Statement
Public consultation on the EU Data Act Transparency register number: 1771817758-48
Federation of German Industries (BDI)
3 September 2021 01.2019
BDI statement on the EU Data Act in the public consultation
Table of Contents
Table of Contents .......................................................................................... 2 Preliminary note ........................................................................................... 3 1.
Business-to-government data sharing for the public interest ................ 5
2.
Business-to-business data sharing ......................................................... 6 2.1.
"In full compliance with applicable legislation" ........................... 6
2.2.
Fairness test for all B2B contracts (incl. sample contract clauses) 7
2.3.
Horizontal data access modalities ................................................. 8
4. Clarifying rights on non-personal Internet-of-Things data stemming from professional use .................................................................................... 8 5.
Improving portability for business users of cloud services ................... 8
6.
Complementing the portability right under Article 20 GDPR .............. 9
7.
Intellectual Property Rights - Protection of Databases ......................... 9
8.
Safeguards for non-personal data in international contexts ................ 10
2
BDI statement on the EU Data Act in the public consultation
Preliminary note The EU Commission rightly points out that the considerable potential for value creation in the handling of non-personal data is not yet being exploited. The fact that many companies still have some catching up to do in the economic use of data is demonstrated by a representative study commissioned by the BDI entitled "Data Economy in Germany" 1. Of the approximately 500 companies surveyed, only a total of 28 percent could be classified as „digital“ with regard to their own data management. 23 percent of the companies surveyed stated that they regularly search for new data sources and possible applications as part of a strategic process. 45 percent of the companies surveyed do not use data at all to optimize products or business models. Mirroring this, only 12 percent of the companies surveyed are willing to share their own data with third parties. The above considerations should not, however, obscure the fact that many companies - especially small and medium-sized ones - lack the ability to participate in the data economy in the absence of structured data management. However, there are a large number of companies that show a great willingness to share data, but in practice refrain from exchanging data with other companies because of too much (legal) uncertainty. This is where the EU Commission should take action in the Data Act. With the Data Act, the EU Commission is looking at a whole series of projects in different areas of law to increase the use and sharing of data. In the view of the BDI, however, this initiative, which is worthy of support in principle, should be based more on an evidence-based approach. There are currently no general imbalances or gaps in the legal framework that structurally impede the exchange of industrial data. On the contrary, many new initiatives are currently emerging within Europe, such as the European cloud project Gaia-X, with which the establishment of European data ecosystems is being developed, thus strengthening the trust that is sometimes lacking in the B2B sector. Strong political intervention within the framework of the Data Act threatens to impair these positive developments in industrial data exchange. This harbours the risk that the uncertainty of all players will increase further, which could have a counterproductive effect on the necessary innovative strength of companies and thus also on the objectives of the EU Commission in establishing an EU internal data market.
1
Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available here: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirts chaft-in-deutschland/.
3
BDI statement on the EU Data Act in the public consultation
Any legislative intervention needs to take into account that non-personal industrial data relies on prior investments in data collection, storage and structuring. The development and implementation of networked industrial plants requires high investments and is knowledge-intensive. An Industry 4.0 solution is composed of sensors, actuators, connectivity, data concepts and often customized service offerings. Industrial data is not a free good and markets need to provide sufficient incentives for investments in connected machines and data-based services. The regulatory framework must protect these investments. BDI believes that freedom of contract must be the guiding principle of the Data Act. Below we comment on each of the projects using the Inception Impact Assessment (IIA) and the public consultation questionnaire:
4
BDI statement on the EU Data Act in the public consultation
1. Business-to-government data sharing for the public interest In the area of B2G data sharing, the BDI still considers voluntary cooperation to be preferable to access obligations for data in the „public interest“. A structural (market) failure that would justify legislative intervention in the form of an access obligation is still not discernible here.2 The COVID 19 pandemic has made it clear that a large number of companies from a wide range of sectors are already cooperating very unselfishly and successfully with public authorities. Against this background, the BDI also considers the EU Commission's justification for a possible introduction of a statutory data access obligation in the Inception Impact Assessment to be questionable, insofar as commercialisation interests of companies are cited as the reason for the lack of willingness to cooperate on data with the public sector. In fact, by successfully offering data-based services and business models, many companies open up opportunities for public authorities to participate in the knowledge gained from them. In this respect, the EU Commission's assumption that a lack of data from companies is the reason for the "limited ability of the public sector to develop data models itself"3 is not substantiated. This ignores the fact that the skills, knowledge and resources to pursue datadriven