The new Information Economy, which is being accelerated by the pandemic’s impact, is based on the legally ‘fuzzy’ concept of ‘data’.
Fundamental industries in Europe, such as the automotive industry, will radically change their production and business models in the coming years thanks to real time data transmission from factories or the vehicles themselves.
Data can be defined as ‘the formalized representation of information, suitable for communication, interpretation or processing’. Data are, therefore, a symbolic representation of an attribute or variable that describes empirical facts.
From a technical point of view, Claude Shannon, an engineer at Bell Labs, published his communication mathematical theory as early as 1948, setting up the foundations for transmitting information with a minimum amount of data. It was launched without a thorough discussion of the legal nature of the information. However, concepts inherent to telecommunication service provision, such as privacy or information security, were considered from the beginning.
Data is considered to be the ‘new oil’. A single piece of data does not provide much value on its own though. It needs context. It is often necessary to process data in order to obtain information from it. Therefore, just like with ‘new oil’, data needs to be ‘refined’ and ‘transported’ to be turned into useful and valuable knowledge.
If context information (metadata) is added to raw data, for example, specifying that a number is a value for temperature being measured, this data becomes information. In turn, it is also necessary to consider a larger context so that this information is transformed into knowledge, for example, knowing it belongs to a certain place.
Arriving at this knowledge often requires to process the original data through artificial intelligence techniques already available. In this case, we are talking about both learning and end-use algorithms and models.
The aim of data regulation is to safeguard privacy and sensitive information. This concern for data protection began in the 1960s in the United States, Sweden and Germany, in parallel with progress in computing, information processing and data storage.
Personal data is a ‘highly personal right’ inherent to the individual, like the right to honor, privacy or one’s own image. ‘Personal’ data can be subject to ‘use rights’ of economic or ownership content, which can be transferred to a third party, just like with intellectual property. However, ‘moral rights’ are never waived; that is, a person’s data, such as their own image, can be held by someone, but they cannot do whatever they want with it if it affects another person. The Spanish Constitution protects digital rights as fundamental. They are defined as the right that every person has to decide on the use made of their personal data, and on who has the power to use it. In the end, personal data is another instance of property rights, only that it is applied to all circumstances concerning the person.
There are two basic business models when dealing with personal data, those that use client data to provide a better service and those that collect client data, with the approval thereof of their terms and conditions, to transfer them to third-parties or to direct advertising to these clients based on their profile, which is currently a more widely spread practice. The most common is to process the data, both to comply with regulations on anonymization, for example, and to obtain additional value.
Europe has become the great personal data protection benchmark since the implementation of the General Data Protection Regulation (GDPR) in May 2018. There are wonderful specialists in personal data processing in Spain, such as my colleague José Carlos Erdazoain at Pons IP. Today, we are faced with the challenge of defining the legal framework to regulate ‘non-personal data’, which are the basis of Industry 4.0 and the Business Information Economy, which is the title of this article.
In 2018, the European Commission adopted the framework for the free movement of non-personal data in Europe, in force as of May 28th 2019, which together with the GDPR, defines the framework for the definition of a ‘common European data space’
On November 25th 2020, the European Commission published a proposal for a regulation on data governance in Europe, called Data Governance Act (DGA). The DGA promotes Europe’s leading role in information economy based on non-personal data, primarily in relation to the industry sector. To this end, a European framework for data exchange is to be developed. The DGA is part of a European Data Strategy, which includes a Data Act to be passed by the end of 2021. Thanks to this framework, companies will be able to exploit data through intermediaries. Common spaces for data exchange, i.e., ‘Common European Data Spaces’ are platforms that promote information exchange and obtaining new information through data processing.
This type of space helps industrial companies obtain information about the operation of a certain machine, for example. SMEs will be able to create new business models based on third-party data processing, thus extending practices carried out in Open Data initiatives in large cities, for example.
We are witnessing the convergence of the industrial and digital world based on sharing data information on industrial processes through communication networks. The truth is that, until now, these data never came out of factories.
Founded on non-personal data, we have new business models based on the payment per use, predictive maintenance, or scale economies of platforms.
In order to carry out these procedures by ensuring all guarantees, the industry demands
- Safe telecommunication networks that are already being addressed from the cybersecurity viewpoint.
- A regulation that favors information exchange, such as the one promoted by the European Commission.
- A right-based application of intellectual property standards that ensure not only information privacy but also an increase in the productivity of the European industry. This issue has yet to be addressed.
The debate on the ownership of non-personal data started in Germany after the creation of the Industry 4.0 concept in 2011. German academics and regulators have examined the issue in depth and have even raised the possibility of a new kind of “property right” for data. The advocates of this idea consider that the European corpus regarding this matter is not sufficient as it is based on a civil tradition of safeguarding personal data that does not consider, for example, data generated by machines. Besides, the traditional framework is based on definitions like the single database, when, in fact, a business may handle multiple sources or public source data.
Regarding procedures for the protection of non-personal data, there are initially four options:
- Protection as copyright.
- Protection of databases as intellectual property.
- Protection as a trade secret.
- Protection of the elements of data generation.
1.- With regard to copyright, the agreements on intellectual property rights (TRIPS) of the World Trade Organization (WTO) expressly excluded data from copyright protection. However, within the framework of the ‘Single Digital Market’ initiative, the Commission paved the way for data and copyright information protection, based on the protection of copyright in media releases. Therefore, facts and news would be protected by ancillary copyright against any kind of digital use (contrary to the initial statement above, according to which data and information would be excluded from copyright protection). However, the very nature of industrial data, often generated by machines, discards the concept of copyright as inappropriate.
