1 Data Sovereignty: Freedom of Contract and Regulation

The claim to success for the IDS is driven by the combination of a common framework of values and reliability, including the reference architecture, connector technology, certification, and an ecosystem that any and all contributors and participants can trust, in order to share and exploit personal and non-personal data within a multitude of sectors and appliances.

At its heart, IDS intends to facilitate and enable the freedom of research, development, and business by sharing and using data between different players and giving any contributor of data the opportunity to manage and maintain control over the data that it puts at the disposal of others.

The claim of data sovereignty is inherently linked to putting the legal instruments and tools in the hands of each participant in the ecosystem, allowing freedom of contract as well as ensuring that exercising data exchange and consorted data usage in the data economy is in compliance with general and specific regulations, ranging from anti-trust to GDPR and cybersecurity regulations as well as sector-specific regulations. The following intends to provide an overview and orientation on the key areas to consider for stakeholders, participants, and the business more generally.

1.1 No Ownership or Exclusivity Rights in Data

Whereas the initial discussion about “who owns the data” dominated the initial phase of the data economy, policy makers, practitioners, and academics have now achieved an—close to unanimous—understanding that the defining and allotting “ownership” or other forms of exclusivity rights in data per se will not facilitate the development of the data economy. As a result of extensive consultation and debate, the focus has shifted to considering the issue of access and re-utilization of data as key to foster sharing and exchange of data, in order to unleash the potential of innovation through data, both in the private and the public sector.Footnote 1 While the outcome might appear “counter-intuitive” to some participants (“How can I not own ‘my data’?”), it is clear that it cannot be up to legislation or government to take decisions which could favor one side of the market and ecosystem, for example, the “data producer” or the “data holder” or the “data processor” or the “data aggregator,” etc. It is a grown consensus that while any unilateral determination of “ownership rights” in data would be premature while entering into and exploring the potential of largely unknown territories of the data economy, it appears quite likely to prevent rather than facilitate innovation through data.

As a result, the means and tools of enabling the data economy are based in contract law, i.e., regulation of data rights inter partes rather than erga omnes. The success of data sharing in the data economy depends on proper mechanisms of enforcing the contractual rights throughout the ecosystem.

By putting sample contracts at the disposal of all participants of the ecosystem, IDS gives orientation as well as the freedom to create contracts of their own that data providers, data brokers, and data consumers and any other participants can construe and implement their models for sharing data through licensing agreements of all sorts and kinds, without being prescriptive as to the kind and nature of the contractual relations.Footnote 2

1.2 Usage Control: Legally and Technically

Based on the concept of data licensing contracts that stipulate data usage rights under respective contract terms, the concept of IDS is to provide a technical solution which enforces such usage rights. The objective of IDS is to add to every dataset the respective protocols that define which data users (“data consumers”) are authorized and shall be technically enabled to access the data that a data provider and/or data broker wishes to share with them, under which purposes and for which duration. That may include whether a user may extract, develop, combine, and further enhance such data, as well as onward-share the data and/or any derivatives of such data and related database, next to the dealing with what shall happen after such usage rights have ended.

In other words, IDS has the overall objective of usage control by combining organizational elements under the auspices of freedom of contract with a technical solution. That said, it does not (yet) have the aim of providing a fully automated technical implementation of all contractual parameters as an executable in binary form (comparable to the concept of smart contracts in the blockchain/distributed ledger technology).Footnote 3 In fact, the path toward parameterizing different types of contracts and ascertaining related contractual remedies under a governing law (to be selected) bears a multitude of complexities, which need to be further explored. The current effort of the “Legal TestBed” initiated by the “Plattform Industrie 4.0”Footnote 4 is a first important step in that direction. By nature of how the formation and interpretation of contracts work, it is not a trivial task and, hence, important to manage expectations what semi-automated contracting and contract enforcement can achieve.Footnote 5 Yet, the vision of IDS is right and the implementation requires a legal framework that includes and supports the implementation of technical usage control. With that, usage control will have a stronger effect than the traditional licensing models.

1.3 Database Rights

Under current law, the most notable (yet largely unknown and underestimated) legal instrument available and applied to collections of data is the right of the database maker, as provided under the EU Database Directive 96/9/EC and implemented in each EU Member State.Footnote 6 The database right protects the investment into the systematical and methodical order of a collection of data in order to prevent extraction and/or re-utilization of the whole or a substantial part of the contents of the database,Footnote 7 but not the data as such.Footnote 8 That said, the database rights provide an important tool in managing data collections, which needs to be considered much more thoroughly in the context of the data economy. The database rights are limited to rightholders (including enterprises) who are nationals or have their habitual residence in the EU, and are construed as a sui generis right, giving the investor exclusivity rights for a duration of 15 years. It includes that the rightholder may transfer, assign, or grant usage rights under a contractual license; it applies independently of whether the actual content or the database as such is (also) eligible to copyright protection.Footnote 9,Footnote 10 It is important to note that the holder of database rights does not enjoy absolute protection, but may only claim a breach of his rights where he has “made available to the public” if a lawful user extracts or re-utilizes other than insubstantial parts of its contents.Footnote 11

Also, any substantial change to the existing database (e.g., made by a lawful user) may result in the creation of a fresh sui generis right in such new database.Footnote 12 EU Member States may also define certain usage rights, as permitted exceptions to the sui generis right, such as data extraction for private purposes, teaching, and scientific research, as well as extraction and/or re-utilization for public security or administrative or court procedures.

