in a device/sensor works during the process of data generation) requires a
certain degree of specialisation in the matter.
As slightly pointed out above, parties would also try to protect their data (as an asset) by
means of any different systems available, even if they do not really fit for such
purposes, such as, trade secrets, confidential information, IP-protected rights etc.
However, it is our understanding that since no express legal provisions deals with the
issues addressed regarding data ownership, the parties would not be constrained by
mandatory legal provisions when negotiation takes place.
Therefore, this lack of regulation on the matter can be seen by the relevant market
players either as positive or negative. It would be seen as positive as parties will be free
to estipulate whatever they want but, on the other hand, it may be seen as negative
since no express provisions deal with the matter to state an appropriate level of legal
certainty. However, our feeling with companies when negotiating this type of agreement
(and since no personal data or sensitive data is involved and also since they are in a
quite similar negotiating position) are more comfortable without being constrained by the
mandatory legal requirement that needs to be observed.
(d) Academic discussion on access to data
Since no discussion is already on top of the table regarding data ownership, no
academic discussion on data access exists in Spain. In any event, it is our
understanding that we should differentiate 3 different types of data regarding the access
to such data. (i) personal data, (ii) open data, and (iii) any other data.
The access and processing of personal data in Spain is regulated by privacy laws or
any other sector specific law (i.e. health) in force. In general terms the access to such
data is limited to those entities or individuals to which the relevant consents have been
gathered from or to any other that is understood to be ancillary to the provision of a
service. In any event the law requires obtaining a consent from the data subject in order
to process such data and the data could solely be lawfully processed for the purposes
included in the consents gathered.
78
As it refers to the principles of open data in Spain, as of today such principles are not in
general terms expressly regulated in our legal system. However, one of the main issues
when dealing with open data is related to the reuse of open data. Reuse is the use of
the data found in possession of government authorities, for commercial or non-
commercial purposes by any private entity or individual, provided that such use does
not constitute a public administrative activity.
The access to data will be governed by the agreements entered between the parties in
order to know the agreed access/exploitation/processing regimes. However, as of
today, especially in relation to companies on the IoT sector, we have noticed that they
are not really conscious about the huge quantity of data that they are managing and,
therefore, it is not easy to regulate or stipulate those agreements.
Following the generally accepted interpretation on the ownership concept under
Spanish law, we may end up facing an additional issue in those cases where, for the
data to be generated or gathered, an action from an individual is required. In this
scenario we will be on a business-to-business-to-consumer relationship with regard to
the data ownership.
This issue can be easily identified in the following situation regarding the ownership of
the data gathered by a device installed in a car (for the purposes of this example we will
consider that no personal data is involved, even if, from a Spanish Data Protection point
of view it would be interpreted that the data gathered may qualify as personal data). Car
makers, include during the manufacturing process of the cars to be commercialised for
the general public a relevant number of devices to collect different types of data,
ranging from the air temperature to the average speed. When trying to ascertain the
ownership of such data in the simplest of the scenarios at least three parties will be
involved (i) the entity that has created or manufactured the device installed in the car,
(ii) the car manufacturer, and, (iii) the owner of the car (or any other person who will be
using that car at any time).
The very first question would be to analyse what is needed to collect that data. It is our
understanding that no data will be collected or gathered by the device or sensor
installed in the car until the engine is started. Therefore, an action from the individual is
required in order to initiate the sensors and to begin the data collection. From the
simplest point of view, the individual has paid a certain amount of money in order to
acquire the car and no doubts about the ownership of the car would exist at this stage.
Consequently, all the data gathered would be property of the car owner, unless any
agreement has been entered by the individual with the car manufacturer by virtue of
which the individual transfers to the car manufactures the ownership of such data or a
right to exploit them.
Focusing on the business to business relationship of the case above, the manufacturer
of the device would not be entitled to use or exploit such data unless it is somehow
enabled to receive such data by any means.
4.6 US discussion
79
Although not within the scope of the study, a search for commentary on issues of data
ownership and access in English language journals inevitably throws up the substantial body of
discussion by US authors on this topic. We briefly describe some of the positions taken, below.
The US authors are generally in search of models better to regulate the exchange between
individuals and the corporations which collect and exploit the data. One category of author,
privacy advocates131
takes the position that property rights already apply, and does so without
justifying the position but rather assuming that all information is somehow property by default.
The assumption may arise from the acceptance that a number of US states do recognise
property rights in information, principally in regard to trade secrets rather than information in
general, and frequently through criminal rather than civil law,132
and the ubiquity of the term
'proprietary information' in US legal discourse. Traditionally, lawsuits for misappropriation of
trade secrets have been fought in state courts and under state law. Although most states other
than New York and Massachusetts have now adopted a form of the Uniform Trade Secrets Act
(UTSA) there are significant differences as state courts developed their own, individual
jurisprudence. This has resulted in significant inconsistencies across the country in the
protection afforded to a company's trade secrets. For example, what constitutes a "trade
secret," what rises to the level of "misappropriation" of a trade secret, and what remedies are
available for trade secret misappropriation vary significantly from state-to-state.
The laws of trade secrecy at federal level in the USA were accordingly extended by the passage
in 2012 of the Theft of Trade Secrets Clarification Act, which amended the Economic Espionage
Act of 1996 (EEA), after a high-profile case in which the conviction of former Goldman Sachs
programmer, Sergey Aleynikov, for stealing source code for Goldman Sachs’ proprietary trading
platform was overturned on appeal as the Court of Appeals for the Second Circuit held the
stolen software was not protected by the statute because it was only used internally by the
company133
. However, the 2012 Act did not enable civil actions against trade secret
appropriation and so in 2016 the Defend Trade Secrets Law has been passed, which provides a
new, uniform federal civil remedy to trade secret owners. This should help to end the forum
shopping and other difficulties of enforcing rights.
US legal writers addressing the question of data ownership tend to be either privacy or free
market advocates, but between those extremes a range of possible approaches have been
proposed including bounded property rights subject to overall regulation, along the model of US
environmental regulation which seeks to harness market forces to increase respect for
environmental laws. The limit of a market-based model is pointed out by Schwartz134
since it
takes no account at all of the social value of enabling privacy and unrealistically presupposes
active engagement by the data subjects whereas evidence demonstrates that consumers
exhibit only "bounded rationality". It also fails to take into account the enormous disparity in
bargaining power and expertise. Further, the value of personal data is impossible to ascertain
in full at the point of disclosure since it depends upon as-yet unidentified potential future uses.
131 See for example Murphy, Property Rights in Personal Information: an economic defence of privacy (1996) 83 Geo LJ
2381 132
For instance, the criminal codes of the states of Massachussetts, New Jersey, New York, Pennsylvania, Texas all
include theft of trade secrets as an offence. 133
United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012) 134
Schwarz Property, privacy and personal data (2004) 117 Harvard L Rev 7 2055
80
Litman135
argues that it is unrealistic to expect to control undesirable aspects of a data market
by using market tools since the object of a market/ property model is to make it easy to sell
data.
An earlier US paper, written in response to the introduction of the draft Database Directive,
argued for two alternative but weaker forms of protection for commercially valuable data.
Reichman and Samuelson136
proposed approaches based either upon an unfair competition
model or upon a modified liability regime.
They acknowledge that an unfair competition approach is inherently unpredictable, but argue
that this enables judicial interpretation to provide interim relief at an acceptable social cost,
case-by-case. Their proposal is that the law should defend the incentive to invest when:
the costs of developing an information product are high;
the costs of copying are low;
copying yields a substantially identical product;
o which a copyist can price cheaply not having to cover R&D costs; and
o consumers, believing products identical choose to buy the cheaper one,
inducing market failure as originator cannot recoup expenses;
where a market failure could have been averted by a period of protection allowing the
first comer to recoup its investment costs.
In their view the uncertainty inherent in the many variables is properly bounded by an
appropriate conception of the minimalist market-preserving goal of the exercise. Courts could
use market criteria to determine what period of protection needed, such as:
How much has been appropriated;
the nature of data appropriated;
the purpose for which it was taken;
the degree of investment initially required to bring the data into being;
the degree of dependence or not of the unlawful user's own development effort and
substantiality of investment in those efforts;
the degree of similarity between contents of the database and the user's product (even
if only privately consumed);
135 Litman Information property/information privacy (2000) 57 Stan L R 1283
136 Reichman and Samuelson Intellectual property rights in data? 50 Vand L Rev 51 (1997)
81
the proximity or remoteness of the markets in which the data base owner and user are
operating; and
how fast the user was able to come into the market compared to the time which would
have been needed to develop the original database.
Alternatively, they suggest constructing a liability principle based regime modelled on that
applied in Italy in the 1930s to protect novel engineering project designs ineligible for copyright
protection and implemented by Italian courts and arbitrators to protect investors against unfair
extractions but requiring certain parties including sole-source providers of particular data to
license extractions and reuse of their database on Fair and Non-discriminatory terms. The
object is to provide a blocking period against appropriation of any substantial component (i.e.
enough to represent a threat of market failure; how much that might be will depend upon the
sector concerned) so that the originator can exercise monopoly pricing in this period subject
only to public interest limitations. As to how the licence terms are to be agreed, they propose
either:
an automatic licence built into the right with arbitration clauses for parties who could not
agree terms; or
an automatic universal licence, negotiated in advance of the regime by a group of
stakeholders including industry, to come into effect as soon as blocking period ended.
The cost could be based the value added to the free-rider's product so that they would pay only
according to how much of the original data was used compared to how much value derived from
their own investment; whether it competed with the originator's product or not, and similar
factors.
4.7 Results of the internal OC survey: UK, France, Germany, Spain, Italy, Belgium,
Netherlands
Overview
To assess the legal environment regarding ownership in and access to data, we drafted and
circulated a questionnaire to each of our European Offices; namely, Germany, Spain, Italy,
United Kingdom, Netherlands, Belgium and France. The raw data for this is attached at Annex
3. Below we have reported on and analysed the results of the responses we received. In this
section we review the adequacy of contractual approaches to handling data; in the next section
(section 4.8) we summarise the national legislation and feedback as to any areas where
improvement might be desirable.
The common theme across the responses is that issues in relation to ownership/access to data
are not at the forefront of client's minds currently and at this time these provisions are not
frequently causing disagreements. Many of our colleagues are comfortable that contractual
provisions can effectively take account of any issues arising. However Belgium noted that they
have faced issues in relation to data on some international transactions. They commented that
although parties tend to deal with the issues via contractual provisions, a lack of clear,
82
harmonised rules on data ownership causes companies to hold back on data sharing initiatives
and overcomplicates negotiations.
The sectors where data issues are commonly arising were reported as being: banking,
insurance, pharmaceuticals; innovative company, digital business, retail, energy industry 4.0
and online advertising. This covers the majority of the sectors we work with and thus indicates
this issue is occurring across a wide spectrum of areas and hasn’t yet become more prone in a
certain sector.
Below we explain how contract principles differ between common and civil law jurisdictions,
before reviewing the practical experience of handling data-driven contracts.
(a) Common and civil law systems of contract
A common law system such as England & Wales or Ireland does not always have a
written constitution or codified laws; judicial decisions are binding, such that decisions of
the highest court can generally only be overturned by that same court or through
legislation. In the commercial sphere, freedom of contract is extensive with very few
provisions implied into the contract by law (although provisions seeking to protect
private consumers may be implied). This will often result in a contract being longer than
one in a civil law country. Generally, the law is less prescriptive than a civil law system;
everything is permitted that is not expressly prohibited. The parties are presumed to be
able to assess the risks connected with the transaction and to provide for appropriate
regulation of the relationship and allocation of risk. The contract, therefore, is deemed to
be sufficient to regulate the transaction between the parties. Notwithstanding the
occasional inclusion in contracts of ideas such as best endeavours or agreements to
negotiate in good faith, concepts such as good faith and fair dealing do not apply during
the negotiation of the contract. The parties are expected to look out for their own
interests.
Civil law systems, by contrast, are generally a codified system of law taking their origins
from Roman law, and more prescriptive than common law. The constitution is based on
specific codes (such as a civil code, codes covering corporate law, administrative law,
tax law and constitutional law) enshrining basic rights and duties. Only legislative
enactments are considered binding for all. There is little scope for judge-made law in
civil, criminal and commercial courts, although in practice judges tend to follow previous
judicial decisions. In some civil law systems, e.g., Germany, writings of legal scholars
have significant influence on the courts. The extensive codified law regulates the
different types of contracts in detail which means that most issues which might arise,
e.g., from renting a flat are addressed in the laws itself. In general, parties have less
freedom of contract - many provisions are implied into a contract by law and parties
cannot contract out of certain provisions. In particular the national laws on unfair terms
and conditions limit the freedom of contract considerably. Further, the principle of good
faith in negotiation can be extended into an obligation to inform the other party of
material aspects that are relevant to the proper assessment, understanding or
performance of the contract, in stark contrast to the common law approach. This means
that less importance is generally placed on setting out all the terms governing the
relationship between the parties to a contract in the contract itself, as inadequacies or
ambiguities can be resolved by operation of law. This will often result in a contract
83
being shorter than one in a common law country. On the other hand, the contract is
interpreted in the light of implied principles of reasonableness, good faith or fair dealing
(in different degrees in the various national systems), intended to avoid unjust outcomes
which could arise from a literal interpretation of the contract. A contract which is found
to cause a result unfair to one party is unlikely to be enforced.
In addition to the common law elements of offer and acceptance, civil law focuses on
elements necessary to demonstrate that the agreement was the result of an exercise of
the parties' free will. Many civil law jurisdictions (such as Germany) only recognize
acceptance when the offeror knows or can reasonably learn of it, in contrast to the
common law norm that acceptance takes place when despatched. In civil law contracts,
the subject matter or purpose of the contract is also important. It must be based on the
set classification that the civil law assigns to different contractual forms, which may in
turn further define additional structural requirements that the parties must comply with in
order to give the contract full legal force.
The two systems also differ substantially in their approach to enforcement of contracts.
Under common law, it is rare to obtain specific performance of a contract except in
limited circumstances such as a contract for purchase of land, where the law accepts
that one piece of land is not substitutable for another. In other cases, damages are the
usual remedy. But if specific performance is ordered, then the court has the power to
enforce that decision through quasi-criminal remedies for contempt of court against a
non-compliant party: its assets may be sequestrated and its directors imprisoned. The
civil law system takes the opposite approach: specific performance is a statutory
remedy that the civil law courts are expected to turn to first. It may be replaced by
monetary damages only if specific performance is either unfeasible or inadmissible. But
although it is frequently awarded, specific performance is less likely to be enforced in
civil law countries because of the relative weakness of the remedial measures available
to their courts. For example, under the French system, where contempt charges are
usually limited to criminal proceedings and are therefore unavailable in civil actions,
French courts seek to persuade a party to comply with their decisions through a fee
(astreinte) payable to the state for each day of delay. In many civil law jurisdictions,
only after a claim for specific performance has been issued may the defendant, through
a complicated process, convert it into a claim for monetary damages. As a result, it can
be difficult for businesses familiar with contracting under the assumptions of the laws of
their home territory to understand fully the implications of contracts governed by a
different law.
Nevertheless, it is generally accepted that in this area "contract is king", and the CJEU's
confirmation in its 2015 decision in Ryanair v PR Aviation, that where a database is not
protected by the sui generis database right then there is no limitation as to the
contractual restrictions which can be applied to users of databases, has enhanced this.
Limitation of contract as a solution
There are important limitations on the control that can be exercised over the data itself
in contractual terms. Most importantly, the contractual terms will usually only apply
between the two parties and, unlike the laws applicable to trade secrets or intellectual
property rights, will not constrain third parties who may gain access to the data through
84
the performance of the contract, unless similar contractual restrictions can be imposed
directly on them.
Even between the contracting parties, it is not straightforward to find the right balance.
For example, if the data is to be processed or combined with other data by the licensee
then the contract will also need to set out the contractual parties' respective rights in
relation to the resultant data – commonly referred to respectively as 'derived' and 'co-
mingled' data. Similarly, the parties may need to consider what if any rights a licensor
can obtain over an extended database consisting of additional data developed
independently by the licensee, based upon some aspect of the original database but not
contained in it. Attempting to address such future developments in a contract before the
data transfer has taken place involves a degree of speculation as to future
developments and inevitably is often insufficient when circumstances work out
differently from the scenario that was anticipated in the contract.
The potential for competition law issues to arise is obvious, by analogy with the
exclusion, in Article 5, from the general exemption from Article 101(1) conferred on
patent and know-how licences by Article 2 of the Technology Transfer Block Exemption
Regulation ("TTBER")137
of terms conferring on a patent licensor the ability to demand
access to a licensee's improvements of the technology. Specifically, clauses which
impose any direct or indirect obligation on the licensee to grant an exclusive licence or
to assign rights, in whole or in part, to the licensor or to a third party designated by the
licensor in respect of its own improvements to, or its own new applications of, the
licensed technology will not be exempted.
Know-how under the TTBER is defined as
"a package of practical information, resulting from experience and testing, which
is:
(i) secret, that is to say, not generally known or easily accessible;
(ii) (ii) substantial, that is to say, significant and useful for the production of
the contract products; and
(iii) (iii) identified, that is to say, described in a sufficiently comprehensive
manner so as to make it possible to verify that it fulfils the criteria of
secrecy and substantiality."
There has been no case law as to whether data such as that generated by industry 4.0
might fall within this definition. On its face, there appears to be no reason why it should
not. The TTBER does not apply to licences solely of know-how, although a licence of
know-how alongside a registered technology right or software copyright will be covered.
