Legal issues of data exchange in the IDS

2nd IDSA Summit, Task Force Legal Framework

25 June 2019, Bonn

Dr. Alexander Duisberg, Partner

Slide 2

International Data Spaces Association

Source: International Data Spaces Association 2019, "Datenmanagement und Datensouveränität" Prof. Dr. -Ing. Boris Otto

Service platforms

Connected physical platforms

Technological infrastructure

Smart Services

Smart Products

Smart Spaces

Overview

• Data – the new resource

• Protecting data base & know-how

• Data transactions

• Data privacy and data security – always an issue

• Conclusion

Data – the new resource

Slide 4

Data – information/knowledge – value creation

• Individual data entries raw data (e.g. sensor data)

• Content-/context level metadata

- Descriptive nature and/or proprietary content

- "20°" vs. "20° celsius, 25 June 2019, 4:30 pm, Deutsche Telekom Campus Bonn"

• Context orientation and differentiation via metadata

Value through data collections

Slide 5 "Images are used for educational and study purposes only"

Protecting database & know-how

Slide 6

Protecting database

Systematical or methodical order

• Data can be stored in an unsorted manner

• Electronic access to individual elements

• Constituent combination with a search system is key

Slide 7

Two-fold database term

Data storage

Search system

EU Trade Secret Directive (2016/943)

Towards a better framework

• Implementation of Trade Secrets Directive (EU 2016/943)

• Civil redress against unlawful disclosure etc.

• Protects information of commercial value, because it is secret

• Trade secret holder must have implemented reasonable measures to keep secret

Technical protection of trade secrets

• Technical and organizational measures

• Encryption and other technical safeguards

• Role and function of IDS Connector

Slide 8 "Images are used for educational and study purposes only"

Protecting know-how when you share?

Confidentiality agreements (NDA)

• Common standards

• Technical security essential!

• Lawful exemptions (prior knowledge, etc.)

• Contractual safeguards and penalties

Enforcement of know-how infringement

• Not an easy game

• Different legal systems wrt providing evidence

It's all in the metadata!

Slide 9

"Images are used for educational and study purposes only"

Data transactions

Slide 10

Data Transactions

General objectives

• Usage rights in data base (incl. structured data) and/or unstructured data

• Protection against unauthorized modification

• Indemnification towards data suppliers

• Limitation of liability for transfer/licensing-out

Prior to data transactions due diligence

• Data origin

• Third-party rights

• Access rights through regulation

• Privacy compliance

Slide 11

Risk assessment

"Images are used for educational and study purposes only"

Corner stones of data(base) transactions

• Purchase-, rental-, services or works contract?

• Compensation models

• Scope and deliverables

• Authorized usage and reproduction / copying

• For licensing-out: prohibit significant changes

• Privacy compliance

• Warranty and liability

• Exit and returning data

Slide 12 "Images are used for educational and study purposes only"

Slide 13

International Data Spaces Association

Source: International Data Spaces Association 2019, "Datenmanagement und Datensouveränität" Prof. Dr. -Ing. Boris Otto

Service platforms

Connected physical platforms

Technological infrastructure

Smart Services

Smart Products

Smart Spaces

Who are the actors?

Slide 14 "Images are used for educational and study purposes only"

Data privacy and data security – in pending tension

Slide 15

Privacy in times of Big Data and Analytics

Data minimisation?

• Outdated concept

• Relevant for purpose limitation

Joint controllership (Art. 26 GDPR)

• Highly relevant in data consortia

• Shared liability for compliance

Purpose limitation and variation?

• Limited flexibility (Art. 6 para. 4 GDPR)

• Big Data goes beyond

Issues for GDPR revision

• Greater flexibility on data usage for machine learning and AI training

• Criteria for pseudonymisation

• Reducing notification obligations (Art. 13, 14 GDPR)

Slide 16

"Today Data is the greatest asset. Both opportunities as well as the biggest challenges are being created by the

global flow of data." (Narendra Modi, World Economic Forum 2019)

"Images are used for educational and study purposes only"

Raw machine data and HMI

Big Data – overturning privacy by matter of fact?

• Anonymization

- Personal identifiers irreversibly removed

- Risk of de-anonymization

- Main techniques: randomization (e.g. noise addition, permutation, differential privacy, etc.) or generalization (e.g. aggregation and k-anonymity, l-diversity/t-closeness)

- WP 29 Opinion on anonymization

• Pseudonymisation to be updated

- Measure of risk minimisation

- GDPR sets incentives

- Close connection to encryption

- Industry to consider Codes of Conduct (Art. 40 GDPR)

Slide 17

EDPB to further specify

"Images are used for educational and study purposes only"

Security – a matter of board attention

Board- and management liability (e.g. Sec. 91 para. 2 Stock Corporation Act)

• "In particular.. The management board has to set up a monitoring system, so that developments that jeopardize the continuing existence of the company can be detected early."

• Violations can trigger personal liability of directors and officers

NIS Directive

• Since May 2018 (current: national implementation)

• Operators of Critical Infrastructure

• Notification of security breaches

• National security boards to set technical standards

• Impact on suppliers

Slide 18 "Images are used for educational and study purposes only"

Notification of IT malfunction

IT malfunction

No malfunction or disruption

possible

No notification required

Malfunction or disruption

possible

Ordinary IT malfunction

No notification required

Extraordinary IT malfunction

Notification required

Malfunction or disruption

occured

Notification required

Slide 19 Source: Bundesamt für Sicherheit und Informationstechnik

Slide 20

Next steps

Setting the landscape for data contracts

Slide 21

Data Purchase

Data Swap

Data as a Service (Data

Rental)

Data Lending

Things to consider – getting started

Data Provider (= data licensor)

• Data licensing 1:1 and 1:n

• Paid / free of charge?

• Purchase, swap, rental, lending?

• Warranties for data quality?

• Risk and limitation of liability

Data Consumer (= data licensee)

• Designated usage rights

• Exploitation – AI training

• Onward licensing

• Indemnification for data quality

Slide 22

Slide 23

Discussion – developing templates

twobirds.com Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.

Thank you

Dr. Alexander Duisberg

Alexander.Duisberg@twobirds.com +49 89 3581 6000

"Alexander Duisberg stands out for fantastic work

advising clients on digital transformation on an international scale."

- Who's Who Legal, 2018

"Alexander Duisberg is recognised for his depth of

industry experience and his knowledge of digital transformations." - Who's Who Legal, 2018