In essence, any provider of structured data should examine whether he/she can claim the database rights. If so, the rightholder should consider all options for granting licenses in the database as well as safeguarding his/her legal position against unwanted modifications and alterations, which could result in the creation of new sui generis rights.Footnote 13

Notably, the EU Commission has envisioned as part of its EU Data Strategy to possibly revisit the EU Database Directive, in order to further enhance data access and use (see Sect. 5.1.6).Footnote 14

1.4 Trade Secrets

Confidentiality agreements are generally a viable tool to protect confidential information. But how and what do you keep secret if you share data? What seems an oxymoron by nature needs to be carefully considered in any kind of data transactions.

When sharing data, it is not in first place the information that a data provider shares. It is rather the data provider who intentionally enables the data consumer (or a variety of them) and other participants in the ecosystem to derive and/or generate, each individually, new and different information and value from using the data. In other words, it is important to understand that the data provider cannot necessarily maintain control over what a data consumer makes out of the data that he/she provides.

When further looking into the information models of IDS,Footnote 15 the data provider does have certain control over the metadata that he/she shares and, thus, can define or limit the scope of possible conclusions that a data consumer can draw on the data provider’s sensitive business information.

To give a practical example, the owner of a steel mill that shares runtime data of his/her machines in real time is providing considerable transparency about his/her current level of bandwidth and manufacturing capacity at any given point in time. He/she will want to avoid that this information is disclosed to his/her competitors and/or intermediaries who might use the information to influence market pricing. The factory owner who is interested in sharing data with a supplier of predictive maintenance services for his/her steel mill may want to (1) enter into confidentiality agreements as well as (2) select and limit the type of metadata that he/she shares with the service provider and certain intermediaries. When going further in sharing data with a business innovator working on an AI-based optimization of the manufacturing process, he/she may want to limit the data he/she shares to other parts of the metadata, in respect of the same manufacturing process.

In addition to the tools of usage control and confidentiality agreements, however, it is important to consider the scope and inherent limitations under the EU Trade Secrets Directive (EU) 2016/943 and its varying implementation into national law of the EU Member States.

In essence, a data provider can claim trade secret protection for “information...which…is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to personal with the circles that normally deal with the kind of information in question… and has commercial value because it is secret…and has been subject to reasonable stepsto keep it secret.”Footnote 16 While this test can exclude trade secret protection for data with no information value, it is clear that the commercial value is likely to lie in the related metadata. A data provider must therefore determine (and document internally) before sharing it whether certain data has commercial value because it is secret and which protective measures the data provider has taken to keep it secret (such as limited access internally on a need to know basis, technical security measures, etc.). Subsequently, the data provider will be in a position to define access rights for the data, subject to confidentiality agreements with data consumers, data brokers, and others, and which must be combined with a reliable technical and organizational framework in order to prevent unauthorized third-party access so that the trade secret protection extends when sharing the data.

The benefits of trade secret protection in shared data are obvious, as the trade secret owner has actionable rights to request cease and desist against unlawful data usage (i.e., without the trade secret owner’s consent), claim damages against misappropriation of trade secrets, etc.Footnote 17

1.5 Competition Law

Competition law in the digital world raises the most complex and currently uncertain issues to be solved.Footnote 18 The traditional tools of merger control have been expanded over the last few years, in order to capture and regulate scenarios where the market impact is less influenced by the mere size of the merging companies, but rather to also address situations where the focus of the contemplated transaction is on a data-rich target company with limited economic size considered by the traditional parameter.Footnote 19 Further, the investigations conducted by the German Federal Cartel Office against Facebook, in which it looked at the terms of use to capture a scenario of (allegedly) excessive data collection, give an indication on how authorities are trying to expand their reach in regard to the control of market dominant positions that rely on the accumulation of vast amounts of data and related data-driven business models.Footnote 20 Ultimately, the EU Commission has addressed in its EU Data Strategy the issue of imbalance in market power in relation to data-rich businesses (“data advantage”), putting on the agenda the need to define new ways of preventing market distortion and lack of competition,Footnote 21 leading in particular to the new EU Digital Markets Act.Footnote 22

Where companies exchange sensitive or confidential information relating to their market position (e.g., price information, but also other information that might allow coordinated behavior), each party must ensure—and assumes proper responsibility—not to restrict competition and/or distort markets through agreements restraining competition or resulting in coordinated behavior.Footnote 23 While exchanging, for example, sensor data through IDS is per se unlikely to result in direct coordination over pricing between competitors, or other restraints and anti-competitive practices (both at a horizontal level between direct competitors, and vertically between the different levels in a chain of distributing products and services in a given market), it is clear that each participant in a bilateral or consorted exchange of data assumes responsibility and must ensure to comply with applicable competition law. Accordingly, data providers, data brokers, and data consumers may need to limit the exchange of market relevant information, which is contained in or could be directly derived from exchanging “raw data” together with relevant metadata.

As a further consequence, the operator of a data space will want to safeguard in its information notices and terms of use that each participant to a data exchange is properly aware and undertakes to avoid exchanging market-sensitive information that could be abused and/or that could result in coordinated behavior.