137 Commission Regulation (EU) No 316/2014 of 21 March 2014 on the application of Article 101(3) of the Treaty on the
Functioning of the European Union to categories of technology transfer agreements (TTBER) OJ L93, 28.03.2014,
p.17-23
85
Accordingly a licence of software and such data could have the benefit of the 'safe
harbour' of the TTBER. Nevertheless, the fact of the exclusion of "improvements" from
the exemption strongly suggests that if a licensor of software and data included a term
requiring the licensee to grant access to derived or co-mingled data, it would be
arguable that the additional data constituted an improvement so that such a term could
cause an otherwise pro-competitive agreement to fall foul of the Article 101 prohibition
and so be void. A licence of data alone including such a term would require a ground-up
competition analysis. But the analysis necessary to understand whether or not any
restriction or distortion of competition will result from a particular accumulation of data
and its exploitation by one or several parties may be extremely complex.
(b) Practical experience in contracting over data
As part of our survey of national laws and practices relating to data, we asked our
colleagues to share their experience as to the prevalence and form of contracts
currently being used.
Prevalence
In all jurisdictions, our colleagues confirmed that they have drafted contractual
provisions in relation to data (excluding privacy law) within the last year. In most cases,
one party was not allowed to use the data for any purposes, other than fulfilling the
contract. In a very small number of cases a further provision was requested whereby
the party could exploit the data for other purposes. This scenario is not common, and
only arises in special cases or where there is unequal bargaining power of the parties.
However, in the majority of cases in the UK, the clauses being drafted stipulated more
sophisticated arrangements for access and exploitation, as evidenced by the example
clauses provided. This is a contrast to the position on the continent where the clauses
being drafted are relatively simpler.
From the results, it is clear that within our practice, complex data clauses are currently
only being reviewed or drafted a couple of times a year per jurisdiction. These issues
are being dealt with far more frequently in the UK. Whereas most of the countries
surveyed had been asked to draft or review complex data clauses a handful of times,
the UK team had looked at around 80 complex clauses on data in the last year. We
believe this is likely to be typical amongst our peer group. The most common issues
which are being picked up in this regard are
the possibility for a party to re-use/communicate data to third parties;
"ownership" of data generated/processed;
ownership of any IP rights at stake/generated by technical devices; and/or
to what extent parties who have access to data are allowed to commercialise it.
The sectors where our colleagues are being asked to draft these types of clauses are
predominately in the digital business, health, new technologies, IP, retail (know-how and
86
trade secrets), data centres and outsourcing deals. However, the issue is being
discussed more commonly than it is actually implemented. For instance, Germany
mentioned that they have only drafted clauses for companies involved in online
marketing but have been asked by industry 4.0 companies to assess the issue of
ownership in data from a rather abstract point of view. Spain had seen the issues in
various additional sectors including defence, distribution, digital media, healthcare and
financial services.
The majority of our colleagues have not been seeing variations in the drafting between
sectors. This may mainly be because they have only been drafting or reviewing these
types of clauses in one or two sectors. Germany however commented that they have
seen differences between the sectors. The trading of data has only really come up in
the context of online marketing and in industry 4.0. However, companies in industry 4.0
seem to address this issue less regularly and with less complex clauses than
companies involved in online marketing. In energy and healthcare, start-ups are trying
to commercialize data, but we have not been involved in the drafting of corresponding
clauses.
When asked if new laws would facilitate the drafting of contracts on handling access to
and control of data, one contributor commented that it would be useful to facilitate
drafting if new laws could provide a set of standard clauses that market operators could
use with regard to access and control of data; or a code of conduct on the use of third
party information. Others commented that any legislation in this area would inhibit the
freedom of the parties to agree their own provisions. Notably, it was commented that as
regards individuals as contracting parties it may be advisable to introduce laws to
determine ownership of data by law and not subject to the will of the commercial parties
since the individual has less bargaining power. Generally for sophisticated parties, the
view was that they should be free to agree the positions as they please.
Clauses
Sample clauses which our colleagues have used in relation to data access/ownership
are set out in Annex 4. We have anonymised these as far as possible. Neither our
colleagues in Belgium nor in the Netherlands were prepared to provide samples, citing
bar and client confidentiality rules.
The sample clauses we received varied widely in terms of length, level of detail and the
particular provisions. It seems that there is no general consensus on how best to
address the issues. It is also apparent from these clauses that the English law
provisions are much more comprehensive. As discussed elsewhere in this report, this
emphasises the difference between contractual provisions in common and civil law. It is
also noteworthy that when we were sent these clauses, the majority included long
provisions in relation to data protection, but much shorter provisions in relation to data
ownership/access to data, and in some the clauses were purely in relation to data
protection. This illustrates the comments we received as to the current focus of
contracts where data is being exchanged being more on personal data and the issues
of data governance in that context.
87
The example clause provided by France deals with the permitted use of data and
restrictions on the use of data. The first part of this clause deals with data protection
issues including anonymising the information. The latter half of the clause deals with
restrictions on the use of the data. From this it appears the customer can use the data
for things other than the purpose of the contract but in certain instances will need to
seek approval from the Provider. It cannot use the information in any way which
competes with the provider, but outside of this restriction, it appears it could use it. This
clause does not explicitly deal with the situation where the customer comingles the data.
It says it is not to 'otherwise exploit' the data; quaere whether this covers comingling
when the original data is no longer ascertainable?
The example clause provided by Spain highlights that as mentioned above, Spain does
recognise a concept of ownership of data. This clause is much shorter as ownership
rights are more clearly defined and so less additional wording to deal with uncertainties
needs to be incorporated. Interestingly the Spanish clause appears to allow the party
being granted access to the data to use this data for its own uses moving forwards, ie
'in order to improve and expand its Platform and Services'. It is likely that this provision
would only be agreed in cases where this party was in a much stronger bargaining
position. As reported above, in the majority of cases, the party can only use the data for
the purposes of the contract. The drafting is not comprehensive in terms of what the
data can be used for, presumably because the fact that the data is owned gives the
owner certain rights and remedies if it is misused.
The sample UK clauses provided are much more comprehensive. Example clause A is
lifted from an agreement where a licensee was buying data to combine it with and
enhance its own datasets. The clauses provided represent the supplier of the data's
opening position. This clause includes various definitions in relation to the data, for
example, Derived Data is the data which has been manipulated so it cannot be
identified as the original data or used in substitute for the original data. Manipulated is
also defined. There are tight provisions as to what the licensees can do with the
Manipulated Data, which may reflect the imbalance of bargaining power between the
parties. There is a clause which assigns to the supplier of the data with full title
guarantee all IPR in any Manipulated Data the customer may create by way of future
assignment. This clause could be effective if copyright arose in the Manipulated Data,
but will have no effect if copyright does not subsist – which may not be appreciated by
one or both parties relying on such a form of words.
Example clause B is extracted from a complex outsourcing agreement concerning the
provision of banking and IT services to underpin the operation of a simple card based
payments account. The clauses reflects flowdown from the Customer (who was
providing accounts to Account Holders) to the Supplier of the requirements of a
government department (the "Authority") that was ultimately paying for the payment
account to be set up. As such, the data comprises both personal data and data which
may not be personal. Pursuant to this clause, the Customer 'shall own all Account
Holder Data' as between the parties, and the Supplier agrees to execute any
documents needed to give this effect. The Customer then grants a licence for purpose
of obligations under the agreement to the Supplier. The effect of an arrangement where
the parties agree something – ownership held by Customer – which cannot take literal
effect in law is uncertain. It may be interpreted by a court as setting up an estoppel
88
against the Supplier either raising any challenge against exercise by the Customer of
any rights over the data which would accrue to an owner of property, or seeking to
exercise any such rights itself. But the precise interpretation given by the court will
depend on the factual circumstances of any dispute, and different interpretations of the
same wording could well arise as the court seeks to give effect to the parties' intentions
in different commercial relationships.
Example clause C is extracted from a clinical trials agreement between a US sponsor
and an EU based investor. Again this agreement refers to any data being the exclusive
property of the client. The drafting here is more concerned with protecting the
confidentiality of the data as opposed to the segregation of the data.
Example clause D is not a clause originally drafted by Osborne Clarke, but is a clause
we were asked to comment on in relation to a collaboration agreement in the
pharmaceuticals sector. This clause references the parties being joint tenants of any IP
(which includes data). Such a provision assumes property rights, since joint tenancy is
one of two legal mechanisms under which a property right can be held by more than
one person; and also brings into effect a relationship whereby neither party can transact
in the property without the concurrence of the other, unless the tenancy is 'severed'.
Such an arrangement has a clear potential to restrict either parties' later exploitation of
the data.
The German clauses come from a data trading contract. Both parties were involved in
the exchange of data between different companies in the internet. One of the
companies was an intermediary which tracked the impact of product information on
websites. The other party was involved in the trading of advertising space in the
internet. This contract was used in different combinations. It always related to the
exchange of data between different companies which tracked the behaviour of data
subjects in the internet in different ways and contexts. All such companies sold the
insights to third parties who intended to use them for different purposes.
(c) Best practice contract drafting in the current legal environment
In order to have a complete picture of the current legal situation with regards to the
trade of and ownership in data in Europe it is necessary to also consider what general
rules apply to the drafting of contracts on data (hereinafter referred to as “data licence”).
Therefore, we have described the best practice for data licences in the following.
However, to the best of our knowledge, no legal standard has yet been developed. The
following remarks merely describe our approach to drafting contracts on data and what
we consider best practice. Certain parts of these explanations have previously been
published by Jens Schefzig, a co-author of this study, in an article in 2015.
Implications of the legal environment in Europe with regards to data
Although the laws on data in the various European countries are not harmonized, they
still are similar: most European countries do not recognise a property right in data as
such. From our experience the same applies to most other global jurisdictions. But there
usually are certain defensive rights which protect data against unauthorised access.
89
Such provisions generally have in common that an access to data will only be illegal if
the respective entity and/or person is not entitled to access the data.
Apart from the laws on data itself, questions regarding the laws on databases, privacy
laws and copyright laws might become relevant when trading data. These laws are very
similar in most European countries and will become even more harmonized after the
General Data Protection Directive comes into force.
Therefore, the legal environment for drafting contracts on data is actually quite
homogeneous across Europe. The lack of explicit statutory provisions on data as such
creates flexibility regarding the contractual clauses on the use of the data. Most
defensive rights with regards to data will only apply if the access to such data was
unauthorized. Access and use of data which is explicitly allowed by the contract will not
be affected by such provisions because the contractual right to use certain data confers
the authorization to do so. In conclusion, the current statutory provisions have only a
minor impact on the drafting of data licences.
But it certainly is necessary to choose a governing law in an international contract (to
the extent this is possible, e.g., it is not possible to choose privacy laws). Only such a
clause creates legal certainty as to the applicable legal context and tradition within
which the contract will be construed. This is not a distinctive issue: it arises with regards
to all international contracts and is not a distinct issue of contract on data.
Data and their characteristics
As shown above, companies are essentially free in how they choose to draft contracts
concerning data. This freedom makes it necessary to clearly identify the issues which
should be addressed in the contract. The lack of statutory provisions forces companies
to consider the aspects which have to be governed in the contract themselves without
having a statutory legal framework to simplify this task.
The starting point for drafting a contract on data is the characteristics of the data in
question. For the purposes of this discussion, we consider data in the form of machine-
readable, coded information. The decisive factor is not the semantic function which
implies the content of data. Instead, the encoded characters as such at a syntactic level
represent data. Therefore, the contract will basically cover the use of different sets of
characters. The content of the data is relevant only insofar as it causes specific legal
provisions to be engaged such as copyright laws.
Data is characterised essentially by three features: It is non-rivalrous, non-exclusive and
inexhaustible. An unlimited number of users can analyse data sets and use them by
copying, without affecting other users' ability to access the material; thus data is non-
rivalrous. Furthermore data is non-exclusive because the use of data by others cannot
be limited as soon as data is public. Finally, data can be copied easily at no cost. Data
can also not be consumed. It can be copied and analysed an indefinite number of times
without a lack of quality. In summary, data has potentially limitless availability, which
must be addressed in the contract.
Differences between data licences and other licences
90
A data licence serves the same purpose as other licences: it regulates the exploitation
of a certain good. Usually though, a licence is related to a right which can be enforced
erga omnes (against all the world) such as the various forms of IP. Statute confers on
the copyright holder the exclusive right to exploit the copyright; regardless of being able
to access the content, no other party has the legal right to copy or exploit it. In these
circumstances a licence can be used to grant specific rights to the licence holder. Based
on this licence appropriate exploitation activities can be undertaken; everything else
remains prohibited by statute. In conclusion, usually a licence allows activities which
would have been prohibited without the licence, it basically lists the allowed uses of the
IP in question.
The situation is the opposite with regards to data. Since data is not subject to any right,
data may be considered as “free” or a public good, which anybody may use without any
restrictions. Therefore, a data licence has to explicitly list the prohibited uses of such
data. From the point of view of a contract lawyer this would not be very effective as such
lists would be rather long (because usually only certain uses shall be allowed and
everything else prohibited). Thus, a data licence should stipulate that any data
exploitation is forbidden unless it is explicitly permitted. As a result, all rights of a licence
holder are positively expressed in the data licence.
Relevant IP
Insofar as the object of the contract is not just data as such but is also protected (in
whole or in part) by intellectual property laws (e.g., because a whole database is
transferred), the specific requirements of this legal field must be observed. For instance,
it might be necessary to explicitly include licences regarding database right. In this case
such licences would be combined with the licence regarding the data.
Provisions of a data licence
A. The object of a data licence
The database covered by the data licence must be clearly indicated. Especially in case
of dynamic databases the parties need to define specific data affected by the licence.
B. “Owner” of data
From an economic point of view, it is desirable to clarify which of the two companies
shall have the “ownership” of the data to ensure that both parties agree as to who shall
generally be entitled to commercially exploit the data. As already stated before, this
section will usually declare one party as the “owner” of the data and prohibit the other
party to use such data in any way except where explicitly stated otherwise in the
licence.
C. Quality of data
The parties should include clauses on the quality of the data and the liability of the
licensor for this quality. In particular, it should be defined which exact information must
91
be included in each data set and how reliable (accurate and up to date) this information
should be. Usually, a sample set of data will be attached to the agreement to ensure
that both parties agree on the exact data to be delivered.
D. Exploitation rights
When drafting a licence regarding IP it is usually convenient to refer to the different
possibilities to exploit the IP which are defined by law. As there are no defined ways to
exploit data, the parties will have to categorize possible exploitations of data starting
from an entirely blank page. To our knowledge there is no market standard as to the
possible ways to exploit data which must be addressed in contracts on data.
Schefzig (a co-author of this study) has developed a categorization regarding typically
relevant ways to exploit data as such. The main guideline of this categorization is to
separate such exploitations which will usually be distinguished by businesses instead of
simply using categories from copyright or privacy laws. This categorization is not a
market standard but it is rather helpful when thinking about uses of data. Schefzig has
developed five main possibilities to exploit data:
1. Access: The access to data describes the right to read the data.
2. Storage: Storage of data means the permanent storage of data on data carriers,
not the mere temporary storage in a random access memory.
3. Use: The use of data comprises any processing of data during which the data
itself is not changed, it especially comprises the analysis of data. Copying data
also constitutes a use of such data.
4. Change: Any interference with the integrity of data is a change.
5. Transfer: Transferring data covers both the intentional transmission of and
providing access to data.
It should be noted that these categories contain various subcategories which the parties
might intend to address explicitly, too. As already stated the use of data by way of
analysis might lead to derived data. It should be clearly defined which party shall be
entitled to use such derived data. It is a distinct challenge of contracts on data that an
exhaustive and generally accepted description of ways to exploit data currently does not
exist.
E. Type of licence
A data licence can be structured as an exclusive licence, a sole licence (in which the
data holder and a single licensee are the only parties able to exploit the data) or a non-
exclusive licence. A characteristic of a data licence is the possibility to agree on a sole
or exclusive licence for a specific purpose. Mostly, a licence holder is interested in
exclusive data exploitation only with regards to its own market. But the data might still
hold further insights for other purposes.
92
F. Duration
The data licence is a mere contractual obligation. Therefore, the parties need to make
sure that it still is enforceable after the actual term of the contract. E.g., if party A
delivers data to party B and party B shall only be entitled to use the data for two years, it
must be made sure that the contractual obligation of party B towards party A not to use
the respective data after these two years outlives the term of the contract. Otherwise,
party B would be free to use the data in any way after the contract. Furthermore, it is
best practice to include explicit clauses on the deletion of data and the technique by
which the data must be deleted in the contract.
G. Duty to forward any obligation
Erga omnes rights cannot be adequately replaced by contractual obligations. However,
it is possible to obligate the licensee to ensure that any obligations under the data
licence are also passed on to anybody who receives a sublicence. Furthermore, the
licensor should be awarded direct contractual claims against such third parties in the
contract between the licensee and the sub-licensee, although might be difficult to
enforce depending on the specific jurisdiction. Depending on the licensing system these
clauses might require quite sophisticated clauses. The licensor must anticipate how the
data might be used in the whole data value chain when granting the licence. This
causes complex exploitation chains. However, it must be noted that these limitations of
the licence will have not have effect in rem. That means if the licensee forwards the
data to a third party without imposing the obligations on a third party, the licensor will
have no claims against such third party under the licence, but will have to fall back on
other arguments such as database right or trade secrecy, if available.
H. Technical and organisational measures
The contractual protection of data is only as effective as the technical protection of such
data. If the data becomes available to third parties as a consequence of its own actions,
the licensor might not have any claims against such third party. Therefore, an obligation
to take effective technical security measures should be included in the data licence.
I. Audit rights
All obligations of the licence holder remain ineffective if the licensor cannot monitor the
compliance with such obligations. The data licence needs to explicitly state audit rights
which might also include audit rights with regards to sub-licensees (see above).
J. Contractual penalties
Depending upon the circumstances, the licensor may not be able to prove particular
damage caused by a breach of the obligations under the data licence. Therefore a
contractual penalty should be included. This issue would also arise if a statutory right in
data existed. Due to the current lack of data markets it is rather unclear what any data
pool is actually worth. The courts of the different jurisdictions apply different tests in
attempting to assess the damage to the licensor, which may in time lead to forum-
93
shopping for the most favourable approach. It is also noteworthy that the courts of some
jurisdictions would scrutinise also the regulation of the penalties as to whether they
create undue imbalances or not.