innovation within the public sector are still largely underdeveloped. Rather, the public sector should take the recent - and very good - initiatives on open data and the re-use of public sector information (PSI Directive) and the proposal on European Data Governance (Data Governance Act) as an opportunity to better process its own public data and make it available to the public. Should the plans for B2G data sharing obligations nevertheless be implemented, it is imperative that the scope of the „public interest“ must be clarified and specified, and that a careful weighing of costs and risks be carried out. Such narrowly defined use cases are conceivable, for example, in the area of security or the protection of life and limb, but must be clearly defined in a context-specific manner. In addition, such a data sharing obligation must be accompanied by an adequate compensation mechanism that appropriately acknowledges the often time-consuming data preparation and analysis on the company side. The compensation regulations proposed in the report of the high-level expert group on B2G are a good basis for this. The EU Commission should continue the stakeholder dialogue here.
2
This was also confirmed, for example, by the European Commission itself in its Communication from 2018 (SWD (2018) 125), which issues corresponding guidance in the B2B, B2G area: "A broad stakeholder dialogue was conducted on the basis of that Communication. It concluded that the issue at stake did not justify horizontal legislative intervention at this stage and that guidance would be more appropriate." 3 IIA, P. 2.
5
BDI statement on the EU Data Act in the public consultation
In addition, B2G data sharing obligations must be designed to be both legally secure and practicable. This applies first and foremost to personal data in the form of legally secure and practicable guidance on the adequate anonymisation and pseudonymisation of personal data. Analogous to the discussions in the ongoing procedure on the Data Governance Act, it is completely unclear for companies in practice which technical measures are required for sufficient anonymisation of personal data. In addition, corresponding obligations should be addressed exclusively to „data „controllers“, so that „data processors“ are not forced to disclose customer data to public authorities contrary to their contractual obligations. 2. Business-to-business data sharing Particularly within the very heterogeneous industrial landscape with very different business models, the common rights and obligations in the use and exchange of data can best be solved through specific contractual agreements between companies. In the view of the BDI, freedom of contract must continue to be the guiding principle in the use and exchange of data, so that legislative intervention in the principles of freedom of contract in the form of a restriction of private autonomy should be clearly avoided. 2.1.
"In full compliance with applicable legislation"
The EU Commission should take the Data Act as an opportunity to clarify existing uncertainties in industrial application practice, especially with regard to competition and data protection issues. A major obstacle to data sharing is the large number and lack of standardisation of agreements and licences for data exchange. This is where Open Data agreements such as Community Data License Agreements can help. Standardized data license agreements can facilitate collaborative approaches to data sharing and reduce transaction costs. At the private-sector level, companies enter into data partnerships and data cooperations with each other to ensure secure access to data that promotes innovation. In addition, companies and such collaborations often make data available to the public, sometimes free of charge. In order to promote such cooperations, the legislator should create greater legal certainty for cooperations for the exchange of data between competitors by clarifying regulations in antitrust law. Due to the principle of self-assessment of exemption requirements in European antitrust law, companies are exposed to great legal uncertainty in this area, which leads to great reluctance in practice in view of the drastic sanctions threatened in the event of an antitrust violation (e.g. fines and damages payments). There is also great practical uncertainty in business practice with regard to the separation of personal and non-personal data. According to the study commissioned by the BDI on the current situation of the data economy in
6
BDI statement on the EU Data Act in the public consultation
Germany, 85 percent of the companies surveyed generally describe „grey zones under data protection law“ as an obstacle to the economic use of data.4 Against this background, the EU Commission should take the Data Act as an opportunity to look at possible development and facilitation potential in the General Data Protection Regulation (GDPR), for example in the processing principles, the permissive facts or the transparency obligations. In addition, companies need reliable and practical guidance on the application and interpretation of the GDPR. This applies, for example, to guidance regarding the requirements for data protection-compliant anonymisation of personal data. For German industry, there is no question that the regulations standardised in the GDPR and the freedoms protected by fundamental rights, in particular the right to informational self-determination of the individual, are important cornerstones for the high level of data protection that Europe can boast in an international comparison. This is the reason why many industrial companies have a strong interest in working to a much greater extent with anonymised data. With regard to the legislative requirements, it should be noted that the GDPR does not contain any specific requirements for the anonymisation of personal data. Due to the resulting legal uncertainty and in the absence of uniform standards companies often refrain from anonymisation-projects at present. In order to be able to exploit the economic potential of anonymised data and at the same time maintain the high level of European data protection, the BDI believes that legally secure and at the same time practicable requirements for anonymising personal data in accordance with data protection law are of central importance. 2.2.