1.6 EU Strategy on Data: The Relevance of Data Spaces

The EU Commission has set important milestones for transforming the single market into a digitally enabled market and making the EU “leading in a data-driven society” and empowering “people, businesses and organisations … to make better decisions based on insights from non-personal data, which should be available to all”Footnote 24 and creating a “data-agile economy.”Footnote 25 Together with this ambitious claim, the EU Commission has presented its EU Data Strategy as a cornerstone to a wider framework of existing and upcoming regulation.Footnote 26

The EU Data Strategy envisions three fundamental objectives, namely, (1) the free flow of data within the EU and across sectors; (2) full respect of European rules and values, including in particular personal data protection, consumer protection, and competition law; and (3) fair, practical, and clear rules for fair access and use of data, based on trustworthy data governance mechanisms.Footnote 27

The EU Commission envisions new legislative measures to support those objectives, including in particular: (1) a cross-sectoral governance framework for data access and use, (2) making available more high-quality public sector data for re-use, (3) a data act for horizontal data sharing across sectors, which may include revisiting the EU Database Directive and the EU Trade Secrets Directive, in order to facilitate and enhance access and (re-)use of data.Footnote 28

Most notably, the EU Commission recognizes and endorses the fundamental importance of data spaces as part of the first pillar (1), aiming to “enable a legislative framework of the governance of common European data spaces,”Footnote 29 as well as providing significant investment and funding in High Impact Projects on European data spaces and federated cloud infrastructures.Footnote 30 It is clear by the wording and further considerations of the EU Commission that IDS and its key elements (i.e., the connector technology, reference architecture, usage control, certification scheme, and model contracts) provide the lead image and stand at the heart of this particular part of the EU Data Strategy. The EU Commission emphasizes that such data spaces shall “overcome legal and technical barriers to data sharing across organisations, by combining the necessary tools and infrastructures and addressing issues of trust, for example by way of common rules developed for the space. The spaces will include; (i) the deployment of data-sharing tools and platforms; (ii) the creation of data governance frameworks; (iii) improving the availability, quality and interoperability of data—both in domain-specific settings and across sectors.”Footnote 31 The EU Commission has defined as a key action point to that end combined investments in the range of EUR 4–6 billion including direct investments of up to EUR 2 billion.Footnote 32

As part of its data space strategy, the EU Commission has identified the following sectors where it intends to create “Common European data spaces”: industrial/manufacturing, Green Deal, mobility, health, financial, energy, agriculture, public administration, and skills.Footnote 33 In other words, IDS represents a role model, if not a blueprint, for these sectors to prepare and develop—in an active dialogue with the relevant stakeholders—the related data space implementations in accordance with the EU Data Strategy.

1.7 Data Governance Act: First Comments

The Data Governance Act of May 30, 2022,Footnote 34 is a pillar in the EU Data Strategy and will be complemented by the European Data Act to foster data sharing among businesses, and between business and governments,Footnote 35 and stands next to the Digital Markets ActFootnote 36 and the Digital Services Act.Footnote 37 It contains key elements of regulation for operators of data spaces.

Its principal areas of regulation cover the following objectives: (1) making public sector data available for re-use in situations where such data is subject to rights of others (such as privacy rights, IP rights, trade secrets, or other commercially sensitive information); (2) sharing data among businesses, against remuneration in any form; (3) allowing personal data to be used with the help of a personal data sharing intermediary that safeguards data subjects’ rights under the GDPR; and (4) allowing data use on altruistic grounds.Footnote 38 As regards public sector data, the Data Governance Act complements and stands in addition to the Open Data Directive.Footnote 39 The overall objective is to “facilitate data sharing by reinforcing trust in data intermediaries,”Footnote 40 which are expected to play a significant role in data spaces, whereas the rules on access and use of data shall be covered by the Data Act.Footnote 41 The Data Governance Act defines as overall requirements that data should be “findeable, accessible, interoperable and re-usable.”Footnote 42

The Data Governance Act accentuates the role and provides notification obligations for providers of data sharing services (“data intermediaries”), in an approach to create a European model for data sharing of personal and non-personal data through “neutral data intermediaries,” as an alternative to the current prevalence and market power of integrated tech platforms that are commonly run by corporate businesses.Footnote 43 While this approach emphasizes the importance of data held in the public sector and ensuring data sharing across Member States,Footnote 44 it is by no means limited to the same.

A key requirement to safeguard trust and control over the data sharing between data holders and data consumers is ensuring the neutrality of the data intermediary. That implies that the data intermediary only acts as an intermediary in data transactions and does not use the data for other purposes.Footnote 45 The data intermediary shall have an establishment in the EU, or an appointed representative if offering the intermediary services from outside, and must follow a notification procedure (yet to be developed in the Member States) such that it notifies the competent registry/authority of its intention to provide intermediary services. In essence, the focus on data intermediaries accentuates the role and responsibility of operators of data spaces.