K. Miscellaneous clauses
This list only contains such clauses which address the characteristic issues of contracts
on data. Further standard contractual clauses will be needed, e.g., clauses on liability,
governing law and place of venue.
L. Additional clauses
This selection of relevant obligations is not final and based on a subjective assessment;
what is needed in any individual case is determined by the specific circumstances and
interests of the parties.
Contract partners
To ensure effective protection of data, the company has to conclude data licences with
all companies who are intended to have access to the data. This means that the
company has to anticipate the data flow and then conclude the data licence with all
companies who participate in this data flow.
(d) Conclusions on contract
The law of contract provides an almost infinitely flexible means for commercial parties to
arrange how they handle and access data. However, given that data as an asset has
emerged relatively recently, much of the drafting which is being done is purely local and
customised in nature, with a wide range of approaches and solutions reflecting the wide
variation in contracting parties: incumbents in traditional industries contracting with
potentially more data-aware tech start ups, as well as the information industry players
contracting with parties of all sizes in other industries.
The differences in national laws do not seem to cause significant additional issues. As
almost no country has specific laws on ownership in data, the legal background against
which contracts on data must be drafted is actually similar in most European countries.
Therefore, in our view, if there is a need to introduce statutory laws on data on a
European level, this need does not result from a lack of harmonization across Europe.
There has been no case law yet to give guidance on how the key issues, such as
derived or co-mingled data, should be handled contractually. Even within a given sector
or country, standard terms have not yet emerged. Rather, the approaches tend to
reflect national legal culture – more detailed and prescriptive approaches under
common law, relatively brief provisions under civil law models. Whilst it is clear that
competition law provides an overarching limitation on how a company with a database
which conferred dominance in a defined market could exploit that data, elsewhere it is
94
likely to be some time before the impact of general laws on contract fairness can be
seen.
4.8 Applicable laws identified by the OC survey
Each of the countries surveyed commented that, save for data privacy laws, they have no
specific laws in relation to the ownership of data, besides where applicable copyright and
database sui generis right. The only exception to this was Spain which does have a generally
accepted concept of 'ownership' of data. This is further discussed elsewhere in this report.
Additionally in the Netherlands, Belgium and Germany, there are criminal provisions dealing
with unlawful access to and interception of data, and in some cases disclosing trade secrets.
Further in Belgium, there are provisions regarding electronic communications which protect the
confidential nature of information sent over an electronic network. However although these
legislations refer to data, they do not necessarily deal with many of the issues foreseeable in
relation to industrial data.
(a) Application of laws
The following scenario was included in the questionnaires:
Case: Company A provides data to another company B and according to the
corresponding contract company B may not use the data for any other purpose than
fulfilling the contract between company A and company B. Company B nevertheless
forwards such data to Company C which commercializes such data. Which claims does
company A have against company C according to your national law in this scenario?
In Belgium, Company A will first and foremost have a claim for 'third party complicity to
breach of contract', provided that all the conditions for third party complicity have been
fulfilled. (One of these conditions being that Company C knowingly and willingly
participated in the breach of contract by Company B vis-à-vis Company A).
Furthermore, in the event of a breach of one of the provisions of the Belgian Criminal
Code, Company A will also be able to file a criminal complaint against Company C/the
infringers. Finally, if the data is protected under IP laws, Company A will also be able to
rely on the rights and remedies provided under such laws (including cease and desist
proceedings, claim for damages etc.).
In Italy, if Company C has violated copyright or database laws, Company A will have
rights, however if these laws have not been violated, Company A would have no claim
against Company C.
In France, Company A will have claims against company C on the ground of civil tort
liability (unfair competition and/or parasitism); subject to bringing appropriate and
sufficient evidence that Company C acted knowingly/wrongfully.
In the UK Company A may have a claim against Company C for unlawful interference
with contractual relations or inducing breach of contract, if Company C had a specific
subjective intention to cause economic harm to the claimant and knew that the
acquisition of the data from B would be in breach of B's contract.
95
Spain reported that at first, Company A would not have any direct actionable remedy
against Company C, as they are not party to an agreement. However, when claiming
against Company B, Company A may seek before the court a ruling that bans any
further use of the data acquired by Company C in breach of the agreement between
Company A and Company B. Also, Company A may seek that Company C makes it
best efforts to recover to the extent possible the data commercialised. This would
normally be deployed by requiring Company B that the data are recovered through
Company C. Company C would usually carry out this recovery process at Company B's
expense (in any event this would be subject to the regulation in the agreement between
Company B and C or potential rulings from a claim by Company C against Company B).
In the Netherlands, Company A will first and foremost have a claim for tort
(onrechtmatige daad), provided that Company C knowingly and willingly participated in
the breach of contract by Company B vis-à-vis Company A. Furthermore, in the event of
a breach of one of the provisions of the Dutch Criminal Code, Company A will also be
able to file a criminal complaint against Company C/the infringers. Finally, if the data is
protected under IP laws, Company A will also be able to rely on the rights and remedies
provided under such laws (including cease and desist proceedings, claim for damages
etc.).
Finally, in Germany company A will have rights against Company C to the extent that
Company C has violated either database protection laws, software protection laws or
the relevant German criminal laws which protect data. However if Company C has not
violated any of the laws listed above, Company A will have no claims against Company
C.
As can be seen from these, there is no coherent or clear rule across the EU countries
as to when Company A will have a claim against Company C. Although in most cases
there are circumstances where A will have a claim against Company C, these tend to be
quite limited and highly variable in their scope.
(b) Ownership in data
When asked if they would be in favour of introducing legislation which regulates data
ownership, our colleagues in the majority of the countries were not in favour of this. As
mentioned above, the majority opinion is that contract law can adequately address
issues in relation to ownership of data. Concerns were voiced that any legislation in this
area may hinder the movement of data and thus, if introduced, should be quite light
touch so as not to stifle the data economy
Spain commented that some rules or guidance, or at least a clear definition of who is
the owner of data and the rights that may be granted to the data owner, would be
useful. However they also commented that these laws should only apply where the
parties have not specifically dealt with data ownership issues in the contract.
Germany was of the view that laws in relation to the ownership of data would accelerate
monopolisation of data and cause more complications. They considered that contract
law is sufficient.
96
Belgium commented that the companies in different sectors would benefit from more
legal certainty in this area, but not necessarily from the introduction of legislation on
data ownership. Over time, it might well be the case that a more coherent set of
commonly agreed provisions emerges, but this is something which will take time.
Our colleagues in the Netherlands were strongly against the introduction of laws on
ownership as they commented it would be extremely difficult to identify the original
owner of the data and legislation may lead to unworkable situations. Again, they felt
data ownership can successfully be dealt with in contracts.
(c) Access to data
Our questionnaire asked for information on national laws which allow a commercial
entity or individual to gain access to data held by another unrelated person or
commercial entity.
In Germany, there are laws which allow access but only in very specific situations for
example, a dominant market player might be obliged (after a finding of abusive conduct)
to grant access to data to competitors. However, until now, this is only a theoretical
situation and has never been applied in court. The applicable standards result from the
corresponding jurisdiction of the CJEU. This observation of course applies equally in all
EU Member States.
Under Belgian, as under UK data protection and healthcare laws, an individual has the
right to gain access to any personal data pertaining to him/her, held by a company or
other individual. Belgium also referred to the FRAND licensing principles and suggested
that these could apply in certain situations/under certain circumstances.
Italy referred to competition law and also laws enabling access to every kind of
document held by public bodies (i.e. the documentation filed by a competitor during a
public tender), but no other form of access provision.
Spain identified laws governing those publicly managed registries such as the
Commercial Registry or Immovable Assets Registry. However they noted that those
registries may ask the individual or entity to demonstrate that they have a legitimate
interest in obtaining such data. They further noted that restrictions regarding the
massive access or economic exploitation of such data would be applicable.
Under Dutch data protection and healthcare laws, an individual has the right to gain
access to any personal data pertaining to him/her, held by a company or other
individual.
France also flagged that although the French judicial system does not provide for a
discovery process in litigation, it should be noted that Article 145 of the Code of Civil
Procedure ("Code de procédure civil") allows a plaintiff to obtain under certain
conditions an injunction, including ex parte, before the start of a dispute, to get specific
97
documents or evidence upon which the resolution of the dispute may depend.
Considering the potential dangerous effects of such a measure on competition, French
courts frame it strictly. Litigation in the English courts likewise, but rather more
commonly in practice, can lead to one company gaining access to any form of
information held by the other provided that it is necessary for the resolution of the
dispute. However, the English courts routinely craft confidentiality arrangements to
ensure that neither party can take commercial advantage of any data so disclosed.
Thus, the regimes in relation to access to data are limited everywhere, and almost non-
existent where data other than personal data is concerned, but not consistent across
the various member states.
In relation to the introduction to new laws on access to data, Italy strongly felt that a
statutory right to access data for legitimate reasons should be introduced in light of
transparency principles. Again however it was commented that the monopolisation of
data could hinder innovation and limit the positive effects of free competition. Our
German colleagues suggested an approach based on the rules established in the CJEU
IMS Health decision on data, whereby commercial entities might be granted access to
data in return for payment if they prove that they will develop innovative products with
such data (although in reality this might be a complicated provision to introduce). On
the other hand a statutory right to be granted access to data may, in relation to certain
data, foster new or upcoming economics/business (an example being given in the
automotive sector, allowing for alternative parts and repair services , etc.).
4.9 Responses to the study questions: national laws
In the light of the discussion above, we respond to the survey questions with respect to the
national laws as follows:
(A) What is the current EU legal regime defining what rights linked to data exist, how they
can be exercised and by whom, in particular in a commercial context? What rights are
defined in legislation for third parties wanting to access data held by a commercial
entity?
This question is addressed in the discussion of the EU acquis above.
(B) Are there inconsistencies in sector-specific rules that would make it difficult for business
to develop or improve products or services based on data?
The results of our survey of the national laws indicated that at a national law level there
are not yet sector specific laws on data. In the majority of the countries surveyed, the
applicable laws were those which enacted pursuant to EU legislation, i.e. copyright and
database sui generis rights.
(C) Is there legislation on rights to data at Member State level which may be difficult to
reconcile with commercial arrangements involving actors in different Member States?
98
As there is limited legislation in relation to rights to data across most of the member
states surveyed, we do not think the situation is likely to arise often whereby the
legislation is difficult to reconcile with commercial arrangements. The exception to this
however, is that it is foreseeable that issues may occur due to Spanish law recognising
data as a property right whereas the other member states surveyed do not. It is possible
that a complex situation could arise whereby an entity believes it 'owns' the data due to
Spanish law principles, and believes any issues would be dealt with under Spanish law
(conflict of laws rules normally state that conflicts in relation to property will be litigated
under the laws of wherever the property is located). However, as other member states
do not recognise this right, and data is not intrinsically located in any physical
jurisdiction, it would be very difficult to establish under which country's laws any dispute
would need to be dealt with. This discrepancy in Spanish laws could also lead to
situations whereby a company purports to say it owns data because for example, it has
a subsidiary in Spain that is holding the data. However due to a lack of legislation, it is
not clear whether the owner of the data would be the person storing it, the person who
generated it, the person who owns the sensors which are capturing it.
(D) What is the role of competition law with respect to access and usage of data?
See section 3.2(d) above.
(E) What aspects are not covered at all by legal instruments?
Data ownership is not explicitly dealt with in any of the legal instruments at national
level. Although Spain may (when the question comes to be tested in the courts)
recognise data as a property right, the expectation of this outcome stems from the
ownership concept under Roman Law as opposed to any specific legislation.
Some of the member states have criminal law provisions which protect data to an extent
which arguably gives equivalent rights to those held by an owner of property, but do not
govern ownership of data in the strict legal sense.
(F) Can contractual arrangements provide an efficient legal framework for managing rights
attached to data, including on exclusivity, exchange, exploitation or access to data?
What elements are missing in legislation for contracts to perform this function – if any?
From our research we conclude that currently contractual arrangements can provide an
efficient legal framework for managing rights attached to data. Many of our colleagues
are comfortable that contractual provisions can effectively take account of any issues
arising
However we would query whether some of the drafting currently being incorporated into
contracts deals with the issues as comprehensively as possible. We note that some of
the example clauses we were given assumed ownership in data. This common
misconception is one which may lead to issues. However this is only something which
will truly come to fruition once one of these clauses is tested in the courts. This is not
necessarily something which could or should be remedied by the introduction of laws. It
is indicative that these issues are not yet are in the forefront of business' concerns. So
far as we have been able to establish, no clause asserting ownership in relation to data
99
has been litigated to date so their effects remain open to question until such time arises
(if indeed it ever does).
5. Identified issues
From a practice perspective, the primary issue which has emerged from our research is that
despite a growing awareness of the importance of data in a number of industry sectors,
businesses in general are not yet attempting to establish sophisticated data business models
through contract. The exception appears to be the United Kingdom, where the tradition of
contractual drafting to cover every foreseeable eventuality has probably driven a more thorough
treatment of data matters at an earlier stage in market development. This is not to say that the
complex contractual handling of English law contracts is necessarily more likely to establish
appropriate relationships between data holders and users; rather, at this stage more alternative
models are being tried. Until some of these contractual arrangements are tested in court, there
is no useful guidance for practitioners to draw upon in creating the next draft.
The principal issue with respect to the legislative framework is that an assumption is widely
made that data are subject to property rights akin to intellectual property. This assumption is
flawed save in respect of Spanish law, where Roman law principles will uphold property rights
over data, although always subject to specific circumstances of the case. This is not to say that
the concept of ownership under Spanish law does not need to be enhanced and adapted to the
reality of data ownership in the current economic context. In some cases the terms 'owner' or
'ownership' are used in a contractual context in full awareness (on the part of the lawyers) that a
metaphorical rather than a literal meaning is intended. However simply the fact that the terms
are in use is likely to lead less well advised businesses to believe that property rights apply, as
seen in the English decision in Your Response v Datateam (section 4.2(a) above) where a data
bureau attempted to enforce a lien over its customer's data in order to secure payment. The
lien was denied by the courts entirely as a result of the absence of any property right in the data
itself. The decision was received with shock by many in the commercial legal community.
In consequence:
Spanish businesses licensing their data across borders are likely to expect to be
able to enforce using property rights as much as contractual remedies, and may
therefore not incorporate sufficient contractual protections into their licences; and
Smaller or less well informed businesses contracting to give or obtain access to
data may agree inappropriate terms.
There is no general agreement among practitioners whether statutory laws on data (e.g., an IP-
right) should be introduced or not. The lack of a statutory framework grants the freedom to
address the exploitation of data by flexible contracts. However, it is unclear which clauses are
actually needed. No best practice has yet evolved because the trading of data as such only
occurs to a limited extent.
We have not been able to find any economic analysis on the likely impact of statutory laws on
data on the European economy. In particular there seems to be no reliable research as to who
should be the owner of data and what such an allocation of data would mean for a data
economy. There is an intensive discussion about the introduction of statutory rights in data
100
among legal academics in Germany. But the question of how exactly the introduction of a
statutory right in data will affect the economy is not the focus of the discussion. Furthermore,
the specific form of a right in data has not yet been discussed. We are under the impression
that European businesses are also uncertain about the impacts of a right in data. We have
advised a major German company on possible ways to address data ownership and even within
the same company there were quite different views as to whether a right in data is sensible or
not. In conclusion it seems to be rather unclear what the economic effects of a statutory right in
data would be. This finding also affects the legal analysis because for most jurisdictions it is
(relatively) clear that no right in data as such exists but whether such a right should be
introduced largely depends on its likely economic effects.
6. Suggestions and recommendations
In the emergent state of practices for handling data, and in view of the as-yet untested
effectiveness of the Trade Secrets Directive (once implemented) for managing rights in data
within and across borders, it appears to be premature to attempt to identify aspects of the legal
framework which could be supplemented with further legislation.
In our view it is essential to assess the economic impact of a right in data in detail before
considering further legislation. Currently there seems to be no reliable understanding as to the
effects a right in data might have.
In the interim before commercial issues emerge, guidance from a competition law perspective
could well be useful in promoting legal certainty, as could model contract clauses for use in
particular sectors or markets.
101
Annex 1 Table of existing and proposed European Directives and Regulations in relation
to data
No Legislation Objectives and operative provisions Sector(s)
General application instruments
1. Directive 2001/29/EC of the European
Parliament and of the Council of 22
May 2001 on the harmonisation of
certain aspects of copyright and
related rights in the information society
InfoSoc Directive: this Directive sets a minimum
standard of protection for copyright works and
introduces two new acts which the owner of
copyright in a work can restrict, those of
communication to the public (electronically) and
making available (again electronically) on
demand. So far as relevant to data, the
provisions are:
Article 2: Reproduction right
Member States shall provide for the exclusive
right to authorise or prohibit direct or indirect,
temporary or permanent reproduction by any
means and in any form, in whole or in part:
(a) for authors, of their works;
(b) for performers, of fixations of their
performances;
(c) for phonogram producers, of their
phonograms;
(d) for the producers of the first fixations of films,
in respect of the original and copies of their
films;
(e) for broadcasting organisations, of fixations of
their broadcasts, whether those broadcasts are
transmitted by wire or over the air, including by
cable or satellite.
Article 3: Right of communication to the public of
works and right of making available to the public
other subject-matter
1. Member States shall provide authors with the
exclusive right to authorise or prohibit any
communication to the public of their works, by
wire or wireless means, including the making
102
No Legislation Objectives and operative provisions Sector(s)
available to the public of their works in such a
way that members of the public may access
them from a place and at a time individually
chosen by them.
Article 4: Distribution right
Member States shall provide for
authors, in respect of the original of
their works or of copies thereof, the
exclusive right to authorise or prohibit
any form of distribution to the public
by sale or otherwise.