2.- Considering the protection of databases, the Spanish Intellectual Property Law defines databases as ‘ collections of works, data, or other independent elements that are systematically or methodically arranged and accessible individually by electronic means or otherwise’.
In accordance with the previous statement, the creativity in (i) the data ordering of a particular database, (ii) the storage, (iii) the selection criteria, etc., will determine whether it is “original” or not for intellectual property protection purposes. Consequences:
- If the database were original, it would be possible to register the database ownership under an intellectual property copyright.
- If the database were not original, it would be possible to register its ownership by a sui generis intellectual property right, which protects the investment made by the manufacturer without requiring proof of originality. We say manufacturer because the person would no longer be considered as the author.
Based on my technical expertise, I consider that this interpretation on data protection, starting from the mere protection of databases, is obsolete due to the advances in technology. In fact, the Commission has started to review the Directive on databases that is probably related to a database technology that no longer corresponds to the use of data in the context of IoT and macro data, which is characterized by real time data services. Therefore, at this point in time, it would not be the best option for protecting non-personal data either.
3.- In relation to the data protection and trade secret information, the European Directive and the corresponding Spanish Law consider that the trade secret system can initially protect any type of information that (i) is secret; (ii) has economic value due to its secrecy, and (ii) is subject to appropriate safety measures.
In the case of industrial processes based on the Internet of Things or Artificial Intelligence, the protection of trade secrets is quite flexible: it grants protection to individual pieces of information, and originality is not a requirement; it does not distinguish between the different data types that could be protected (although not all Member State laws have considered trade secrets as an open category of any confidential information); the protection is potentially unlimited in time, and protection requirements may be difficult to meet in the context of real time data processes.
The truth is that data collected by sensors or smart devices must be reused and combined with data from many device manufacturers: the secret cannot always be maintained. If a database license is granted with confidentiality restrictions to multiple companies in a particular industry, it may become ‘widely known’ within relevant fields.
In terms of commercial value, it is not clear if individual data generated by interconnected machines and devices can have commercial value as individual data or not. Instead, a lot of data might be considered valuable only if they are part of larger data clusters. Moreover, it is quite doubtful that raw data has any value “per se”, or rather only potential value. This analysis might be related to the industry (e.g., personal data tends to have high commercial value in the context of behavioral advertising and macro data). Finally, it may be argued whether it will always be possible to establish a causal relationship between information secrecy and commercial value or not.
Data must be shared among the different players in the data value chain and must be subject to adequate protection measures to maintain secrecy. The Directive does not provide any guidelines on possible reasonable steps (this assessment must be made according to the circumstances). However, it is possible to rely on confidentiality agreements as safety measures, at least in some jurisdictions. However, it may be particularly difficult to assign protection tasks to a single player controlling a trade secret when multiple data players interact.
Regarding ownership, the Directive establishes that the owner of a trade secret is the person who controls the information in accordance with the law. However, it grants an effective control right over data (by protecting against de facto “ownership”), while remaining neutral about information ownership. In fact, it does not establish a system of property rights (although it lets Member States establish provisions with a greater scope as well as grant data property rights). It must be taken into account that many agents are involved in an industrial production chain and that it is difficult to define this ownership concept. In the last few months, we have switched from avoiding these points in agreement negotiations to defending data ownership tenaciously, which will lead to the creation of models for sharing generated information.
Considering the scope of protection, the Directive does not go so far as to establish a new absolute intellectual property right for trade secrets. In fact, this protection is relative, i.e., only protection against wrongful appropriation. Independent findings of the same information and reverse engineering are legal. The Directive provides resources against third-party recipients of data in the event that they know or ought to know that the person transferring such data is not authorized to do so. It may be considered that this protection measure suits better the purposes of data economy by focusing on the specific way in which a third party unlawfully acquires access to data, thus creating a more flexible property system (within the limits described above).
According to this approach, the protection of non-personal data as a trade secret would, in fact, make sense if this information is not intended for publication, for example, in the common data spaces promoted by the European Commission.
4.- The last point regarding the ownership of non-personal data is related to the procedures that are implemented for obtaining and processing data. These mechanisms would be the “refinery” that handle raw data to be processed, and we can resort to intellectual property laws to know the ownership and the right of use of the “refinery” that transforms raw data into processed data. In this case, we would be talking, for example, about patents on algorithms or data collection procedures. This approach would be the most suitable one at this time. I understand that industrial data generation is a continuous process and that the data generation procedure would be more valuable than data itself.
Thanks to my dual role as an advisor to two leading companies in their fields (ASTI, the largest European mobile robotics company, and Pons IP, the largest intellectual property agency in Spain), I get the opportunity to have a strategic vision of intellectual property every day and help promote knowledge exchange. Recent times have highlighted the strategic value of the industry for Europe. Well, now, we have the opportunity to promote a productive network that creates new businesses arising from an efficient information exchange. The industry is loose regarding information confidentiality and productive process control. Therefore, it is necessary to establish, from the intellectual property viewpoint, a clear framework for knowledge exchange and value generation. Europe, particularly Spain, can lead this way.
Luis Ignacio Vicente. Strategic Counsel PONS IP.