With regard to scientific research, for example, in relation to the health sector or environmental issues under the Green Deal, the Data Governance Act defines the role of “Data Altruism Organisations recognized in the Union,” which are subject to a voluntary registration regime.Footnote 46

From an institutional perspective, the Data Governance Act will create a “European Data Innovation Board,” consisting of representatives of the Member States, the EU Commission, and representatives of relevant data spaces and specific sectors (e.g., health, agriculture, transport, and statistics).Footnote 47 It shall coordinate national processes and policies and support cross-sector data use within the “European Interoperability Framework” (EIF).Footnote 48

As for data held by the public sector, the Data Governance Act establishes a few key principles: generally, public sector bodies shall not enter into exclusive agreements for the re-use of data they hold, nor may they restrict the availability of the data for re-use, unless (as an exception to the rule) where a data consumer receives exclusive rights for a maximum of 3 years, in order to provide a service or product in the general interest and under a national concession issued in accordance with general transparency principles.Footnote 49 In all other cases, public sector bodies shall grant rights to re-use public sector data based on the rules of transparency, equal treatment, and non-discrimination on grounds of nationality. The actual conditions for re-use must be proportionate and objectively justified with regard to categories of data and purposes of re-use and may define (among others) obligations in regard to secure processing environments provided and controlled by the public sector.Footnote 50 Transfers of highly sensitive non-personal data to third countries may be restricted by national Member States laws.Footnote 51

The Data Governance Act requires data intermediaries to follow a notification procedure in regard to the following types of intermediation services: (1) between data holders (as legal persons) and data consumers both in bilateral or multilateral data exchanges, or the creation of platforms or databases that enable the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data consumers; (2) between data subjects that want to make their personal data available and potential data consumers, thereby facilitating the data subjects to exercise their rights under the GDPR; and (3) services of data cooperatives particularly in the areas of micro, small, and mid-size enterprises.Footnote 52 The concept of notification does not imply an approval by the authorities,Footnote 53 but rather provides a mechanism to determine certain conditions for data intermediary services (before commencing their activity)Footnote 54 and to establish a supervisory control over an intermediary’s compliance with such conditions,Footnote 55 which can impose “dissuasive financial penalties” (to be further defined by the Member States) if need be.Footnote 56 The EU Commission stressed that additional measures regarding rights on access and use of data are envisaged for the EU Data Act, as in discussion since February 2022.Footnote 57,Footnote 58

The conditions under Art. 11 Data Governance Act are of particular interest in the given context of IDS: the intermediary may not use the data it receives for other purposes than putting them at the disposal of data consumers; he/she shall not use the metadata collected from the data sharing service for other purposes other than developing that actual service, ensuring fair, transparent, and non-discriminatory access to the service for data holders and data consumers, including as regards prices; facilitating data exchange in the formats that the intermediary receives the data and converts data into other formats only to ensure interoperability within and across sectors or if specifically requested by the data consumer, or if required under law, or to ensure harmonization with international or European data standards; preventing fraudulent or abusive practices; ensuring continuity of services and adequate technical, legal, and organization measures to prevent unlawful transfer or access to non-personal data; providing a high level of security for the storage and transmission of non-personal data; maintaining procedures to ensure compliance with competition law rules at the EU and Member State level; advising data subjects on potential data uses and standard terms and conditions attached to such uses; and advising on the relevant jurisdiction(s) of processing where an intermediary provides tools for obtaining consent from data subjects or permissions to process data made available by legal person.

From an IDS perspective, the Data Governance Act endorses the approach and key elements that IDS is promoting, including in particular the approach toward neutral intermediaries that rely on the reference architecture and the connector technology, in order to enable data sharing between data holders and data consumers in bilateral and multilateral data sharing ecosystems. The reference architecture and the information model of IDS are coherent with the requirements regarding data formats and interoperability. Operators of data spaces will need to pay particular attention, however, as to their monetization model. Under the current draft Data Governance Act, it appears excluded that an operator of a data space could generate innovative services through further-going metadata analytics, other than in order to “further develop” those data sharing services that the intermediary is actually providing to the specific data holders and data consumers concerned.Footnote 59 There are certainly good reasons to argue for such a limited remit, in respect to the definition of “metadata” that relates to the data holders and data consumers.Footnote 60 However, it appears important to discuss further clarity on whether an intermediary should not be able to generate (“anonymized”) metadata aggregations and reports containing findings and learnings, as well as whether to use such data possibly as training data for machine learning, as long as the information contained in the actual metadata itself is properly protected and not shared with third parties for commercial gains or other unauthorized purposes.

Obviously, the Data Governance Act is subject to further debate, including the relatively generic requirements on security (currently not referencing state-of-the-art security but only referring to “high level of security,”Footnote 61 whereas, e.g., Art. 32 para. 1 GDPR shows a way to make sure a controller at least “takes into account the state of the art”). Further, it is important to bear in mind that the Data Governance Act represents only one part of legislation in regard to the European Data Strategy.Footnote 62

1.8 Personal and Non-personal Data

With its definition of personal data, the GDPR has determined an ample scope: “personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, on online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”Footnote 63 Anonymization of personal data can enable a data controller to further process the data without considering the data protection requirements, provided that the data is no longer related to an identified or identifiable person.Footnote 64 Please note that pseudonymization of personal data (replacing identifiable personal data by a pseudonym) is reversible and can therefore only be used as an additional security safeguard for the processing. Examples such as IP addresses show that “personal data” is far more than might be obvious on first sight.Footnote 65 In addition, the rise of Big Data and AI has clearly shown that what might appear, at a given point in time, as anonymous data or other data with no connection or relevance to natural persons may actually turn out to be an element of personal data, once it is combined with other identifiers.Footnote 66

However, the EU Commission has recognized the distinction by referring to “non-personal data” within areas of (limited) regulation, such as the Free Flow of Non-Personal Data Regulation.