2. Directive 96/9/EC of the European
Parliament and of the Council of 11
March 1996 on the legal protection of
databases
Database Directive: aimed to ensure that the
maker of an original database can control third
parties' access to and use of the data, by
stimulating development of data storage and
processing systems.
For the purposes of this Directive, 'database`
shall mean a collection of independent works,
data or other materials arranged in a systematic
or methodical way and individually accessible by
electronic or other means.
Article 7 introduces the sui generis database
right: Object of protection
1. Member States shall provide for a right for the
maker of a database which shows that there has
been qualitatively and/or quantitatively a
substantial investment in either the obtaining,
verification or presentation of the contents to
prevent extraction and/or re-utilization of the
whole or of a substantial part, evaluated
qualitatively and/or quantitatively, of the contents
of that database.
This potentially creates a form of ownership over
data, but has proved in practice to confer
protection limited to pre-existing data which
originates from third parties and so has been the
subject of investment to "obtain, verify or
present" the data. Data which arises in the
course of a company's own activities such as
103
No Legislation Objectives and operative provisions Sector(s)
operating machinery, developing and selling
products, is unlikely to be protected since the
investment made is in those activities rather
than in verifying or presenting the data arising.
3. Directive (EU) 2016/943 of the
European Parliament and of the
Council of 8 June 2016 on the
protection of undisclosed know-how
and business information (trade
secrets) against their unlawful
acquisition, use and disclosure
Trade Secrets Directive: aims to harmonise the
currently disparate laws of the Member States
as regards commercial confidential information.
Article 2 provides that: ‘trade secret’ means
information which meets all of the following
requirements:
(a) it is secret in the sense that it is not, as a
body or in the precise configuration and
assembly of its components, generally known
among or readily accessible to persons within
the circles that normally deal with the kind of
information in question;
(b) it has commercial value because it is secret;
(c) it has been subject to reasonable steps
under the circumstances, by the person lawfully
in control of the information, to keep it secret;
(2) ‘trade secret holder’ means any natural or
legal person lawfully controlling a trade secret;
(3) ‘infringer’ means any natural or legal person
who has unlawfully acquired, used or disclosed
a trade secret;
(4) ‘infringing goods’ means goods, the design,
characteristics, functioning, production process
or marketing of which significantly benefits from
trade secrets unlawfully acquired, used or
disclosed.
4. Directive 2011/83/EU of the European
Parliament and of the Council of 25
October 2011 on consumer rights,
amending Council Directive 93/13/EEC
and Directive 1999/44/EC of the
European Parliament and of the
Council and repealing Council
Consumer Rights Directive: aims to provide
consumers with a high common level of
protection, and in particular harmonise
regulatory aspects as regards transactions at a
distance, including online and across borders.
104
No Legislation Objectives and operative provisions Sector(s)
Directive 85/577/EEC and Directive
97/7/EC of the European Parliament
and of the Council
Regulatory
5. Regulation (EU) 2016/679 of the
European Parliament and of the
Council of 27 April 2016 on the
protection of natural persons with
regard to the processing of personal
data and on the free movement of
such data, and repealing Directive
95/46/EC
General Data Protection Regulation: aims to
ensure a high standard of protection for personal
data.
Substantially restrains business' ability to collect
and exploit large databases of consumer data
without freely given, express, specific, informed
consent. Introduces a modified portability right
(Article 15), the "right of access and to obtain
data for the data subject". Where personal data
is processed by electronic means, a data subject
has the right to obtain a copy of their personal
data in a "commonly used", "electronic and
interoperable" format without hindrance from the
data controller. However the controller need
only transfer the data direct to the other
controller where such a transfer is "technically
feasible and available"
Sector-specific instruments
6. Regulation (EC) No 1107/2009 of the
European Parliament and of the
Council of 21 October 2009 concerning
the placing of plant protection products
on the market and repealing Council
Directives 79/117/EEC and
91/414/EEC
Plant Protection Products Regulation: contains
data submission requirements and access
provisions equivalent to the Medicinal Products
Directive, in respect of pesticides.
Agrichemicals
7. Council Directive 2004/82/EC of 29
April 2004 on the obligation of carriers
to communicate passenger data and
Directive (EU) 2016/681 of the
European Parliament and of the
Council of 27 April 2016 on the use of
passenger name record (PNR) data for
the prevention, detection, investigation
and prosecution of terrorist offences
Advance Passenger Information Directive: aims
to enhance security and immigration control by
identifying in advance all persons who will be
entering the EU through an external border
crossing.
Passenger Name Record Directive: establishes
a system for analysis of further air passenger
data including complete itinerary for the
prevention of serious crime and terrorism.
Air transport
105
No Legislation Objectives and operative provisions Sector(s)
and serious crime Requires air carriers to transmit a specified list
of details about each passenger to the border
entry point before check-in is completed.
Member States must then communicate PNR
data amongst their respective Passenger
Information Units. No provision enabling any
other commercial entity to access the data,
though Europol is entitled to access data
collected under the PNR Directive.
8. Regulation (EC) No 715/2007 of the
European Parliament and of the
Council of 20 June 2007 on type
approval of motor vehicles with respect
to emissions from light passenger and
commercial vehicles (Euro 5 and Euro
6) and on access to vehicle repair and
maintenance information (as
amended)
Vehicle Emissions Regulations: regulates levels
of pollutants for most vehicle types, including
cars, lorries, trains, tractors and similar
machinery, but also aims to ensure competition
in the market for car maintenance services and
spare parts.
The Regulation stipulates that manufacturers
must provide unrestricted and standardised
access for independent operators to all
information required for diagnosis, servicing,
inspection, periodic monitoring, repair, re-
programming or re-initialising of the vehicle and
which the manufacturers provide for their
authorised dealers and repairers, including all
subsequent amendments and supplements to
such information. This information includes:
(a) an unequivocal vehicle identification;
(b) service handbooks;
(c) technical manuals;
(d) component and diagnosis information (such
as minimum and maximum theoretical values for
measurements);
(e) wiring diagrams;
(f) diagnostic trouble codes (including
manufacturer specific codes);
(g) the software calibration identification number
applicable to a vehicle type;
Automotive
106
No Legislation Objectives and operative provisions Sector(s)
(h) information provided concerning, and
delivered by means of, proprietary tools and
equipment; and
(i) data record information and two-directional
monitoring and test data.
Manufacturers may change reasonable and
proportionate fees for access to vehicle repair
and maintenance information; a fee is not
reasonable or proportionate if it discourages
access by failing to take into account the extent
to which the independent operator uses it.
Daily, monthly, and yearly fees must be offered,
the amount varying in accordance with the
respective periods of time for which access is
granted.
9. Directive 1999/94/EC of the European
Parliament and of the Council of 13
December 1999 relating to the
availability of consumer information on
fuel economy and CO2 emissions in
respect of the marketing of new
passenger cars; complementary
measure requires car manufacturers to
meet specific CO2 emission targets set
under Regulation (EC) 443/2009 .
Parallel legislation deals with
emissions targets for other categories
of vehicle.
Car Labelling Directive: aims to raise consumer
awareness on fuel use and CO2 emission of
new passenger cars, intending to give them an
incentive to purchase or lease cars which use
less fuel and thereby emit less CO2. In turn it
should provide an additional incentive to
encourage manufacturers to take steps to
reduce the fuel consumption of new cars.
No requirement to provide information as to the
technologies used to meet the emissions
standards and from this perspective may in
future be limited further since it has been
concluded that consumers respond less well to
provision of detailed technical information than
to 'traffic light' or A-E grading type systems.
Automotive
10. Regulation (EC) No 1907/2006 of the
European Parliament and of the
Council on the Registration,
Evaluation, Authorisation and
Restriction of Chemicals
REACH: contains data submission requirements
as regards any material not covered by the
Medicinal Products and Plant Protection
Products regimes.
Data submitted to the European Chemicals
Agency under REACH is subject to the
Transparency Directive (1049/2001) but REACH
acknowledges that details may be commercially
confidential and therefore disclosure may be
withheld, subject to exceptions such as
Chemicals
107
No Legislation Objectives and operative provisions Sector(s)
emergency situations where human health,
safety or the environment is threatened. There
are multiple routes for businesses to form
interest groups in order to compile the
necessary data and complex provisions over
data sharing; the Board of Appeal of ECHA has
recently issued its first decision in a dispute over
data sharing arrangements.
11. Directive 2014/65/EU on markets in
financial instruments repealing
Directive 2004/39/EC and Regulation
(EU) No 600/2014 on Markets in
Financial Instruments
MiFID II and MiFIR: aim to ensure price
transparency in financial markets.
Relevant to businesses which depend upon
financial data. Requires trading venues to offer
disaggregated pre- and post-contract data for all
securities trades on a reasonable commercial
basis, in order to prevent monopolistic market
positions arising through exclusive control of
financial market data.
Financial
services
12. Directive 2009/138/EC of the
European Parliament and of the
Council of 25 November 2009 on the
taking-up and pursuit of the business
of Insurance and Reinsurance
Solvency II Directive: aims to harmonise the
internal market for insurance through applying
consistent rules on capital and imposing
disclosure requirements to enable supervisory
authorities to verify compliance.
It requires insurance and reinsurance
undertakings to disclose publicly, on an annual
basis, a report on their solvency and financial
condition including
a description, separately for each
category of risk, of the risk exposure,
concentration, mitigation and sensitivity;
a description, separately for assets,
technical provisions, and other liabilities,
of the bases and methods used for their
valuation, together with an explanation
of any major differences in the bases
and methods used for their valuation in
financial statements;
a description of the capital
management, including at least the
Financial
services
108
No Legislation Objectives and operative provisions Sector(s)
following:
(i) the structure and amount of own funds, and
their quality;
(ii) the amounts of the Solvency Capital
Requirement and of the Minimum Capital
Requirement;
(iii) the option set out in Article 304 used for the
calculation of the Solvency Capital Requirement;
(iv) information allowing a proper
understanding of the main differences between
the underlying assumptions of the standard
formula and those of any internal model used by
the undertaking for the calculation of its
Solvency Capital Requirement;
(v) the amount of any non-compliance with the
Minimum Capital Requirement or any significant
non-compliance with the Solvency Capital
Requirement during the reporting period, even if
subsequently resolved, with an explanation of its
origin and consequences as well as any
remedial measures taken
13. Regulation (EU) No 1169/2011 of the
European Parliament and of the
Council of 25 October 2011 on the
provision of food information to
consumers, amending Regulations
(EC) No 1924/2006 and (EC)
No 1925/2006 of the European
Parliament and of the Council, and
repealing Commission Directive
87/250/EEC, Council Directive
90/496/EEC, Commission Directive
1999/10/EC, Directive 2000/13/EC of
the European Parliament and of the
Council, Commission Directives
2002/67/EC and 2008/5/EC and
Commission Regulation (EC)
No 608/2004
Food Information to Consumers Regulation:
aims to improve the information provided to
consumers so that they are able to make
informed choices about the food they buy.
Applies to all packaged foods above 5g weight
or 5ml, and includes a list of ingredients and any
necessary warnings. But no requirement to
provide process or other information; limited
value to other commercial entities.
Food
109
No Legislation Objectives and operative provisions Sector(s)
14. Directive 2009/24/EC of the European
Parliament and of the Council of 23
April 2009 on the legal protection of
computer programs (Codified version)
Software Directive: aimed to harmonise laws
relating to the protection of software and in
particular the right to create interoperable
products.
Relevant to access and ownership of data
insofar as the data is held in a database forming
part of a larger software product. Unlikely to
permit third parties to extract the data itself from
the software unless it can be shown that this is
necessary to create an interoperable product,
which is rarely the case (as opposed to matters
such as file formats which may be needed to
enable other products to communicate with the
application).
Information
society
15. Directive 2006/24/EC of the European
Parliament and of the Council of 15
March 2006 on the retention of data
generated or processed in connection
with the provision of publicly available
electronic communications services or
of public communications networks
and amending Directive 2002/58/EC
Data Retention Directive: aims to assist crime
prevention and anti-terrorism by requiring
communications companies to capture and
retain for a specified period various categories of
metadata relating to electronic communications.
Annulled by the Court of Justice in 2014 but we
assume some replacement instrument may in
time be re-enacted.
Information
society
16. Directive 2002/58/EC of the European
Parliament and of the Council of 12
July 2002 concerning the processing of
personal data and the protection of
privacy in the electronic
communications sector (as amended)
Directive on privacy and electronic
communications: aims to ensure that electronic
communications are secure from interception
and that individuals' and business' right to
privacy in the electronic communication sector is
respected while maintaining free movement of
data, communication equipment and services.
Limits business' ability to maintain databases of
customer details for general marketing
purposes; consents in the form of opt-ins are
needed for specific uses of the data.
Information
society
17. Directive 2000/31/EC of the European
Parliament and of the Council of 8
June 2000 on certain legal aspects of
information society services, in
particular electronic commerce, in the
Internal Market
E-Commerce Directive: this Directive addresses
the relationship between the providers of digital
content (normally copyright owners), the
intermediaries who enable users to access that
content, and the users themselves.
Information
society
110
No Legislation Objectives and operative provisions Sector(s)
18. Proposal for a Directive on certain
aspects concerning contracts for the
supply of digital content
Draft Digital Content Directive: aims to give
consumers of digital content better rights with
respect to defective products.
The Directive arguably represents a step
towards elevating the status of data to that of
other forms of value since it covers digital
content supplied not only for a monetary
payment but also in exchange for (personal and
other) data provided by consumers, except
where the data have been collected for the sole
purpose of meeting legal requirements, which is
a very narrow exemption.
There is no concept of proportionality, so if any
data is provided (regardless of volume or value)
the rights and remedies will apply. This is at
odds with the provisions relating to payment in
the CRA, which is a flexible and proportionate
test i.e. the greater the payment, the higher the
expected quality of the content and vice versa.
On termination of the contract, the trader must
stop using the data; and provide the consumer
with technical means to retrieve “all content
provided by the consumer and any other data
produced or generated through the consumer's
use of the digital content to the extent that data
has been retained by the supplier. The
consumer shall be entitled to retrieve the content
free of charge, without significant inconvenience,
in reasonable time and in a commonly used data
format".
Information
society,
19. Directive 2001/83/EC of the European
Parliament and of the Council of 6
November 2001 on the Community
code relating to medicinal products for
human use
Medicinal Products Directive: aims to ensure
that medicines marketed in the EU meet
appropriate standards of quality, safety and
efficacy.
To that end requires applicants for marketing
authorisations to provide comprehensive pre-
clinical and clinical data arising from tests
conducted on the product at all stages of
development. Once a product has been granted
marketing authorisation third parties can access
the majority of the data on the competent
authority's file, although reliance on such data
Pharmaceutica
ls
111
No Legislation Objectives and operative provisions Sector(s)
for the purpose of obtaining marketing
authorisation for a competing product is subject
to a prolonged "data exclusivity" period,
reflecting the cost of investing in the necessary
tests and trials.
20. Directive 2010/30/EU of the European
Parliament and of the Council of 19
May 2010 on the indication by labelling
and standard product information of
the consumption of energy and other
resources by energy-related products
Energy Labelling Directive: mandates energy
efficiency information being provided on various
consumer products to enable consumers to
choose energy efficient products.
Now offers less useful information than it did
when first introduced since most products now
on the market are in the highest efficiency
category, so a proposal is under consideration to
redefine the efficiency categories. However, no
information is provided about how the efficiency
is achieved; this Directive therefore does not
grant competitors meaningful access to product
data.
Smart home;
energy
21. Directive 2012/27/EU of the European
Parliament and of the Council of 25
October 2012 on energy efficiency
Energy Efficiency Directive 2012: aims to assist
in overall energy security by, among other
things, empowering consumers to manage their
energy usage accurately according to cost and
source.
Does not mandate installation of smart meters
but where these are rolled out requires them to
make available to consumers (individual or
business) metering data on their electricity input
and off-take in an easily understandable format
that they can use to compare deals on a like-for-
like basis, and independently of whether smart
meters have been installed or not, Member
States must require that, to the extent that
information on the energy billing and historical
consumption of final customers is available, it is
made available to an energy service provider
designated by the final customer.
Smart home;
energy
22. Directive 2010/40/EU of the European
Parliament and of the Council of 7 July
2010 on the framework for the
deployment of Intelligent Transport
Systems in the field of road transport
and for interfaces with other modes of
Intelligent Transport Systems Directive 2010
aims to address the compatibility,
interoperability and continuity of ITS solutions
across the EU with the first priorities will be
traffic and travel information, the eCall
Automotive
112
No Legislation Objectives and operative provisions Sector(s)
transport emergency system and intelligent truck parking.
The directive sets out certain priority
areas/actions which mainly relate to the
availability to ITS service providers of traffic and
road data collected by public authorities and/or
the private sector, facilitating the electronic data
exchange between public authorities and ITS
service providers, etc. Again there are no
provisions in relation to data access/ownership
but there is a strong emphasis on the sharing of
data with the ITS (and also ensuring the data
privacy legislation is complied with).
23. Directive 2009/73/EC of the European
Parliament and of the Council of 13
July 2009 concerning common rules
for the internal market in natural gas
Directive on common rules for internal market in
natural gas: aims to open up the natural gas
market and make market more transparent for
consumers.
The directive refers to customers having access
to object and transparent consumption data. It
states that consumers should have the right to
be properly informed about their energy
consumption. Member states are put under an
obligation to ensure customers receive all
relevant consumption data and to contribute to
the compatibility of necessary data exchange
processes for customer switching
Article 45 which relates to retail markets states:
“In order to facilitate the emergence of well-
functioning and transparent retail markets in the
Community, Member States shall ensure that
the roles and responsibilities of transmission
system operators, distribution system operators,
supply undertakings and customers and if
necessary other market parties are defined with
respect to contractual arrangements,
commitment to customers, data exchange and
settlement rules, data ownership and metering
responsibility”
Further consumers are to be given the right to:
“have at their disposal their consumption data,
Energy
113
No Legislation Objectives and operative provisions Sector(s)
and shall be able to, by explicit agreement and
free of charge, give any registered supply
undertaking access to its metering data. The
party responsible for data management shall be
obliged to give those data to the undertaking.
