Legal issues of data exchange in the IDS
2nd IDSA Summit, Task Force Legal Framework
25 June 2019, Bonn
Dr. Alexander Duisberg, Partner
Slide 2
International Data Spaces Association
Source: International Data Spaces Association 2019, "Datenmanagement und Datensouveränität", Prof. Dr.-Ing. Boris Otto
Service platforms
Connected physical platforms
Technological infrastructure
Smart Services
Smart Products
Smart Spaces
Overview
• Data – the new resource
• Protecting data base & know-how
• Data transactions
• Data privacy and data security – always an issue
• Conclusion
Data – the new resource
Slide 4
Data – information/knowledge – value creation
• Individual data entries: raw data (e.g. sensor data)
• Content-/context level: metadata
- Descriptive nature and/or proprietary content
- "20°" vs. "20° celsius, 25 June 2019, 4:30 pm, Deutsche Telekom Campus Bonn"
• Context orientation and differentiation via metadata
Value through data collections
Slide 5 "Images are used for educational and study purposes only"
Protecting database & know-how
Slide 6
Protecting database
Systematic or methodical order
• Data can be stored in an unsorted manner
• Electronic access to individual elements
• Constituent combination with a search system is key
Slide 7
Two-fold database term
Data storage
Search system
EU Trade Secret Directive (2016/943)
Towards a better framework
• Implementation of Trade Secrets Directive (EU 2016/943)
• Civil redress against unlawful disclosure etc.
• Protects information of commercial value, because it is secret
• Trade secret holder must have implemented reasonable measures to keep it secret
Technical protection of trade secrets
• Technical and organizational measures
• Encryption and other technical safeguards
• Role and function of IDS Connector
Slide 8
Protecting know-how when you share?
Confidentiality agreements (NDA)
• Common standards
• Technical security essential!
• Lawful exemptions (prior knowledge, etc.)
• Contractual safeguards and penalties
Enforcement of know-how infringement
• Not an easy game
• Different legal systems with respect to providing evidence
It's all in the metadata!
Slide 9
Data transactions
Slide 10
Data Transactions
General objectives
• Usage rights in data base (incl. structured data) and/or unstructured data
• Protection against unauthorized modification
• Indemnification towards data suppliers
• Limitation of liability for transfer/licensing-out
Prior to data transactions: due diligence
• Data origin
• Third-party rights
• Access rights through regulation
• Privacy compliance
Slide 11
Risk assessment
Cornerstones of data(base) transactions
• Purchase, rental, services or works contract?
• Compensation models
• Scope and deliverables
• Authorized usage and reproduction / copying
• For licensing-out: prohibit significant changes
• Privacy compliance
• Warranty and liability
• Exit and returning data
Slide 12
Slide 13
Who are the actors?
Slide 14
Data privacy and data security – in pending tension
Slide 15
Privacy in times of Big Data and Analytics
Data minimisation?
• Outdated concept
• Relevant for purpose limitation
Joint controllership (Art. 26 GDPR)
• Highly relevant in data consortia
• Shared liability for compliance
Purpose limitation and variation?
• Limited flexibility (Art. 6 para. 4 GDPR)
• Big Data goes beyond
Issues for GDPR revision
• Greater flexibility on data usage for machine learning and AI training
• Criteria for pseudonymisation
• Reducing notification obligations (Art. 13, 14 GDPR)
Slide 16
"Today Data is the greatest asset. Both opportunities as well as the biggest challenges are being created by the global flow of data." (Narendra Modi, World Economic Forum 2019)
Raw machine data and HMI
Big Data – overturning privacy by matter of fact?
• Anonymization
- Personal identifiers irreversibly removed
- Risk of de-anonymization
- Main techniques: randomization (e.g. noise addition, permutation, differential privacy, etc.) or generalization (e.g. aggregation and k-anonymity, l-diversity/t-closeness)
- WP 29 Opinion on anonymization
• Pseudonymisation to be updated
- Measure of risk minimisation
- GDPR sets incentives
- Close connection to encryption
- Industry to consider Codes of Conduct (Art. 40 GDPR)
Slide 17
EDPB to further specify
Security – a matter of board attention
Board- and management liability (e.g. Sec. 91 para. 2 Stock Corporation Act)
• "In particular... The management board has to set up a monitoring system, so that developments that jeopardize the continuing existence of the company can be detected early."
• Violations can trigger personal liability of directors and officers
NIS Directive
• Since May 2018 (current: national implementation)
• Operators of Critical Infrastructure
• Notification of security breaches
• National security boards to set technical standards
• Impact on suppliers
Slide 18
Notification of IT malfunction
IT malfunction
• No malfunction or disruption possible: No notification required
• Malfunction or disruption possible
- Ordinary IT malfunction: No notification required
- Extraordinary IT malfunction: Notification required
• Malfunction or disruption occurred: Notification required
Slide 19 Source: Bundesamt für Sicherheit in der Informationstechnik
Slide 20
Next steps
Setting the landscape for data contracts
Slide 21
Data Purchase
Data Swap
Data as a Service (Data Rental)
Data Lending
Things to consider – getting started
Data Provider (= data licensor)
• Data licensing 1:1 and 1:n
• Paid / free of charge?
• Purchase, swap, rental, lending?
• Warranties for data quality?
• Risk and limitation of liability
Data Consumer (= data licensee)
• Designated usage rights
• Exploitation – AI training
• Onward licensing
• Indemnification for data quality
Slide 22
Slide 23
Discussion – developing templates
twobirds.com Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
Thank you
Dr. Alexander Duisberg
+49 89 3581 6000
"Alexander Duisberg stands out for fantastic work advising clients on digital transformation on an international scale." - Who's Who Legal, 2018
"Alexander Duisberg is recognised for his depth of
industry experience and his knowledge of digital transformations." - Who's Who Legal, 2018