Any concept regarding data spaces, such as IDS, must therefore be prepared to cater for compliance requirements regarding both personal and non-personal data.

1.8.1 GDPR

From an IDS and data sharing perspective, the main question to be considered is which actors take which roles (controllers, processors, and joint controllers), in order to assess the related obligations. Additional considerations relate to the operators of data spaces in regard to the technical and organizational measures that they provide, in order to enable controllers and processors to share and process (personal) data in a data space.

The roles of data providers (acting as the [original] data controllers)Footnote 67 and data consumers (acting as [subsequent] data controllers) appear clear in a bilateral data sharing scenario, i.e., resulting typically in a controller-to-controller transfer and where the operator of the data space provides the infrastructure and takes the role of a data processor.Footnote 68 The data provider will need to assess the legal basis for making the data available to the data consumer under Art. 6 GDPR (e.g., consent of the data subject, performance of a contract with the data subject, legitimate interest) and ensure compliance with further obligations of a data controller (e.g., privacy notice under Art. 13 and 14 GDPR; safeguarding data subjects’ rights under Art. 15 et. seq. GDPR, documentation obligations under Art. 30 GDPR, etc.). When it comes to scientific research—in particular in regard to special categories of data (e.g., health data, Art. 9 GDPR)—it may well be that data providers can claim specific legal justifications that the Member State legislators may have enacted, under the opening for national derogations.Footnote 69

When it comes to multilateral data sharing, the data provider will need to consider the legal basis for providing the personal data concerned in regard to the data consumer separately—which may result in different legal basis applying, depending on the nature of processing, the various data consumers envision. Notably, the scope for “purpose variation” is limited under Art. 6 para. 4 GDPR.Footnote 70 Where the data provider relies on consent, he/she will need to provide appropriate consent management tools (including the option to withdraw consent); where he/she relies on legitimate interest, he/she will need to safeguard the right of objection.Footnote 71

More complexity comes about where various data controllers jointly determine the purposes and means of processing personal data. This can occur in multilateral or consorted data sharing scenarios, either between the data provider and various data consumers or also (only) between various data consumers. In each of those scenarios, the parties involved will need to enter into a joint controllership agreementFootnote 72 and will assume joint and several liabilities for data protection compliance of their jointly controlled processing activities.Footnote 73

The operator of a data space should put appropriate tools in the hands of data controllers, in order to ease the data providers’ implementation of GDPR compliance. That can work by providing standardized documentation which the data controller(s) and processor(s) concerned can easily adapt and conclude as required—yet recognizing that a fully automated compilation of relevant documentation is very likely still a long way to go.

1.8.2 Free Flow of Non-Personal Data Regulation

The EU Regulation on the free flow of non-personal dataFootnote 74 has two core objectives: ensuring the free movement of non-personal data across Member State borders, i.e., removing data localization requirements between Member States (and preserving availability and access to data for regulatory control purposes)Footnote 75 and easing the portability of data (in particular with regard to professional users switching cloud providers).Footnote 76 The regulatory approach on data portability is “soft-handed” and intentionally not interventionist, but self-regulatory, requiring further development through a “code of conduct” at the EU level.Footnote 77 From an IDS perspective, the relevant claim of data portability essentially regards the relation between the data provider and the operator of a data space. The data provider must have the option to move his/her account to another data space. IDS’ reference architecture, the information model, and the data connector technology that allows to process and connect interoperable data formats are suitable measures to meet these requirements, which should therefore be instrumental in preparing related “code of conduct” under Art. 6 of the Free Flow of Non-Personal Data Regulation, if and when required.

1.9 Cybersecurity

The rise of cybersecurity threats is inherent to the growth of digital ecosystems and data sharing within data spaces. Clearly, robust cyber resilience and related organizational measures are a pre-condition for data providers and data consumers to share personal and non-personal data. However, it is also a question of regulation. The NIS Directive and the Cybersecurity Act are key pillars of a European cybersecurity framework and are complemented by the requirements on technical and organizational measures in regard to personal dataFootnote 78 as well as security measures required by data intermediaries.Footnote 79

1.9.1 NIS Directive

The NIS Directive and its implementation into national security laws set the framework for adequate security of providers of essential services as well as digital service providers.Footnote 80 Besides the providers of essential services, the NIS Directive requires EU Member States to impose security requirements also on providers of digital services, which are defined as online marketplaces, online search engines, and cloud computing services.Footnote 81 Cloud computing services are defined as “a digital service that enables access to a scalable and elastic pool of shareable computing resources.” The EU Commission has issued an Implementing RegulationFootnote 82 on the basis of Art. 16 para. 8 NIS Directive that specifies the security obligations of the providers of digital services. Accordingly, providers of essential services and/or digital services that fall within the scope of the NIS Directive will be able to use IDS, if and where they can define, configure, and rely on the security settings for data exchange.

