In a few days, on Sept. 24, 2023, the Data Governance Act active. In view of this, we inform you in this article about the new regulations and the associated legal acts of the new European Data Strategy.
This is intended to create a legally secure framework for economic investments and strengthen Europe's position in the digital transformation. Developers of digital business models should be aware that the cornerstones of the EU data strategy are extremely complex. The most important legal acts, including their recitals, comprise more than 600 closely printed pages.
This article gives you through the support of a webinar conducted in advance by the lawyer Dr. Timo Ehmann (Ehmann&Ehmann Rechtsanwälte PartG mbB, Munich) will provide a valuable overview of the laws already passed and planned by the EU Commission, the further strategy to regulate data ownership and how to apply the interlocking rules to your digital business model.
This article was written in German, automatically translated into other languages and editorially reviewed. We welcome feedback at the end of the article.
European data strategy - the key points in brief
- General Data Protection Regulation (GDPR) in force since 2018
- Digital Markets Act (DMA) in force since 25.06.2023
- Data Governance Act (DGA) active as of 09/24/2023.
- Digital Services Act (DSA) takes effect Feb. 17, 2024
- Data Act (DA) and Artificial Intelligence Act (AIA) close to legislative enactment.
These legal acts create the basis for future strategic and economic treatment of data in Europe. The diagram illustrates the main aspects of the EU data strategy:
Definition - Property
The § 903 BGB (Civil Code) "Powers of the owner" defines property as follows:
The owner of a thing may, unless the law or the rights of third parties are opposed, do with the thing as he pleases and exclude others from any interference.
Article 14 GG (Basic Law for the Federal Republic of Germany) supplements this definition:
(1) Property and inheritance rights shall be guaranteed. Their content and limits shall be determined by law.
(2) Ownership obliges. Its use shall at the same time serve the public good.
Distinction between property and intellectual property
According to the German Patent and Trademark Office, the term "intellectual property", internationally referred to as "intellectual property (IP)", includes property rights in creations of the human intellect. This includes, for example, inventions, know-how or Software.
This means: In contrast to the ownership of physical objects as defined in Section 90 of the German Civil Code, intellectual property refers to the exclusive right to intangible assets such as works of art or technical inventions.
-> What is intellectual property? Read it after.
How is intellectual property protected?
Industrial property rights (patents and utility models, trademarks, designs)
Example: A pharmaceutical company applies for a patent for a new vaccine, as in Covid-19, to protect its exclusive rights to manufacture and market it.
Example: A software company protects its proprietary algorithms and technologies as trade secrets by taking strict security precautions and concluding non-disclosure agreements with its employees and business partners. This prevents confidential information from being disclosed to third parties.
Copyright and related rights
Example: An author automatically enjoys copyrights to his work. These rights protect his intellectual property and grant him the right to publish, reproduce and sell the work. A photographer similarly owns the copyright to his images and protects it by marking and licensing his work. This case is clearly regulated.
But what about the question: May AI be trained on the intellectual creations of others? Copyright law is strict, and the answer to this question is correspondingly complicated. The short form is:
If the data to be used for the AI training contains copyright-protected content, various actions are already copyright-relevant in the preparation process of the training. This concerns, for example, texts, pieces of music, photos, films, drawings but also databases. However, it is important to note that not all AI training data automatically enjoy copyright protection. Data that is in the public domain or not sufficiently protectable can be used for training without violating copyright.
For more information on how to legitimately obtain artificial intelligence training data, check back soon for one of our in-depth blogposts.
Definition - Business Models
A business model is a model representation of the logical relationships of how an organization or company creates value for customers and ensures a return for the organization.
What is a digital business model?
The Bavarian Research Institute for Digital Transformation defines a business model as digital if digital technologies have a fundamental influence on the way the company does business and generates revenue. However, the specific degree of digitization of a company cannot be determined exactly.
What is a data-driven business model?
Data can be bought. Data-based business models exploit this principle (e.g., in online advertising) by using data as a key resource. Data-based business models differ from data-driven business models in that the latter merely supplement value creation processes with data-based technologies (e.g., additional sales via an app).
