New guidelines on data ownership and liability could be issued to address 'internet of things' phenomenon

Out-Law News | 04 Jul 2014 | 10:43 am | 4 min. read

New EU guidelines on data ownership and liability could be published to address issues arising from the increasing volume and use of data that is anticipated as part of the 'internet of things' (IoTs) phenomenon.

In a new communication which outlines a vision for data to be a driver of growth in the EU (12-page / 110KB PDF), the European Commission said that it would consult on whether such guidance is necessary in light of the increasing interconnection of devices and the associated rise in the creation and flow of data between those machines – loosely defined as the IoTs.

"The Commission will launch a consultation and expert group to assess the need for guidance on specific issues of data ownership and liability of data provision, in particular for data gathered through IoT technology," the Commission said in its communication paper.

The Commission said that "digital data, computation and automation" is driving a "new industrial revolution". It said the collection and processing of data is now happening "on an unprecedented scale" and is leading to the development of "new products and services as well as new business processes and scientific methodologies".

Munich-based technology law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said there are a number of data ownership and liability issues that need to be resolved in the context of new 'connected cars'. 'Connected cars' is a term used to refer to vehicles fitted with SIM cards that allow real-time information to be transmitted over communication networks between those vehicles and information providers or even between vehicles themselves.

"Connected cars boast a number of sensors that generate data which can provide insight into the performance of a car and highlight potential defects to original equipment manufacturers (OEMs) before they materialise," Appt said. "There is, however, currently uncertainty about whether the car owner can always preclude third parties such as OEMs, car shops and others from accessing the data generated by those sensors on the basis that the data belongs to the owner of connected cars once a sale of that vehicle has been completed."

"An alternative view may be that OEMs can find arguments for having obtained database rights in the data because of the investment they have made, or that they have retained ownership in data-generating devices in the car that they might have specifically excluded from the sale at the time. Further restrictions certainly arise when personal data is concerned," he said.

"OEMs are keen to get hold of that data but a lack of clarity on data ownership creates legal risk for the companies which may stifle innovation," he said. "There are also a range of issues around liability that arise in a connected car setting should data not flow as intended across a network or security safeguards against external tampering or even cyber attacks prove to be insufficient."

Appt said that "adopting an open data approach" to big data and the IoTs could help alleviate some legal issues that could arise around access and proprietary rights to data.

"It could be argued that moving towards an open data approach for data generated by IoTs technology could avoid issues around unfair competition," Appt said. "Making data available to those to use in the interests of fostering new ideas and services would help to avoid monopolies emerging around access rights to data. With data likely to become an increasingly important asset, having monopoly rights to data and restricting rivals' access to that data under certain circumstances could be interpreted as a breach of competition rules."

In its paper the Commission said that the data revolution holds "enormous potential" for EU businesses to tap into, in sectors such as health, energy and transport but that the trading bloc is lagging behind the US both in terms of embracing opportunities and in "industrial capability".

The Commission identified shortcomings in data research projects and how the results of the research is being developed and said other barriers facing EU companies in realising the potential of using data to grow include a "shortage of data experts able to translate technology advances into concrete business opportunities", a complex legal environment and a scarcity of interoperable datasets and "enabling infrastructure" for companies to tap into.

To address these issues, the Commission outlined a number of actions. It stressed the importance of implementing an updated data protection law framework in the EU as well as introducing new rules on network and information security, both of which are currently the subject of drafting by EU law makers.

In particular it said it would seek to ensure businesses receive sufficient guidance on anonymising and pseudonymising data sets that include personal information, as well as on minimising the amount of data they collect following the adoption of the anticipated new EU data protection laws. Support will also be offered to research into "technical solutions that are privacy-enhancing 'by design'", the Commission said.

The Commission also announced that it would consult on plans to give users better control over their data through "cloud-based technologies".

New guidelines will also be proposed on how "security risks" associated with the increasing volume of data being created can be managed and reduced, the Commission said. The guidelines to be issued will address "good practices for secure data storage", it said.

The Commission said it would look to develop a "contractual Public-Private Partnership" (cPPP) with businesses on data in a bid to "develop incentives to share datasets between partners and mechanisms to facilitate knowledge and technology transfers".

A "European network of centres of competence to increase the number of skilled data professionals" will also be created as will an "open data incubator" to "help SMEs set up supply chains based on data, promote open or fair access conditions to data resources, facilitate access to cloud computing, promote links to local data incubators across Europe and help SMEs obtain legal advice", it said.

The Commission also said it would promote industry-led development of more open standards to encourage data to be exchanged and that it is in the process of writing "guidelines on recommended standard licences, datasets and charging for the re-use of documents". In addition, it said it would look to establish a new network of "data processing facilities" across the EU in a bid to make the most of datasets held by public bodies.

The Commission also said that funding will be provided to research into how cloud computing solutions can be best configured and used "for data analytics and advanced infrastructures and services".