Member States shall define a format for the data
and a procedure for suppliers and consumers to
have access to the data. No additional costs
shall be charged to the consumer for that
service”
24. Directive 2009/72/EC of the European
Parliament and of the Council of 13
July 2009 concerning common rules
for the internal market in electricity and
repealing Directive 2003/54/EC
NB as above but in relation to electricity Energy
114
Annex 2 – Bibliographies
1.1 Bibliography – EU
European
Commission
Action Plan on e -Health 2012-2020 - innovative
healthcare in the 21st century
https://ec.europa.eu/digital-
single-
market/en/news/ehealth-
action-plan-2012-2020-
innovative-healthcare-21st-
century
European
Commission
EU Commission: Priorities for the digital single market
MMR-Aktuell 2015, 367744
European
Commission
Memo: Making the most of the Data-Driven Economy http://europa.eu/rapid/press-
release_MEMO-14-
455_en.htm
European
Commission
Communication from the Commission to the European
Parliament, the Council, the European Economic and
Social Committee and the Committee of the Regions
Smart Grids: from innovation to deployment
http://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=C
ELEX:52011DC0202&from=E
N
European
Commission
Communication from the Commission to the Council and
the European Parliament on a Draft Roadmap towards
establishing the Common Information Sharing
Environment for the surveillance of the EU maritime
domain
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CE
LEX:52010DC0584&from=en
European
Commission
Strategy for a Digital Single Market for Europe http://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=C
ELEX:52015DC0192&from=E
N
European
Commission
White Paper - Strategy for a Future Chemicals Policy http://www.greenpeace.org.uk/
files/pdfs/migrated/Multimedia
Files/Live/FullReport/5584.pdf
European
Economic and
Social
Committee
Opinion of the European Economic and Social Committee
on the ‘Communication from the Commission to the
European Parliament, the Council, the European
Economic and Social Committee and the Committee of
http://www.eesc.europa.eu/?i=
portal.en.ten-opinions.33384
115
the Regions — Towards a thriving data-driven economy’
1.2 Bibliography - France
P. Berlioz, « Consécration du vol de données informatiques. Peut-on encore douter de la
propriété de l’information ? », Revue des contrats, December 1, 2015 - n° 04- p. 951
A. Mendoza-Caminade, « La protection pénale des biens incorporels de l’entreprise : vers
l’achèvement de la dématérialisation du délit », Recueil Dalloz 2015 p.415
C. Castets-Renard, « Les opportunités et risques pour les utilisateurs dans l’ouverture des
données de santé : big data et open data », Revue Lamy de l’Immatériel, 2014, 108,
Supplément
M. Bourgois, A. Bounedjoum, « Questions l’émergence de la valeur Data, un actif à protéger »,
La semaine juridique Entreprise et affaires n°28, July 9 2015, 575, 3
A. Bensoussan, « Propriété des données et protection des fichiers », Gazette du Palais –
October 23, 2010 - n° 296 – p. 2
I. Beynex, « Le traitement des données personnelles par les entreprises: big data et vie privée,
état des lieux », La semaine juridique Edition générale n°046-47, November 9 2015, doc.1260
M. Malaurie-Vignal, « Les valeurs immatérielles et virtuelles de l’entreprise, entre protection et
liberté », Receuil Dalloz 2013 p.1919
F. Belot, « Pour une meilleure protection des valeurs économiques », Petites affiches –
December 6, 2006 - n° 243 – p. 6
M. Malaurie-Vignal, « Les valeurs immatérielles et virtuelles de l’entreprise, entre protection et
liberté », Receuil Dalloz 2013 p.1919
A. Bensamoun and C. Zolynski, « Big data et privacy: comment concilier nouveaux modèles
d'affaires et droits des utilisateurs? », Petites affiches – August 18, 2014 - No164, p.8,
P. De Filippi, D. Bourcier, « La double face de l'Open Data », Petites affiches – October 10,
2013 - No203, p.6,
M. Vivant, « La privation de l’information par la propriété intellectuelle », Revue Internationale
de Droit Economique, 2006
A. R. Bertrand, « Informations, données, bases de données », Dalloz 2010, Chapter 201
French Institute of Intellectual Property, « La propriété Intellectuelle & la transformation
numérique de l’économie », Regards d’experts
116
A. Bensamoun and C. Zolynski, “Big data et privacy: comment concilier nouveaux modèles
d'affaires et droits des utilisateurs?”, Petites affiches – August 18, 2014 - No164, p.8
G. Seligmann, « Cloud computing, big data : nouveaux risques, nouvelles réponses »,
Expertises 2013, p. 329
F. Eon, « Objet connectés: comment protéger les données de santé? », Revue Lamy droit de
l’immatériel – 2016
T. Saint-Aubin, « Les nouveaux enjeux juridiques des données (Big Data, web sémantique et
linked data), les droits de l’opérateur de données sur son patrimoine numérique informationnel
», Revue Lamy Droit de l’Immatériel, No102, March 2014, p. 94 and seq.
T. Pénard, « Cette régulation doit-elle relever du droit commun de la concurrence ou faire l'objet
de régulation spécifique ?», N. Lenoir, « Le droit de la concurrence confrontée à l’économie du
Big Data », AJ Contrats d’affaires – Concurrence – Distribution 2016 p.66
C. Noiville, E. Supiot, « Big pharma, big data et recherche génétique en santé », Revue des
contrats – June 15, 2015 – No 02 – p. 352
J.-L. Silicani, « Le numérique est au centre d’une quadruple révolution technique, sociétale,
économique mais aussi juridique », Energie – Environnement – Infrastructures n°6, 2015 June,
étude 11
A. Mendoza-Caminade, « Big data et données de santé : quelles régulations juridiques ? »,
Revue droit de l’immatériel, 2016 127
117
1.3 Bibliography – Germany
Data “Ownership” – Academic Discussion
Author Title Convenience Translation Reference
Arkenau /
Wübbelmann
Eigentum und Recht an Daten – Wem gehören die Daten
Property and rights to data - Who owns
the data
DSRI 2015, 95
Bartsch Computerviren und Produkthaftung
Computer viruses and Product Liability
CR 2000, 721
Bartsch Daten als Rechtsgut nach § 823 Abs. 1 BGB Data as a legally protected right as per
Art. 823 Abs. 1 BGB
Grützmacher (Hrsg), Recht der
Daten und Datenbanken im
Unternehmen, 2014, S. 297
Beer Ein zentraler Ort für alle meine Daten
A central location for all my data http://www.zeit.de/politik/deutschlan
d/2015-04/fdp-digitalisierung-
datenschutz-nicola-beer
Beucher Data Ownership: Wem gehört das neue Gold? Data Ownership: Who owns the new
gold?
Markenartikel 2015, Heft 4, 74-76
Bräutigam Das Nutzungsverhältnis bei sozialen Netzwerken - Zivilrechtlicher Austausch von IT-Leistung gegen personenbezogene Daten
The utilization ratio in social networks -
Civil Legal exchanging IT performance
against personal data
MMR 2012, 635
Buchner Der Charakter des Rechts auf Informationelle Selbstbestimmung The nature of the right to information
self-determination
Informationelle Selbstbestimmung
im Privatrecht, 2006, S. 203-230
Buchner Der Einwand der Kommerzialisierung
The objection of commercialization
Informationelle Selbstbestimmung
im Privatrecht, 2006, S. 203-230
Buchner Der Fokus des amerikanischen Rechts auf die staatliche Datenverarbeitung The focus of American law on state
data processing
Informationelle Selbstbestimmung
im Privatrecht, 2006, S. 7-25
Buchner Die Einräumung von Datennutzungsrechten The granting of rights of use data Informationelle Selbstbestimmung
im Privatrecht, 2006, S. 276-298
118
Author Title Convenience Translation Reference
Buchner Wissen ist Macht? – Zum Verhältnis zwischen Datenschutz und Wettbewerb Knowledge is power? - The
relationship between data protection
and competition law
DuD 2008, 724-728
Bultmann Aussonderung von Daten in der Insolvenz
Segregation of data in the insolvency ZinsO 2011, 992
Czarnetzki /
Röder
Data and claims of surrender in insolvency Data claims for surrender in insolvency Grützmacher (Hrsg), Recht der
Daten und Datenbanken im
Unternehmen, 2014, S. 332
DGRI Entwurf eines Gesetzes zur Strafbarkeit der Datenhehlerei
Hier: Stellungnahme der Deutschen Gesellschaft für Recht und Informatik e.V.; Juni 2015
Draft Law on the criminal availability of
data receiving stolen goods
Here : Opinion of the German Society
for Law and computer science E.V .;
June 2015
http://www.dgri.de/index.php/fuseac
tion/download/lrn_file/150602_stellu
ngnahme-datenhehlerei-
fachausschuss-strafrecht.pdf
Di Martino Datenschutz im europäischen Recht
Privacy in European law Datenschutz im europäischen
Recht, 1. Auflage 2005, S. 47ff.
Dorner Big Data und „Dateneigentum“
Big Data and data ownership CR 2014, 617
Faustmann Der deliktische Datenschutz
The tort Privacy VuR 2006, 260
Federal
Government of
Germany
Stellungnahme der Bundesregierung der Bundesrepublik Deutschland zur „Strategie für einen digitalen Binnenmarkt für Europa“ der Europäischen Kommission
Statement of the Federal Government
of the Federal Republic of Germany to
the " Strategy for a Digital Single
Market for Europe " of the European
Commission
https://www.bmwi.de/BMWi/Redakti
on/PDF/S-T/stellungnahme-
bundesregierung-zur-strategie-
digitalen-binnenmarkt-
europa,property=pdf,bereich=bmwi
2012,sprache=de,rwb=true.pd
Fritzsche BeckOK BGB, § 903 Rn. 10
BeckOK BGB, Art. 903 Civil Code
point 10
Gallwas Der allgemeine Konflikt zwischen dem Recht auf informationelle Selbstbestimmung und der Informationsfreiheit
The general conflict between the right to informational self-determination and freedom of information
NJW 1992, 2785
Ganter Münchener Kommentar zum Insolvenzrecht, Band 1, 3. Auflage 2013
Münchener Kommentar zum Insolvenzrecht, Band 1, 3. Auflage 2013 § 47 Rn. 31 a
Gennen Schutz des Betriebs- und Geschäftsgeheimnisses (mit Schwerpunkt auf Daten und Datenbanken)
Protection of trade- and business
secrets (focusing on data and
Grützmacher (Hrsg), Recht der
Daten und Datenbanken im
119
Author Title Convenience Translation Reference
databases) Unternehmen, 2014, S. 155
Grützmacher Außervertragliche Ansprüche auf Herausgabe von Daten gegenüber Outsourcing-Anbietern
Non-contractual claims for restitution of
data towards outsourcing providers
ITRB 2004, 282
Grützmacher Vertragliche Ansprüche auf Herausgabe von Daten gegenüber Outsourcing-Anbietern
Contractual claims for restitution of
data to outsourcing providers
ITRB 2004, 260
Grützmacher Dateneigentum – ein Flickenteppich
Data ownership – a patchwork rug CR 2016, 485
Hartung Datenschutz und Insolvenzverwaltung
Privacy and insolvency administration ZInsO 2011, 1225
Hoeren Anonymität im Web – Grundfragen und aktuelle Entwicklungen Anonymity on the Web - basic issues
and current developments
ZRP 2010, 251
Hoeren Dateneigentum – Versuch einer Anwendung von § 303a StGB im Zivilrecht Data Ownership - Attempt of an
application of Art. 303a of the Criminal
Code of Civil Law
MMR 2013, 486
Hoeren Der strafrechtliche Schutz von Daten durch § 303a StGB und seine Auswirkungen auf ein Datenverkehrsrecht
The criminal protection of data by
Art. 303a of the Criminal Code and its
effects on the data traffic law
Grützmacher (Hrsg), Recht der
Daten und Datenbanken im
Unternehmen, 2014, S. 303
Hoeren Information als Gegenstand des Rechtsverkehrs Prolegomena zu einer Theorie des Informationsrechts
Information as a subject of legal
relations - Prolegomena to a theory of
information law
MMR-Beil. 1998, 6
Hoeren n/a
n/a Hoeren, Big Data, 1. Auflage 2014,
10-57.
Hoerl Schadensersatz für Datenverlust
Compensation for the loss of data ITRB 2014, 111
Horner Sell Your Data, Datability und „The Economics of Data″: Gibt es Eigentum an Daten?, 4.03.2014
Sell Your Data, Datability und „The
Economics of Data″: Gibt es Eigentum
an Daten?, 4.03.2014
http://www.cmshs-bloggt.de/digital-
business/sell-your-data-datability-
und-the-economics-of-data-gibt-es-
eigentum-an-daten/
Hornung / "Data Ownership" im vernetzten Automobil
"Data Ownership" in connected CR 2015, 265-273
120
Author Title Convenience Translation Reference
Goeble automobile
Janger Privacy Property, Information Costs, and the Anticommens Privacy Property, Information Costs,
and the Anticommens
54 Hastings LJ 899
Jülicher Daten in der Cloud im Insolvenzfall - Ein internationaler Überblick Data in the cloud in case of insolvency
- An international overview
K&R 2015, 448-452
Kauert n/a
n/a In: Wandtke, Medienrecht
Praxishandbuch, 1. Auflage 2008,
S. 634
Kilian Eigentum an personenbezogenen Daten? Ein Denkanstoß von Herrn Prof. em. Dr. Dr. hc. Wolfgang Kilian im Rahmen der Vorlesung Informationsrecht
Ownership of personal data? A
Thought of Prof. em . Dr. Dr. hc .
Wolfgang Kilian within the lecture
Information Law
https://www.uni-muens-
ter.de/Jura.itm/hoeren/eigentum-
an-personenbezoge-nen-daten-ein-
denkanstoss-von-herrn-prof-em-dr-
dr-hc-wolfgang-kilian-im-rahmen-
der-vorlesung-informationsrecht
Kilian Informationelle Selbstbestimmung und Marktprozesse – Zur Notwendigkeit der Modernisierung des Modernisierungsgutachtens zum Datenschutzrecht
Informational self-determination and
market processes – The need for the
modernization of the modernization
report on data protection law
CR 2002, 921
Kilian Personal Data: The Impact of Emerging Trends in the Information Society Personal Data: The impact of
Emerging Trends in the Information
society
Cri 2012, 169
Kilian Strukturwandel der Privatheit
Structural change of privacy Garstka/Coy, Wovon – für wen –
wozu Systemdenken wider die
Diktatur der Daten
Wilhelm Steinmüller zum
Gedächtnis, S. 194 (204 ff.)
http://edoc.hu-
berlin.de/miscellanies/steinmueller-
40657/all/PDF/steinmueller.pdf
Kilian Wie der Staat unsere Daten schützen kann
How the state can protect our data FAZ 14.07.2014
121
Author Title Convenience Translation Reference
Kraus Telematik – wem gehören Fahrzeugdaten
Telematics - who owns the data of
automobiles
DSRI 2014, 377
Krings /
Mammen
Zertifizierung und Verhaltensregeln - Bausteine eines modernen Datenschutzes für die Industrie 4.0
Certification and codes of conduct -
building a modern data protection law
for the industry 4.0
RDV 2015, 231
Ladeur Datenschutz – vom Abwehrrecht zur planerischen Ordnung Data protection - from the right of
defence to a planning order
DuD 2000, 12
Ladeur Die Anpassung des privaten Medienrechts an die „Unterhaltungsöffentlichkeit” The adaptation of the private media
law to the " public entertainment "
NJW 2004, 393
Ladeur Persönlichkeitsschutz und „Comedy” - Das Beispiel der Fälle SAT 1/Stahnke und RTL 2/Schröder
Personality protection and "Comedy " -
The example of cases SAT 1 / Stahnke
and RTL 2 / Schröder
NJW 2000, 1977
Laudon Markets and Privacy
Markets and Privacy Communications of the ACM
September 1996/Vol. 39 No 9 page
92
Meier /
Wehlau
Die zivilrechtliche Haftung für Datenlöschung, Datenverlust und Datenzerstörung
Civil liability for data deletion , data
loss and data destruction
NJW 1998, 1585
Meister Das Schutzgut des Datenrechts
The protected good of data law DuD 1983, 163
Meister Orwell, Recht und Hysterie. Eine –Bemerkung zum informationellen Selbstbestimmungsrecht
Orwell, The right to hysteria. A remark
on the right to informational self-
determination
DuD 1984, 162
Meister Schutz vor Datenschutz?
Protection against data protection DuD 1986, 173
Miller Der Einbruch in die Privatsphäre - Datenbanken und Dossiers The breach in to privacy – databanks
and dossiers
In: Der Einbruch in die Privatsphäre
– Datenbanken und Dossiers, 1.
Vol 1973, p. 254
Moos „Geht nicht“ gibt es nicht: Datennutzung als rechtliche Gestaltungaufgabe “won’t work” does not exist: utilization
of data as a legal design task
K&R Beihefter 3/2015, 12
122
Author Title Convenience Translation Reference
Moos / Arning
/ Schefzig
Daten als Geschäftsmodell – rechtliche Herausforderung und Gestaltungsanforderungen im Übergang zum Datenzeitalter
Data as a business model – legal
challenges and design requirements in
the transition to the data age
K&R Beihefter 3/2015, 2
Peschel /
Rockstroh
Chancen und Risiken neuer daten-basierter Dienste für die Industrie Chances and risks of ne data based
services in the industry
DSRI 2014, 309
Pitschas Informationelle Selbstbestimmung zwischen digitaler Ökonomie und Internet Informational self-determination
between digital economy and internet
DuD 1998, 139
Posner The Right of Privacy
The Right of Privacy Ga. L. Rev. 393 (1978)
Redeker Information als eigenständiges Rechtsgut – Zur Rechtsnatur der Information und dem daraus resultierenden Schutz
Information as an independent legally
protected good – the legal nature of
information and thereof resulting
Protection
CR 2011, 634
Reiners Datenschutz in der Personal Data Economy - Eine Chance für Europa Data protection in Personal Data
Economy – a chance for Europe
ZD 2015, 51
Rogall n/a n/a GA Bd. 132 (1985) p. 1
Rombacher Killer-Viren als Kopierschutz
Killer-viruses as copy protection CR 1990, 101
Roßnagel Fahrzeugdaten – Wer darf über sie entscheiden? Vehicle data – who may decide on
them?
