2024-2025 Global AI Trends Guide
The EU has moved up a gear in recent times, and it is producing new legal tools for companies to maximize the possibilities to collect and make use of data (including personal data) in the context of its European Strategy for Data. This approach is being implemented, among other aspects, by introducing IP exceptions (e.g., database rights), reinforcing the possibility to re-use the data of public administrations, and exploring the possibility for consumers to provide personal data in exchange for certain digital services.
This is an outstanding opportunity for businesses in many sectors: use of consumer data for profiling and product improvement, use of health data for research purposes, and use of vehicle data for product optimization are three examples.
However, these opportunities also involve important legal challenges for the companies that want to maximize the use of data, including compliance with data protection regulations, how to protect the data from an IP perspective, and the ways to transfer it and license it.
Exploring new and alternative possibilities to use and process data (including personal data) presents numerous obstacles. In particular, the use, re-use, and processing of massive sets of data for commercial purposes is a practice that has faced significant scrutiny from the relevant authorities, especially when the data is held by public bodies, contains personal data, or is protected by IP/trade secret laws.
The European Union institutions and bodies (the EU) are aware that data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general. In order to maximize the possibilities of the use of data, while safeguarding the rights of EU citizens, the European Commission has developed the European Strategy for Data, which aims at creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty.
Preliminary disclaimer: Directive 2019/770 expressly states that its content shall be construed without prejudice of data protection laws (i.e. the Data Protection Regulation (GDPR) and national laws "implementing" the GDPR). In the same sense, it also states that the content of the Directive does not change or affect any data protection principle or provision, including the GDPR. In fact, in the event of conflict between Directive 2019/770 and the GDPR, the latter will prevail.
Notwithstanding the foregoing, Directive 2019/770 has evidenced the possibility of consumers providing personal data in exchange for services, under certain conditions. Thus, a business might receive personal data provided by consumers that want to have access to digital content or services (even though this is subject to stringent requirements and privacy regulators are quite reluctant). In spite of the "negative view" held by privacy regulators, the option of providing data in exchange for digital content or services has been incorporated into Spanish consumer laws in a business-friendly way, which is very promising and makes room for future developments and business opportunities in this area.
And how does this work under the GDPR? The main compliance consideration that comes to mind is reliance on a suitable legal basis for processing. In this respect, it may be possible to rely on consent or legitimate interest. When applying any of these legal bases, companies must conduct a case-by-case assessment. As a positive note, the Spanish transposition of Directive 2019/770 expressly contemplates that the trader/data controller is allowed to terminate the contract in the event that the data subject objects to the processing or withdraws consent, respectively. We have further assessed this topic in this post.
Another example that has become recently applicable in the EU member states’ laws is the possibility to use data mining techniques in the context of the internet (e.g., through web scraping techniques) in order to collect and process massive amounts of third party information from an IP perspective (we have also written about it here).
The information that is usually available on the internet is very often subject to the protection of IP laws. The Copyright Directive is establishing a new exception to the currently existing IP laws for any player to be able to use text and data mining techniques.
The new exception would apply to the following IP rights:
Please note that this exception only covers certain IP rights and not other rights such as data protection, trade secrets, etc. Besides, the rightsholder has the opportunity to prohibit the use of data mining (e.g., it can reserve his/her rights by the use of machine-readable means, including metadata and terms and conditions of a website or a service).
The Open Data Directive establishes the possibility to re-use documents (in a broad sense) held by the public administrations together with their metadata for commercial and non-commercial purposes, where possible and appropriate, by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable. In relation to certain categories of documents, it contains even more business-friendly rules:
However, the Open Data Directive does not cover many categories of data, such as personal data, data protected by IP provisions, trade secrets, etc. This is where the incoming Data Governance Act, which is still under legislative process (we have prepared a brief post about it here), plays a very relevant role, since it aims to provide new legal tools to enable the sharing of such data.
The key elements of the Data Governance Act are:
The abovementioned possibilities can be interesting in almost every sector: the use of consumer data for profiling and product improvement, use of health data for research purposes, use of vehicle data for product optimization, property management data used for energy management and product lifecycle purposes….
These possibilities also bring new challenges to explore:
Authored by Gonzalo F. Gállego, Clara Regalado and Juan Ramón Robles