Fairness test for all B2B contracts (incl. sample contract clauses)
In order to unlock the great innovation potential of the European data economy, it must be possible to share data voluntarily. Under the principle of freedom of contract, companies must be free to decide, within the limits of the law, with whom and under what conditions they share non-personal data, whether through contractual agreements, private sector data partnerships or a voluntary open data approach. Across the industry, there are numerous good examples of data-driven business models that have emerged based on entrepreneurship and freedom of contract for the mutual benefit of all stakeholders. With regard to the „B2B fairness test“ planned by the EU Commission, there are major doubts about its practicability in a complex and very heterogeneous application practice. It is already unclear with regard to the potential scope of the regulation in which circumstances a stronger bargaining power of a contracting party exists and how such a power is to be determined at all. From 4
IW study commissioned by the BDI, op. cit.
7
BDI statement on the EU Data Act in the public consultation
BDI's point of view, it is not sufficiently clear whether B2B data exchange is structurally impeded by a fundamental fairness problem, so that horizontal regulatory intervention does not appear to be justified. The role of the EU Commission should rather be limited to measures that promote data exchange and lead to a data ecosystem in which, for example, voluntary, dispositive model contract terms play an important role. In this context, the contracting parties must also have the possibility to legally agree on divergent provisions. In the potential development of model contract clauses, however, it is imperative that these be developed together with industrial application practice. 2.3.
Horizontal data access modalities
Horizontal modalities appear useful to ensure a coherent framework in case of possible sector-specific data access claims. At the same time, only very abstract rules (such as definitions and basic principles) may be adopted here, which concern in particular issues relating to the handling of data with third party IPRs. In B2B areas and where B2B data exchange is not possible under EU competition law or the possibility is not clear, more legal clarity should be created through adjustments so that the exchange of data is not prevented by EU competition law. 4. Clarifying rights on non-personal Internet-of-Things data stemming from professional use If the introduction of a data usage right is planned in the case of „co-generated data“, clear specifications are required with regard to the scope of the data access claims to be derived from this. Once again, contractual regulations must take precedence. It is unclear how the legislator intends to map the complexity of (data) value chains. Under no circumstances should contractbased „bottom-up“-regulations be restricted by legislation. 5. Improving portability for business users of cloud services BDI agrees with the EU Commission that a high level of interoperability and data portability are crucial for the development of an EU single data market. In principle, we welcome the EU Commission's intention to consider certain transparency obligations for all cloud service providers operating in the EU internal market. However, these obligations must ensure a level playing field. In order to ensure portability between different cloud service providers, the EU Commission has set up the "SWIPO" project on the basis of Art. 6 Regulation (EU) 2018/1807 to develop corresponding codes of conduct. In this context, the ISO 19441 standard on cloud interoperability and portability is also of particular relevance. Only last year, the „Infrastructure-as-a-Service (IaaS)“ and „Software-as-a-Service (SaaS)“ codes of conduct jointly
8
BDI statement on the EU Data Act in the public consultation
developed by cloud service providers and cloud users were published as part of this project. Both codes are intended to help prevent "vendor lock-in". Given the short duration of the SWIPO codes, it would be too early to fully assess their impact and effectiveness and to consider further legislative action. Instead, the EU Commission should support ongoing industry efforts to develop voluntary standards for data taxonomy, data exchange, data quality and record descriptions, and further promote open interfaces for data access. Close cooperation with European and international standardisation bodies as well as fora and consortia are particularly relevant for the development of market-oriented standards. Furthermore, the dialogue with the open source community should be continued. On the other hand, a more far-reaching legal specification of the requirement for all cloud service providers to use only certain technologies or data formats in future could restrict the choice for customers and slow down the development of more innovative offerings. 