Anonymised app data silos impede movement
EU policy makers are considering introducing a new licensing regime for anonymised “machine-generated data”.
It is one of the options the European Commission said could be introduced to facilitate greater access to the ever-growing volumes of data generated by “computer processes, applications or services, or by sensors processing information received from equipment, software or machinery, whether virtual or real”.
The options were outlined in a new Commission communication on building the European data economy, which was accompanied by an online consultation.
The paper was also published alongside other plans relevant to the use of data, including a draft new e-Privacy Regulation and a communication on exchanging and protecting personal data in a globalised world.
At the moment, much of the data that is generated is retained and analysed in “silos” by the generators of that information, the Commission said.
This makes it difficult for businesses and organisations to extract the maximum value from that data, it said.
The Commission said it intends to discuss how to address the issue with EU countries.
A data licensing regime is one option that could be developed depending on the outcome of those discussions, the Commission said.
“A framework potentially based on certain key principles, such as fair, reasonable and non-discriminatory (FRAND) terms, could be developed for data holders, such as manufacturers, service providers or other parties, to provide access to the data they hold against remuneration after anonymisation,” the Commission said. “Relevant legitimate interests, as well as the need to protect trade secrets, would need to be taken into account.”
“The consideration of different access regimes for different sectors and/or business models could also be envisaged in order to take into account the specificities of each industry.
For instance, in some cases, open access to data (full or partial) could be the preferred choice both for firms and for society,” it said.
Other options that could be taken forward include potentially developing new guidelines to incentivise businesses to share the non-personal data they have and granting public bodies special rights of access to data where this is in the “general interest”. New default contracts rules could also be set to facilitate access to data in accordance with benchmarks that account for the different bargaining positions that businesses in the market have, the Commission said.
It also said a new “data producer’s right” could be introduced.
“A right to use and authorise the use of non-personal data could be granted to the ‘data producer’, i.e. the owner or long-term user (i.e. the lessee) of the device,” the Commission said. “This approach would aim at clarifying the legal situation and giving more choice to the data producer, by opening up the possibility for users to utilise their data and thereby contribute to unlocking machine-generated data.”
“However, the relevant exceptions would need to be clearly specified, in particular the provision of non-exclusive access to the data by the manufacturer or by public authorities, for example for traffic management or environmental reasons. Where personal data are concerned, the individual will retain his right to withdraw his consent at any time after authorising the use. Personal data would need to be rendered anonymous in such a manner that the individual is not or no longer identifiable, before its further use may be authorised by the other party.
Indeed, the GDPR continues to apply to any personal data (whether machine generated or otherwise) until that data has been anonymised,” it said.
In its paper, the Commission also said it wants to deliver “meaningful portability for non-personal data”.
The GDPR will introduce data portability obligations in respect of some personal data.
The Commission said similar data portability rules to those in the GDPR could be established for non-personal data.
Alternatively, it could develop “standard contract terms requiring the service provider to implement the portability of a customer’s data”.
The Commission said it is also looking to determine whether existing EU product liability rules “remain appropriate for emerging technologies such as IoT (the internet of things) and autonomous connected systems”.
It has opened a separate consultation on the issue, which is open until 26 April.
The Commission said that in future, it could decide to assign liability to businesses on the basis that they generate “a major risk for others”, or because they are “best placed to minimise or avoid the realisation of such risk”.
It said it could also introduce “voluntary or mandatory insurance schemes” that align with those new liability rules.
“[The insurance schemes] would compensate the parties who suffered the damage (e.g. the consumer),” the Commission said. “This approach would need to provide legal protection to investments made by business while reassuring victims regarding fair compensation or appropriate insurance in case of damage.”
The UK government recently set out how it intends to address the issue of insurance pay-outs to innocent victims of collisions involving driverless cars, and the underlying liability for those incidents.
The Commission’s paper also referenced its concerns about unjustified restrictions on where data is stored and processed.
It said the removal of those restrictions could deliver an €8 billion boost to the EU economy, as well as provide for substantial environmental benefits.
It said “data localisation” measures are a barrier to “the wider adoption of cloud storage and computing” and that “a more efficient use of IT resources could contribute to the reduction of energy consumption and carbon emissions by net 30% or more”.
“The global energy-efficient data centre market is expected to grow to almost €90 billion by the end of 2020,” the Commission said. “A fragmented data services market would hinder the full development of these more energy-efficient services in the EU and also put at risk the willingness to invest.”
The Commission said a new “principle of free movement of data within the EU” should guide decision making by EU countries affecting data storage or processing.
Observing that principle would serve as “as a corollary of their obligations under the free movement of services and the free establishment provisions of the Treaty [on the Functioning of the EU] and relevant secondary legislation”, it said
“Any current or new data location restrictions would need to be carefully justified under the Treaty and relevant secondary law to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security,” the Commission said.
“The principle of free movement of personal data enshrined in primary and secondary law should also apply in the cases where the GDPR allows member states to regulate specific matters. Member states should be encouraged not to make use of the opening clauses in the GDPR to further restrict the free flow of data,” it said.
The Commission said it could “launch infringement proceedings” against EU countries that do not respect the principle, and that it “may also take further initiatives on the free flow of data” if it deems it necessary to “address unjustified or disproportionate data location measures”.
Copyright © 2016, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Want to know more about Privileged Access Management? Visit The Register’s hub