SVR 2014, 281
Roßnagel /
Pfitzmann /
Garstka
Modernisierung des Datenschutzrechts - Gutachten im Auftrag des Bundesministeriums des Innern
Modernisation of data protection law –
report on behalf of the Federal Ministy
of the interior
http://www.bfdi.bund.de/SharedDoc
s/VortraegeUndArbeitspapiere/200
1GutachtenModernisierungDSRech
t.pdf?__blob=publicationFile
Rule / Hunter Towards Property Rights in Personal Data
Towards Property Righty in Personal
Data
In: Bennett/Grant (Hrsg.), Visions of
privacy: Policy choices for the
digital age (1999) 168 ff
Sahl Daten als Basis der digitalen Wirtschaft und Gesellschaft Data as basis of the digital economy
and society
RDV 2015, 236
123
Author Title Convenience Translation Reference
Sahl Gesetz oder kein Gesetz, das ist hier die Frage – zur Notwendigkeit gesetzlicher Regulierung in der Datenökonomie
Legal provision or not, that is the
question - to the need for statutory
regulation in the information economy
PinG 2016, 146
Schefzig Wem gehört das neue Öl? – Die Sicherung der Rechte an Daten Who owns the new oil? – the securing
of data rights
K&R Beihefter 2015, 3
Schmidt-
Kessel
Privatrecht für die digitale Welt! Private law for the digital world! GPR 2015, 157
Schuster /
Hunzinger
Vor- und nachvertragliche Pflichten beim IT-Vertrag – Teil II: Nachvertragliche Pflichten
Advantageous and disadvantageous
obligations in the IT-contract – Part II:
post contractual obligations
CR 2015, 277
Schwart Property, Privacy, and Personal Data
Property, Privacy and Personal Data Harvard Law Review 2004, 2056
Schwartmann Daten als Rohstoff der Zukunft
Data as the resource of the future RDV 2015, 219
Schwartmann Geschäfte mit digitalisierter Persönlichkeit
Trading with digital personalities http://www.marktforschung.de/hinte
rgruende/recht/marktforschung/ges
chaefte-mit-digitalisierter-per-
soenlichkeit/
Schwartmann Wer unsere Daten anzapft, soll dafür zahlen Whoever taps our data, must pay for
that
FAZ 23rd Oct. 2015
Schwartmann/
Hentsch
Eigentum an Daten – Das Urheberrecht als Pate für die Datenverwertung Data ownership – copyright law as
godfather for data usage
RDV 2015, 221
Schwartmann/
Hentsch
Parallelen aus dem Urheberrecht für ein neues Datenverwertungsrecht Parallels of copyright law for a new
right of use of data
PinG 2016, 117
Simitis Die informationelle Selbstbestimmung Grundbedingung einer verfassungskon-formen Informationsordnung
Informational self-determination –
basic requirement of an information
regime in conformity with the
constitution
NJW 1984, 398
Simonite Der Marktwert der Verbraucherdaten
The market value of consumer data http://heise.de/tr/artikel/Der-
Marktwert-der-Verbraucherdaten-
124
Author Title Convenience Translation Reference
2116670.html
Specht Konsequenzen der Ökonomisierung informationeller Selbstbestimmung: Die zivilrechtliche Erfassung des Datenhandels
Consequences of informational self-
determination’s economization: the
civil registration of trade in data
In: Konsequenzen der
Ökonomisierung informationeller
Selbstbestimmung: Die zivilrecht-
liche Erfassung des Datenhandels,
1. Auflage 2012, P. 113-136, p.
161-172, p.227-253ff.
Specht/Rohme
r
Zur Rolle des informationellen Selbstbes-timmungsrechts bei der Ausgestaltung eines möglichen Ausschließlichkeitsrechts an Daten
On the role of the informational self –
determination right in the context of
the design of a possible exclusive right
in data
PinG 2016, 127
Spickhoff Der Schutz von Daten durch das Deliktsrecht Protecting data by tort law Leible/Lehmann/Zech, Unkörper-
liche Güter im Zivilrecht, p. 233
Spindler BeckOK BGB § 823,
Rn 93 - 94
BeckOK BGB § 823, Rn. 93-94 BeckOK BGB § 823, Rn. 93-94
Spindler Das Jahr 2000-Problem in der Produk-thaftung: Pflichten der Hersteller und der Softwarenutzer
The year 2000 – problems in product
liability: producer’s and software user’s
obligations
NJW 1999, 3737
Spindler Datenschutz- und Persönlichkeitsrechte im Internet - Der Rahmen für Forschungsauf-gaben und Reformbedarf
Data protection and personal rights in
the internet – framework of research
tasks and need for reform
GRUR-Beilage 2014,101
Spindler Deliktsrechtliche Haftung im Internet - nationale und internationale Rechtsprobleme
Liability by tort law in the internet –
national and international legal
problems
ZUM 199, 533
Spindler Der Schutz virtueller Gegenstände
Protecting virtual objects Leible/Lehmann/Zech, Unkörper-
liche Güter im Zivilrecht, p. 261
Stancke Grundlagen des Unterneh-mensdatenschutzrechts – gesetzlicher und vertraglicher Schutz unternehmensbe-zogener Daten im Wirtschaftsverkehr
Bases of entrepreneurial data
protection law – legal and contractual
protection of business-related data in
commercial trade
BB 2013, 1418
125
Author Title Convenience Translation Reference
Trute Der Schutz personenbezogener Infor-mationen in der Informationsgesellschaft Protection of personalised information
in the information society
JZ 1998, 822
Trute n/a
n/a In: Roßnagel, Handbuch
Datenschutzrecht, 1. Edition 2003,
p. 167
Ulmer Connected Car – welche Daten gehören eigentlich wem? Connected Car – which data belongs
to whom?
PinG 2015, 104
v. Lewinski n/a
n/a In: v. Lewinski, Die Matrix des
Datenschutzes – Besichtigung und
Ordnung eines Begriffsfeldes, 1.
Edition 2014
Vogelsang Grundrecht auf informationelle Selbstbes-timmung Fundamental right on informational
self-determination
In: Vogelsang, Grundrecht auf
informationelle Selbstbestimmung,
1. Edition 1987, p. 141ff.
Wagner § 823
§ 823 Civil Code Münchener Kommentar zum BGB,
6. Edition 2013, § 823 Rn.165
Weichert Wem gehören die privaten Daten?
Who owns private Data? Regulierung in der
Wissensgesellschaft, FS Kilian, 1.
edition 201, p.281
Welp Datenveränderung (§ 303a StGB) – Teil 1
Data alteration (303a Penal Code
(StGB)) part 1
Iur 1988, 443
Westin n/a
n/a Privacy of Freedom, 1967, p. 324ff.
Wulf / Bur-
genmeister
Industrie 4.0 in der Logistik - Rechtliche Hürden beim Einsatz neuer Vernetzungs-Technologien
Industry 4.0 in the logistics sector –
legal barriers of the application of new
crosslinking technologies
CR 2015, 404
Zdanowiecki Recht an Daten
Rights on data BDI Gutachten Industrie .0 –
Rechtliche Herausforderungen der
Digitalisierung – Recht an Daten
p.20
126
Author Title Convenience Translation Reference
Zech Daten als Wirtschaftsgut – Überlegungen zu einem Recht des Erzeugers Data as assets – considerations about
creator’s rights
CR 2015, 137
Zech Schutz des Speichernden
Protecting the controller Zech, Information als
Schutzgegenstand, 2012, § 26
Zöllner Die gesetzgeberische Trennung des Datenschutzes für öffentliche und private Datenverarbeitung
The legislative separation of data
protection for public and private data
processing
RDV 1985, 3
127
Data Access – Academic Discussion
Author Title Convenience Translation Reference
Hong Das Recht auf
Informationszugang nach dem
Informationsfreiheitsgesetz als
Recht zur Mobilisierung der
demokratischen Freiheit
The right to access data in accordance
to the Access to Information Act as
mobilisation for the democratic freedom
NVwZ 2016, 953
Kloepfer Pressefreiheit statt
Datenschutz? – Datenschutz
statt Pressefreiheit?
Press freedom instead of data
protection? – Data protection instead of
press freedom?
AfP 6/2000, 511
MMR-Aktuell Koalition erleichtert Zugang zu
Daten der Bundesverwaltung
Coalition facilitates access to data of the
federal administration
MMR-Aktuell 2016,
379911
Neff Die Zulässigkeit der
Verarbeitung von Daten aus
allgemein zugänglichen Quellen
Legal admissibility of data processing
from generally accessible sources
DSRI-TB2015, 81
Sofiotis Europarechtliche und
verfassungsrechtliche Vorgaben
zum Recht auf
Informationszugang
Requirements by European and
constitutional law relating to the right to
access to information
VR 12/2010, 397
Voigt Freier Zugang zu Anlegerdaten Open access to investor data NZG 2011, 256
128
1.4 Bibliography – Spain
"¿De quién son los datos del 'big data' e internet de las cosas?"; Sánchez del Campo,
Alejandro. April 2016. http://blogs.elconfidencial.com/espana/blog-fide/2016-04-21/de-quien-
son-los-datos-del-big-data-e-internet-de-las-cosas_1168423/
"¿Los pacientes deben ser dueños de su salud?"; Dr. Luna, Daniel, M2016. Intramed.
http://www.intramed.net/contenidover.asp?contenidoID=88040
"Análisis sobre la heterogeneidad en la legislación de protección de datos personales de
carácter médico"; Lozoya de Diego, Abel; Villalba de Benito, María Teresa and Arias Pou,
María. January 2016, Diario la Ley, Nº 8688, Sección Doctrina, Ref. D-36, Editorial La Ley.
"El mundo nuevo de la tecnología ponible: ¿Qué consecuencias tiene para la propiedad
intelectual (P.I.)?"; Poole, Enma. June 2014. WIPO.
http://www.wipo.int/wipo_magazine/es/2014/03/article_0002.html
"El nuevo derecho sui generis sobre las bases de datos"; Cámara Lapuente, Sergio. Actualidad
Civil, Sección Doctrina, 1999, Ref. IV, page. 49, Volume 1, Editorial La Ley.
"Gestión de 'big data' y uso en los servicios financieros"; BBVA research, February 2016.
https://www.bbvaresearch.com/wp-content/uploads/2016/02/Situacion_ED_feb16_Cap4.pdf
"Internet de la cosas, Todo un mundo por regular"; Enrile D'Outreligne, Carlos. December 2015.
Boletín Económico del ICE Nº3070.
"Internet de las Cosas: un desafío para la protección de datos personales"; Santamaría Ramos,
Francisco José. August 2015. Actualidad Administrativa, Nº7-8, Sección Administración del
Siglo XXI. Editorial La Ley.
"La Internet de las Cosas"; Davara Rodríguez, Miguel Ángel. December 2014. El Consultor de
los Ayuntamientos, Nº22, Sección Nuevas Tecnologías. Editorial La Ley.
"Protección de datos y copropiedad"; Vigil Fernández, Carlos. September 2015. Diario La Ley,
Nª 8607, Sección Tribuna, Ref. D-336. Editorial La Ley.
"Reutilización de la información del Sector Público", February 2014, Ministerio de Hacienda y
Administraciones públicas.
"Una aproximación a algunos elementos de internet de las cosas"; Puyol Montero, Javier.
September 2015. Diario la Ley Nº 8603, Sección Doctrina, Ref. D-327. Editorial La Ley.
129
1.5 Bibliography – UK
1. Bradshaw, Simon. Millard, Christopher. Walden, Ian. "Contracts for Clouds: Comparison
and Analysis of the Terms and Conditions of Cloud Computing Services". Queen Mary
University of London, School of Law Legal Studies Research Paper No. 63/2010.
2. De Filippi, Primavera. Maurel, Lionel. "The paradoxes of open data and how to get rid of
it? Analysing the interplay between open data and sui0generis rights on databases".
International Journal of Law & Information Technology/2015. 23 March 2015.
3. Edwards, Lillian. "Privacy, security and data protection in smart cities: a critical EU law
perspective".
4. Finding, Maxine. Taylor, Mark. Osborne Clarke LLP. CTRL Technology Section: "Smart
Homes".
5. Hoeren, Thomas. "Big data and the ownership in data: recent developments in Europe".
European Intellectual Property Review 2014.
6. Hoerter, Christian M. Feyel, Nils. Awad, Alexandria. "The Smart Grid: energy network of
tomorrow – legal barriers and solutions to implementing the Smart Grid in the EU and
the US". International Energy Law Review 2015.
7. Hoppner, Thomas. Anastasia, Gubanova. "Regulatory challenges of the internet of
things". Computer and Telecommunications Law Review 2015.
8. Kemp, Richard. Hinton, Paul. Garland, Paul: Kemp Little LLP. "Data law and the data-
centric world". Legal rights in data. 25 January 2011.
9. Kemp, Richard. "Legal aspects of managing big data". PLC 2016
10. Kemp, Richard. "Legal Aspects of Managing Big Data". Kemp IT Law. October 2014.
11. Noto La Diega, Guido. Walden, Ian. "Contracting for the 'Internet of Things': Looking into
the Nest". Queen Mary University of London, School of Law Legal Studies Research
Paper No. 219.2016.
12. Pearce, Henry. "A systems approach to data protection law and policy in a world of big
data?". Computer and Telecommunications Law Review 2016.
13. Pearce, Henry. "Online data transactions, consent, and big data: technological
problems?". Computer and Telecommunications Law Review 2016.
14. Pearce, Henry. "Big data and reform of the European data protection framework: an
overview of potential concerns associated with proposals for risk management-based
130
approaches to data protection law and policy".
15. Purtova, Nadezhda. "Property in personal data: A European perspective on
instrumentalist theory of propertization".January 2010.
16. Purtova, Nadezhda. "Property rights in personal data: Learning from the American
discourse". Computer Law & Security Review 25 (2009) 507-521.
17. Rees, Christopher. "Who owns our data?" Computer Law & Security Report ("CLSR")
30(1):75–79 • February 2014
18. Reichman, J.H. Samuelson, Pamela. "Intellectual Property Rights in Data?". 50 Vand. L.
Rev. 51 (1997).
19. Schermer. Dr Bart W. Custers, Dr Bart. Van der Hof, Simone. "The Crisis of Consent:
How Stronger Legal Protection may lead to Weaker Consent in Data Protection." Ethics
& Information Technology.
20. Schwartz, Paul M. "Property, Privacy, and Personal Data". Harvard Law Review.
Volume 117, May 2004.
21. Walden, Ian. "Accessing Data in the Cloud: The Long Arm of the Law Enforcement
Agent". QMW Cloud legal project
147
Annex 4 – Example Clauses
1 France
Provider Materials means any advertising tags, cookies, pixels, or other code or similar
technology that are provided by Provider to Customer and used in connection with the
provision of the Services
PROVIDER OBLIGATIONS
[...]Provider represents and warrants that it will use Provider Data to provide Services to
the Customer on an aggregated and anonymised form to obtain statistics on the media
quality [...] and use this information with similar information of other customers in other
products or services supplied by the Provider, provided that such Provider Data does
not include any raw data nor any personal data of the Client. [...] Provider represents
and warrants that any Provider Data collected in the frame of the Services for the
Customer and communicated to other customers will be communicated in an
aggregated an anonymised form.
INTELLECTUAL PROPERTY:
Intellectual Property.
1 Customer Materials. As between the parties, the Provider acknowledges that
Customer owns and shall retain all rights in and to content and materials that Customer
uses in connection with the Services (“Customer Materials”). Provider does not acquire
any right, title or interest in the Customer Materials by virtue of providing the Services.
Notwithstanding the foregoing, Customer hereby grants the Provider a limited license
during the Term to use the Customer Materials solely to the extent necessary to provide
the Services to Customer.
2 Services, Provider Data and Provider Materials. The Provider owns, and shall
continue to own, all intellectual property and other proprietary rights in and to all
portions of the Services, the Provider Data and the Provider Materials. Except for the
limited rights set forth in Section 1 [note: Licenses to Services and Provider Data], no
transfer is made of any ownership rights or intellectual property rights associated with
the Services, Provider Data or Provider Materials (including, but not limited to,
copyright, trademark, patent, business method and process rights, and database rights)
by virtue of entering into this Agreement.
3 Customer Restrictions. Customer agrees not to use, transfer, distribute, or dispose of
any information contained in the Services or in any Provider Data in any manner that
competes with the business of Provider. Except as otherwise provided herein,
Customer may not, without prior written approval from Provider, (a) sell, resell, license,
distribute or transfer to any third party, or otherwise exploit, any Provider Data; (b)
publicly disclose or publish any Provider Data in its entirety, or the substantial
equivalent of the same; (c) use the Provider Data to create white or black lists other
than for internal business purposes; (d) reverse engineer or attempt to reverse engineer
148
the Provider Data or the Services or (e) permit a third party to do any of the above.
Customer will not remove or obscure any copyright, trademark or patent notices that
appear on the Services. All rights not specifically granted to Customer hereunder are
retained by Provider.