Would you like to find out more about data-based business models? Our continuing article will soon provide you with all the important background information and illustrative examples. It's worth visiting the AI Blog again in a few days.
Challenges for digital business models that go hand in hand with digitization and AI
Hate Speech and Fake News
Example: On social media, a person spreads racist and insulting comments towards a certain ethnic group. These posts violate the platform's guidelines. Operators must take action to remove the hate speech and potentially expose the user to to report to the Federal Criminal Police Office.
However, the mere expression of opinion remains covered by the expression of opinion: Ruling of the Hamburg Regional Court - rating on Google Maps is permissible expression of opinion. However lack factual reference points on which an opinion is based, or if the factual reference points are untrue, freedom of expression must regularly recedewrites Knuth Folger.
The future of copyright
Example: A well-known photographer discovers that his images are being used in various online publications without his consent. He decides to use blockchain technology to secure the authorship of his photos and ensure that he is fairly compensated for their use.
Monopolization tendencies and gatekeepers
Example: A large technology company has achieved a dominant position in the search engine market. It abuses its power to hinder smaller competitors and suppress competition by favoring its own services and disadvantaging others.
In a legal tug-of-war, which has already become the subject of many journalistic reflectionsWetter.com - a subsidiary of ProSiebenSat.1 Media SE based in Baden-Württemberg - has filed a lawsuit against technology giant Google at Mannheim Regional Court. At the heart of the dispute is a so-called "box" that Google places prominently within its search results. This box offers users a comprehensive display of weather data in advance, making the click on the link to the Wetter.com homepage obsolete.
This action poses a serious threat to Wetter.com's business model, which relies heavily on advertising revenue. By discouraging users from visiting Wetter.com's website, Google is depriving the company of potential advertising revenue and thus weakening its economic livelihood.
The matter raises complex issues of competition law and digital sovereignty, and it remains to be seen how the court will rule in this striking case.
Data protection and monitoring pressure
Example: A government conducts extensive surveillance of citizens and collects massive amounts of data about their online activities without taking adequate data protection measures. This raises privacy and civil liberties concerns.
AI security and transparency
Example: An autonomous vehicle with artificial intelligence (AI) is involved in an accident. Investigators need to understand the decision-making processes of the AI system to determine the cause of the accident and ensure that the AI algorithms are transparent and safe. This raises questions about accountability and the need for AI transparency.
Legal acts of the European Data Strategy that regulate these challenges
"Another clear decision to be made is on the question of whether there can be ownership of data."Excerpt from printed matter 19/26538, page 2, German Bundestag - 19th legislative period
|Hate Speech and Fake News||VO (EU) 2022/2065 Digital Services Act, valid from 17.02.2024|
|The future of copyright||RL (EU) 2019/790 UrhR Directive, effective since 06.06.2019|
|Monopolization tendencies||VO (EU) 2022/1925 Digital Markets Act, valid since 25.06.2023|
|Data protection and monitoring pressure||VO (EU) 2016/679 Basic Data Protection Regulation, valid since 25.05.2018|
|AI security and transparency||Artificial Intelligence Act, ongoing triolog negotiations|
"For all those who have contributed to the creation of data, we are strengthening standardized and machine-readable access to self-generated data. With a data law, we are creating the necessary legal basis for these measures."Excerpt from the coalition agreement fall 2021, use of data and data law
Overview of regulations that allocate data
To illustrate how exactly regulations and data are mapped to the different legal acts of the EU Data Strategy, please see the diagram:
The more detailed description of each legal act can be found in the following sections.
Digital Services Act
The Digital Services Act (EU Regulation 2022/2065) is effective from 17/02/2024.
This effective date automatically leads to the repeal of the Network Enforcement Act (NetzDG) and Telemedia Act (TMG).