1.9.2 Cybersecurity Act

The EU Cybersecurity Act (CSA) complements the provisions of the NIS Directive with additional regulations on the tasks and powers of the EU Agency for Network and Information Security (ENISA) and with the baselines of a new cybersecurity certification scheme for Information and Communications Technology (ICT) products services and processes. This cybersecurity certification scheme under Art. 51 CSA is still under development by the ENISA. On May 27, 2021, the Federal Government adopted and published its revised German IT security Act 2.0 (ITSiG 2.0). With the new ITSiG 2.0, the German Federal Offices for Information Security’s powers is largely expanded and provisions inter alia regarding the storage of log data, inventory data disclosure, and implementation of detection measures for network and IT security are implemented.Footnote 83 Where regulated entities need to follow these requirements, IDS can potentially offer the architecture and framework for related compliance, noting, however, that it remains within the responsibility of the regulated entity/ies to define and implement their security requirements for related data exchange.

2 Preparing Contractual Ecosystems

The IDS sets out the landscape of participants in the ecosystems, and deriving from that, which participants need to bound through contractual agreements with other participants, in order to support the data exchange between the data providers and data consumers (Fig. 5.1).

Fig. 5.1
figure 1

Data sharing in a data space. © 2021, International Data Spaces Association [CC-BY]. Used under permission from International Data Spaces Association

The entire concept of IDS and data sovereignty is based on the principles of contract law, in order to ensure that data providers can determine and enforce the rules and conditions under which they share with and enable data consumers to use their data, be it in bilateral (“1:1”) or multilateral usage scenarios (“1:1” and “1:n”). In that context, the fundamental principles of freedom of contract, including the freedom to choose the governing law, must always be at the disposal of the contracting parties.

IDS provides the framework and technology to allow the parties to limit their transaction costs and to ensure effective enforcement through the concept of usage control. In a future world, this will include increased automation of contract execution (conclusion, performance, and enforcement), whereas the steps to reach that goal are plentiful and, as of now, still require to “set the scene” with the means of traditional contractual agreements.

The following considerations explain some of the fundamental concepts and approaches for data licensing agreements, i.e., those agreements that data providers and data consumers will conclude, and how that can work on the basis of platforms that enable such data exchange. While the following explanations stand against the background of German law (and hence need to bear in mind that underlying statutory law can impact the formation and interpretation of contracts), they are to a considerable degree generic in nature and can be applied to other jurisdictions (even if adaptations under local law remain indispensable).

2.1 Platform Contracts

As mentioned above, the role of intermediaries and, in particular, operators of platforms is key for the success of facilitating data exchange and accelerating the growth of the data economy.Footnote 84 Accordingly, it is important to consider the contractual setting that a provider of data connector services has to offer, possibly in first place and by which the data providers and data consumers can transact. That said, it is equally possible that data providers can do without the services of a platform provider, if and where they simply draw on the IDS connector technology and organize the data exchange (1:1 or 1:n) by themselves.

2.1.1 Key Principles

A platform operator that offers services to facilitate a data exchange will typically define its contractual relationship with data providers and data consumers by general terms and conditions, similar to those of other digital marketplaces. The platform operator will want to consider the following key constituent elements in this context: (1) the platform that provides the technical infrastructure and related services (including service levels) for a reliable and secure data exchange, but is not prescriptive as to the actual commercial and legal terms under which data providers and data consumers perform data exchanges; (2) the platform operator that may put at the disposal of data providers and data consumers template contracts to facilitate transactions and reduce transaction costs for the various types of data licensing transactions, including related compliance documentation (such as data processing agreements as required under the GDPR) and may provide technical mechanisms to facilitate automated or semi-automated contracting as well as facilities for contract negotiation; (3) the platform operator that will typically set out a registration process for data providers and consumers, as well as define an acceptance process for the platform operator’s terms of use; (4) the platform operator that will set certain requirements for accepting policy frameworks (such as the IDS reference architecture, security settings, permitted usage and exclusions, requirements on IPR and GDPR compliance), codes of conduct, etc. that the data providers and data consumers have to follow; (5) remuneration and usage fees; (6) provisions on warranty and liability in regard to the functioning of the platform; (7) indemnities resulting from possible third-party claims raised against the platform operator resulting from the data providers’ transactions conducted with data consumers; (8) provisions and limitations regarding the platform operator processing, using and retaining data exchanged through the platform by data providers and data consumers; (9) term and termination; (10) confidentiality; (11) GDPR compliance in the relation between the platform operator and the data provider/data consumer and between the data provider and data consumers; (12) IDS certification of the platform operator; and (13) choice of governing law and dispute resolution.

These many aspects to consider show that contractual frameworks of platform operators cannot be easily transformed into binary executables or simple “smart contracts,” as well as that IDS-based platform operators need to resort to a predefined governing law and rules on dispute resolution (which can include online arbitration) in a particular jurisdictions. However, IDS can provide a template for platform operators. The sample “Terms and conditions of participation in an Industrie 4.0 platform” certainly gives a very good starting point and is available under a Creative Commons license.Footnote 85

2.1.2 Legal TestBed: A Lead Example

As part of its activities, the legal working group of the “Plattform Industrie 4.0” has initiated a widely remarked “Legal TestBed” that is designed as a sand-box exercise for simulating a legal contract execution process (conclusion, performance, and enforcement) in an Industrie 4.0 context.Footnote 86 As part of the exercise, the working group has created the “Terms of use for an Industrie 4.0 platform” (Terms of Use), by way of an extensive drafting and consultation process among legal practitioners of academia, industry, and private practice. These Terms of Use are designed to ensure a reasonable balance between the interest of the platform operator and the users (data providers and data consumers), in order to facilitate data transactions and/or operational processes (such as performance of a logistics order and performance process) on the platform.