6. Complementing the portability right under Article 20 GDPR If a further development of Article 20(1) of the GDPR is considered, it should be clarified that the “provision” of the controller when exercising the right to data portability does not extend to data automatically generated by the service when the data subject uses the service (e.g. log files, traffic or location data). 7. Intellectual Property Rights - Protection of Databases BDI points out that a substantial change to the existing regulations would be rather critical, especially in view of the Database Directive 96/9/EC. A separate „data IP law“ has been intensively discussed in recent years. However, such a law would cause more problems than it would bring advantages. If, for example, a new IP law were to be created, there would again be the danger of valuable data being shielded by pooling, similar to patent pools, in the context of which, with a view to accessibility for everyone, discussions similar to those currently taking place in the case of standard-essential patents would then have to be conducted in advance, if necessary. Liability issues would also arise immediately: Who is liable for ensuring that the relevant reference database is statistically correct and representative? It would also be unacceptable for the existing important regulations on databases and the protection of trade secrets to now be watered down in order to ensure better access for third parties. A restriction or amendment of the provisions of Sections 87a et seq. of the German Copyright Act or the provisions on the protection of trade secrets is also not appropriate. Both the provisions on database protection in the German Copyright Act and the provisions on the protection of trade secrets do not protect data per se, but rather the rights of the owners. Restricting these
9
BDI statement on the EU Data Act in the public consultation
rights would therefore extend beyond data access. There would be a risk that the rights of the owners would be unduly restricted here. As a general warning, it must be noted that it will be very difficult to find an appropriate wording in the definition of access rights to data that can be interpreted and applied with legal certainty. This has already been pointed out in the discussion on the introduction of an IP right to data. All in all, it should be noted that the protection of data is currently regulated in a scattered manner in a number of special legal norms. However, these regulations fulfil their purpose and provide a balance between the protection of right holders and the interest of data users. Any current shortcomings in the use of data are therefore not due to a lack of protection by intellectual property rights or copyright. The content of the existing regulatory framework should therefore not be changed. 8. Safeguards for non-personal data in international contexts In order to ensure a level playing field, the envisaged transparency measures should in principle apply to all cloud computing service providers active in the EU internal market, regardless of their headquarters. Furthermore, the introduction of additional legal, technical and organisational measures must take into account the different business models of cloud computing service providers and their existing technical and organisational data protection measures and processing practices. Here, the EU Commission should continue to engage in dialogue with cloud computing service providers and include existing protection measures of the providers, such as confidential computing, homomorphic encryption and „keep-your-own-key“.
10
BDI statement on the EU Data Act in the public consultation
About BDI The Federation of German Industries (BDI) communicates German industries’ interests to the political authorities concerned. She offers strong support for companies in global competition. The BDI has access to a widespread network both within Germany and Europe, to all the important markets and to international organizations. The BDI accompanies the capturing of international markets politically. Also, she offers information and politico-economic guidance on all issues relevant to industries. The BDI is the leading organization of German industries and related service providers. She represents 40 inter-trade organizations and more than 100.000 companies with their approximately 8 million employees. Membership is optional. 15 federal representations are advocating industries’ interests on a regional level. Imprint Federation of German Industries (BDI) Breite Straße 29, 10178 Berlin www.bdi.eu T: +49 30 2028-0 Editor Dr. Michael Dose Senior Manager Department "Digitalisation and Innovation“ T: +49 30 2028 1560 m.dose@bdi.eu
BDI document number: D1440 Transparency register number: 1771817758-48
11