Affected by the DAS are
- Online brokerage services e.g. hosting services, online platforms, search engines, marketplaces, app stores and social media offerings,
- Additional obligations (e.g., risk management) for very large providers (reaching more than 10 % of the 450 million consumers in Europe),
- Central parts are exempt for micro and small enterprises (less than 50 employees or less than 10 million euros in annual sales),
- Overlaps, particularly with Regulation 2019/1150.
Regulations of the DAS at a glance
- Transparency in the design of services
- Regulation for dealing with illegal content e.g. notice and takedown
- For large platforms: Risk analysis and mitigation
- Strengthening of fundamental rights through AGB regulation; explicitly mentioned on the official EU homepage, such as "freedom of speech"
Therefore applies: There is no regulation on the ban on using a clear name, Section 19 (2) of the TTDSG. Telemedia providers must enable the use of telemedia and their payment anonymously or under a pseudonym, insofar as this is technically possible and reasonable. The user of telemedia must be informed of this possibility.
Digital Markets Act
The Digital Markets Act (DMA) (EU Regulation 2022/1925) has been in force since 25.06.2023.
Affected by the DMA are
- Online gatekeepers such as GAFAM (Google, Amazon, Facebook (Meta), Apple, Microsoft),
- Companies with an enterprise value of over EUR 75 billion,
- Companies with annual sales of over EUR 7.5 billion.
Article 6 of the DMA regulates access to data on central platform services in paragraphs 9 to 11.
Paragraph 9 states that end-users and third parties commissioned by them shall be provided, upon request, with free and effective access to their own data that they have provided on the platform or generated through their use.
The 10th paragraph describes that commercial users and third parties authorized by them are granted free, high-quality and permanent real-time access to aggregated and non-aggregated data, including personal data generated in connection with the use of the platform services. This access requires the consent of the End Users.
In paragraph 11, online search engine providers are granted access under fair and non-discriminatory conditions to ranking, query, click and view data generated by end users through their search engines. All personal data in this data is anonymized. This is to ensure that access to data on central platforms is fair and transparent.
Regulations of the DMA at a glance
- Prohibition of bundling of certain services, services and apps (Art. 5 Par. 7, 8 DMA)
- Safeguarding the competitive freedom of competitors and participating merchants (e.g., IE from Microsoft; competition from Amazon Basics).
- Transparency regulations for online advertising (incl. information about prices)
- Easy uninstallation options of software applications on their operating system (Art. 6, 7 DMA).
- Transparent and fair display or rankings (Art. 6 para. 5 DMA)
- Notification requirements for certain mergers for merger control purposes
Data Governance Act
The DGA was published on May 30, 2022 and becomes effective on Sept. 24, 2023.
It aims to facilitate data sharing in the EU and promote the use of data in the interest of businesses and citizens. The act covers various aspects, including the regulation of data intermediation services, the reuse of public data and the promotion of data altruism. The focus is on the security and protection of data.
"We need to react wisely now and regulate artificial intelligence sensibly before it's too late for that. This must not take years again."Digital Minister Volker Wissing (FDP) told "Bild am Sonntag" in April 2023 in Berlin
Data switching services are particularly affected by DGA.
What are data switching services and who uses them?
Data brokering services are services or platforms that enable the exchange of data between different users or organizations. These services usually provide the technical Infrastructure and the Mechanisms ready to securely transfer or share data from one location to another. Data switching services occur in a variety of industries and applications. Examples are:
- Cloud services: Companies like Amazon Web Services (AWS), Microsoft Azure and Google Cloud offer data brokering services that enable companies to store their data in the cloud to store and process.
- Data marketplaces: Platforms such as DataMarket, DatastreamX and Data.gov provide a Marketplace for buying and selling data between different data providers and users.
- Financial services: Financial institutions use data intermediation services to conduct financial transactions between Banks, payment processors and other players in the financial industry.
- IoT platforms: Internet of Things (IoT) platforms such as AWS IoT and Azure IoT Hub facilitate the transfer and processing of data from connected devices and sensors.
- Social media: Platforms like Facebook, Twitter, and Instagram make it easy for users to share information and data in the form of posts, pictures, and videos.