The Terms of Use cover the principles set out above (Sect. By virtue and subject to the terms of the Creative Commons license, any third party is free to use and adapt these Terms of Use for its own platform operations.

2.2 Data Licensing Agreements

While building the data economy is a process that has only started, it appears that the commercial practice of data licensing is advanced in certain specific areas, whereas in other areas and sectors it is still largely “unknown territory.” Accordingly, data licensing agreements do not yet follow general common standards that practitioners can “pull off the shelf,” such as in the world of software licensing. In any event, therefore, it is helpful to be aware of the fundamentally different types of contractual arrangements that data licensing transactions can follow. In simplified terms, the key distinctions that any data provider must consider are around the nature of the transaction, i.e., whether he/she intends to grant (1) perpetual or temporary, (2) exclusive or non-exclusive, and (3) royalty-free or paid-up usage rights—and in which combination of each of these aspects. From a German legal perspective (which can at least be helpful also for other civil law jurisdictions), the categorization of contract types can help in this regard (Fig. 5.2).

Fig. 5.2
figure 2

Categorization of contract types. © 2021, Dr. Alexander Duisberg, Bird & Bird LLP

A “data purchase” implies perpetual (exclusive or non-exclusive) usage rights against a one-time remuneration. “Data as a Service” implies temporary (exclusive or non-exclusive) usage rights in data (comparable to a rental model), whereas “data lending” would imply that the lender asks for no compensation, and in a “data trade” the data provider would receive data as a non-monetary compensation. From a German law perspective, each of these different transactions falls in the category of a different contract type, to which the German Civil Code attaches different requirements, as well as contractual remedies in case of a breach. As a result, the data provider needs to consider the legal consequences and risks involved when setting his/her contract terms against that background.

2.2.1 The Contract Matrix

The following matrix provides initial guidance (under German law) on the key elements to consider in relation to the various parameters applied to the different contract types. Some of these parameters are suited for a binary implementation (e.g., exclusive or non-exclusive usage rights, etc.) which therefore facilitates automated contracting (Fig. 5.3).

Fig. 5.3
figure 3

Contract matrix. © 2021, Dr. Alexander Duisberg, Bird & Bird LLP

Obviously, any exclusive grant of usage rights is limited to 1:1 data licensing transactions—and would (potentially) even exclude further usage by the data provider, unless he/she explicitly reserves such rights. An important element to consider is the sui generis database right which is based on the (unique) EU Database Directive and its implementation to EU Member States laws.Footnote 87 A data provider that licenses structured data will need to consider the implications, i.e., whether and to which extent he/she defines limitations on the data consumer in creating new database rights by investing into substantively different methods of making datasets searchable.Footnote 88

2.2.2 The IDS Sample Contracts

In addition to the “Terms and conditions of participation in an Industrie 4.0 platform,” the IDS itself has developed two basic templates to cover data purchases and data as a service type of licensing transactions, designed against the background of German law and considering the particular implications of German rules governing standard terms and conditions. Again and as stated above, the intention of providing template agreements is not about being prescriptive, but rather to endorse the overarching principle of freedom of contract, whereas trying to reduce the transactional costs of setting up and negotiating suitable contracts for data licensing.Footnote 89

That said, any parties wishing to use the connector technology and transact under the framework and reference architecture of IDS will need to include the reference to IDS and, in particular, recognize the requirements on certification.Footnote 90

3 Implementing Compliance

Obviously, any participant in an IDS-based data exchange must be aware and ensure to take the appropriate measures to act in compliance with applicable laws, in particular with mandatory rules of data protection law (GDPR) and rules of competition law.

3.1 GDPR

The GDPR applies at any time where data providers share personal data, i.e., “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,”Footnote 91 triggering all the relevant provisions regarding a legal basisFootnote 92 and its limitations on purpose variationFootnote 93 and transparency through privacy notices,Footnote 94 ensuring data subjects rights,Footnote 95 documentation requirements,Footnote 96 and breach notifications.Footnote 97

3.1.1 Controllers, Joint Controllers, and Processors

Data providers and data consumers will need to assess which type of relationship they will have, i.e., (1) whether the data consumer processes personal data as a new controller for its own purposes or (2) whether it is processing personal data together with the data controller for jointly defined purposes (i.e., acting as joint controllers). Where the data provider and the data consumer effect a data transfer to enable a new processing purpose, the data provider must assess the legal basis for the transfer in accordance with Art. 6 or Art. 9 GDPR (the latter for special categories of personal data). While legitimate interestFootnote 98 is very often the suitable basis for transferring data for processing purposes that the data provider has predefined, this approach will not work where it is foreseeable that the data consumer wishes to process that personal data for arbitrary purposes which are unclear at the time of the transfer. Equally, it may be a significant challenge to rely on legitimate interest where a data provider shares personal data in a 1:n relation with a (possibly unknown) multitude of data consumers. Further, it is important to recognize that legitimate interest cannot serve as a legal basis when it comes to special categories of personal data (e.g., health data).Footnote 99 Accordingly, data providers and data consumers may also need to consider if and where they need to base data transfers and subsequent processing on the data subject’s consent, and manage related consent management tools.

