7 minute read
1.2. Definitions
important cornerstones for the high level of data protection that Europe can boast in international comparisons. For this reason, many industrial companies have a great interest in working with anonymised data to a much greater extent. With regard to the legislative requirements, it must be stated that the GDPR does not contain any concrete requirements for the anonymisation of personal data and the Data Act will further exacerbate the already existing uncertainties in practice. Due to the resulting legal uncertainty and the lack of uniform standards, companies often refrain from participating in this project at present. In the IW Cologne study "Data Economy in Germany", 73 per cent of companies cited "a lack of standards for the anonymisation of personal data" as an obstacle to greater economic use of data.5 In order to be able to use the economic potential of anonymised data and, at the same time maintain the high European level of data protection, the BDI believes that legally secure and, at the same time practicable requirements, for example via the possibility of codes of conduct in accordance with Article 40 of the GDPR, are of central importance for data protection-compliant anonymisation of personal data. Corresponding guidelines should be developed in close consultation and cooperation with industry and build on best practices.6
1.2. Definitions
A fundamental problem of the Commission's proposal is that key terms are either not defined at all, or are defined with little clarity. In this respect, the Data Act-E leaves considerable room for interpretation regarding the scope of application and the practical reach of many regulations, which leads to great uncertainty in practical application. From an industrial perspective, the definitions in Art. 2 DA-E harbour the risk of leading to more legal uncertainty and thus less value creation. Therefore, the central definitions should not only be mentioned in passing in the recitals, but should be specified directly in Art. 2 DA-E.
Art. 2 (1) DA-E "Data": The definition of "data" is conceivably broad and very imprecise in view of the numerous specifications - especially with regard to the data provision obligation in Chapter II. After all, the data obtained in machines and then files generated are by no means homogeneous. Data originating from industrial machines may differ in terms of processing (raw vs. analysed or processed data), disclosure of trade secrets and knowhow, and the commercial and technical feasibility of making them available.
5 Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available at: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirts chaft-in-deutschland/. 6 Cf. BDI guideline "Anonymisation of personal data", 2020, available at: https://english.bdi.eu/publication/news/anonymization-of-personal-data/.
It is also unclear when the threshold of "information derived or inferred from this data"(recital 14), which is not subject to the Data Act, exists.
The present definition will lead to great uncertainty in application practice as to which (non-)personal data are covered by the data access claims of Chapter II. In order for the positive effect intended by the EU Commission for a fair data allocation to occur at all, such a differentiation must not be left to the companies themselves. In order to ensure practicability and legal certainty for all actors, the Data Act must provide for a differentiated treatment of "data", taking into account the type of data, as well as the feasibility and side effects of its provision (e.g. in files or databases).
It must be clearly determined whether only raw data is covered and only data actually used by the "data holder" for its own business transactions is affected and no volatile data is included in the definition. In addition, it must be ensured that no (warranty and/or liability) claims arise due to its nature (data "as it is").
Art. 2 (2 and 3) DA-E "product" and "related service": It remains unclear which components (e.g. sensors) and functions of a physical asset fall under the definition of a product, especially in view of the accompanying recitals 14 and 15. In industrial applications, individual components cannot collect data spontaneously, but only on the basis of their special and individually tailored configuration by the respective user or the engineering provider commissioned by him. However, it follows from recital 15 precisely that products that collect relevant data only on the basis of human input, do not fall within the scope of the Data Act. Against this background, it would therefore be desirable that (1) the additional requirement of "human input" be included in the product definition and (2) industrial applications (such as industrial controls as well as industrial PCs) be included in the examples of Recital 15 for the sake of clarification. Especially industrial components can only fulfil their functions on the basis of certain human input configurations of the user. In addition, it would be desirable to clarify whether the individual component must already be able to fulfil the technical requirements independently due to its design, or whether it is sufficient that the technical requirements are fulfilled in interaction with other independent modules. For example, an industrial controller does not establish its own network connection by default, but can only do so if the user connects an additional network module. Furthermore, it is unclear whose perspective should be decisive in the assessment of the individual requirements of Art. 2 (2) DA-E. Clarification is necessary here because this would have a direct impact on Chapter II and any obligation to provide data. Furthermore, the definition of "related service" in Art. 2 (3) DA-E urgently needs to be clarified. Given that the focus of the article is on product manufacturers as well as their services offered with the products, only physical products as well as their core functions should also be covered by it. Otherwise, virtually any kind of "related services" provided by any market participant would fall under the
scope. Data services that use data of a product but are not directly linked or sold with the product should thus be excluded from the scope.
The legislative proposal lacks a definition of "competing product". This is mentioned in recital 35 and is of great importance for the economy/fair competition, as Art. 6 (2 e) DA-E contains specifications in this regard. In the absence of a definition, it remains unclear whether "competing product" only refers to products in the sense of Art. 2 (2) DA-E, i.e. only physical and movable objects, or whether the understanding of the term also covers "connected services", i.e. software and data-driven services, beyond Art. 2 (2) DA-E. The prohibition on using data obtained from the data holder for the development of a competing product should apply not only to products, but also to related services and virtual assistants. There is no obvious reason to limit the scope of such a prohibition in Art. 6 (2e) DA-E to products, while the data can also be obtained by connected services and virtual assistants. An understanding based on Art. 2 (2) DA-E entails the risk that competitors could benefit indirectly by developing (software-driven) products/services on the basis of the extracted data, which would then in turn compete directly with the original product/service.
Art. 2 (5 and 6) DA-E "user" and "data holder": The legislative proposal gives the impression of a very simplified, dichotomous, and not practical understanding of the relationships between producers and customers in many areas of industry. The draft does not take into account that in multilateral and -directional value creation networks, the "user" of a physical asset is also and in many industries even as a rule - the "data holder". As far as the DA-E states in its introduction that "the manufacturer or designer of a product or related service typically has exclusive control over the use of data generated by the use of a product or related service" (cf. p. 13 of the DA-E), this cannot claim validity for the industrial sector in all cases. The equation "manufacturer = data holder" does not reflect the industrial reality in many cases. Against this background, the terms "user" and "data holder" must be clarified in accordance with industrial practice. There is also a need for clarification to the effect that the "user" is defined in accordance with recital 18 via a corresponding contractual relationship. This is not expressed clearly enough according to Art. 2 (5) DA-E by the wording "or receives a service", but should rather be replaced by "or makes use of a contractual service". In order to ensure legal certainty, it should also be made clear that there can be several "users".
Clarifications are also necessary with regard to the definition of "data holder" . The definition of data holder appears to be at least partially circular, as the DA-E itself defines the term "data holder" as "the right or obligation, in accordance with this Regulation (...) to make available certain data" (cf. Art.2 (6) DA-E). Thus, it currently remains unclear whether the "data holder" is the one who produces the product (which in many cases does not reflect the industrial practice) or rather the one who holds the control over the data -