- E-commerce: Online marketplaces such as Amazon and eBay create the basis for the exchange of product data between sellers and buyers.
- Communication services: Messaging apps like WhatsApp and email services like Gmail are used to transfer text, audio, and video information between users.
Goals of the Data Governance Act
- Facilitation of data exchange
- Regulation of new data intermediaries
- Promoting data sharing for altruistic purposes.
- Consideration of personal and non-personal data
- Compliance with the General Data Protection Regulation (DSGVO)
- Regulation of the reuse of protected data held by public bodies
- Limiting exclusive data reuse agreements.
Regulations of the DGA at a glance
- Obligation to enter data brokerage services in a register (customer confidence)
- Data evaluation by data exchange service providers for neutral marketplaces (data exchange service providers may not evaluate the data for their own purposes)
- Avoiding lock-in effects by limiting contracts for exclusive data use
- Time limit of new contracts for exclusive use of data between authorities and companies to 1 year (fair competition)
- Time limit existing contracts for exclusive use of data between public authorities and companies will be limited to 2.5 years (fair competition)
- Structural separation between data switching and other services as well as fee regulations
- Voluntary provision of data for the public interest without consideration (data altruism).
- Compliance with European Data Innovation Board (EDIB) standards and consent forms.
- Establish a body to facilitate data exchange and interoperability standards.
- Strengthening international data transfers, taking into account data protection and security (international data flows)
Data Potential and Strategy Obstacles of the EU Data Gonvernance Act
The DGA serves to establish a framework for enhancing trust in voluntary data sharing for businesses and citizens.
Potential of data: Data offers great economic and societal potential for innovation, efficiency, healthcare, and social challenges.
Obstacles in EU data exchange: Low trust in data exchange, problems with the use of public data and technical hurdles limit data exchange in the EU.
Artificial Intelligence Act
The Artificial Intelligence Act (AIA) is currently still in ongoing trilogue negotiations within the EU Commission (as of 09/2023).
With the AIA, the European Commission presents the first legal framework for artificial intelligence (AI), which aims to address the risks of AI and put Europe in a leading position in this field. This regulatory proposal aims to set clear requirements and obligations for developers, providers and users of AI in specific application areas.
At the same time, the aim is to minimize the bureaucratic and financial burden on companies, especially small and medium-sized enterprises (SMEs). This proposal is part of a broader package of measures for AI, including an updated coordinated plan for AI.
Affected by the AEOI are
- AI systems providers,
- Users of third-party AI systems,
- Dealers and importers of AI systems.
Resolved contents of the AIA at a glance
- Safety regulations
- Rules on fairness and transparency
- Protection of privacy and fundamental rights
- Use of AI systems in specific areas (e.g., autonomous driving, biometric recognition).
Why do we need rules for AI?
The planned AI regulation ensures that people in Europe can have confidence in the potential of AI. Although most AI Systems have multiple applications and can help address societal problems, certain AI systems carry risks that need to be addressed as part of the European Data Strategy to prevent undesirable consequences.
For example, it is often not clear why an AI system made a decision or performed an action, making it difficult to assess potential inequities, such as in hiring processes or public utility services. Although existing laws provide some protection, they are not sufficient to address the specific challenges posed by AI systems.
Proposed provisions of the AEOI
- Addressing risks specific to AI applications,
- List of high risk applications,
- Establish clear requirements for AI systems for high-risk applications,
- Establish specific obligations for AI users and providers of high-risk applications,
- Conformity assessment before the AI system is put into operation or placed on the market,
- Enforcement after such an AI system has been placed on the market,
- Governance structure at European and national level.
Risk-based approach of the Artificial Intelligence Act
The regulatory framework establishes four levels of risk in AI:
- Unacceptable risk: Ban AI systems with clear threats to human safety, livelihood, and rights.
- High risk: Strict regulatory framework for high-risk AI systems, e.g., in critical infrastructure, education, and law enforcement.
- Limited risk: Transparency obligations for AI systems with limited risk e.g. chatbots.