3.1.2 Documentation

Where the data provider and the data consumer(s) or various data consumers among each other pursue common purposes of data processing, they will need to enter into joint controller agreements under Art. 26 GDPR. Again, IDS can provide template documents that allow the parties involved to reduce their transaction costs in setting up and negotiating such agreements. Yet, the parties involved will need to at least define the substantive content (data categories concerned, recipients, processing purposes), whereas certain standard elements including the required technical and organizational measuresFootnote 100 can (possibly) be incorporated by way of reference to the security standards provided by the platform operator.

The platform operator, by contrast, will normally act and position itself as the data processor who provides the technical facilities and, hence, effectively processes personal data on behalf of the various data controllers. Accordingly, the platform operator will provide (and the various data controllers can draw on) standard data processing agreements as required under Art. 28 GDPR, in which the parties involved (controllers and processors) will need to determine the data categories, data recipients, and processing purposes, as well as information on sub-processors and various other details, including the technical and organizational measures.

Further documentation requirements include that data controllers display the related privacy noticesFootnote 101 and maintain proper records of processing activities.Footnote 102

3.1.3 Breach Notifications

Where personal data breaches occur, the data controller(s) will need to assess the risk for the rights and freedoms of the data subjects and, if so, notify within 72 h the competent data protection authority and, in case of significant risks, also the data subjects.Footnote 103 In an environment of sharing personal data, this requires a clear allocation of responsibility and reporting back to the data controller. With the means of data processing agreementsFootnote 104 and the usage control under IDS, each data controller should be well equipped to follow through with its notification obligations, i.e., preparing a report on which data has been affected by which incident, what consequences might arise from the breach, and which measures the controller has taken to mitigate the impact.

3.1.4 Enforcement and Sanctions

All stakeholders need to be aware of the significant level of fines that the GDPR attaches to non-complianceFootnote 105 and the increased enforcement actions taken by the data protection authorities.Footnote 106

Obviously, the primary responsibility falls with the data controllers, but also data processors can be held liable, or even both, controllers and processors, can be held liable to pay damages to data subjects, jointly and severally.Footnote 107

IDS itself does not take the role of a data controller or data processor. Accordingly each participant in the IDS ecosystem must be aware and take responsibility for its compliance with the GDPR—respectively assess in the first place if and to which extent it is willing and capable to process personal data in light of those requirements, or determine that its data contributions and data exchange shall exclude personal data from the outset.

3.2 Competition Law

One of the significant challenges that all participants to data sharing ecosystems need to be aware of and observe are the requirements of competition law, in regard to horizontal cooperations between competitors, “vertically” in downstream distribution models for data, as well as wherever the market position of a data provider (or data consumer) and the nature of the information could result in a distortion of markets and/or an abuse of a market dominant position.Footnote 108 Arguably, European competition law is only picking up with the challenges of the digital economy. The future EU Digital Market Act (“DMA”) sets an important milestone in regulating platform operators that have the role of a “gatekeeper”. The DMA will likely enter into force at the begin of 2023. While it is premature to assess the actual impact of this regulation, the sanctions (of up to 10% of a gatekeeper’s aggregate annual revenues) give a strong message aiming at a fair data economy and preventing “data oligopolies”. Platform operators exceeding a certain size (in terms of market valuation, numbers of users, etc.) will fall under the DMA.Footnote 109

Beyond those generic principles it is clear that each participant in a data space must apply particular care in regard to the nature of information that it discloses and shares by way of a data exchange.Footnote 110 Accordingly, data providers and data consumers must take the necessary precautions to avoid that sensitive industrial information is disclosed which could allow entry into price ties, creating oligopolies, or induce coordinated behavior in breach of the applicable EU and national competition laws.Footnote 111

4 Certifications from a Legal Perspective

While certifications are by nature a technical issue, they represent an important pillar for building trust in IDS. In that context, a few legal aspects play a significant role.

4.1 Role of Procedural Rules

IDS has not only created a certification standard,Footnote 112 but is presenting the same in conjunction with procedural rules of certification.Footnote 113 These procedural rules of certification are built on the procedural rules of the “Trusted Cloud” initiative of the Federal German government, which have been developed and published in a joint initiative of various stakeholders.Footnote 114 As such, they represent a well-developed, reasonably balanced set of rules following common market standards to conduct certifications.

4.2 Additional Aspects

The issuance and management of the IDS certification standard can raise competition law aspects, if and when it develops to have a market-relevant impact. Accordingly, the IDS intends to enable further (commercially oriented) certification bodies to certify against the IDS standard in going forward at such point, whereas for the time being, the International Data Spaces Association (IDSA), acting as a non-profit organization on a mere cost basis) will currently act as the sole certification body.

Any entity seeking a certification (“applicant”) will enter into a related agreement with the certification body (i.e., IDSA or in the future other certification bodies) to conduct the certification assessment in accordance with the procedural rules. The actual examination may be assigned to a separate examination body (“audit body”), which will act either as a sub-contractor of the certification body or, preferably in order to maintain organizational independence, through a separate contract with the applicant. As regards contractual liability, the certification body and the audit body will seek to exclude liability to the extent possible under German law (and related rules on standard contract terms, i.e., limiting liability for ordinary negligence to the “typically foreseeable damage”). In addition, such bodies will want and need to maintain a suitable general liability insurance.