2 Spain
"XXX would be the sole and exclusive owner of all the data generated by the devices,
among others and without limitation, mathematical algorithms, know-how, procedures,
operations, methods - that do not correspond with personal data of identified or
identifiable persons as well as all the rights of intellectual and industrial property that
could derive from its exploitation. YYY may exploit such data during the term of the
Framework Agreement and after the effective date thereof, in order to improve and
expand its Platform and Services. XXX do not assume any responsibility and will not be
the owner of any personal data of customers, whose ownership and responsibility is
attributed exclusively to YYY."
3 Germany
Data trading contract annexed at the end.
4 UK
A Clauses extracted from a "data licence agreement" tabled by a commercial
supplier of data services
"Data" means the data or information specified in Schedule 3
"Derived Data" means any Data (wholly or in part) Manipulated to such a degree that it:
(a) cannot be identified as originating or deriving directly from the Data and cannot be reverse-
engineered such that it can be so identified; and
(b) is not capable of use substantially as a substitute for the Data.
"Manipulate" means to combine or aggregate the Data (wholly or in part) with other data or
information or to adapt the Data (wholly or in part).
"Manipulated Data" means any Data which has been Manipulated but excluding Derived Data.
"Permitted Use" means internal business use (which shall not include the use of the Data by, or
for the benefit of, any person other than an employee of the Licensee).
"Quarter" means the period of those calendar months commencing on 1 January, 1 April, 1 July
and 1 October respectively.
"Restrictions" means the obligations set out in Schedule 4
149
1 …
2 SUPPLY OF DATA
2.1 Subject to clause 2.2 below, during the Term, the Supplier shall supply the Data to the
Licensee once per Quarter, such supply to be made during the first full calendar week
falling within each Quarter by the method set out in Schedule 1.
2.2 The first and final supplies of Data pursuant to this Agreement shall be made in the first
full calendar week of, respectively:
(a) April 2016; and
(b) October 2018.
3 LICENCE
3.1 The Supplier grants to the Licensee a non-exclusive, non-transferable, revocable,
licence for the Permitted Use only during the Term, subject to the Restrictions, to:
(a) access, view and Manipulate Data;
(b) store the Data and Manipulated Data on Licensee's systems;
(c) use the Data and Manipulated Data to produce Derived Data.
3.2 Except as expressly provided in this Agreement, the Licensee shall not:
(a) use the Data or Manipulated Data (wholly or in part) in its products or services; or
(b) transfer the Data or Manipulated Data outside of the Licensee's systems; or
(c) redistribute or on-supply the Data or Manipulated Data (wholly or in part); or
(d) make the Data or Manipulated Data (wholly or in part) available to any third party.
3.3 The Licensee undertakes to adhere, and to procure the adherence of any person
gaining access to the Data or Manipulated Data through the Licensee, to the
Restrictions at all times.
4 INTELLECTUAL PROPERTY RIGHTS OWNERSHIP
4.1 The Licensee acknowledges that:
(a) all Intellectual Property Rights in the Data and the Manipulated Data are the property of
the Supplier or its licensors, as the case may be;
(b) it shall have no rights in or to the Data or the Manipulated Data other than the right to
use them in accordance with the express terms of this Agreement; and
150
(c) the Supplier or its licensors has or have made and will continue to make substantial
investment in the obtaining, verification, selection, coordination, development,
presentation and supply of the Data.
4.2 The Licensee assigns to the Supplier, and shall assign to it, with full title guarantee all
Intellectual Property Rights in any Manipulated Data it may create, by way of future
assignment.
4.3 The Licensee shall, and shall use all reasonable endeavours to procure that any
necessary third party shall, at the Supplier's cost, promptly execute such documents
and perform such acts as may reasonably be required for the purpose of giving full
effect to this Agreement.
4.4 The Intellectual Property Rights assigned to the Supplier under Clause 4.2 shall be
deemed to be included in the Licence from the date when such rights arise.
5 IPR CLAIMS
5.1 If any claim is made by a third party that the provision, use or receipt of the Data by the
Licensee infringes any UK Intellectual Property Right, or in the Supplier's reasonable
opinion is likely to be made (an “IPR Claim”), the Supplier may at its sole option and
expense:
(a) procure for the Licensee the right to continue using, developing, modifying or retaining
the Data (wholly or in part) in accordance with this Agreement;
(b) modify the Data (wholly or in part) so that they cease to be infringing;
(c) replace the Data (wholly or in part) with non-infringing items; or
(d) terminate this Agreement immediately by notice in writing to the Licensee and refund
any Charges paid in advance by the Licensee as at the date of termination (less a
reasonable sum in respect of the Licensee's use of the Data to the date of termination)
on return of the Data and all copies of each of them.
5.2 This Clause 5 (IPR Claims) constitutes the Licensee's sole and exclusive remedy and
the Supplier's only liability in respect of IPR Claims.
Schedule 4 - Restrictions
5 Restrictions
5.1 The Licensee shall:
(a) limit access to the Data to the Licensee's authorised users;
(b) only make copies of the Data and Manipulated Data to the extent reasonably necessary
for the following purposes: back-up, mirroring (and similar availability enhancement
techniques), security, disaster recovery and testing;
151
(c) not use the Data, Manipulated Data or Derived Data for any purpose contrary to any law
or regulation or any regulatory code, guidance or request;
(d) not extract, reutilise, use, exploit, redistribute, redisseminate, copy or store the Data and
Manipulated Data for any purpose not expressly permitted by this Agreement;
(e) not do anything which may damage the reputation of the Supplier or the Data, including
without limitation by way of using the Data, Manipulated Data or Derived Data (wholly or
in part) in any manner which is pornographic, racist or that incites religious hatred or
violence.
B. Clauses extracted from a complex outsourcing agreement concerning provision
of banking and IT services to underpin operation of a simple card based
payments accounts
"Account Holder Data" means all information relating to each Primary Account Holder,
Third Party Cardholder, Applicant and/or any individual enquiring about a Card Account,
in each case obtained pursuant to this Agreement whether or not confidential
information, including:
(a) information provided by the Government Departments as part of the Card
Account opening process, and any subsequent changes to such information;
(b) information provided by an Applicant or Account Holder on any application form
or other form in relation to the opening or operation of a Card Account, and any
subsequent changes to such information;
(c) information contained on or used to generate a statement for an Account Holder
in relation to a Card Account or any electronic replacement for such a
statement;
(d) information logged by the Contact Centre in relation to a Card Account, Account
Holder or Applicant;
(e) information relating to an Account Holder's operation of a Card Account,
including:
(i) incidents of lost, stolen or damaged Cards;
(ii) incidents of Transactions attempted and not authorised;
(iii) incidents of PIN changes or re-issues;
(f) Card Account balances,
152
and all information derived from such information (other than information which has
been created specifically for the Bank's internal management purposes and which is
statistical or aggregated in nature);
"Authority Data" means:
(a) the data, text, drawings, diagrams, images or sounds (together with any
database made up of any of these) which are embodied in any electronic,
magnetic, optical or tangible media, and which are supplied to Customer or the
Supplier by or on behalf of the Authority via the Secure Electronic/On-Line
Communication System; and
(b) any Personal Data for which the Authority is the data controller,
but excluding:
(i) any data, text, drawings, images or sounds (together with any database
made up of these) which are created, collected or owned by the
Customer, the Supplier or its subcontractors; and
(ii) any Personal Data for which the Customer, the Supplier or its
subcontractors is the data controller;
30. …
31. ACCOUNT HOLDER DATA
31.1 As between the Parties, the Customer (or its licensors) shall own all Account Holder
Data. Where any right, title, interest or Intellectual Property in the contents of any of the
Account Holder Data vests in the Supplier (or the Supplier Group Companies or its or
their subcontractors), then (at the Customer’s request) the Supplier shall, and shall
procure that the Supplier Group Companies and its and their subcontractors shall,
execute all documents and take such other steps as may reasonably be necessary from
time to time to vest absolutely in the Customer (or the Customer’s nominee) all such
right, title, interest and Intellectual Property in the contents of Account Holder Data as is
owned by the Supplier, the Supplier Group Companies or its or their subcontractors.
31.2 The Customer hereby grants, and where relevant shall procure the necessary consents
and licences to grant, to the Supplier a non-exclusive, non-transferable, royalty-free
licence of the Intellectual Property assigned to the Customer or its nominee pursuant to
clause 31.1 solely for the purposes of performing its obligations under this Agreement or
allowing any of its subcontractors to perform their obligations relating to this Agreement,
in all cases including complying with Applicable Law. Such licence shall extend to the
Exit Assistance End Date and thereafter solely to the extent access to the Account
Holder Data by the Supplier or any of its subcontractors is necessary in order to comply
with Applicable Law.
31A. Authority Data
153
31A.1 The Supplier shall not delete or remove any proprietary notices contained within or
relating to the Authority Data.
31A.2 The Supplier shall not store, copy, disclose, or use the Authority Data except:
(a) as necessary for the performance by either Party of its obligations under this
Agreement; or
(b) as otherwise expressly authorised in writing by the Customer.
31A.3 To the extent that Authority Data is held and/or processed by the Supplier, the Supplier
shall supply that Authority Data to the Customer as requested by the Customer in either MS
Word format, MS Excel format or such other format as the Parties (acting reasonably) may
agree.
31A.4 The Supplier shall take responsibility for preserving the integrity of any Authority Data
while it is in the Supplier’s possession, and for preventing the corruption or loss of such
Authority Data.
31A.5 The Supplier shall perform secure back-ups of all Authority Data in the Supplier’s
possession and shall ensure that up-to-date back-ups are stored off-site as may be required by
the Business Continuity Plan. The Supplier shall ensure that such back-ups are available to the
Customer at all times upon request and are delivered to the Customer at no less than monthly
intervals.
31A.6 The Supplier shall ensure that any system on which the Supplier holds any Authority
Data, including back-up data, complies with the Security Policy.
31A.7 If any Authority Data in the Supplier’s possession is corrupted, lost or sufficiently
degraded as a result of the Supplier’s breach of this Agreement so as to be unusable, the
Customer may:
(a) require the Supplier (at the Supplier’s expense) to restore or procure the
restoration of such Authority Data and the Supplier shall do so as soon as
reasonably practicable but not later than 24 hours after the discovery of the
loss; and/or
(b) itself restore or procure the restoration of such Authority Data, and shall be
repaid by the Supplier any reasonable expenses incurred in doing so.
31A.8 If at any time the Supplier suspects or has reason to believe that Authority Data
in its possession has or may become corrupted, lost or sufficiently degraded in any way for any
reason, then the Supplier shall notify the Customer immediately and inform the Customer of the
remedial action which the Supplier proposes to take.
C. Clinical trials agreement
154
8 OWNERSHIP AND INTELLECTUAL PROPERTY
8.1 All data and other information and writings of the Client provided to Party A by and/or
on behalf of the Client in connection with the Services, including all data and
information from the Clinical Trial existing prior to and after the Effective Date of this
Agreement, irrespective of whether provided in paper, oral, electronic or other form
(including, but not limited to original case report forms, and including dictionaries and
data entry copies of case report forms), shall be the exclusive property of Client and
shall be subject to the obligations of confidentiality and non-use set forth in Clause
Error! Reference source not found. below. As utilised in this Agreement, the term
“electronic form” includes, but is not limited to, computer disks and tapes, CD-ROM
disks, optical disks, electronic mail and audio tapes.
8.2 Subject to Clauses 8.5 and Error! Reference source not found. below, any and all
data and other information (tangible and intangible) resulting from, and/or generated
or made in the performance of the Services or in support of the Clinical Trial prior to
and after the Effective Date of this Agreement, including without limitation writings
(irrespective of whether in written, oral or electronic form), inventions and work
products (including but not limited to patents, inventions, copyrightable material or
trade secrets), (collectively, the “Works”), shall be the exclusive property of the
Client and may be used for any lawful purpose and/or transferred by the Client at its
sole discretion with no further payment to Party A.
8.3 Party A and the Client understand and agree that all Works, both tangible and
intangible, that result from the Services performed under this Agreement are works
made for hire, as such is understood under the US Copyright Act of 1976, and that
the Client is the sole owner of all the rights in such Works in any form and in all fields
of use known or hereafter existing. The Client shall be considered author for
purposes of the US Copyright Act of 1976 (if applicable). Party A hereby assigns to
the Client all right, title and interest in and to any such Works and in any copyrights
therein and hereby irrevocably waives or shall (as applicable)- procure the
irrevocable waiver of any moral rights in the Works to which it is now or may at any
future time be entitled under Chapter IV of the Copyright Designs and Patents Act
1988 or any similar provisions of law in any jurisdiction.
8.4 In the event that the Client decides to file one or more patent applications covering
one or more inventions resulting from and/or made in the performance of the
Services, Party A shall at Clients’ request and expense assist Client in the
preparation and prosecution of such patent application(s) and shall execute all
documents necessary for the filing thereof and/or for the vesting in the Client of title
thereto.
8.5 Notwithstanding the foregoing, Party A and the Client understand and agree that all
rights, including Intellectual Property Rights, title and interest in all computer
systems, and related Documentation, information and materials used by Party A in
the provision of the Services, including without limitation the Software System (the
“Components”), together with any developments, modifications, inventions,
discoveries, patent rights, trademarks and copyrights that result from the provision of
any Services by Part A pursuant to this Agreement (or howsoever achieved) in
155
respect of the Components, shall remain the sole and exclusive property of Party A.
The Client agrees not to assert against Party A and its licensees any ownership
interest in the Components. Party A grants to Client a non-exclusive, royalty free,
worldwide right to use the Components and such resulting Intellectual Property
Rights incorporated in, or necessary for the utilisation of, the Works in accordance
with the terms of this Agreement and solely to the extent necessary for Client to
utilise the Works for Client’s own business purposes provided that Client has paid all
fees for such Works. Client may not decompile, reverse engineer, modify or utilise
the Components in anyway other than as required to utilise the Works and then only
with Party A’s prior written consent which may be subject to Party A carrying out any
such reverse engineering or modification involving the Party A Components.
D Clause regarding pharmaceutical collaboration (not drafted by OC):
8.6 All rights, title and interests to Pre-Collaboration IP shall remain with the Party
introducing or disclosing the same and shall remain unfettered except as set out in
this Agreement. Each Party grants to the other Party a non-exclusive, royalty-free,
licence to use its Pre-Collaboration IP for the purposes of the Project during the
Term and for no other purposes except as provided in this Agreement.
8.7 All rights, interests and title to Project IP shall be governed by the following
provisions:
8.7.1 The Parties shall own the Project IP as joint tenants. COLLABORATOR agrees and
accepts that RI may, at its absolute discretion but subject to the other terms of this
Agreement, assign or otherwise transfer to [PARTY X], its share of the legal and
beneficial ownership in the Project IP without any reference to COLLABORATOR or any
obligation to obtain COLLABORATOR’s consent.
8.7.2 The Parties shall appoint one of them as the lead party (hereinafter referred to as “IP
Lead Party”) to undertake the filing, prosecution and maintenance of all applications for
the registration of patents, trade marks, designs and copyrights (where applicable) for
the protection of the Project IP in the joint names of RI and COLLABORATOR or their
assignees. It is agreed that PARTY A shall have the first option to be the IP Lead Party.
“Project IP” means all IP which was discovered, developed, conceived or reduced to practice
solely or jointly by the Parties or their employees, servants, invitees or agents in the course of
the Project.
“Intellectual Property" or "IP” means all… rights in data… worldwide arising under statutory
or common law, and whether or not registered, the subject of pending applications, or
otherwise.
156
Example German data trading agreement
Stand: 01.01.2016
Datenlieferungsvertrag
zwischen der
X GmbH
(nachfolgend X)
und der
Y GmbH
(nachfolgend Y)
wird folgender Vertrag geschlossen:
4 Präambel
X betreibt eine Multi-Channel-Online-Lösung für E-Commerce-Shops. Das X-Produkt bietet
z.B. eine automatisierte Anbindung an Preissuchmaschinen und Produktsuchmaschinen per
XML-Feeds. Bei Einsatz der X Software kann X produkt- und nutzungsbasiert Suchen, Klicks
und Käufe der Produkte aus den Shops seiner Kunden erfassen. Diese Daten geben
Aufschluss über geplante und getätigte Käufe, jeweils mit einem ausgeprägten Detailgrad, der
z.B. den EAN-Code, den Produktpreis und die Produktbeschreibung umfasst.
Y plant, die von X bereitgestellten Daten ggf. zusammen mit Daten von anderen Anbietern zu
monetarisieren. Insbesondere sollen die Daten Kunden zur Verfügung gestellt werden, damit
sie diese zur Profilbildung und Segmentierung nutzen und auf Basis der Segmente - ggf. für
ihre eigenen Kunden - Werbeflächen auf Websites z.B. im Wege des Real Time Bidding
ersteigern können. Gegebenenfalls sollen die Kunden die auf Basis der Daten von X gebildeten
Profile und Segmente unter bestimmten Bedingungen auch veräußern dürfen. Zudem plant
auch Y, auf Basis der von X bereitgestellten Daten Profile und Segmente zu erstellen und diese
zu monetarisieren.
Dies vorausgeschickt, vereinbaren die Parteien Folgendes:
157
4.8 Vertragsgegenstand
4.8.4 X verfügt über Daten aus Website-Nutzungen, die von X in Datensätzen
zusammengefasst werden. X wird Y nach Maßgabe von Ziffer 4.9 dieses Vertrages
derartige Datensätze zur Verfügung stellen, wie sie bei X vorhanden sind. Eine stetige
Verfügbarkeit der Datensätze ist nicht geschuldet.
4.8.5 Die Datensätze sollen – im Rahmen des für X möglichen – die in Anlage 1 aufgeführten
Parameter (im Folgenden „X-Daten“ genannt) enthalten. Y ist bekannt, dass nicht jeder
Datensatz sämtliche der dort angegebenen Parameter enthält. X wird Y die in Anlage 1
aufgeführten Parameter so zur Verfügung zu stellen, wie diese Parameter X in einem
Datensatz auch tatsächlich vorliegen. Y ist in diesem Zusammenhang bewusst, dass X
die Richtigkeit der X-Daten nicht verifizieren kann; insbesondere kann X nicht
nachvollziehen, ob sich alle in einem Datensatz gesammelten Informationen auf
denselben Nutzer beziehen oder ein Rechner z.B. von mehreren Personen benutzt
wird.