- Minimal or no risk: Free use AI systems with minimal or no risk e.g. spam filters.
The Data Act (DA) is expected to be effective in the fall of 2025.
DA affects providers of mobile devices or related services that collect and transmit data about usage or environment, for example, IoT devices such as smartwatches, fitness trackers, connected vehicles, or smart homes.
The draft Data Act is seen as a central component of data economy law. The EU Commission has abandoned the idea of exclusive rights of use, such as the concept of "data ownership", which is seen as positive. It would be legally and economically problematic to move from de facto exclusivity to legal exclusivity (Hennemann/Steinrötter, NJW 2022, 1481).
The Data Act regulations include two important articles.
Article 3: Obligation to make available data generated during the use of products or associated services
Products and connected services must be designed so that user-generated data is, by default, simple, secure and, where relevant and appropriate, directly accessible.
Article 4: Users' right to access and use data generated during the use of products or associated services
If the User cannot access the data directly, the Data Controller must provide the User with the data provided at the time of use immediately, free of charge and, if applicable, continuously and in real time, electronically upon simple request, if technically feasible.
However, there is still the question of whether different regulations could apply to different products or services, such as Apple Health and Adidas Runtastic.
Exceptions to the right of access
No business secrets need to be disclosed (Art. 4 para. 3 DA).
- No use of data for the development of a competitive product (Art. 4 para. 4 DA)
- No right of access with regard to personal data of third parties (Art. 4 (5) DA)
But: There is still no general limitation to conflicting intellectual property rights and no special regulation limiting the scope of protection of the database producer's right.
Summary of the pre-contractual information requirements
According to Art. 3 para. 2 of the Data Act:
- The type and amount of data expected to be generated when using the product or connected service
- Intention of the manufacturer to use the data itself
- Whether the seller, lessee or lessor or data owner is
- How the user can arrange for the data to be passed on to a third party
Obligation to obtain a "data license" and other regulations
Pursuant to Art. 4 (6) p. 1 of the Data Act:
- Data economy
- Disclosure of data at the request of the user Art. 5 DA-E
- Simplified switching and interoperability between providers e.g. phasing out switching fees Art. 23 et seq., 28 et seq. DA-E
Micro or small businesses are exempt from further DA regulations.
Outlook - Next steps in the European Data Strategy
Following the EU Commission's proposal in April 2021, the European Data Strategy Regulation partially entered into force in late 2022 or early 2023 during a transition period. During this period, standards would be prescribed and developed, and the governance structures put in place would become operational. The second half of 2024 is the earliest date that the European Data Strategy Regulation could become applicable to operators implementing all standards and conducting the first compliance assessments.
With the Digital Markets Act (DMA) in particular, the EU Commission is bringing forward some important aspects that are of great importance with regard to transparency and the technical implementation of the European Data Strategy. On the one hand, this emphasizes the need for more transparency, which is a positive step towards a more open digital market. On the other hand, there are also some challenges and open questions related to the DMA. The requirements for technical and organizational implementation, especially in the area of data access (DA) requirements, are high and possibly difficult to implement for some companies.
There are also clarifications regarding abusive business practices, especially related to the DMA and data access (DA) requirements, which are useful. This helps to combat unfair competitive practices. Nevertheless, many aspects remain unclarified and the DMA replaces traditional legislative structures, potentially leading to uncertainty.
Important points, such as the permissibility of crawling and the use of data in the area of SaaS (Software as a Service), remain in need of clarification. There is a risk of overestimating the enforceability of small-scale regulations, such as the restriction of the scope of use of data. In addition, increased information provision, similar to "cookie banners," will be required - and specific contractual requirements will be imposed.
Overall, the DMA of the EU Data Strategy only partially achieves its goal of a clear legal framework so far, as necessary compromises and some ambiguities remain. Implementation will continue to require careful monitoring and adaptation to achieve the European Commission's strategy goals.
If you liked the article, I appreciate feedback. If you have any questions about AI and Konfuzio, please contact our team of experts anytime via the Contact form.