The legal challenges of non-personal, IoT and M2M data

What rights can be held on IoT and M2M data and how they can be better exploited?

Ownership and exploitation of non-personal, including IoT and M2M, data trigger new legal challenges during the time when they are expected to become more valuable.

iConsumer brings news on non-personal data, including Internet of Things and Machine to Machine data, and their applicable regime and legal challenges to be dealt in the coming years.

From data ownership…

Digital assets of non-personal data are a fundamental resource for the economic growth of companies.

Many of these data are generated without the direct intervention of a human operator (the so-called machine-generated data). Indeed, they come from the sensors of interconnected smart objects, the so-called Internet of Things devices. And, after being subject to data analytics, they become valuable information ready for reuse. Companies exchange large datasets as goods through contractual arrangements, which, however, may raise several legal challenges.

Commentators name it “data ownership”, referring to the right to exclusively control use large amounts of non-personal data held by companies.

Certain existing legal regimes might provide a substantial degree of protection on this type of datasets, that is to say

  • Copyright protection, which could be relevant for the protection of single data included datasets;
  • Rights on databases (i.e., copyright and sui generis right) under Directive 96/9/EC;
  • Trade secrets, established under Directive (EU) 2016/9433;
  • Patent; and
  • Real property.

However, such existing protection regimes cannot provide appropriate protection to entities that control and economically exploit datasets. The shortcomings of the legal framework led several commentators in favor of establishing a new exclusive and absolute right on the use of large datasets to overcome the limitations of the legal framework. However, according to some scholars, the provision of new exclusive rights on non-personal data might considerably restrict the free flow of data and would represent a substantial barrier to entry into the Big Data markets.

The Commission and other EU institutions agreed with this latter discourse and promulgated a Regulation to foster the free flow of non-personal data, that Regulation (EU) 2018/1807.

… To the free flow of non-personal IoT and M2M data and its legal challenges 

As you may already know from a previous post by Tommaso Ricci, on 4 October 2018, the EU Parliament enacted the Regulation (EU) 2018/1807 on the free flow of non-personal data. The Regulation is the outcome of numerous studies and consultations of the Commission concerning non-personal data access and ownership.

The primary purpose of the Regulation is to unleash the full potential of the European Data Economy and the Digital Single Market Strategy. As Vice-President for the Digital Single Market Andrus Ansip puts it,

our economy is increasingly driven by data. With the regulation on the free flow of non-personal data and the General Data Protection Regulation, we have a comprehensive framework for a common European data space and the free movement of all data within the European Union.

The free flow of non-personal data provisions is in line with existing rules for the free movement and portability of personal data in the EU (e.g., Article 20 of the GDPR). In particular, the new Regulation on non-personal data is aimed at ensuring the following:

The free flow of data across borders

The new provisions set a framework for data storing and processing across the EU and prevent data localization restrictions. Member States are supposed to inform the EU Commission about any data localization limitations. In response, the EU Commission, in turn, will assess if they are justifiable. Therefore, the Regulation will enable the free flow of non-personal data creating a common European space for data. In the case of a mixed dataset (i.e., including data of personal and non-personal data), the GDPR provision guaranteeing the free flow of personal data will apply to the personal data part of the set, and the free flow of non-personal data principle will apply to the non-personal part.

Data availability for regulatory control

Public authorities will be able to access data for scrutiny and supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide upon request by the competent authority access to data stored in another EU Member State.

The development of codes of conduct

The adoption of codes of conduct will make the market for cloud services more flexible and the data services in the EU more affordable. In particular, under Article 6 of the Regulation, the EU Commission will encourage and facilitate the development of codes of conduct at the EU level to contribute to a competitive data economy. They will be based on the principles of transparency and interoperability and will take due account of open standards.

You can read an example of how non-personal data can be exploited in the sports sector in this article Why Federer knew to lose the tennis match of the century.

Soon, we’ll see whether such rules will foster the development of the digital economy within the EU.

Don't miss our weekly insights

Show More

Tommaso Fia

II am specialized in data protection, consumer law, and intellectual property law. I am very keen on music and its regulation.

Related Articles

Back to top button