4.8.6 Auf Wunsch von Y werden die Parteien über die Zurverfügungstellung zusätzlicher
Daten verhandeln, die auf bislang nicht in Anlage 1 aufgeführten Parametern beruhen.
Sollten die Parteien sich auf die Zurverfügungstellung solcher weiterer Daten einigen,
werden sie diesen Vertrag, insbesondere die Anlagen 1 und 2 entsprechend ergänzen.
Es besteht seitens Y kein Anspruch auf Zurverfügungstellung zusätzlicher Daten bzw.
den Abschluss einer entsprechenden Vereinbarung.
4.8.7 Y darf die X-Daten ausschließlich nach Maßgabe von Ziffer 4.10 dieses Vertrages
verwenden. Eine weitergehende Verwendung der X-Daten durch Y ist untersagt.
4.9 Bereitstellung der X-Daten
4.9.4 X wird Y die X-Daten nach Maßgabe von Anlage 3 zur Verfügung stellen.
4.9.5 Y obliegt die notwendige Mitwirkung, um X die Übergabe der X-Daten zu ermöglichen.
4.9.6 X ist berechtigt, die X-Daten nach angemessener Vorankündigung auf eine andere Art
und Weise als in der Anlage 3 beschrieben zur Verfügung zu stellen, sofern sich die
Parameter der Bereitstellung nicht wesentlich ändern.
4.10 Nutzungsrechte an den X-Daten
1.1 X räumt Y an den X-Daten hiermit – unbeschadet der Regelung in Ziffer 4.14.7 – ein
nicht-ausschließliches, übertragbares, räumlich auf Europa und zeitlich auf die Laufzeit
dieses Vertrages beschränktes Recht zur Nutzung der X-Daten nach Maßgabe der
folgenden Bestimmungen ein:
158
4.10.4 Nutzung der X-Daten durch Y
4.10.4.1 Umfang der Nutzung
Y ist berechtigt, die X-Daten – im Rahmen des datenschutzrechtlich Zulässigen – zu
nutzen, um sie Kunden nach Maßgabe von Ziffer 3.2 zur Verfügung zu stellen. Zudem
ist Y berechtigt, aus den X-Daten – im Rahmen des datenschutzrechtlich Zulässigen –
Profile zu bilden („Y-Profile“) und Segmente („Y-Segmente“) zu erstellen, die die
Ausspielung von maßgeschneiderter Werbung auf Webseiten ermöglichen sollen, um
sie anschließend nach Maßgabe von Ziffer 3.2 Kunden zur Verfügung zu stellen. Y darf
keine Segmente erstellen, die aus weniger als 500 verschiedenen Profilen bestehen.
4.10.4.2 Verbot der Weitergabe von X-Daten
(a) Y ist es grundsätzlich untersagt, Dritten Zugriff auf X-Daten, Y-Profile und Y-
Segmente zu gewähren oder diese an Dritte weiterzugeben; die Ausnahmeregelungen
gemäß Ziffer 3.2 bleiben hiervon unberührt.
4.10.4.3 Verbot der Nutzeridentifizierung
Es ist Y untersagt, die betroffene natürliche Person, auf die sich die X-Daten, Y-Profile
bzw. Y-Segmente beziehen, zu identifizieren, z.B. durch die Kombination mit bereits bei
Y vorhandenen Daten.
4.10.4.4 Erhebung weiterer Daten durch Y
Y ist es untersagt, Daten zu erheben und zu verwenden, mittels derer Y eine natürliche
Person, auf die sich die jeweiligen X-Daten, Y-Profile bzw. Y-Segmente beziehen, ggf.
nach Zusammenführung mit den X-Daten identifizieren könnte. Insbesondere ist es Y
untersagt, die X-Daten, Y-Profile und Y-Segmente mit derartigen Daten
zusammenzuführen.
4.10.4.5 Zusammenführen von Daten
Unter Beachtung von Ziffer 3.1.4 darf Y die X-Daten, Y-Profile und Y-Segmente mit
eigenen Nutzungs-Daten, welche Y von Dritten erworben oder lizensiert oder selbst
gesammelt hat, in ihrer eigenen Y-DMP oder ihrem DMP-Account zusammenführen und
die so zusammengeführten Daten in gleichem Umfang nutzen wie die X-Daten, Y-
Profile und Y-Segmente.
4.10.5 Weitergabe von X-Daten, Y-Profile und Y-Segmente an Kunden von Y
Y ist berechtigt, die X-Daten Kunden zur Verfügung stellen, die sie wiederum zur
Einstellung in eine DMP sowie zu Zwecken der Profilbildung und Segmentierung
verwenden dürfen, um auf Basis der Segmente (ggf. unter Einbindung einer DSP)
Werbeflächen auf Websites z.B. im Wege des Real Time Bidding zu ersteigern, damit
auf solchen Websites maßgeschneiderte Werbung ausgespielt werden kann. Die zu
diesem Zwecke zugelassene Verwendung der X-Daten durch Kunden von Y beinhaltet
159
insbesondere – aber nicht ausschließlich – die Segmentierung,
Zielgruppenmodellierung, Lookalike-Bildung, Anwendung statistischer Verfahren,
Datenanreicherung und jegliche Art von Data Mining und Analytics.
Zudem ist Y berechtigt, Kunden Y-Profile und Y-Segmente zur Verfügung stellen, damit
die Kunden aus den Y-Profilen eigene Segmente bilden können, die sie wie die Y-
Segmente zu Zwecken der Ausspielung von maßgeschneiderter Werbung auf Websites
verwenden dürfen.
Y hat sicherzustellen, dass (i) bei jeglicher Segmentierung der X-Daten bzw. der Y-
Profile keine Segmente erstellt werden, die aus weniger als 500 verschiedenen Profilen
bestehen, und (ii) die X-Daten, Y-Profile und Y-Segmente nicht für Zwecke des
Retargeting verwendet werden, d.h. an einen Nutzer Werbung für diejenigen konkreten
Leistungen oder Produkte ausgespielt wird, die in den X-Daten, Y-Profilen bzw. Y-
Segmenten für den Nutzer erfasst sind.
Voraussetzung für die Weitergabe der X-Daten, Y-Profile und Y-Segmente durch Y an
Dritte ist, dass Y den jeweiligen Kunden zuvor schriftlich ebenso verpflichtet hat, wie
auch Y aufgrund Ziffer 3.1.2 bis Ziffer 3.1.5 dieses Vertrages gegenüber X verpflichtet
ist. In diesem Zusammenhang hat Y auch sicherzustellen, dass die Berechtigung des
Kunden zur Nutzung von X-Daten, Y-Profilen und Y-Segmenten entsprechend des
Rechts von Y zur Nutzung dieser Daten, Profile bzw. Segmente endet und der Kunde
sie sodann nach Maßgabe von Ziffer 11.3 dieses Vertrags löscht.
Y ist zudem berechtigt, den Kunden die Weiterveräußerung der von ihnen auf Basis der
X-Daten (nicht notwendigerweise ausschließlich auf dieser Basis) erstellten Profile und
Segmente sowie der Y-Profile und Y-Segmente zu erlauben. Voraussetzung hierfür ist,
dass Y sicherstellt, dass die Kunden ihre Kunden im Hinblick auf die Nutzung und
Verwendung der Profile und Segmente zuvor schriftlich ebenso verpflichtet, wie die
Kunden von Y im Hinblick auf die Nutzung und Verwendung von Y-Profilen bzw. Y-
Segmenten aufgrund dieses Vertrags gegenüber Y verpflichtet werden müssen.
Die Weiterveräußerung von X-Daten durch Kunden von Y ist untersagt. Dies gilt ebenso
für die Weiterveräußerung von Profilen und Segmenten, die auf Basis der X-Daten
erstellt wurden, durch Kunden von Kunden von Y.
4.11 Vergütung
X erhält als Gegenleistung für das Zurverfügungstellen der X-Daten und die
Einräumung des Nutzungsrechts nach Ziffer 4.10 eine Vergütung von Y nach Maßgabe
von Anlage 2.
4.12 Abrechnung und Rechnungstellung
4.12.4 Y ist verpflichtet, X für jeden Kalendermonat ein Reporting zur Verfügung zu stellen,
welches die Umsätze und Nutzung sowie die Bruttoerlöse vor Steuern ausweist, die Y
160
unter Verwendung von X-Daten, Y-Profilen und Y-Segmenten erzielt hat. Die Inhalte
des Reportings sind in Anlage 5 geregelt. Y hat X dieses Reporting für den
abgelaufenen Kalendermonat in Textform bis spätestens zum siebten Werktags des
jeweils folgenden Monats zur Verfügung zu stellen.
4.12.5 Y ist verpflichtet, X oder einem von X beauftragten Dritten die Überprüfung der in dem
Reporting enthaltenen Angaben zu ermöglichen und sämtliche hierfür erforderlichen
Informationen zur Verfügung zu stellen. Insbesondere muss Y X bzw. dem beauftragten
Dritten – im Rahmen des Erforderlichen – hierzu auf erstes Anfordern unverzüglich
Zugang zu sämtlichen Unterlagen und Aufzeichnungen gewähren, einschließlich
lesenden Zugang zu Y-Abrechnungssystemen.
4.12.6 Die Rechnungsstellung seitens X erfolgt monatlich nach Ende des jeweiligen
Leistungsmonats.
4.12.7 Die Rechnungen sind innerhalb von 30 Tagen nach deren Zugang fällig.
4.12.8 Eine Aufrechnung durch Y ist nur mit anerkannten, unbestrittenen oder rechtskräftig
festgestellten Ansprüchen zulässig. Ein Zurückbehaltungsrecht kann nur wegen
Gegenansprüchen aus diesem Vertragsverhältnis geltend gemacht werden.
4.13 Datenschutz
Es ist das gemeinsame Verständnis der beiden Parteien, dass es sich bei den X-Daten
aus sich heraus um anonyme Daten i.S.d. Datenschutzrechts handelt.
4.14 Gewährleistung
4.14.4 X steht nicht für die Richtigkeit des Aussagegehalts der X-Daten oder etwa daraus
abgeleiteter Interessen, Vorlieben oder Nutzungsgewohnheiten ein.
4.14.5 Es ist das gemeinsame Verständnis der Parteien, dass es sich bei den X-Daten aus
sich heraus um anonyme Daten i.S.d. anwendbaren Datenschutzgesetze handelt. Die
Parteien sind sich bewusst, dass diese Qualifizierung mit rechtlichen Unsicherheiten
behaftet ist und nicht ausgeschlossen werden kann, dass eine etwa mit der
Angelegenheit befasste Datenschutzaufsichtsbehörde bzw. ein hiermit befasstes
Gericht diese Daten aus sich selbst heraus personenbezogen i.S.d. § 3 Abs. 1 BDSG
ansehen könnte.
4.14.6 Sollte eine Datenschutzaufsichtsbehörde oder ein Gericht zu der Auffassung gelangen,
dass es sich bei den X-Daten nicht um anonyme, sondern um personenbezogene
Daten handelt, haben beide Parteien das Recht, diesen Vertrag außerordentlich und
fristlos zu kündigen. Weitergehende Rechte von Y sind in diesem Zusammenhang
ausgeschlossen. Insbesondere kann Y aus diesem Grund keine Rückerstattung der
161
Vergütung für die bereits erbrachten Leistungen oder Schadens- bzw.
Aufwendungsersatz von X verlangen.
4.14.7 Y ist verpflichtet, mit sämtlichen Kunden schriftlich Ziffer 4.14.5 und Ziffer 4.14.6
entsprechende Regelungen zu vereinbaren und sie zu verpflichten, ihrerseits mit
sämtlichen Kunden schriftlich Ziffer 7.2 und Ziffer 7.3 entsprechende Regelungen zu
vereinbaren. Zuvor darf Y keine X-Daten, Y-Profile oder Y-Segmente nach Ziffer 3.2
weitergeben.
4.15 Haftung und Freistellung
[Deleted – Clauses not relevant with regards to data]
4.16 Vertragsstrafe und Informationspflicht
4.16.4 Im Falle eines schuldhaften Verstoßes von Y gegen eine der Verpflichtungen aus Ziffer
3.1 oder 3.2 dieses Vertrags wird pro Verstoß eine von Y an X zu zahlende
angemessene Vertragsstrafe fällig, deren Höhe von X festgesetzt und deren
Angemessenheit im Streitfall vom Gericht überprüft wird.
4.16.5 Im Falle eines schuldhaften Verstoßes eines Kunden von Y bzw. von dessen Kunden
gegen eine Verpflichtung im Sinne von Ziffer 3.2, die Y an den Kunden bzw. dieser an
seinen Kunden weitergeben muss, wird pro Verstoß eine von Y an X zu zahlende
angemessenen Vertragsstrafe fällig, deren Höhe von X festgesetzt und deren
Angemessenheit im Streitfall vom Gericht überprüft wird.
4.16.6 Y ist verpflichtet, X unverzüglich über Verstöße von Kunden von Y bzw. von deren
Kunden gegen eine Verpflichtung zu informieren, die Y nach Maßgabe von Ziffer 3.2
dieses Vertrages an einen Kunden bzw. dieser an seinen Kunden weitergeben muss.
4.17 Geheimhaltung
4.17.4 Der Parteien verpflichten sich, die Inhalte dieses Vertrages und alle ihnen im Rahmen
der Leistungserbringung zur Kenntnis gelangenden vertraulichen Informationen zeitlich
unbefristet geheim zu halten und sie – soweit dies nicht zur Erreichung des
Vertragszweckes zwingend geboten ist – weder aufzuzeichnen, noch an Dritte
weiterzugeben oder in sonstiger Weise zu nutzen. Vertrauliche Informationen sind alle
Informationen und Unterlagen der jeweils anderen Partei, die als vertraulich
gekennzeichnet oder aus den Umständen heraus als vertraulich anzusehen sind,
insbesondere Informationen über betriebliche Abläufe, Geschäftsbeziehungen, weitere
Betriebs- und Geschäftsgeheimnisse, Know-how sowie sämtliche Arbeitsergebnisse.
162
4.17.5 Von der Geheimhaltungsverpflichtung im Sinne von Ziffer 4.17.4 ausgenommen sind
solche vertraulichen Informationen,
(a) die der jeweils anderen Partei bei Abschluss dieses Vertrags nachweislich bereits
bekannt waren oder die ihnen danach von dritter Seite bekannt werden, ohne dass dadurch
eine Geheimhaltungsverpflichtung, gesetzliche Vorschriften oder behördliche Anordnungen
verletzt werden;
(b) die bei Abschluss dieses Vertrages bereits öffentlich bekannt sind oder danach
öffentlich bekannt werden, soweit dies nicht auf einer Verletzung dieses Vertrages beruht;
(c) die aufgrund gesetzlicher Verpflichtungen oder auf Anordnung eines Gerichts oder einer
Behörde offen gelegt werden müssen. Soweit zulässig und möglich wird die zur Offenlegung
verpflichtete Partei die andere Partei vorab unterrichten und ihr Gelegenheit geben, gegen die
Offenlegung vorzugehen.
4.17.6 Jede Weitergabe vertraulicher Informationen der anderen Partei an Dritte bedarf der
vorherigen ausdrücklichen schriftlichen Zustimmung der jeweils anderen Partei.
4.17.7 Die Parteien werden durch geeignete vertragliche Abreden sicherstellen, dass auch die
für sie tätigen Mitarbeiter und Erfüllungs- und Verrichtungsgehilfen zeitlich unbefristet
jede eigene Verwertung oder Weitergabe vertraulicher Informationen unterlassen. Die
Parteien werden ihren Mitarbeitern und ihren Erfüllungs- und Verrichtungsgehilfen
vertrauliche Informationen nur in dem Umfang offen legen, wie diese die Informationen
für die Durchführung dieses Vertrages kennen müssen.
4.18 Vertragsdauer
1-3 [Deleted – Clauses not relevant with regards to data]
4.18.4 Mit Beendigung des Vertrages ist Y dazu verpflichtet, die X-Daten, Y-Profile und Y-
Segmente unverzüglich, unwiederbringlich und vollständig zu löschen. Y hat
sicherzustellen, dass auch sämtliche Dritten, an die X-Daten, Y-Profile oder Y-
Segmente weitergegeben wurden, diese entsprechend löschen, auch soweit diese in
anderen Profilen bzw. Segmenten enthalten sind. Auf Verlangen von X hat Y X die
Löschung nach Maßgabe dieser Vorschrift in geeigneter Form nachzuweisen; dies gilt
auch für die Löschung bei Dritten.
4.19 Schlussbestimmungen
1-3 [Deleted – Clauses not relevant with regards to data]
163
4.19.4 Die Parteien vereinbaren im Hinblick auf sämtliche Rechtsbeziehungen aus diesem
Vertragsverhältnis die Anwendung des Rechts der Bundesrepublik Deutschlands unter
Ausschluss des UN-Kaufrechts.
4.19.5 Erfüllungsort und ausschließlicher Gerichtsstand für alle Streitigkeiten aus oder im
Zusammenhang mit diesem Vertrag ist Hamburg.
Ort, Datum Ort, Datum
X GmbH X GmbH
Anlagen:
Anlage 1: Inhalt der Datensätze (Einzelparameter) } Anlage 2: Vergütung } Deleted - confidential Anlage 3: Zurverfügungstellung der X-Daten } Anlage 5: Inhalte des Reportings }
European Commission
Legal study on Ownership and Access to Data – Final Report Luxembourg, Publications Office of the European Union
2016 – 164 pages
ISBN 978-92-79-62181-9
doi:10.2759/299944